Episode 316: Peter Borg

Lingon has been a part of the MacAdmins toolkit for as long as recent memory caused us to make launch items. Sandkorn became useful around the same time that we had to start looking at application sandboxes. In today’s episode, we interview the person behind these: Peter Borg

Hosts:

  • Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
  • Charles Edge, CTO, Bootstrappers.mn – @cedge318

Guests:

  • Peter Borg

Links:

Click here to read the transcript

This week’s transcription is brought to you by Alectrona

James Smith:
This week’s episode of the Mac Admins podcast is brought to you by Kandji. You know where the biggest potholes are when switching device management solutions? It’s not the prep work or figuring out how to replicate your current configuration in the new system. It’s that moment when management is temporarily removed from a Mac, leaving you with no control. From there, you have to rely on users to follow your instructions and enroll their devices into the new solution. Multiply by hundreds or thousands of devices, and support tickets and errors start cropping up at scale.
Kandji has changed the game with this migration assistant, a seamless tool with completely customizable logic that guides users through enrollment into Kandji’s device management solution so your support team won’t have to. 100% free for all new customers, Kandji’s migration assistant is just one piece of an overall exceptional experience Mac Admins enjoy with the use of Kandji’s comprehensive solution. To learn more, head on over to kandji.io/migration. That’s K-A-N-D-J-I.io/migration. Or join the Kandji channel on the Mac Admin Slack to say hi and see what they’re up to. Thanks again to Kandji for sponsoring this episode of the Mac Admins Podcast.

Marcus Ransom:
Wow, that delay was really… That was like… You look like you were clapping five seconds behind me.

Charles Edge:
I thought I was right with you. I wonder if the video’s-

Marcus Ransom:
Yeah.

Charles Edge:
Yeah. He’ll figure it out.

Marcus Ransom:
James.

Charles Edge:
Sorry, James. We haven’t even started.

Marcus Ransom:
This is going to be one of those episodes, James,

Charles Edge:
In our bloopers reel. We haven’t even started, we’ll end up in there.

Marcus Ransom:
Hello and welcome to the Mac Admins podcast. I’m your host today, Marcus Ransom, and we were just discussing this may be one of those episodes. Charles, how are you going?

Charles Edge:
I was great till we tried to clap sync and I messed it up. If you can’t get that right, what can you get right? But how are you Marcus?

Marcus Ransom:
I’m fine. I just got back from a week of traveling and living out of suitcases and-

Charles Edge:
Been a while for that.

Marcus Ransom:
… Seeing two different countries, three different airlines, multiple hotels, flood warnings right as the keynote for Jamf Nation live in Auckland kicked off. Getting to experience the members stand at the Sydney Cricket Ground. It was great. It was a wonderful time. But now having to readjust and trying to set everything back up on my desk after carrying all of my stuff with me for so long. So if the audio drops out, it’s all due to my own inability to plug things in where they’re supposed to be. So we haven’t got Tom with us here today, so it’s just Charles and I. So we’ll see how this goes.

Charles Edge:
Yeah. Not only that, but it’s an interesting new take on ways to get guests who don’t want to be interviewed on air. So one of the things that we run into is sometimes people don’t feel comfortable with English, the language that we typically use, or maybe they feel anxious.
I can think about a dozen more reasons why people have said, “I’m not really interested in being on the podcast.” And some of those we’ve been able to address by having will collect them sometimes and have a menagerie of guests at once, a panel, I guess we call it. And that’s one way to get people who might not otherwise be interested. But one of the people that we’ve wanted since, I think, day one is Peter Borg. And I would say Lingon has been a part of the Mac Admins toolkit for about as long as recent memory caused us to make launch items. And Sandkorn became useful around the same time that we had to start looking at application sandboxes. So in today’s episode, we get to interview Peter Borg and we’re going to read his written responses to our questions that we asked before we hit the record button. And he won’t physically be on the pod, not that anyone ever shows up physically. Everybody’s virtual because we record over Zoom. He’ll be in spirit with us. How’s that?

Marcus Ransom:
I’m glad that we’ve been able to find a way to get this to work as well, because more often than not, I’ve found the people who are reluctant guests, when we’ve been able to convince them to come on have had the most amazing stories to tell. It’s a bit like conference presentations. People who are like, well, “I’ve got nothing I could present at a conference,” usually don’t realize how wrong they are. And the amazing insight and the stories and experience that they’ve got trapped inside them are actually sometimes the stories that people really need to hear. So bear with us while we try to tell Peter’s story for him and we’ll try and do his amazing insight justice.

Charles Edge:
Truly. So the first question we had is the typical, “Thank you so much for agreeing to do this episode with us, Peter.” And by the way, thank you so much for responding in writing, Peter, in case you get to listen to this. “So many a Mac Admin will have used Lingon or Sankorn, but it’s great for us to get to know a little bit about the people behind the app. So do you mind giving us a little bit of an origin story, how you got into programming?”

