Packaging SAP GUI for macOS with Java 11 support

A while back, I wrote a post on building a SAP GUI installer for macOS, where SAP GUI needed to have Oracle’s Java 8 JDK as a pre-requisite. Since then Oracle has made an announcement that the use of Oracle’s Java 11 JDK is no longer free if you’re using it for production work.

One of the consequences of that decision by Oracle is that SAP GUI 7.50 rev 5 is the first version of SAP GUI to support Java 11. However, the SAP GUI developers are now recommending the use of OpenJDK 11 in place of Oracle’s Java JDK 11. More specifically, the SAP GUI folks are recommending the use of SAP’s own SapMachine Java JDK 11 release.

Meanwhile, a Java library named JavaFX used by SAP GUI is no longer being bundled as part of Java 11. Instead, JavaFX has been split off into its own open source project called OpenJFX and is now a separate install.

What do SapMachine JDK 11 and JavaFX have in common? Among other things, neither has a native installer for macOS. Instead, each is distributed as a compressed archive.

Installation is performed by uncompressing into the following directory on macOS:

/Library/Java/JavaVirtualMachines

That said, SAP GUI also still works with Oracle’s Java JDK 8 as of the release of SAP GUI 7.50 rev 5. JavaFX is bundled with Java JDK 8, so installing Oracle’s Java JDK 8 handles both the Java and JavaFX requirements.

With all the changes, how should SAP GUI now be packaged for installation? Without question, the main challenge for deployment here is going to be the Java component. In my testing, which was limited to “Launch SAP GUI and see if it runs”, I found that SAP GUI 7.50 rev 5 is able to run on the following Java releases:

If using any Java 11 release, OpenJFX will need to be installed for SAP GUI to successfully run.

With this in mind, it’s possible to build a package that does the following:

  1. Detects if Java is installed
  2. Detects if JavaFX is installed
  3. If Java is not installed, install the latest release of SapMachine JDK.
  4. If JavaFX is not installed, install the latest release of OpenJFX.
  5. Verifies that both Java and JavaFX are installed.
  6. If both Java and JavaFX are installed, install SAP GUI

For more details, please see below the jump.

For information on how to get and configure the SAP GUI installer, please see my earlier post on the topic as these details have not changed.

Downloading SapMachine Java 11 JDK

As of SAP GUI 7.50 rev 5, SAP GUI supports Java 11, with the preferred Java 11 release being the latest SapMachine OpenJDK 11 release. SapMachine is maintained and supported by SAP, so it is the OpenJDK 11 release best supported by SAP for SAP GUI.

To get the latest SapMachine OpenJDK 11 release, use the link below:

https://github.com/sap/SapMachine/releases/latest

Download the sapmachine-jdk-version_number_here_osx-x64_bin.tar.gz file.

Downloading JavaFX

As of Java 11, the JavaFX libraries used by SAP GUI are no longer bundled as part of the Java JDK. Instead, they must be downloaded and installed separately.

To get the latest OpenJFX release, use the link below:

https://gluonhq.com/products/javafx/

Download the JavaFX Mac OS X SDK .zip file.

Building the SAP GUI installer

The SAP GUI installer can perform the following tasks:

  • Installing the latest Java on an as-needed basis
  • Installing the latest JavaFX on an as-needed basis
  • Installing the SAP GUI software
  • Installing the SAP GUI connection and settings files

Pre-requisites

1. Set up a new Packages project and select Raw Package.

2. In this case, I’m naming the project SAP GUI 7.50 rev5.

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Tag section:

Identifier: set as appropriate (for my installer, I’m using com.sap.pkg.SAPGUI750rev5)
Version: set as appropriate (for my installer, I’m using 7.50.05)

In the Post-installation Behavior section:

On Success: should be set to Do Nothing

In the Options section:

Require admin password for installation should be checked
Relocatable should be unchecked
Overwrite directory permissions should be unchecked
Follow symbolic links should be unchecked

7. Select the Payload tab. Nothing here should be changed from the defaults.

8. Select the Scripts tab.

Under the Additional Resources section, add the following files:

If you have a templates.jar file, also add that file.

The last part is telling the SAP GUI for Java installer to run. For this, you’ll need a preinstall script and postinstall script.

Here’s the preinstall script being used for this installer package:

If not already selected, select the preinstall script and add it to the project.

Here’s the postinstall script being used for this installer package:

If not already selected, select the postinstall script and add it to the project.

9. Build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by installing it on a test machine that:

  • Does not have the SAP GUI client installed

The end result should be that the SAP GUI client installs into /Applications. If a templates.jar was included with the installer, the SAP GUI configuration specified by the templates.jar file should also be installed.

Depending on whether Java is installed on this test machine or not, the following actions should take place:

  • If a Java 8 JDK is installed on the test Mac, neither SapMachine JDK 11 nor JavaFX should be installed by the SAP GUI installer.
  • If a Java 11 JDK and Open JavaFX are both installed, neither SapMachine JDK 11 nor JavaFX should be installed by the SAP GUI installer.
  • If a Java 11 JDK is installed without Open JavaFX, only Open JavaFX should be installed by the SAP GUI installer.
  • If Java is not installed, both SapMachine JDK 11 and Open JavaFX should be installed by the SAP GUI installer.
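The detection half of the package logic (steps 1, 2 and 5 in the list at the top, and the four test scenarios just above), as an added shell example that is not the preinstall script from this post. It assumes every JDK unpacks to a <bundle>/Contents/Home folder under /Library/Java/JavaVirtualMachines, that the OpenJFX SDK zip is unpacked into that same directory as javafx-sdk-<version>/lib, and that a Java 8 JDK carries JavaFX as jre/lib/ext/jfxrt.jar inside its own bundle:

```shell
#!/bin/sh
# Added example, not the preinstall script from the post. Implements the
# "detect Java", "detect JavaFX" and "verify both" steps of the package logic.
# Assumptions (not stated by the post): each JDK unpacks to
# <bundle>/Contents/Home under JVM_DIR, the OpenJFX SDK zip unpacks into the
# same JVM_DIR as javafx-sdk-<version>/lib, and an Oracle JDK 8 carries
# JavaFX as jre/lib/ext/jfxrt.jar inside its own bundle.

JVM_DIR="${JVM_DIR:-/Library/Java/JavaVirtualMachines}"

# java_installed ROOT: success when any JDK bundle under ROOT has a java binary.
java_installed() {
    for bin in "$1"/*/Contents/Home/bin/java; do
        [ -x "$bin" ] && return 0
    done
    return 1
}

# javafx_installed ROOT: success when JavaFX is present, either bundled in a
# Java 8 JDK (jfxrt.jar) or as a separately installed OpenJFX SDK.
javafx_installed() {
    for jar in "$1"/*/Contents/Home/jre/lib/ext/jfxrt.jar \
               "$1"/*/lib/javafx.base.jar; do
        [ -f "$jar" ] && return 0
    done
    return 1
}

# required_installs ROOT: prints what the installer still has to add, in
# install order ("sapmachine openjfx", "openjfx", or "none").
required_installs() {
    needed=""
    java_installed "$1" || needed="sapmachine"
    javafx_installed "$1" || needed="${needed:+$needed }openjfx"
    echo "${needed:-none}"
}

# prereqs_satisfied ROOT: the gate before the SAP GUI payload is installed;
# a preinstall script would exit non-zero here to abort the installation.
prereqs_satisfied() {
    java_installed "$1" && javafx_installed "$1"
}

# Usage: ./check_java_prereqs.sh --report
case "${1:-}" in
    --report)
        echo "Components still missing: $(required_installs "$JVM_DIR")"
        prereqs_satisfied "$JVM_DIR" && echo "Java and JavaFX present: SAP GUI can be installed"
        ;;
esac
```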

When the Mac no longer goes to sleep

A VERY annoying bug on my MacBook Pro these last few days: I close it, put it in my bag, head out on the road… and it comes out of the bag hot, because it did not go to sleep as expected. And it happened again one evening when I had closed it while not connected to the server, with lots of apps running. No sleep… and the battery at zero in the morning.

To understand what is going on, the simplest way is still to go through the Terminal and type the following command:

pmset -g

The following output is then displayed:

[Screenshot: pmset -g output]

The line we are interested in is, obviously, the sleep line.

[Screenshot: the sleep line of the pmset -g output]

Here, we can see that sleep is being prevented by the sharingd program. But what is sharingd for? The “d” at the end tells us that it is a Unix daemon. A quick man sharingd (or a press of the right key on the Touch Bar #protip):

And so we learn that…

[Screenshot: man sharingd]

Interesting! So sharingd handles everything related to the macOS Continuity features, file sharing, access to remote DVD drives… And lately, I have been using my iPhone’s or iPad’s Personal Hotspot a lot. So let’s turn off Wi-Fi before putting it to sleep, to see… and check right away what that gives.

[Screenshot: pmset -g output with nothing preventing sleep]

There! It should be better now. However, this is not a universal method, and there is nothing wrong with, for example, trying an SMC reset if this method is not enough.
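A small added helper, not part of the original post, that pulls the processes holding the sleep assertion out of pmset -g output so the check can run unattended. It assumes the line format macOS prints, “ sleep  0 (sleep prevented by sharingd, coreaudiod)”, with several processes separated by commas:

```shell
#!/bin/sh
# Added example, not from the post: extract the processes that block sleep
# from "pmset -g" output so the check can run non-interactively, for
# instance from a monitoring script. Assumes the line format macOS prints:
#   " sleep                0 (sleep prevented by sharingd, coreaudiod)"

# sleep_blockers: reads pmset -g text on stdin, prints one blocking process
# per line, nothing when sleep is not being prevented.
sleep_blockers() {
    sed -n 's/^ *sleep  *[0-9]* *(sleep prevented by \(.*\))$/\1/p' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//; /^$/d'
}

# sleep_blocked_by NAME: success when NAME is among the blockers on stdin.
sleep_blocked_by() {
    sleep_blockers | grep -qx "$1"
}

# Live check; "pmset -g" itself needs no privileges.
if [ "${1:-}" = "--check" ]; then pmset -g | sleep_blockers; fi
```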

Backing up macOS scripts from Jamf Pro

When working with scripts for managing Macs on Jamf Pro, I prefer to download them and back them up to GitHub or a similar internal source control tool. The reasons I do this are the following:

  1. I have an off-server backup for the scripts
  2. I can track changes to the scripts

While I’ve usually had copies of the scripts stored elsewhere, sometimes I would make changes to the scripts on Jamf Pro and then not update the offline copy of the scripts with my changes. Being able to download them from my Jamf Pro server would mean that I could always have a copy of the latest version of the script in production.

To help me with this, I’ve written a script to do the following:

  1. Use the Jamf Pro API to identify the Jamf Pro ID numbers of the scripts.
  2. Download each script using its Jamf Pro ID number as raw XML.
  3. Format the downloaded XML
  4. Identify the display name of the script
  5. Extract the script from the downloaded XML
  6. Save the script as Display Name Goes Here to a specified download directory.

For more details, please see below the jump.

For authentication, the download script can accept hard-coded values in the script, manual input or values stored in a ~/Library/Preferences/com.github.jamfpro-info.plist file.

The plist file can be created by running the following commands and substituting your own values where appropriate:

To store the Jamf Pro URL in the plist file:

defaults write com.github.jamfpro-info jamfpro_url https://jamf.pro.server.goes.here:port_number_goes_here

To store the account username in the plist file:

defaults write com.github.jamfpro-info jamfpro_user account_username_goes_here

To store the account password in the plist file:

defaults write com.github.jamfpro-info jamfpro_password account_password_goes_here

To run the download script:

/path/to/Jamf_Pro_Computer_Script_Download.sh

When run, you should see output similar to that shown below.

The downloaded scripts themselves will be stored in either a user-specified directory or, if no directory is specified, a directory created by the script.

The download script is available below, and at the following address on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/Jamf_Pro_Computer_Script_Download

Jamf_Pro_Computer_Script_Download.sh:

Downloading macOS High Sierra from the Mac App Store

Now that macOS Mojave has been released, it’s become more difficult to access the macOS High Sierra installer for those who still need it. Fortunately, High Sierra has not been removed from the MAS and it is still available for download. Apple has a KBase article that shows how to access the macOS High Sierra page in the Mac App Store, available via the link below:

https://support.apple.com/HT208969

To access the macOS High Sierra page directly, please click on the link below:

https://itunes.apple.com/us/app/macos-high-sierra/id1246284741?ls=1&mt=12

That link should open the MAS and take you to the macOS High Sierra download page.

In the event that you’re blocked from downloading macOS High Sierra, you should be able to download it in a virtual machine. I have a post on how to do this, available via the link below:

https://derflounder.wordpress.com/2017/02/21/downloading-older-os-installers-on-incompatible-hardware-using-vms/

When a Mac is (too) locked… think PRAM!

Strange case yesterday at a client’s: a MacBook Pro previously locked via iCloud with the Find My Mac feature, then removed from the associated account. Yet the Mac stayed stuck on the boot screen with the message: Please wait 60 minutes. Except that after the 60 minutes, only a message appears in red: “Wrong password”. Even though nothing at all had been typed. Awkward.

Fortunately, booting from an external disk was possible. So I decided to associate the machine with another iCloud account, then lock it. On reboot, I did get a message on the login window explaining that the machine had indeed been locked by the iCloud account of my choice. But still the same message: “wait 60 minutes”, and no way to enter the password typed on icloud.com. Awkward again.

The solution, extremely simple, was passed on to me by Apple support (thanks Laurent): do a PRAM reset on the machine, with the classic Cmd-Option-P-R at startup. And indeed, there was some junk in the PRAM that the firmware did not like and that sent it straight into locked mode.

Since then, the Mac has been reinstalled and is working. And it is living new happy days with its new owner…

Backing up smart and static groups from Jamf Pro

When working with smart and static groups on Jamf Pro, especially more complex smart groups, I prefer to download them and back them up to GitHub or a similar internal source control tool. The reasons I do this are the following:

  1. I have an off-server backup for the groups
  2. I can track changes to the groups
  3. If needed, I can make a change to a smart group and upload via the API instead of having to edit in the web console.

Up until recently, I didn’t have a good process for handling this, but I was able to develop a way as part of working with an engineer from Jamf. After some work, I was able to build two scripts which do the following:

  1. Use the Jamf Pro API to identify the Jamf Pro ID numbers of the smart and static groups.
  2. Download each group as an XML file using its Jamf Pro ID number.
  3. Format the downloaded XML.
  4. Identify the display name of the group.
  5. Identify if it was a smart or static group.
  6. Save the downloaded XML as Group Name Here.xml to a specified download directory, based on whether it was a smart or static group.

For more details, please see below the jump.

I’ve written two scripts for this purpose:

  • Jamf_Pro_Computer_Group_Download.sh – This script is designed to download and handle macOS smart and static groups
  • Jamf_Pro_Mobile_Device_Group_Download.sh – This script is designed to download and handle iOS and tvOS smart and static groups.

For authentication, the scripts can accept hard-coded values in the script, manual input or values stored in a ~/Library/Preferences/com.github.jamfpro-info.plist file. The plist file can be created by running the following commands and substituting your own values where appropriate:

To store the Jamf Pro URL in the plist file:

defaults write com.github.jamfpro-info jamfpro_url https://jamf.pro.server.goes.here:port_number_goes_here

To store the account username in the plist file:

defaults write com.github.jamfpro-info jamfpro_user account_username_goes_here

To store the account password in the plist file:

defaults write com.github.jamfpro-info jamfpro_password account_password_goes_here

Both scripts run in similar ways, with the main difference being which kind of groups are being downloaded.

To download macOS smart and static groups:

/path/to/Jamf_Pro_Computer_Group_Download.sh

To download iOS and tvOS smart and static groups:

/path/to/Jamf_Pro_Mobile_Device_Group_Download.sh

When run, you should see output similar to that shown below.

The groups themselves will be stored in either a user-specified directory or, if no directory is specified, a directory created by the script. They will be sorted by whether the individual group is a smart or static group.

The scripts are available below, and at the following addresses on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/Jamf_Pro_Computer_Group_Download

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/Jamf_Pro_Mobile_Device_Group_Download

Jamf_Pro_Computer_Group_Download.sh:

Jamf_Pro_Mobile_Device_Group_Download.sh:

Backing up configuration profiles from Jamf Pro

When working with configuration profiles on Jamf Pro, I prefer to download and back them up to GitHub or a similar internal source control tool. The reasons I do this are the following:

  1. I have an off-server backup for the profiles
  2. I can track changes to the profiles

Up until recently, this had been a manual process for me where I would download the profiles in question from the server and then upload them to my source control tool.

My process looked like this:

1. Download the profiles from the Jamf Pro server using the Download button.

2. Remove the code-signing and format the profile using a process similar to the one described in the link below:

https://macmule.com/2015/11/16/making-downloaded-jss-configuration-profiles-readable/

3. Move the profile to the correct directory in my source control repo.
4. Review changes and commit to the repo.

However, as I’ve started using profiles more, this process got cumbersome and I wanted to automate at least the download part of the process. After some work, I was able to build two scripts which do the following:

  1. Use the Jamf Pro API to identify the Jamf Pro ID numbers of the configuration profiles.
  2. Download each profile using its Jamf Pro ID number
  3. Decode and format the profile
  4. Identify the display name of the profile
  5. Save the profile as Display Name Here.mobileconfig to a specified download directory.

For more details, please see below the jump.

I’ve written two scripts for this purpose:

  • Jamf_Pro_Mac_Configuration_Profile_Download.sh – This script is designed to download and handle macOS configuration profiles
  • Jamf_Pro_Mobile_Device_Configuration_Profile_Download.sh – This script is designed to download and handle iOS and tvOS configuration profiles

For authentication, the scripts can accept hard-coded values in the script, manual input or values stored in a ~/Library/Preferences/com.github.jamfpro-info.plist file. The plist file can be created by running the following commands and substituting your own values where appropriate:

To store the Jamf Pro URL in the plist file:

defaults write com.github.jamfpro-info jamfpro_url https://jamf.pro.server.goes.here:port_number_goes_here

To store the account username in the plist file:

defaults write com.github.jamfpro-info jamfpro_user account_username_goes_here

To store the account password in the plist file:

defaults write com.github.jamfpro-info jamfpro_password account_password_goes_here

Both scripts run in similar ways, with the main difference being which kind of profiles are being downloaded.

To download macOS profiles:

/path/to/Jamf_Pro_Mac_Configuration_Profile_Download.sh

To download iOS and tvOS profiles:

/path/to/Jamf_Pro_Mobile_Device_Configuration_Profile_Download.sh

When run, you should see output similar to that shown below.

The profiles themselves will be stored in either a user-specified directory or, if no directory is specified, a directory created by the script.

The scripts are available below, and at the following addresses on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/Jamf_Pro_Mac_Configuration_Profile_Download

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/Jamf_Pro_Mobile_Device_Configuration_Profile_Download

Jamf_Pro_Mac_Configuration_Profile_Download.sh:

Jamf_Pro_Mobile_Device_Configuration_Profile_Download.sh:
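The middle steps shared by this post, the group download post above and the script download post further up (identify the display name, pull the body out of the Classic API XML, tell smart from static, save under that name), as an added shell example that is not one of the blog’s scripts. The blog’s scripts use xmllint and xpath; this version uses only sed and awk, the two sample records and their element layout are constructed from the element names the posts describe, and the safe_filename step is my addition, since the display name comes from the server and must not be used as a path verbatim:

```shell
#!/bin/sh
# Added example, not one of the download scripts from these posts. It shows
# the shared middle of all of them: identify the display name, pull the body
# out of the Classic API XML, and save it under that name. The record layouts
# and both sample records are constructed from the element names the posts
# describe; the real scripts use xmllint and xpath, this uses only sed/awk.

# Stand-in for the per-ID API response the scripts fetch, e.g.
#   curl -su "$user:$pass" -H 'Accept: application/xml' "$url/JSSResource/scripts/id/12"
SAMPLE_SCRIPT='<?xml version="1.0" encoding="UTF-8"?>
<script><id>12</id><name>../Reset Printer &amp; Queue</name><category>Maintenance</category>
<script_contents>#!/bin/bash
if [ "$1" != "" ]; then
  echo "Arg: $1" &gt;&gt; /var/log/reset.log
fi
lpadmin -x "Printer &amp; Co"</script_contents></script>'

SAMPLE_GROUP='<computer_group><id>7</id><name>All Managed Laptops</name><is_smart>true</is_smart>
<criteria><size>1</size></criteria></computer_group>'

# xml_unescape: undo the escaping the API applies to element text; &amp; last.
xml_unescape() {
    sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' -e "s/&apos;/'/g" -e 's/&amp;/\&/g'
}

# record_name: the first <name> element of the record read from stdin.
record_name() {
    sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' | head -n 1 | xml_unescape
}

# record_body ELEMENT: text between <ELEMENT> and </ELEMENT>, across lines.
record_body() {
    awk -v open_tag="<$1>" -v end_tag="</$1>" '
        { line = $0 }
        !inside && (i = index(line, open_tag)) { inside = 1; line = substr(line, i + length(open_tag)) }
        inside && (j = index(line, end_tag))   { print substr(line, 1, j - 1); inside = 0; next }
        inside { print line }
    ' | xml_unescape
}

# safe_filename NAME: the name comes from the server, so never use it as a
# path verbatim; drop slashes and leading dots so "../x" stays inside DIR.
safe_filename() {
    printf '%s' "$1" | tr -d '/' | sed -e 's/^\.*//' -e 's/[[:space:]]*$//'
}

# group_subdir: "smart_groups" or "static_groups" for the group record on stdin.
group_subdir() {
    if [ "$(record_body is_smart)" = "true" ]; then echo smart_groups; else echo static_groups; fi
}

# save_script DIR: writes the script record on stdin to DIR/<display name>
# (no extension, as the post does) and prints the path written.
save_script() {
    dir="$1"; rec=$(cat)
    name=$(safe_filename "$(printf '%s\n' "$rec" | record_name)")
    [ -n "$name" ] || name="unnamed_script"
    mkdir -p "$dir"
    printf '%s\n' "$rec" | record_body script_contents > "$dir/$name"
    echo "$dir/$name"
}
```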

The Pro syndrome

What is a pro?

I am asking myself the question once again, following many discussions on my Twitter feed. Some consider that the iPad Pro… is not pro. Because it is not able, for example, to easily handle a USB hard drive through the Files app. A totally arbitrary limit imposed by Apple, it is true.

For others, it will be the lack of a mouse that constitutes a weakness. The lack of a numeric keypad. The lack of Photoshop / InDesign / a classic desktop application.

For others, it is the lack of Microsoft Office. Oh, but no, it has been available for almost 4 years. Oh yes, but no, it is not the same thing as on a desktop computer. So not pro.

But do these points alone disqualify the iPad (not necessarily the Pro, either) from carrying out professional tasks?

Every day, we meet new iPad users who say they are satisfied with it. Who work with it, who create. They are pros too. But unlike other users, they were willing to accept the few sacrifices that switching to iOS imposed, for a tool that perhaps suited them better. That offered them things a laptop does not do as easily. Like taking a photo and scribbling remarks on it with an Apple Pencil before sending it to some contact or storing it in a dedicated cloud service so that a client can also annotate it. Isn’t that pro? Yet that is exactly what the iPad was designed for.

Take, for instance, Federico Viticci’s mammoth review of iOS 12. It is far from being his first review done entirely on iOS. So that isn’t professional use? Really? Yet he produced several thousand characters and put everything online using only his iPad. On the other hand, it is interesting to note that in the list of applications used to produce that review, there are none of those killer apps supposedly indispensable to any pro use. No Microsoft Word™, no Adobe Photoshop™. Because the iPad Pro is not a comfort machine. It is a computer (let’s say it, yes, it is a computer, no more, no less) that will only let itself be tamed if you agree to question your way of working, your tools, in order to find much better tools there, better suited to your needs.

It is actually a more general problem: thinking that Word or Excel are unavoidable, when there are tools a hundred times better for certain tasks, even on the Mac. Personally, for example, I find it harder and harder to work with Word, while I enjoy Pages more and more, if only because it correctly handles the macOS auto-save features.

But then we can always come back to the initial question: what is a pro? A professional, then. But of what?

If we take Wikipedia’s definition: A professional is a person specialised in a sector of activity or practising a profession or trade. Professionalism characterises the quality of the work of someone who has experience. Professionalism is the ability to ensure a commitment to society and to meet its expectations. But historically, at Apple, the Pros… are the creatives. Well, that was before. Since then, with the iPad and iPhone, Apple has conquered many other professional markets, which are talked about far less, because we remain attached to that fringe of professionals that image, sound and video creatives were for Apple for years.

There is, however, a very important distinction at Apple in the use of the word pro. At Apple, Pro is applied to differentiate hardware ranges. The term Pro replaced the term Power over time: Power Macintosh > Mac Pro, PowerBook > MacBook Pro, Power Pascal > Pascal Praud (OK, I’ll see myself out). The iPad could have been called the Power iPad… and in the end that would have been clearer. An iPad, with more power, quite simply. So Apple is perhaps making a mistake and complicating the situation by attaching the term Pro to computers that are simply its most powerful, and not reserved solely for a pro clientele, let alone a clientele interested only in pure creation.

So let’s get back to our iPad Pro. If you think you absolutely need to connect an 8 TB external hard drive to it to work all day, then perhaps, indeed, the iPad Pro is not (yet) for you. But do not think that what you can only do with your computer automatically disqualifies the iPad as a professional tool for many people. Just consider the iPad a tool unsuited to your needs, just as the MacBook Pro could be considered unsuited to other needs. Only the end result matters. And that will not make the iPad Pro any less pro for others. Your mileage may vary, as the English say before Brexit (afterwards, they will just say “Fuck fuck fuck”).

It is not the tool that will decide whether you are a pro or not. It is what you do with that tool that will decide for you.

Session videos from Jamf Nation User Conference 2018 now available

Jamf has posted the session videos from Jamf Nation User Conference 2018, including the video for my “Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤” session.

For those interested, all of the JNUC 2018 session videos are available on YouTube. For convenience, I’ve linked my session here.

T2, FileVault and brute force attack protection

Apple recently released an overview document for its new T2 chip, which includes how the new T2 chip-equipped Macs have new protections against brute force attacks. This protection only applies if FileVault is enabled and is similar in concept to how iOS devices set with passcodes are protected against brute force attacks.

On iOS, if an incorrect passcode is entered more than five times, a one-minute delay is imposed.

After the sixth try, the delay is now five minutes and the delays get longer from there until the device has the 10th wrong passcode entered and the device wipes.

On Apple iOS devices with a Secure Enclave, those delays are enforced by the Secure Enclave processor. Similarly, the T2 chip-equipped Macs also have a Secure Enclave processor which is managing access attempts and introducing delays.

For Macs with Secure Enclave, the enforcement looks like this:

  • 30 unlock attempts using the password at the login window or in target disk mode
  • 10 unlock attempts using the password in Recovery Mode
  • 30 unlock attempts for each enabled FileVault recovery mechanism
    • iCloud recovery
    • FileVault personal recovery key
    • FileVault institutional recovery key

The maximum number of unlock attempts is 90, regardless of the mix of methods used. After 90 attempts, the Secure Enclave processor will no longer process any requests to do the following:

  • Unlock the volume
  • Decrypt the volume
  • Verify the password / recovery key

Delays are also imposed on macOS between attempts.

So what happens after 90 attempts? Does the Mac lock forever and become a paperweight?

After checking with AppleCare Enterprise, the answer is that the Mac will not be a paperweight, but that the Mac’s boot drive will need to be erased before it can be used again. This approach helps make sure that the Mac is still usable, but also ensures that the encrypted data stored on the boot drive is no longer recoverable.

For more information about brute force protection for encrypted iOS and macOS devices, I recommend checking out Apple’s currently available white papers: