Apple released macOS 14 Sonoma this week. Our review of the first beta back in June covers much of what Sonoma brings to Enterprise users and is worth reading as a preface to this post. Sonoma’s headline features are listed by Apple here, and for the first time, it has also stood up a separate “What’s New” for enterprise listing here.
In this post, we’ll supplement our earlier review and other sources with some additional thoughts about what’s new and what’s missing in macOS Sonoma from a security perspective.
Sonoma Hardware and Software Support
We covered this last time out and nothing has changed in the interim, but for convenience, note that Sonoma drops support for 2017 Intel MacBook Pros and iMacs, with only the iMac Pro from that year officially supported for Sonoma. Otherwise, it’s 2018 and on as a minimum hardware requirement.
Although not available at the time of writing, the venerable Open Core Legacy Patcher project is promising an update to the project for Sonoma on or around October 2nd. Not recommended in enterprise or production environments for security reasons, it nevertheless can be useful for those that want to repurpose old hardware for research or experimental purposes.
Security is always top of mind for us, and password security is naturally a major concern. In Sonoma’s Settings.app (previously known as System Preferences), there are a few small but useful changes.
After unlocking the Passwords pane, a new option allows users to review recently generated passwords. Unsaved passwords remain for only 30 days, so during that time they need to be saved either to Apple’s own My Passwords or to a third-party password manager.
The Password Options pane also offers a new housekeeping task that can automatically delete verification codes in Messages and Mail after they have been inserted with AutoFill. This mirrors similar functionality available in iOS 17. We’d hope services are rapidly moving away from simple 2FA as a secure means of verification, but for those that haven’t, this is a nice bonus feature.
Along with other vendors, Apple began in Ventura the long process of trying to wean users off passwords as a primary authentication factor in favor of passkeys. In Sonoma, passkeys are now supported across Managed Apple IDs and can be collected, along with passwords, in groups so that they can be shared securely.
MacAdmin guru Rich Trouton has noted that for admins enforcing password policies across their fleets via MDM, the initial release of macOS Sonoma has a bug which may be triggered when deploying a configuration profile that sets password rules for local accounts. The bug causes unwanted notifications to pop up telling the user they need to update their passwords. Rich details a workaround which involves suppressing notifications for local password management until Apple fix the issue.
Sticking with the Settings.app, macOS Sonoma brings a bit more control to the rudimentary device control first added in Ventura regarding USB accessories. In the Privacy & Security pane, users can find a new preference to choose different consent policies when a new USB device is connected. The options for the “Allow accessories to connect” preference are Ask Every Time, Ask for New Accessories, Automatically When Locked, and Always. Attacks via poisoned USB may seem like something from the past, but they are very much still a thing.
More fine-grained device control is welcome, but like most of Apple’s TCC-controlled security restrictions this one is both a weak and blunt approach. There is no option to block USBs entirely, or for a certain user, class of peripheral, or group. The strongest option is to ask the user for consent each time, which means alert fatigue or social engineering are both obvious flaws that could allow a malicious device to get past this setting regardless of what option is chosen.
Additionally, as a system-wide setting, it doesn’t take into account different needs for different users on Macs with multiple accounts. Full, fine-grained device control is, however, available from security solutions like SentinelOne.
Mail can now autofill verification codes sent via email without the user having to leave the browser. This is a feature that’s been available via Messages for some time, and adding a parallel feature to Mail makes sense.
Users will more likely notice Mail in Sonoma for what it lacks rather than what it adds; chiefly, this is the loss of Mail Plug-Ins. As elsewhere across the OS, plug-ins are deprecated in favour of Extensions. However, as noted by the developers of the widely-used GPG Mail plugin, the Mail Extensions API lacks some important functionality. This includes:
- Entire message data is not always passed to the extension, making processing of the encrypted message impossible
- Reliably encrypted drafts
- Support for setting the default state of the sign and encrypt button in compose windows, the lack of which can lead to dangerous side-effects
- The sign and encrypt button could go out of sync with internal state if keyring changes are detected
It is expected that support for the missing features may arrive in the first Sonoma update, and GPG are holding off releasing a Mail Extension equivalent until the missing features become available. If you rely on GPG Mail for security, the GPGTools team are advising not to update to Sonoma for the time being.
Perhaps the biggest changes to come with Sonoma – and also backported to Ventura – are those in Safari 17. As noted in our review of Sonoma beta, Safari 17 gains quite a few features, including Web apps and Profiles. We don’t have much to say about these that we didn’t say already except that we found the former perhaps less useful in practice than the latter. Chrome has long had a Profiles equivalent, so Apple are definitely playing catch up here.
From a security (rather than productivity) point of view, the main advantage to point out with Safari Profiles is the ability to restrict extensions to a given profile. This means that you can have extensions for your personal profile that can’t access data in, say, your work profile and vice versa. That assumes, of course, that you work for a company that doesn’t mind you mixing personal and work tasks on the same device. In addition, each profile also gets separate bookmarks, favorites, history and cookies.
While we’re on the subject of extensions, it’s worth noting that in Safari Settings (aka Preferences), users can now choose whether an extension works in Private Browsing mode or not.
As ever, Safari remains some distance behind Chrome when it comes to extensions and add-ons, particularly for web developers, though Apple has certainly tried to set out its case for wooing back that particular audience. The lack of scripting and customization such as you get with, say, Vivaldi, remains annoying for certain use cases in Safari, but native scripting support has been on the wane in macOS for a long time.
If you’re a Chrom(e)ium or other browser user, it’s unlikely there’s anything in Safari 17 that will make you jump ship, but aside from (in our view) offering better security for things like saved passwords and better integration across the Apple ecosystem, Safari 17 at least starts to add some missing features familiar to users of other browser products. Nonetheless, it remains the case that some websites still don’t perform properly with Safari, and thus a secondary browser (Firefox, here) remains a necessity.
SentinelOne Supports macOS Sonoma
SentinelOne macOS Agent version 23.2 GA supports macOS Sonoma 14.0 (23A344). Customers are advised to upgrade the SentinelOne agent version prior to upgrading to macOS 14.0 Sonoma and to consult the support notes available here.
Sonoma, much like Ventura before it, continues Apple’s steady evolution of the platform as it transitions away from Intel-based Macs entirely. There is nothing groundbreaking here and the features added to Sonoma are more incremental than fundamental. Insofar as the platform focuses on stability and security first and features second, that will be all the more welcome by enterprise users and security vendors alike.
from SentinelOne https://bit.ly/3RDt3Lo