Marcus Ransom:
So Peter’s response to this one was, “I have a little bit of an unusual background as it is in liberal arts and I’m self taught when it comes to programming, but I’ve always been interested in computers and I realize that my brain seems to work quite well for developing and programming. As I started to work as a Mac Admin and it progressed to more and more developing. And about 10 years ago, I quit my job and I’ve worked with my own company since then. And I really enjoyed solving problems and being creative and in that way help others to make something quite complicated, as easy as possible for all. So those are my favorite bits with my job and with my previous jobs and enjoyed writing small apps and scripts to help solve problems and make life better for my users.”

Charles Edge:
And the thing I love about this is that era where he first released Lingon, that is extremely exemplary. So many of those people, who, whether they wrote the apps or they were CS admins just learning to program, a lot of them had liberal arts degrees, music, art, industrial design.

Marcus Ransom:
Well, I think reading that, it was really taking me back to exactly that same scenario where I decided to quit my career and move into trying to make a full-time gig out of managing these Macs. And it was literally tools like Lingon that helped me understand how launchd worked and the difference between launch daemons and launch agents and how to actually create them from someone who wasn’t that comfortable with the command line.

Charles Edge:
I do feel like when it came to Lingon, I used it a lot in books to visually show how these things work because it’s so much easier to craft a plist once you’ve done it under the auspices of a GUI. It surfaced this knowledge and it did a few things under the hood, like fix permissions because launchd items had to have a specific permission, but when it boxed you in to having to put stuff in the right place and put the right stuff in the right place, eventually you just got to this point and I learned how to do the launchd stuff from Lingon first if I’m not mistaken. But eventually you get to this point where you’re like, “Oh, I’ll just do this in the command line now.” But also forever it helped to put everything in a nice concise, like I can look at a thing and I can see all the things at once. So even when I wasn’t using it to create things, I would still use it because it was easy to visualize what was running on the system.

Marcus Ransom:
Absolutely. Being able to see how many different items there were and how they might have been interacting with each other rather than having to go in individually to all of the components. The other thing that I really loved was when you look at apps like Auto Packager and the Jamf Compliance Editor is lowering the barrier for the point of entry for people to be able to use these complex tools like Auto Package or the Macro Security Compliance Project without having to have all of the background in using Git or being comfortable in the command line or just being in a hurry and wanting to be able to do something really quickly without having to set everything up.

Charles Edge:
Sometimes it’s easy to surface a command line thing and give someone, if you distill it down, what are the things that you need to do and just get 75%, 80% of the stuff and a really slick interface. And then if you need the other 25% or 30%, you got to learn to drop it in the command line at that point. But I think if I were to try to summarize it, did that for launchd. So I am forever grateful for that. So thank you Peter, even though you’re not here.

Marcus Ransom:
I’ll take the next question, which is I think works quite well here. So the next question was, “So Peter, where did the idea come from to write Lingon?”

Charles Edge:
And his response was, “I personally never really enjoyed using cron. So when launchd was launched in 10.4 OSX Tiger, if I remember correctly, I started to write plists by hand to use it. But I soon realized that both for me and for the others, it would be a great to have a simple UI for it and also an app that would feel like a Cocoa app, which wasn’t really a given in those days. And perhaps not always now either, if you were to probably extend that logic to SwiftUI. So just as with all my apps, my motivation has always been to make something for me and other people that make it easier to use something.

Marcus Ransom:
I think we could say that it achieved that. It definitely made it a lot easier. Because that transition from cron was confusing for a lot of people. And like everything, there was still a lot of people desperately clinging on cron to keep using it, to have things happen at certain frequencies in certain times. So anything that’s able to make that transition, whether it be understanding that transition and getting familiar with it, to a new way of doing things or just finding, as we were saying before, a smarter way of using it without being able to abstract out all of the other extraneous information there.

Charles Edge:
It’s amazing to me how little, by the way, launchd has changed. I mean there are differences and it has evolved, but when Dave wrote it in, I want to say ’05, so maybe a Tiger release, it was just well architected. Hands down. And I know that replacing any init system for an operating system is kind of an extremely complicated task, but they just kind of nailed it. And I do think it seemed overly complicated at the time maybe, but over time when you realized just how extensible and extensive that it is, it became like, “Oh, I get it.” Because keeping in mind all of Apple’s kernel tasks were kicking off at launchd too. So hey, you got to bootstrap yourself. How’s that?

Marcus Ransom:
It’s also interesting to see, you mentioned how little it’s had to change. But I think we saw last year with Ventura sort of the first… And it wasn’t so much a change, it was an extra layer of transparency around it, letting users know where the background login items, what’s actually happening in there. So much like Lingon provided a GUI for us as admins to be able to visualize what’s happening for Apple to eventually understand that the users could probably do with some insight into what’s happening in there as well.

Charles Edge:
Yeah, I mean everybody always had it, but you had to know how to go find it.

Marcus Ransom:
Exactly.

Charles Edge:
And that’s actually a perfect segue into the next question. “So how did Lingon evolve over the years?”

Marcus Ransom:
So Peter’s response to this was that, “The first two versions basically added features, but when the Mac App Store started, I simplified Lingon. For example, removed the ability to run things as root as it wasn’t allowed and released version three in the App Store. In the beginning, I could still release versions in the Mac App Store that loaded and unloaded launchds. However, when Apple restricted that and the fact that I really felt the need to be able to run jobs as root, I diverged the app and released Lingon.” Now here’s where we’ll get interesting here. Is it Lingon X Peter? Is it Lingon 10? I’ll assume that it’s Lingon 10 outside the App Store. “And then it was possible for users to do more complex things like for example, run a job as root. And that’s where we are now.”

