First some background. I’d been waiting for a bump in Apple’s laptop line for quite some time and it got to the point where the money I’d saved was starting to burn a hole in my bank account and make inroads to the Earth’s core. So Apple finally and quietly released a new set of MacBook Pros on the 12th July and it was like: credit card clear? check! bank account has enough funds? check! TARGET SIGHTED! PULLING TRIGGER!
I’m typing this now on the results. However during the course of events after receiving the machine I did make some discoveries and they’re all related to “Our new T2 chip overlords” ™.
I decided to update the OS, using my developer account and the 10.14 beta that I’ve access to. Not going to discuss anything NDA, don’t worry. Part way through the initial installation process I thought: “Hey, I wonder if I can hit command + L and get a log window?”.
Yes you can. You can save it too, so I did for later examination.
I also did wonder why the initial window stayed on “estimating 2 minutes …” for rather longer than two minutes. Anyway, 30 or so minutes after that, I examined the log file that I’d saved earlier.
So for brevity’s sake, I’ll post a snippet of the relevant items and then I’ll go through.
Jul 24 08:51:57 Richards-MacBook-Pro InstallAssistant: Running OS Build: Mac OS X 10.13.6 (17G2112)
Jul 24 08:51:57 Richards-MacBook-Pro InstallAssistant: Env: TMPDIR=/var/folders/jc/q967nwyn0clb9wbz4g8nj8tm0000gn/T/
Jul 24 08:51:58 Richards-MacBook-Pro osinstallersetupd: seedProgramSource : Default
Jul 24 08:51:58 Richards-MacBook-Pro osinstallersetupd: seedProgram : PublicSeed
Jul 24 08:51:58 Richards-MacBook-Pro osinstallersetupd: catalogURLString : https://swscan.apple.com/content/catalogs/others/index-10.14beta-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
1. It runs a detect on the device and the existing OS version. Makes a note then works out what the appropriate macOS software update catalog URL is, incidentally using a .gz compressed file I’ve never seen before now. I guess the .plist files are getting a little big with nearly ten OS versions in there.
2. Err ok, it’s actually loading the catalog?
Jul 24 08:52:18 Richards-MacBook-Pro osinstallersetupd: OSISDownloadOperation: Using catalog for bridgeOS: https://swscan.apple.com/content/catalogs/others/index-10.14beta-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
Jul 24 08:52:18 Richards-MacBook-Pro osinstallersetupd: OSISDownloadOperation: bridgeOS update is required (minimum bridge version: 16.16.334.5.5,0)
Jul 24 08:52:19 Richards-MacBook-Pro osinstallersetupd: Using product at distance 25
3. It’s just compared what the latest bridgeOS update is with the version that’s on my device, and my device has been shown as wanting.
(For those unaware, the Touch Bar on current macOS laptops is running bridgeOS, and on the newer T2-based devices it’s probably doing a lot more than just making that work.)
4. Wait. It’s now downloading nearly 3/4 Gb of packages, so what exactly is in the 5.5Gb that’s in the Install macOS app bundle?
Jul 24 08:53:46 Richards-MacBook-Pro osinstallersetupd: Started downloading package com.apple.pkg.BridgeOSBrain (http://swcdn.apple.com/content/downloads/37/45/091-95250/sr9mc3h2fhn4mwr0lrzh5ekk92gfr7b1yz/BridgeOSBrain.pkg)
Jul 24 08:53:46 Richards-MacBook-Pro osinstallersetupd: PackageKit: Received response from peer 18.104.22.168
Jul 24 08:53:47 Richards-MacBook-Pro osinstallersetupd: Retrieved package com.apple.pkg.BridgeOSBrain (http://swcdn.apple.com/content/downloads/37/45/091-95250/sr9mc3h2fhn4mwr0lrzh5ekk92gfr7b1yz/BridgeOSBrain.pkg)
5. Holy )(*!! it’s downloading updates, running some checks whose logs I’ve left out, and applying them.
Jul 24 08:56:18 Richards-MacBook-Pro osinstallersetupd: bridgeOS prepare summary: 15P6613 -> 16P50334e, update = 16.16.334.5.5, brain = 16.16.334.5.5, variant = com.apple.bridgeOSCustomer, macOS = 17G2112 (customer), project = BridgeOSInstall-55.1, userAuth = 0, prod fused = 1, model = j680ap, client = InstallAssistant, retries = 0, session = 6F37CA43-6DF5-4E4D-9479-C9C0C0D272F9: success
Jul 24 08:56:18 Richards-MacBook-Pro osinstallersetupd: bridgeOS update prepare complete
6. And now it gets on with the rest of the OS upgrade.
It’s only after finding all this out that I get the real bombshell. This is a suitably censored screen grab from the MacAdmins Slack:
So this all has wider implications: if you deploy the Apple install macOS app bundle to devices, it will attempt to contact the internet for further updates. I like the idea of keeping a device and all its many firmwares patched, but I’m also aware of how impossible this is going to be in very secure environments.
In fact, I feel a migraine coming on just thinking about it.
Do you have proxy services? Do you have next generation firewalls? In fact do you have anything that restricts traffic egress or otherwise interferes with internet traffic? These devices represent a world of pain heading your way, and this is only going to get worse. The T2 chip is going to slowly percolate over the Apple product line.
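Added example (not part of the original post, and not Apple tooling): a small Python parser that takes a saved installer log like the one quoted above and lists every scheme, host and port it shows the installer contacting, which is the starting point for a proxy or firewall allowlist, and also breaks the "bridgeOS prepare summary" line into fields. The sample lines are copied from the excerpt in this post; the field names `from_build`, `to_build` and `result` are labels chosen for this example, and reading the two values around `->` as the before and after bridgeOS builds is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Lines copied from the installer log excerpt quoted in this post.
SAMPLE_LOG = """\
Jul 24 08:51:58 Richards-MacBook-Pro osinstallersetupd: catalogURLString : https://swscan.apple.com/content/catalogs/others/index-10.14beta-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
Jul 24 08:52:18 Richards-MacBook-Pro osinstallersetupd: OSISDownloadOperation: Using catalog for bridgeOS: https://swscan.apple.com/content/catalogs/others/index-10.14beta-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
Jul 24 08:53:46 Richards-MacBook-Pro osinstallersetupd: Started downloading package com.apple.pkg.BridgeOSBrain (http://swcdn.apple.com/content/downloads/37/45/091-95250/sr9mc3h2fhn4mwr0lrzh5ekk92gfr7b1yz/BridgeOSBrain.pkg)
Jul 24 08:53:47 Richards-MacBook-Pro osinstallersetupd: Retrieved package com.apple.pkg.BridgeOSBrain (http://swcdn.apple.com/content/downloads/37/45/091-95250/sr9mc3h2fhn4mwr0lrzh5ekk92gfr7b1yz/BridgeOSBrain.pkg)
Jul 24 08:56:18 Richards-MacBook-Pro osinstallersetupd: bridgeOS prepare summary: 15P6613 -> 16P50334e, update = 16.16.334.5.5, brain = 16.16.334.5.5, variant = com.apple.bridgeOSCustomer, macOS = 17G2112 (customer), project = BridgeOSInstall-55.1, userAuth = 0, prod fused = 1, model = j680ap, client = InstallAssistant, retries = 0, session = 6F37CA43-6DF5-4E4D-9479-C9C0C0D272F9: success
"""

URL_RE = re.compile(r"https?://[^\s)]+")  # stop at whitespace or the closing ')'
SUMMARY_RE = re.compile(r"bridgeOS prepare summary: (\S+) -> (\S+?), (.*): (\w+)$")
DEFAULT_PORT = {"http": 80, "https": 443}

def egress_endpoints(log_text):
    """Count references to each (scheme, host, port) found in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            port = parts.port or DEFAULT_PORT[parts.scheme]
            seen[(parts.scheme, parts.hostname, port)] += 1
    return dict(seen)

def bridgeos_summary(log_text):
    """Parse the 'bridgeOS prepare summary' line into a dict, or None if absent."""
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line.rstrip())
        if not m:
            continue
        # from_build / to_build / result are this example's own labels (assumed meaning).
        fields = {"from_build": m.group(1), "to_build": m.group(2), "result": m.group(4)}
        for pair in m.group(3).split(", "):
            key, _, value = pair.partition(" = ")
            fields[key] = value
        return fields
    return None

if __name__ == "__main__":
    for (scheme, host, port), n in sorted(egress_endpoints(SAMPLE_LOG).items()):
        print(f"{scheme:5} {host}:{port}  ({n} references)")
    print(bridgeos_summary(SAMPLE_LOG))
```

On the excerpt above this reports the catalog fetched over HTTPS from swscan.apple.com and the BridgeOSBrain package fetched over plain HTTP from swcdn.apple.com, which matters for anyone whose proxy treats the two schemes differently.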
Now I’m going to go think of crazy networking solutions, or just start recommending to people “BeyondCorp or GTFO” because Apple’s devices really don’t play nice with many corp environments anymore.
And maybe that’s not such a bad thing?