Apple's new macOS Sequoia update is breaking some cybersecurity tools
(techcrunch.com)
64 points by zspitzer 2 months ago | 41 comments
move-on-by 2 months ago | prev | next |
> “As a developer of macOS security tools, it’s incredibly frustrating to time and time again have to deal with (understandably) upset users (understandably) blaming your tools for breaking their Macs, when in reality it was Apple’s fault all along,”
I would like to understand this better. Were there not any beta releases that these companies could have tested with in advance? Or were changes made between the beta and the release that broke things? Or something else?
sephamorr 2 months ago | root | parent | next |
Per Patrick Wardle, this was well reported to Apple during beta.
move-on-by 2 months ago | root | parent | next |
Thank you, this makes the frustration in the above quote more understandable. For anyone wanting to avoid the x click:
> Worth stressing this was reported to Apple before the GA was released (by multiple people, to multiple teams/orgs within Apple) so Apple 100% knew about this, and shipped macOS 15 anyways
bzzzt 2 months ago | root | parent | next |
IMO those Mac anti-virus tools are basically malware exploiting all kinds of loopholes and hacks to get their hands on everything going on in the system. It's a good thing Apple fixes those loopholes and it's not Apple's responsibility to make sure every hack used by these tools keeps working.
MichaelZuo 2 months ago | root | parent | prev |
Apple, or at least their teams responsible for answering feedback, rarely ever give substantial responses nowadays, regardless of how well documented the submission was. So it compounds the frustration.
And this isn’t even the most egregious case, sometimes the bugs are so obvious that they generate multiple hard faults, per hour, logged in Console, on a fresh installation with only the default apps running.
pcdoodle 2 months ago | root | parent |
[flagged]
aaomidi 2 months ago | root | parent | prev | next |
Apple is not responsible for ensuring your malware (yes, that’s what I personally consider this software) or even your software runs on Mac.
The betas are there for you to test your code against future Mac releases. Apple can and probably will take away APIs that your business is built around. Especially when those APIs are actually decreasing security.
jhbadger 2 months ago | root | parent | prev |
I'm not a big fan of these tools myself (although like many people my employer insists on them). But still, isn't it the responsibility of the tool maker to make their software work with new OS versions and not Apple's?
Spivak 2 months ago | root | parent | prev |
This is the part I'm missing too. Major versions are the time to ship breaking changes, did none of these companies bother to test their software that mucks deep in the plumbing of the OS?
1over137 2 months ago | root | parent | next |
It is very typical to file bugs against even the first beta and not see them fixed before GM, or even ever.
eviks 2 months ago | root | parent | prev | next |
They did, reported it, nothing changed.
It's an OS bug, you can't make it look good by invoking some generic "time to break" principle
ywvcbk 2 months ago | root | parent |
Or they fixed a bug/loophole that allowed this software to function?
eviks 2 months ago | root | parent |
Or they didn't since this software is supposed to function and has been functioning for all the previous many years/OS versions?
RockRobotRock 2 months ago | root | parent | prev |
Is there even an equivalent to WSUS on macOS that lets admins block an update until it's tested?
salmo 2 months ago | root | parent | next |
Yeah. There’s Jamf and similar tools. Companies often block major updates until their 100 agents all officially support it. Oh, and do cool things like not letting you change your background or whatever random settings some admin decides are good.
ripa 2 months ago | root | parent |
Yep, a lot of these policies seem to come from some random person scrolling through a list of supported options and arbitrarily making up values that are enforced on people.
One of our policies enforces that screen savers must start after 20 minutes, and it’s not possible to reduce it (I have my personal on 3 minutes). Or the fact that it will constantly reset the UI notification volume to 100% and speaker output, even though I have headphones almost always.
Infuriating.
wpm 2 months ago | root | parent | prev | next |
There is a configuration profile payload that can stop updates like major version changes for up to 90 days. You cannot stop them indefinitely from appearing in Software Update.
colechristensen 2 months ago | root | parent | prev |
Yes, it's called MDM (Mobile Device Management) and lets admins set all kinds of policy on apple devices. There are several vendors out there that implement it.
mikl 2 months ago | prev | next |
Always fun to see the spyware merchants whining about how Apple’s privacy protection efforts makes creeping on users difficult.
Cry harder, dirtbags.
Someone 2 months ago | prev | next |
> At this point, it’s unclear exactly what is the issue
So, is this a bug in Sequoia or a change that affects these low-level tools? If the latter, they may not like it, but that’s par for the game on MacOS.
(Tried reading https://x.com/patrickwardle/status/1836862900654461270, referenced by sephamorr, but that link isn’t working for me)
inkyoto 2 months ago | root | parent | next |
It appears that the default application firewall blocking rules are overly restrictive.
There are two «firewalls» in OS X: the IP packet filter (controlled by pfctl) and the application level one (controlled by /usr/libexec/ApplicationFirewall/socketfilterfw). The one that is causing a lot of grief for upgraded users is the latter one.
The workaround is to remove/disable the app level blocking rules manually:
1. Get a list of app level firewall rules:
/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
2. Locate the app(s) of interest.
3. Disable the app specific rules:
/usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp <path to the app from the list in step 1>
Alternatively, the app can be removed from the list of application firewall rules:
/usr/libexec/ApplicationFirewall/socketfilterfw --remove <path to the app from the list in step 1>
That will fix the problem, e.g. with Firefox (tested) or WireGuard (reported by somebody else above, untested).
If a DoH DNS configuration is used, it also makes sense to explicitly whitelist the DoH provider in «pfctl» rules at IPv4/IPv6 and domain levels.
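The list-then-unblock procedure in the comment above, written out as an added shell example; it is not part of the comment and not Apple's tooling. It assumes that socketfilterfw --listapps prints each entry as a numbered "N :  /path" line followed by a "( Block incoming connections )" or "( Allow incoming connections )" line (the sample listing below is constructed, not captured from a real machine). Where socketfilterfw is absent the script parses that sample instead, so the audit logic can be checked anywhere; by default it only reports what step 3 would change.

```shell
#!/bin/sh
# Added example, not from the thread: list macOS Application Firewall (ALF)
# entries set to "Block incoming connections" and optionally unblock them,
# which is the manual workaround described in the comment above.
# ASSUMPTION: `socketfilterfw --listapps` prints each entry as a line
# "N :  /path/to/App.app" followed by a line containing either
# "( Block incoming connections )" or "( Allow incoming connections )".

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Parse --listapps text from stdin; emit "<app path><TAB><block|allow>" per entry.
parse_alf_rules() {
    awk '
        /^[0-9]+ :/ {                       # "N :  /path" line starts an entry
            sub(/^[0-9]+ :[ \t]*/, "")
            app = $0
            next
        }
        app != "" && /\( *(Block|Allow) incoming connections *\)/ {
            state = ($0 ~ /Block/) ? "block" : "allow"
            printf "%s\t%s\n", app, state
            app = ""
        }
    '
}

# Keep only the paths whose rule is "block".
blocked_apps() {
    parse_alf_rules | awk -F '\t' '$2 == "block" { print $1 }'
}

# Constructed sample of --listapps output (not captured from a real machine).
SAMPLE_LISTAPPS='ALF: total number of apps = 3

1 :  /Applications/Firefox.app
     ( Block incoming connections )
2 :  /Applications/WireGuard.app
     ( Block incoming connections )
3 :  /Applications/Safari.app
     ( Allow incoming connections )'

# Read the live rule list on macOS, or fall back to the sample elsewhere.
current_listing() {
    if [ -x "$SFW" ]; then
        "$SFW" --listapps
    else
        printf '%s\n' "$SAMPLE_LISTAPPS"
    fi
}

# Dry run by default: print what would change. With "--apply", run the
# comment's step 3 (--unblockapp) for each blocked entry; that needs root.
review_blocked() {
    mode=${1:-dry-run}
    current_listing | blocked_apps | while IFS= read -r app; do
        if [ "$mode" = "--apply" ] && [ -x "$SFW" ]; then
            "$SFW" --unblockapp "$app"
        else
            printf 'would unblock: %s\n' "$app"
        fi
    done
}

review_blocked "${1:-dry-run}"
```

Run it with no arguments to see which entries the comment's step 3 would touch; on a Mac, run it as root with --apply to clear those block rules. Substituting --remove for --unblockapp drops the entry from the list entirely, which is the comment's alternative.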
replete 2 months ago | root | parent | prev |
There's a bug megathread on r/macos full of networking bugs that makes it clear that upgrading to sequoia is not a good idea just yet.
SemioticStandrd 2 months ago | root | parent |
Not just networking issues, there are plenty of reports with external drives having problems as well.
replete 2 months ago | root | parent |
I usually wait for a .4 update before upgrading. One time around Catalina there was a bug that broke USB-C docks.. Oh cool none of my devices work.
Interestingly in that thread, 'Intel' is not mentioned once.
whynotmaybe 2 months ago | root | parent |
This reminds me of a joke about "windows users waiting for the service pack while macos is always stable" that a friend always rubbed in my face whenever I had some issue with windows a decade ago.
And that I just sent a message yesterday to my team to wait before installing sequoia... But now I'll use your target of .4.
replete 2 months ago | root | parent |
That's the trick for stability on MacOS, wait a few versions after a major. Done this for a few years now and I have had no problems. When they change OS APIs, it happens on a major point zero release. Another good reason to wait is many apps aren't ready in time for the changes. I'll install a point 2 or a point 3 if it looks like a good release, but it looks like this isn't one of them. My pro tip for finding out whether it's a good upgrade or not is the macrumors article comments, I'll scan through and see what people are saying about the update.
perryizgr8 2 months ago | prev | next |
Yes, this is the right move that Windows should have done long ago. These are not security products; they are security theater. Chosen only for compliance or CYA reasons by people who don't fully understand the systems they are in charge of securing and administering.
Break them again and again until people realize how useless they are.
yawnbox 2 months ago | prev | next |
all my wireguard tunnels could not connect upon upgrade. disabling the macos firewall allowed me to use my tunnels again, fyi.
evulhotdog 2 months ago | root | parent | next |
I read somewhere about old ESET rules in the macOS firewall blocking various UDP traffic. Quick Google might get you more information.
bomewish 2 months ago | root | parent | prev |
Tailscale affected?
vigormortis 2 months ago | root | parent | next |
It is for me. I've had to disable it on my mbp and ios devices; otherwise DNS lookups choke.
cassianoleal 2 months ago | root | parent | prev |
Not for me.
lxgr 2 months ago | prev | next |
> “As a developer of macOS security tools, it’s incredibly frustrating to time and time again have to deal with (understandably) upset users (understandably) blaming your tools for breaking their Macs, when in reality it was Apple’s fault all along,”
> On the day of macOS Sequoia’s release, a CrowdStrike sales engineer said in a Slack room for Mac admins that the company had to delay support for the new version of Mac’s operating system. “I’m very sorry to report that we will not be supporting Sequoia on day 1 in spite of our intention (and previous track record) to support the latest OS within hours of [General Availability],” the engineer said in the message, seen by TechCrunch.
If only Apple had offered these clowns some sort of beta or developer preview version to test their snake oil against before the widespread release of the new OS...
Absolutely zero sympathy.
guidedlight 2 months ago | prev | next |
These cybersecurity tools are like posting a contracted armed security guard to an airport departure lounge.
musicale 2 months ago | prev |
> And, somehow, the software update has broken the functionality of several security tools made by CrowdStrike, ...
What terrible news – whatever shall we do?
appendix-rock 2 months ago | root | parent |
Please look past the fact that CrowdStrike is today’s, or yesterday’s, cultural whipping boy. They make software, and its users would like it to work. It’s not a good thing.
ronsor 2 months ago | root | parent |
And it's their responsibility to make sure it works by testing on pre-release OS builds and implementing fixes when necessary.
FireBeyond 2 months ago | root | parent |
And when they report bugs to the vendor, and Apple just black holes those bugs, as they do in probably 99.8%+ of bug reports?
"Suck it up"?
floydnoel 2 months ago | root | parent |
find a workaround because you already know what is coming down the pipe? this isn't new to development, I've done it in my own apps for apple issues before. maybe they just need some more experienced developers?
ossobuco 2 months ago | root | parent |
> find a workaround because you already know what is coming down the pipe? this isn't new to development, I've done it in my own apps for apple issues before.
I mean yes, ultimately if you want your app to be used, you'll have to do that, but wouldn't it be better if Apple stopped carelessly breaking backward compat with every update?
jasonvorhe 2 months ago | next |
I don't see a single product listed there that actually improves security. I'd consider them "cover your ass for compliance" products. None of these vendors has a track record of delivering quality or actual protection without increasing the attack surface, as proven by past screwups of these companies. They even quote Crowdstrike in the first paragraph.
macOS release dates are predictable and Apple ships developer previews and public betas. If these vendors can't update their products in time that doesn't speak for their processes, automated testing infrastructure nor care for their customers.