Charles Edge:
And this is just a perfect summary of one of the ways that the OS has evolved.

Marcus Ransom:
And seeing Apple sort of understand the security implications of allowing users to have access to everything on their device and whether the users then allow somebody else to have access to everything on their device by proxy. So protecting users from themselves and having those gates around the App Store. And it’s been interesting to see how many applications found that the Mac App Store was really not the best home for them due to some of these requirements around root access and what they can and can’t do.

Charles Edge:
Yeah, I have maybe three dozen things that I would put on the App Store if it would be possible given the level of access that they need or private APIs that they use. But otherwise they just sit on my GitHub. And I’m horrible about making distribution packages, so it’s like, sign it yourself, that kind of thing. But I completely get that, I get that more than I get most responses. Having said that, it’s so much easier if something’s on the App Store, you just hit install or get [inaudible 00:17:08] absolutely.

Marcus Ransom:
Yes. And the idea, I’ve found this, when devices become more ephemeral sort of, it’s funny that a erase all content settings for me has been the thing that has made me rely more on the Mac App Store where things are not being pushed down by the MDM or the management tool, the things that I’m wanting to customize myself. It’s like realizing I can just go to sign into the App Store, click, click, click, click, click, click, click, all the stuff comes down and there we are. Whereas in the old days where your primary production machine going away had far scarier consequences with data, now all of my important data is in the cloud. Sometimes it’s easier rather than trying to clean up my desktop and my downloads folder to actually just clean up the whole machine entirely and start again.

Charles Edge:
So this next question, the thing that is most interesting to me about it in hindsight, because I’m working on my presentation, I wrote like 150 slides, so trying to split that into two presentations becomes challenging. But I’m working on my presentation for MacAD.UK and Penn State, which I’m going to do part one and part two and it’s about extensions. And I built a tool to provide telemetry into extensions and I wanted to make it free on the App Store, but you have to call root and it can’t be properly sandboxed because you can’t load or unload it in an extension or even see other extensions. You can see the file system, so theoretically you can get a sum of it, but not all of it. So I guess here’s the question that we posed to Peter about Lingon. “Can it use the App Sandbox and so be on the App Store?” And his response, Marcus?

Marcus Ransom:
Yeah, so his response to that was, “Well, so the main Lingon 10 app is sandbox, but it isn’t possible to load or unload launchd plists in a sandboxed executable or in an App Store app. So in Lingon 10, I used XPC Services to read the jobs and to load and unload jobs and also other things like scheduling startup or shut down of the Mac and the XPC Services aren’t Sandbox but communicates safely with the main app.”

Charles Edge:
That’s a perfect response to any question about things that you’re trying to get telemetry on that you can’t get an entitlement for, I guess.

Marcus Ransom:
Yeah. well I suppose it would be interesting to see, because I really like the approach Apple’s taken with the endpoint security APIs and system extensions where to get that level of access with a system extension, you need to have a configuration profile deployed by MDM to be able to give you those entitlements and allow that to work. And I suppose that really comes down to who is the target audience for something like Lingon. Could you then leverage an MDM entitlement for them to allow Mac App Store apps to be able to function that way, but then well the average non-managed user is left out of being able to have that. Can they then manually enable system extensions to get that to work? Do we get a system extension that allows apps or apps to function in a more complex manner?

Charles Edge:
That’s an interesting question. I mean part of the answer is the endpoint security framework requires a special entitlement as you mentioned and it provides a veritable fire hose of content that spews out of it. So now you have to accept it all and parse it, which can become very memory intensive or resource intensive because it’s not just memory. You could theoretically get to all of that XPC data, but now you’re, A, rearchitecting the app to work inside of an extension that has to be loaded by MDM as you mentioned. What about the home user that just wants to see a list of the launch daemons on their machine? Because that’s one of the amazing things to me about Lingon is I included it in the first edition of the security book. Because it’s like all in my mind, and now we would call these, at the time, I don’t think we called them this, but now we would call them persistent threats. But at the time we just called them crap running on your machine that probably couldn’t.

Marcus Ransom:
Tomato, tomato.

Charles Edge:
But when you’re talking to, especially when you write a security book, it’s like home users et cetera, and you’re trying to surface some of this information and Lingon definitely played into that where it’s like, hey, use this to see all this stuff. And your point about who are you effectively marketing this to or who’s the audience, I always felt like Lingon, the audience was anywhere from the home user who just wants to see what’s running on their machine all the way up to enterprise admins who want to create launch daemons for mass distribution or whatever.

Marcus Ransom:
And that’s the beauty of still being able to run code that’s not in the Mac App Store and doesn’t follow those rules is rather than having to jump through all of these hoops to try and get something to work in a certain way and have the user going in and manually approve entitlements or have a configuration profile, you can just not distribute it that way and make it so much easier to be able to do things.

