Mac notarization: Everything Mac admins need to know
The growing popularity of macOS has made it an attractive target for attackers. Knowing this, Apple has put a series of protections in place to keep pace with the changing nature of malicious software. Applications are the most important gateway into any system, and the Mac ecosystem is no different. Although the Mac App Store is a safe place to get apps from, many developers distribute their apps, software, and extensions outside the Mac App Store by other means. For such distribution beyond the Mac App Store, Apple has laid down strict security checks to prevent unverified software from running on the Mac, all part of a push for stronger security.
Mac notarization is one of these safeguards: Apple directly signs off on the reliability of Mac software. Notarization assures that apps, software, and extensions come from trusted sources and that the system is not troubled by malicious code, viruses, or malware. With this focus on security, Apple is compelling developers to have their software verified through notarization, but this complicates matters for Mac administrators in organizations, as notarization is not always a viable choice.
Here we'll look at the security enhancements and the difficulties brought about by Mac app notarization, and at how MDM solutions help Mac admins bypass it in specific scenarios without introducing security flaws. Let's start by discussing what exactly Apple notarization is.
What is Mac notarization?
Mac notarization is the process by which Apple inspects Mac apps and software distributed outside the App Store to make sure they comply with Apple's security guidelines. Non-App Store Mac deliverables such as applications, disk images, OS X flat installer packages, and kernel extensions can be notarized. After scanning for malicious content, the result is returned to the app developer. Apple also checks that there are no code-signing issues with Developer ID-signed applications and with new or updated kernel extensions. Software distributed via the App Store undergoes similar security checks and hence doesn't require notarization.
Mac notarization was introduced with macOS Mojave 10.14.5 and is now widely adopted by Mac developers. In the beginning, notarization had strict prerequisites, but Apple later temporarily relaxed the notarization requirements until February 2020. From February 3, 2020, Apple requires all notarizations to meet the original prerequisites; otherwise the software won't run on macOS Catalina onwards.
There are two ways developers can distribute their apps: through the Mac App Store, or independently after signing with their Developer ID and passing Apple's security check through its notary service. In the notarization process, developers submit their software to Apple's server for a malware check. The Apple notary service is quick and automated and involves the following steps:
- Upload the app for notarization.
- The status will change to processing.
- Check the status log details. If the upload fails, review the error messages and fix the code-signing problems so the app can be notarized.
- Check the notarization status. It can be processing, upload failed, ready to distribute, or rejected.
- Click Export to get the notarized app for distribution.
Notarizing unpublished apps is much easier than notarizing already published apps. If the app passes Apple's notarization check, the result is stored on Apple's servers. A ticket is generated and awarded to the software for offline verification; it can be attached to the software using the stapler tool. The ticket tells the Mac's Gatekeeper that the app has been notarized by Apple. Users get additional assurance if third-party apps, plugins, or installer packages have such tickets attached.
Notarization usually takes little time, but under certain conditions it may take longer than the typical case. To minimize the notarization response time:
- Reduce the total number of files to the minimum.
- Save the file to places that don’t require code signatures.
- Avoid uploading corrupted and heavily compressed disk images.
- Don't include large non-executable data files.
- Limit yourself to 75 notarizations per day.
If the Developer ID signing key is exposed in any way and unauthorized versions are found in circulation without the knowledge of the actual developer, Apple can revoke the associated tickets at the developer's request. Before distribution, it is better to verify that the app launches correctly.
How does notarization add to Mac security?
The Mac has a built-in technology known as Gatekeeper, which prevents unprotected and unverified software from running on macOS devices. Since its launch, Gatekeeper has assured macOS users that all software running on their machine comes from trusted sources and is free of malicious content. With Gatekeeper, third-party software downloaded from outside the Mac App Store must be signed with a valid Developer ID certificate, obtained from Apple through a one-time online process.
Notarization is an additional layer of security assurance that Apple has added on top of the existing Gatekeeper verifications; it enforces a particular set of security rules on third-party software distributed outside the Mac App Store. Since the introduction of notarization, Gatekeeper includes an additional check for non-Mac App Store apps: whether they are notarized and trustworthy. When a developer uploads software to the notary service and no issues are found, the notary service generates a ticket, which can be stapled to the software. Gatekeeper can also find this ticket, published online by the notary service, in the Gatekeeper code directory catalog, and the software is added to Apple's database as safe or allowed software.
When third-party apps, bundles, extensions, disk images, zip archives, plugins, or installer packages attempt to run on a Mac, Gatekeeper carries out a security check. Third-party software passes Gatekeeper's full first-run check only if a ticket is present (either stapled to it or found online). Gatekeeper then shows a slightly different message for notarized deliverables than for unnotarized ones, indicating that Apple has examined the software for security. Users can thus be more confident and make an informed decision about launching the software on their device.
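The submit, staple and Gatekeeper-check steps described above, as an added example (not code from the article or from Hexnode). It assumes macOS with the Xcode command-line tools, a `notarytool` keychain profile named `notary-profile` (a placeholder), and classifies the `source=` line that `spctl` prints; the sample outputs in the comments are constructed.

```shell
#!/bin/bash
# Added example, not from the article: notarize, staple and then run the same
# Gatekeeper assessment a Mac admin would run before deploying an artifact.
# Assumes macOS with Xcode command-line tools and a notarytool keychain
# profile named "notary-profile" (a placeholder name).
set -u

# Submit to the notary service, wait for the verdict, staple the ticket and
# confirm the staple. Stops at the first step that does not succeed.
notarize_and_staple() {
  local artifact="$1" profile="${2:-notary-profile}"
  xcrun notarytool submit "$artifact" --keychain-profile "$profile" --wait || return 1
  xcrun stapler staple "$artifact" || return 1
  xcrun stapler validate "$artifact"
}

# Classify the output of `spctl --assess -vv`, e.g. (constructed sample)
#   Foo.app: accepted
#   source=Notarized Developer ID
# Check order matters: "rejected" also appears in the unsigned and
# unnotarized outputs, so the more specific source= strings go first.
classify_spctl() {
  local out="$1"
  if printf '%s\n' "$out" | grep -q 'source=Notarized Developer ID'; then
    echo notarized
  elif printf '%s\n' "$out" | grep -Eq 'source=(Unnotarized )?Developer ID'; then
    echo signed-not-notarized   # Developer ID signature, no ticket
  elif printf '%s\n' "$out" | grep -q 'no usable signature'; then
    echo unsigned
  elif printf '%s\n' "$out" | grep -q 'rejected'; then
    echo rejected                # e.g. a damaged or obsolete signature
  else
    echo unknown
  fi
}

# Gatekeeper's verdict for an .app or .pkg. spctl exits non-zero on rejection,
# so its output is captured regardless and classified afterwards.
assess_artifact() {
  local artifact="$1" type="execute" out
  case "$artifact" in *.pkg) type="install" ;; esac
  out=$(spctl --assess -vv --type "$type" "$artifact" 2>&1 || true)
  classify_spctl "$out"
}

# Usage: ./check.sh /path/to/App.app   (classification printed on stdout)
if [ "$#" -gt 0 ]; then assess_artifact "$1"; fi
```

Run `notarize_and_staple` once on the artifact, then `assess_artifact` on a clean test Mac; anything other than `notarized` means Gatekeeper will block or warn on first launch.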
The true benefits of Mac notarization
Notarization benefits users and developers alike. When Apple requires developers to submit their apps for notarization, it wants app developers to be confident and user devices to be risk-free. Other significant benefits of app notarization include:
- Gatekeeper identifies the developer of an app stapled with the notarization ticket as a trusted developer.
- Gatekeeper provides a slightly different warning for notarized apps, which shows that an app attempting to run has passed Apple verification.
- Mac users gain more confidence that no malicious content is present in the app and that their system is protected.
- Most Developer ID-signed and notarized software can take advantage of additional features like Apple Push Notifications and CloudKit.
- Notarization allows Apple to identify significant security flaws in third-party software and take the necessary action.
- Developers get a way to show users that they are reliable and their apps are trustworthy, with a unique stamp of approval from Apple.
- Notarization acts as a kind of two-factor authentication: the developer gets an email after every notarization. This protects the Developer ID certificate from misuse by unauthorized persons.
Difficulties with notarization
Before the introduction of notarization, the Gatekeeper security check was a simple process, but notarization has made it more complicated. All notarization submissions go through Xcode, and there is no alternative, so the person who submits the object for notarization should have prior experience with Xcode. Another critical problem is that malware authors can sometimes submit innocent apps, get them notarized, and later push malicious content in the form of updated versions of the already notarized app. A manipulated app can also be signed and notarized with a stolen Developer ID. Though Apple will eventually block such Developer IDs, this can still be a severe issue.
Notarization requires every third-party app, installer package, and kernel extension to be submitted to the Apple notary service. Some in-house objects may not be viable for notarization and get blocked by Gatekeeper. Given these and the other difficulties of notarization, Mac admins rarely like to get their third-party apps and extensions notarized.
Though disabling Gatekeeper is one way to allow non-notarized third-party objects to run on Mac devices, it is not a recommended practice. All these difficulties have left Mac admins confused and concerned, pushing them to look for ways to bypass notarization. That said, this should not be taken as an excuse to pass over the security benefits notarization offers. What we need is a way to bypass Gatekeeper's blocking of non-notarized software without compromising device security.
Mac notarization and MDM
For Mac administrators using an MDM solution for Mac deployments, Apple relaxes the notarization requirement for third-party kernel extensions, saving them from being blocked by Gatekeeper. If your organization distributes kernel extensions using a kernel extension whitelisting policy with MDM, notarization is not needed. This shows that Apple still acknowledges the effort MDM puts into securing macOS. This is an excellent advantage for enterprise admins who need to bypass kernel extension blocking due to notarization. In a managed deployment, admins never want to annoy their users with warning messages popping up for non-notarized apps.
As Apple acknowledges that it is moving along a more security-oriented path, verifying downloaded software before execution, the responsibilities of Mac admins who are in charge of managing and deploying Mac executables also increase. Apple provides entitlements that allow Mac admins to have the security verifications bypassed. Given MDM's proven level of security, Apple provides some flexibility for MDMs in such security matters. Following its tradition of always being ahead of the game, Hexnode MDM also offers the flexibility to deploy non-notarized kernel extensions using its Kernel Extension Whitelisting payload.
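What the kernel extension whitelisting policy mentioned above looks like on the wire, as an added example (not Hexnode's payload or code from the article): a script that emits the `com.apple.syspolicy.kernel-extension-policy` configuration profile an MDM pushes. The team ID `ABCDE12345`, the bundle IDs and the UUID strings are placeholders; `AllowUserOverrides` is set to `false` so only the listed extensions are allowed.

```shell
#!/bin/bash
# Added example, not from the article or Hexnode: emit the kernel extension
# policy profile an MDM distributes for kext whitelisting. The identifier
# strings, team ID and UUIDs are placeholders, not real values.
# kext_policy_profile TEAM_ID BUNDLE_ID... -> .mobileconfig on stdout.
kext_policy_profile() {
  local team_id="$1"; shift
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>org.placeholder.kextpolicy</string>
  <key>PayloadUUID</key><string>PLACEHOLDER-PAYLOAD-UUID</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadIdentifier</key><string>org.placeholder.kextpolicy.kext</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-KEXT-UUID</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>AllowUserOverrides</key><false/>
      <key>AllowedTeamIdentifiers</key>
      <array><string>${team_id}</string></array>
      <key>AllowedKernelExtensions</key>
      <dict>
        <key>${team_id}</key>
        <array>
EOF
  # One <string> per allowed bundle identifier under the team ID.
  local b
  for b in "$@"; do printf '          <string>%s</string>\n' "$b"; done
  cat <<EOF
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Usage: ./kextpolicy.sh ABCDE12345 com.example.driver > kext-policy.mobileconfig
if [ "$#" -gt 0 ]; then kext_policy_profile "$@"; fi
```

On a Mac, `plutil -lint kext-policy.mobileconfig` confirms the emitted plist is well formed before it is uploaded to the MDM.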