Charles Edge:
If you shell things out as root, you can’t go on the App Store or if you do, things that would typically require that. And an extension, unless you have endpoint security, as far as I’m aware, there might be a way that I don’t know about, but can’t see other extensions from other apps. I guess if you can see the file system you can make as assertations or you can try to enumerate them, but it’s hard to know for sure, for sure, unless you look at what’s loaded. Same as launch daemons.

Marcus Ransom:
It’s adding so much additional complexity that is today’s complexity is tomorrow’s tech debt.

James Smith:
This week’s episode of the Mac Admins podcast is also brought to you by Kolide. Our sponsor, Kolide has some big news. If you are an Okta user, they can get your entire fleet to a hundred percent compliance. How? If a device isn’t compliant, the user can’t log into your cloud apps until they’ve fixed the problem. It’s that simple. Kolide patches one of the major holes in zero trust architecture device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone’s OS and browser up to date. Unsecured devices are logging into your company’s apps because there’s nothing to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication and it’s built to work seamlessly with Okta.
The moment Kolide’s agent detects a problem, it alerts the user and gives them instructions to fix it. If they don’t fix the problem within a set time, they’re blocked. Kolide’s method means fewer support tickets, less frustration, and most importantly, a hundred percent fleet compliance. Visit kolide.com/macadminspodcast to learn more or book a demo. That’s K-O-L-I-D-E.com/macadminspodcast. Thanks to Kolide for sponsoring this episode of the Mac Admins podcast.

Marcus Ransom:
So the next question is, goodness, “It must have been around 2008 or 2009 that the importance of the App Sandbox started to emerge on the Mac platform. So when did you start working on Sandkorn and where did the idea for it come from?”

Charles Edge:
And this is continuing on with the theme of telemetry I guess, but Peter’s response was, “I had an internal tool to check various things that I wrote over 10 years ago, I think. To start with, it was mainly for my own curiosity and as Apple started to restrict more and more, I thought that it might be useful for other people as well to see what apps can do. So I tidied it up and refined the UI a bit and added some features and released it about five years ago.” And Marcus, I guess, and we’re getting away from Peter’s response here to make it clear to the listener, but have you used Sandkorn? Do you want to take us through what it is?

Marcus Ransom:
No. Actually reading about it here, it’s one that I have not used and this is the first time I’ve discovered it and I can tell you what it’s going to be something I’m going to use from here on in. Especially with the changes where Apple seems to be modifying more and more what apps are and aren’t allowed to do in that sandbox. And when you’re troubleshooting why an older application or a newer version of an application or applications talking to each other are working in different ways, this is really useful. How about you? Have you been using it for much at all?

Charles Edge:
Yeah, I have definitely used it. For the listener from Peter’s website, which by the way is peterborgapps.com. The hero for this page is, “See which apps are sandboxed in their entitlements.” Which is one of the best application descriptions I’ve ever read. It’s just spot on. Nailed it. So what can your app do and what does your app want to do and what have you told it that it can do, basically.

Marcus Ransom:
Especially for home users to remember because we’ve all seen the idea of approving all of these entitlements. The idea is that it stops people from allowing apps to do things they shouldn’t be doing. But then that translates to when a user wants an application for doing something, will they just download it and arbitrarily click everything they need to get it functioning and perform the task they want to use the application for. And then maybe want to go back and go, “So how good were the choices I made there when I was allowing this to happen?” Maybe getting a little bit more aware of that functionality in Mac OS as well. And curiosity to see. And we’ve seen this in iOS now where it’s really obvious what sort of entitlements applications are being given and some really sort of notable examples where application installs were noticeably impacted by putting front and foremost exactly what sort of seemingly unusual entitlements they were requesting.

Charles Edge:
I have an interesting thought that I never had before, which is on a multi-tenant machine. So take an iMac in the home. That iMac is probably, maybe you create a different user for each person in the home, or maybe you just say this iMac is the home iMac and it has one user because it also happens to be the IoT hub that’s running a Homebridge or whatever and you don’t want people mucking around or fast user switching between accounts. So you don’t know all the things that other people hit okay on. To me, that’s what Sandkorn is. It’s let me see what all the other people in my home on my Homebridge machine or whatever who just sat down real quick to look at something that asks for microphone access or I don’t know what. I don’t know.

Marcus Ransom:
Perfect example of this is this iMac that I’ve got sitting on the desk right next to me here is that that’s exactly what that’s used for. It’s primarily used for-

Charles Edge:
Recording?

Marcus Ransom:
An extra display. It’s an extra display for when I’m working on my work machine to be able to bring up other webpages or things like that there. But it’s also the machine that a lot of the rest of the family uses for web browsing. Now, not going through and looking at application entitlements, but looking at Safari notifications and how that then is carried across via iCloud onto different machines. And I had that case there. It’s like what on earth are all of these notifications that are in here? And realize that, that it’s just people clicking the button they want to click to make something go away, which sometimes is allow.

Charles Edge:
I found if you just keep your finger hovered above escape that does the [inaudible 00:31:16].

Marcus Ransom:
Or as I discovered, go in the preference for the do not allow websites to request to enable notifications. It’s like, how long has it taken me to find that checkbox? But yeah, I think that’s a perfect example is the shared machine that multiple people can use or even being able to see what that transparency of what sort of entitlement software that’s deployed by a management tool or something like that is enabling. Coming back to Apple’s approach with background login items, of the user having an explicit understanding of what’s going on in their machine. There are ones that they’re not able to, without opening the command line, be able to enable or be able to disable, but at least being able to see what’s going on on their machine or what their teenager is installed in the machine or what their parent has installed on the machine.

Charles Edge:
I’m not saying I’m more worried about my parent, but maybe. So talking about the sandbox is one of those things that I think has evolved over time. And so our next question to Peter was, “In general the sandbox has changed development for apps. How has the transition to Swift and SwiftUI gone for you?” So expanding the scope of the conversation a bit.

Marcus Ransom:
So his response to this one is, “I know that some developers don’t like it, but I like the sandbox and I can really see its usefulness. Of course it can make developing a bit harder and more time consuming, but in the end I think it’s worth it. I just wish that Apple could add more entitlements so that one could, for example, run things as root if one asks the user for it and then Apple could include an app similar to Sandkorn in the system so we could all check what permissions each app has.” So it’s almost like he was listening to our conversation we just had there.
So he also says that, “The transition to Swift was fairly straightforward, just a lot of work and it made me tidy up the code quite a bit as well. But I really should have waited a little bit longer before I move to only use Swift. It took a lot of unnecessary time at the beginning with all the changes in the language, but it’s settled down now. So now one just has to keep an eye out for any performance problems as it can be hard to guess when writing the code, if there will be any performance issues with Swift one needs to check. But I think that that’s one thing that we’ll look into more in the next major release of Swift version six.”
So he also says that, “I learned from the transition to Swift that I shouldn’t jump into SwiftUI directly. So today there are actually no components in my released app that use SwiftUI. I have some internal tools that are written in SwiftUI and I’ve tried building new features with SwiftUI, but there are still issues with making everything work as it should. So 90% of getting there with SwiftUI is easy, but the final 10% are really hard and time consuming.”

Charles Edge:
Yeah. I can say we’ve built tons of instrumentation tools to try to get that last 10% and maybe we should open source them. Because one of the developers I work with said about one of the tools that we built, trying to find this is trying to find a needle in a haystack and this new thing that we built is like, if you could make the needle the size of a baton. And that’s pretty much software development troubleshooting for you right there. So why do we build tools to build tools? That’s why. So his next question or our next question for him was, “How about notarization and app signing?”

Marcus Ransom:
And the response was, “All of my apps are notarized and properly signed and I really like both and I think that everyone should use them if possible.” And I think this is a great response. I think the reasons Apple have put notarization and signing in there to give people that assurance that this is in fact still the same application you thought you were signing and it hasn’t been intercepted somewhere along the way. And that the operating system’s got all of these built in checks to ensure that some basic security standards are being adhered to.

Charles Edge:
Yeah. I mean think even if it doesn’t go on the App Store, just having to have it notarized. I hope it doesn’t give a false sense of security, but it makes me feel better when I download some random tool, for sure.

Marcus Ransom:
Also, to me makes me feel that if something was discovered further down the track that it was doing something that shouldn’t do, being signed that gives you a greater ability to then retrospectively revoke access to things. If code is signed and notarized, we know that Apple’s got mechanisms in there and we know that third party security tools have got mechanisms to leverage that code signing and notarization to be able to identify where something has come from and to be able to take action on that. So I think that’s great to hear developers of tools like this actually embrace that and not just get caught up in the, this is just taking us down the path of the Mac App Store, so I’m going to reject all of this and keep doing things the way I have been.

Charles Edge:
And it’s no more difficult to distribute software, with one exception. And that’s when you put the source up on a GitHub, it needs to be signed by somebody and who’s that somebody? And it’s easy enough to change who has to change the developer certificate and Xcode, but you kind of have to open Xcode and know and not be frightened by the big red Xs and all the clicking around and do it.

Marcus Ransom:
So this is sort of interesting where things like us, the Mac Admins Foundation has started supporting that Mac Admins Open Source. So the idea that you can have open source projects where the code base is available, but there’s also the option of downloading compiled and signed and notarized versions of the software. So you’ve got that transparency of being able to see the code and understand what it’s doing, but also to be able to have pre-compiled, packaged, signed notarized versions that you can just really quickly push out to your fleet and use. Or if you want to change the code yourself, you can build your own repo, put in all of your changes that you want and then sign it yourself if you’ve specific requirements.

James Smith:
This week’s episode of the Mac Admins podcast is brought to you by Alectrona Patch. What would you do with your time if you no longer have to spend so much of it on packaging and deploying updates for third party app? With Alectrona Patch, you can install or update over 300 Mac applications automatically to keep your users protected with the latest security update. Alectrona Patch works with your existing MDM solution by simply deploying a package and a configuration profile for ongoing management. It’s cloud native so no server or package hosting is required and the latest updates are delivered directly from the software vendor. You control which apps are installed or updated so you deploy only what you need. Alectrona patch is customizable to ensure your users can update without interruption, so you can keep your security team and your end users happy. Alectrona is a proud charter sponsor of the Mac Admins Foundation. Check out Alectrona Patch at alectrona.com/patch, that’s A-L-E-C-T-R-O-N-A.com/patch to learn more and to book a demo with our team. Thanks to Alectrona Patch for sponsoring this episode of the Mac Admins podcast.

Marcus Ransom:
So getting into some more detail around Round Sandkorn. The next question was, “So how do you go about ascertaining app entitlements in Sandkorn?”

Charles Edge:
And his response was, and you’re going to have to pardon me for my reading of this, “I use the SecCopyCodeSigningInformation function,” and by the way, that’s camel cased all the way through, “From the security framework in the system. And then just parse the results as I need it.” Very succinct. Wonderful answer. Thank you, Peter.

Marcus Ransom:
And, “So how do you deal with paths like if an app can be in application support directory?”

Charles Edge:
And he responded, “Today in Sandkorn, I have the sidebar, where the user can add folders themselves where Sandkorn should look for apps. That is of course not perfect, and I’ve been looking into instead using the mdfind command to find apps and that works as well as long as the user hasn’t disabled spotlight indexing for the disc. So I’m still thinking about good ways to have a fallback for that scenario and hopefully it will appear in a coming redesign.” And the next question we asked was, “People must have feature requests all the time. As former or current product managers,” and I had planned for Tom to read this by the way, but, “We’re always curious how others prioritize those. How do you do it?”

Marcus Ransom:
Well, I’ll answer that as someone who just likes asking for feature requests, so I’ll take this one. So Peter’s response to that was, “Well to begin, I fix major bugs as soon as possible and release an update with those fixes. So smaller bugs and feature requests are all listed in text files in Smultron. Of course, I’m old school and I regularly sit down and think about these along with stuff I myself come up with. But I’m also wary of changing too much between major releases. So generally I don’t change the behavior or large parts of the UI and minor releases and those need to wait until the next major release. And I generally try to be quite careful not to add too much. So I really think that most users don’t really want too many new things on the whole. So in general, I try to prioritize bug fixes and performance and anything that will make it easier to use. And brand new features are somewhat lower prioritized.”

Charles Edge:
I really love the incremental approach. I agree with him. Yeah, people probably don’t want that much more. And here he mentioned another tool called Smultron which I’ve used quite a bit. So Smultron is a text editor that parses code very nicely, especially json. So I will go ahead and read what we asked him. “And you have other apps like a text editor called Smultron. How did you go about picking names for these?”

Marcus Ransom:
So he says, “I like unique names that are a bit different. And I also think it’s good for everyone that everything isn’t using descriptive names in English. It makes everyone a bit more creative, I think, when one’s brain encounters new words. But I also try to make sure that the names aren’t too unusual and basing names on berries makes making the icons a lot easier.”

Charles Edge:
What an awesome response.

Marcus Ransom:
That’s awesome. Yeah. Start with the icon and work backwards to functionality maybe. I don’t know.

Charles Edge:
Lingon berries. I haven’t been to IKEA. I need to go to IKEA. I don’t know what I need at IKEA. But you always know that you need something in IKEA.

Marcus Ransom:
Meatballs. That’s what you need.

Charles Edge:
Or salmon. They have decent salmon.

Marcus Ransom:
Yeah. The next question is, “You also have Being Boring, which is available for Mac and iOS. So how is developing for iOS different than developing for the Mac?”

Charles Edge:
And his response was, “Nowadays I don’t think there is such a great difference, apart from the obvious different hardware capabilities. From the start, there was a great many things that Cocoa Touch lacked that was in Cocoa, but Apple has evened it out, I think.” And I would say in addition to his response here, we’re not going to invoke a root account to check what Launch Daemon items or what extensions or what entitlements an app has in iOS. That’s not a thing. But I think in SwiftUI, I can say, I had one app that had a different version for Mac than for iOS, and you would build your distribution packages and promote it and then merging it. Once you’ve made that jump into SwiftUI merging, it becomes, oh, here’s a different SwiftUI view, basically. Like a HTML front end-ish for this thing. Unless it calls backend APIs or frameworks that just don’t exist on the other platforms.

Marcus Ransom:
And especially now, you can actually run iOS apps in Mac OS as well. It’s really seeing the lines get blurred. Not that every iOS app is at all useful to be able to run on Mac OS.

Charles Edge:
Oh, they all are, come on.

Marcus Ransom:
Exactly. Just because you can doesn’t mean you should.

Charles Edge:
Remember those old iPhone apps that you could click the 2X button and run on iPad? It’d be like huge?

Marcus Ransom:
What, like Instagram?

Charles Edge:
Right.

Marcus Ransom:
Still does that now.

Charles Edge:
Oh, we’re not going to diss Instagram or they’ll never sponsor the pod.

Marcus Ransom:
No.

Charles Edge:
Wait. They’ll never sponsor the pod anyways. Okay, go ahead diss Instagram.

Marcus Ransom:
Yeah. So finally, “The landscape for absent developers continues to evolve. So most of our listen listeners are admins, so what are some of the things you think they might need to know for larger scale deployment and or research into the safety of the apps they’re considering for deployment?”

Charles Edge:
And his response was, “Apart from a general check for what other apps that developers has released, I check that everything is properly signed and notarized. For example, with the code sign or spctl commands, then I check the entitlements with Sandkorn and see if there is something strange in them. It might not be a problem, but if, for example, gives itself permissions to read and write files and folders where it really shouldn’t, one can ask oneself why that is and perhaps ask the developer as well. Another thing I do is to look in the bundle of the app itself with control, click, show command or show package contents and see if everything seems to be where it should be.
“If many files are placed in wrong folders, it could be a sign of something. Apple has a guide which a user can use to see where everything should be placed.” And we’ll include a link for that in the show notes rather than read it out loud. “And if they use a lot of third party frameworks, I think one should consider how those are checked for any possible security issues. And of course, if the app is really large, one should look into it and try to release why that is and why the developer needs everything in that bundle. Are they, for example, tracking usage of users?” And I’ll add to Peter’s response here, or maybe they’re using one of those write once, run many app frameworks and so it’s not really optimized for any of the Apple platforms.

Marcus Ransom:
For me, this is a really fascinating response. So I have lots of conversations with organizations that want to restrict admin rights on machines. We want to protect our users with the applications that we are deploying.

Charles Edge:
And some of them need to. Legit.

Marcus Ransom:
Yeah, absolutely. And it’s a good thing to protect users, but the conversation is, it then comes back to, so what are you doing to check these applications that you are, in fact, deploying? Are we packaging them all ourselves? We’ve got an offline version of auto package where everything has to be packaged by our teams. Okay. So they’re being packaged by you. A lot of the time, that’s really just downloading the vendors packaged and going, “Good to go” and then uploading it into your device management solution.
But how many of those organizations are actually running basic checks? The well-known applications from well-known vendors. But when we start getting into developer land or we’re starting to look at utilities that people are requesting, what sort of checking is going on with these applications? And I think it’s a really good question to say, look, what is this application allowing these users to be able to do as a result of the entitlements it’s requesting, whether it’s got any launch agents or launch daemons that get installed with it that may be able to be providing a additional attack vendors or lowering your security or just creating a really poor experience for your users.
So having a look at these tools that Peter’s created and this approach that he’s showing of what you should be doing with applications, you realize there’s some pretty basic checks you can do to at least have the confidence of knowing what you are pushing out onto all of your systems for your users and what sort of entitlements they’re getting, what’s going on. We’ve all seen poor choices developers have made with the best intentions.

Charles Edge:
I make them daily. But another thing I would say is as we’ve gone through this and he’s talked through what he’s put into a bunch of things, we realize that all of this stuff can be scripted yourself if you need to. So for example, you can write your own agent and say, “Show me an array or dump me some chase on or XML or whatever into an extension attribute or some other placeholder of what every single app on my system has access to. And if that changes from what it was yesterday, alert me.” Because what I really care about is what changes over time. If an app has access to X, Y, and Z, or Zed, since you’re here, I don’t really care all that much because I know the user had that entitlement or what have you. But if that changes over time or if they add a new extension, then I really would love an alert that something happened there. Because managing change, I think, is the hardest thing on a large fleet of devices.

Marcus Ransom:
And the more insight you can get into what that change is, whereas if you can run some basic checks and go, this is one of the features of AutoPkg that I love at the moment where you get that notification if a recipe has changed and you’ve got to then approve that to have that visibility onto what’s been introduced into your system that you maybe weren’t aware of if you just arbitrarily click okay on everything.

Charles Edge:
On the other side of that transaction in suspicious package, what has that then told me that is going to be put on my system and in Sankorn or Lingon what did get put on my system. And if there’s a new capability. For example, if it’s before we started recording, you mentioned the session that Jaron gave. So yeah, hypothetically, let’s say someone in my environment manages to install something they got off Pirate Bay and the bundle ID looks similar to something that I’ve already seen, but now it has access to… Why should my PDF viewer have access to command line, for example?

Marcus Ransom:
Exactly.

Charles Edge:
So that becomes a whole new way to track change because everything… To kind of finish my thought, everything that these tools can do, the reason they can’t be on the App Store, or at least Sandkorn or what have you, is we’re calling command line options. So that means that it’s scriptable.

Marcus Ransom:
Yeah. Or the reason in Jaron’s session about crypto jacking, the reason why this version of Final Cut 10 was on the Pirate Bay rather than the App Store was because it’s doing all of these things it shouldn’t do. No business [inaudible 00:53:48].

Charles Edge:
Yeah, don’t get your software from Pirate Bay.

Marcus Ransom:
No. Not a [inaudible 00:53:53].

Charles Edge:
I think Final Cut’s moving to a subscription model, just pay the subscription.

Marcus Ransom:
When Europe’s talking about being able to side load apps into iOS, that’s not what they mean. Have having said that, I’m intrigued. We’re less than a month away from WWDC and given what we saw last year with the background login items and slowly putting up more boundaries around what things can and can’t do and what users can and can’t see. I’m intrigued to see what we’re going to see next from that respect.

Charles Edge:
It would be hard to be doing that with Apple because you don’t want to give people too much. It’s not the endpoint security framework. As an end user when you open an app, you don’t want to see eight popups that say all these things. You just want-

Marcus Ransom:
Eight popups. Endpoint security, it’s like eight billion.

Charles Edge:
Yeah, per minute.

Tom Bridge:
Here at the Mac Admins podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stu Bakka, thank you. Adam Selby, thank you. Nate Walk, thank you Michael Tsai, thank you. Rick Goodie, thank you. Mike Boylan, you know it. Thank you. Melvin Vives, thank you. Bill Steitz, thank you. Anush Dorville, thank you. Jeffrey Compton, M.Marsh, Stu McDonald, Hamlin Crusin, Adam Berg. Thank you. A.J. Petrepka, thank you. James Stracy, Tim Perfette of Two Canoes. Thank you. Nate Sinal, Will O’Neill, Seb Nash, the folks at Command Control Power, Steven Weinstein, Chet Swarthout, Daniel McLaughlin, Justin Holt, Bill Smith, and Weldon Dodd. Thank you all so much and remember that you can back us if you just head out to patreon.com/macadmpodcast. Thanks everybody.

Charles Edge:
You wrote us a lovely bonus question.

Marcus Ransom:
Yeah, so well, Charles, what berry would you like to see turned into an app icon next?

Charles Edge:
Oh boy. Why don’t you go first and I’ll think about it.

Marcus Ransom:
So I’ll say something that autocorrect will love is the fact that the macadamia nut, which is technically a fruit, I don’t know if it’s necessarily a berry, but maybe I’ll just say the macadamia nut because every time I type Mac Admin, it autocorrects into that.

Charles Edge:
Right.

Marcus Ransom:
Yeah. So add that into Spotlight as an app I can call and it’s just like I got no chance of typing anything Mac Admin. So that would be it for me.

Charles Edge:
Yeah, so I just planted blueberries today because I love blueberries, but I think they would be very boring app icons. It’s just a blue circle. I think cloudberry is native Swedish because I think we’re on a theme there. So maybe that’s a thing. I don’t know. By the way, for listeners who don’t know, a lingonberry or lingonberry as we call them in the us, the Swedish name is actually a Lingon. Ergo the app, Lingon. Cloudberry though, the Swedish name is hjortron, I think, if I’m not mistaken. Which I don’t know that the localized version of that plays as well in a lot of contexts. The beauty of Lingon is it’s the Swedish name and it’s so descriptive of what it does, as opposed to Gooseberry, which is krusbär. And Smultron, by the way, is the Swedish name for a wild strawberry. So as we go through all these, it’s like, I mean, in terms of spelling, I think hallon is raspberries, so that’s much easier to spell than some of these with the umlauts in the…

Marcus Ransom:
Extra points for umlauts.

Charles Edge:
Right? So yeah, I guess Cloudberry might be perfectly descriptive of an app. Yet, it might not localize as well as you might think.

Marcus Ransom:
See, I’m all of a sudden going down the path of puns and thinking maybe an application that looks for old, unused items in your file system and the elderberry comes to mind.

Charles Edge:
Elderberry.

Marcus Ransom:
Yeah. And that’s probably a sign that we should finish off.

Charles Edge:
Because Tom’s not here to tell us to go home. I mean, we are home, but you know, stop.

Marcus Ransom:
We are now. So a big thanks to Peter for agreeing to be part of the podcast, even if not being on the podcast. Your tools are amazing and really looking forward to seeing what else comes next and how these tools evolve as Mac OS evolves. We’ll put some links in the show notes to Peter’s software and some of the things that we’ve discussed today. And a big thanks to our Patreon subscribers, a big thank you to our sponsors for this week. That’s Kandji, Kolide and Alectrona. And we’ll see you next time.

Charles Edge:
Can’t wait. See you next time.

Marcus Ransom:
See you later.

Tom Bridge:
The Mac Admins podcast is a production of Mac Admins LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Kugdega the first time he opened GarageBand. Sponsorship for the Mac Admins podcast is provided by the macadmins.org Slack, where you can join thousands of Mac Admins in a free Slack instance. Visit macadmins.org. And also by Technolutionary, LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcasts.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Listen

Sponsors:

With Alectrona Patch you can install and update over 300 Mac applications automatically to keep your users protected with the latest security updates. Alectrona is a proud Sponsor of the MacAdmins Podcast and MacAdmins Foundation. Check out Alectrona Patch at alectrona.com/patch to learn more and to book a demo with our team.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences
Event Name Location Dates Format Cost
XWorld Melbourne, AUS 30-31 March 2023 TBA TBA
Upcoming Meetups
Event Name Location Dates Cost
Houston Apple Admins Saint Arnold Brewing Company 5:30pm 4th March 2024 Free
Recurring Meetups
Event Name Location Dates Cost
London Apple Admins Pub Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person Free
#ANZMac Channel Happy Hour Online (see #anzmac in MacAdmins Slack for connection details) Thursdays 5 p.m. AEST Free
#cascadia Channel Happy Hour Online (see #cascadia channel in Mac Admins Slack) Thursdays 4 p.m. PT (US) Free

If you’re interested in sponsoring the Mac Admins Podcast, please email sponsor@macadminspodcast.com for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back MAP on Patreon



Support the podcast by becoming a backer on Patreon. All backer levels get access to exclusive content!

Subscribe

Archives