Big Sur (macOS 11.0) is now upon us. This new operating system begins Apple’s journey to Apple Silicon and beyond. This blog will unpack the immediate security and operational implications for end users of Big Sur, and highlight how BeyondTrust Privilege Management for Mac will help enterprises make the most of the their leap to the new OS.
Big Sur Release in Perspective
Big Sur is the first major OS release for Macs in nearly two decades. Mac OS X 10.0 Cheetah was released in 2001. macOS 11.0, is a gesture to the major hardware changes that Apple is forging ahead with.
Big Sur reflects more than just a new OS. The release announcement also coincides with the news that Apple is dropping Intel as their chip manufacturer. This marks one of the first steps in the migration to a new hardware architecture for MacBooks.
Benefits of macOS 11
Let’s briefly look at the most touted benefits of macOS 11.
Design refresh
Big Sur will see big changes in the look and feel that has been described as both “fresh and familiar” at the same time. System sounds, windows, the dock, icons, and, even color schemes have been changed.
Major Safari improvements
Safari, Apple’s graphical web browser, will not only have a fresh look, but is reported to be faster and more battery efficient than prior versions. Apple is a vocal proponent of reducing its carbon footprint is great to see them embodying the principle here.
Safari will also come with an improved Privacy Report, and will even translate web pages for you with the click of a button.
Privacy
Privacy will be further enhanced for Apple users with every app having information included about it on the app store, in a format akin to a nutrition label. Developers will have to self-report privacy practices, for example if the app collects data around:
- Usage
- Contact information
- Location
Software Updates
In the future, updating to a new OS version will be even easier, as new versions will begin downloading in the background, therefore reducing the time-to-value and reduced impact on productivity. The system can do this via signed system volume, which means the system volume is cryptographically signed and allows your Mac to know the exact layout of the system volume.
To watch and hear Apple talk about this themselves, we recommend watching the WWDC 2020 keynote.
macOS Big Sur & BeyondTrust
When engaging with our customers, one of the first questions that we are invariably asked is: “Is BeyondTrust ready for Big Sur?” This is hardly surprising given that anyone using our Privilege Management for Mac solution is now familiar with the below popup:
We are proud to say that BeyondTrust is ready. Our newest release, Privilege Management for Mac 5.7, allows users to utilize System Extensions and provides a smooth migration path from their current OS to Big Sur. This means our users have one less thing to worry about when it comes to migrating an entire Mac fleet to a new OS version that has major architectural changes.
BeyondTrust continuously strives to ensure our users are secure—no matter what operating system or platform they use. This means we’re always working to stay well ahead of the curve.
BeyondTrust works alongside Apple, employing a dedicated Mac team to ensure that we offer the most complete, flexible, and fast-to-deploy solution for Mac endpoint privilege management. BeyondTrust’s solution addresses significant macOS security gaps around privileged access and is an essential component of a secure and compliant Mac endpoint estate.
For current Privilege Management for Mac customers, it is recommended to update to version 5.7 and enable System Extensions prior to updating the MacOS 11 (Big Sur). Taking this approach will ensure the upgrade to Big Sur will be a seamless process, and no additional changes would be required. For more information, please reference this Knowledge Base Article.
System Extensions
For Privilege Management for Mac to function on Big Sur, System Extensions must be utilized. This is because the Kernel Extensions used in older versions of BeyondTrust’s solution have been deprecated. The Kernel is the part of the OS that loads first and is responsible for controlling and monitoring hardware resources, like memory and CPU allocation.
Both System Extensions and Kernel Extensions allow applications like Privilege Management for Mac to act as extensions of the operating system itself. In this instance, they extend the native capability of macOS.
Privilege Management for Mac uses Apple's new Endpoint Security API to apply Application Control, a powerful capability of the BeyondTrust product. Endpoint Security and employing System Extension, allows our product to perform operations in user mode, which previously had to be performed by a KEXT running in kernel mode.
Apple is deprecating third-party KEXTs in favor of user mode equivalents. This restricts direct access to the Kernel and abstracts away platform differences between Intel and Apple Silicon CPU’s.
Improving Mac Endpoint Security for macOS 11 & Beyond
In general, the migration to Big Sur should provide macOS users with a more stable, safer operating system. And, disallowing third-party KEXT’s reduces an obvious attack vector, while also providing enhanced OS stability. End users of Privilege Management for Mac should notice little to no change when migrating to Big Sur.
For our solution’s administrative users, installing Privilege Management 5.7 and enabling System Extensions ensures they can benefit from an easy migration route to Big Sur for their Mac estate.
Optimizing Privilege Management for Mac Settings for macOS 11
Authorizing the System Extension and granting it full disk access does require a little more work for admins than usual. To make this as easy as possible, BeyondTrust has shipped a configuration profile (.mobileconfig) with our version 5.7 deployment. This can be imported into an MDM for the purpose of making these changes en masse.
BeyondTrust has a dedicated Mac team focused on ensuring that our users have the best experience and functionality when using and managing Macs—just as we do across Windows, Unix, Linux, and other major operating systems. Our System Extensions work is cited by industry experts, and our work is patented.
Preparing Your Mac Endpoint & Security Estate for Big Sur & Apple Silicon
Migrating to Big Sur allows your userbase to utilize System Extensions and, therefore, leverage Apple’s latest security framework in conjunction with Privilege Management for Mac.
Apple’s new hardware platform, Apple Silicon, will only run Big Sur (macOS 11) and future macOS iterations. BeyondTrust’s Mac team is working to ensure our application natively supports Apple Silicon, thus providing the best performance and experience for our users.
One example of this, is our ongoing work to have universal binaries ready to use in our product. This will allow Privilege Management for Mac to run natively on Apple Silicon as well as on previous Intel chip iterations. Therefore, regardless of the OS version or hardware versions your Mac users run, admins can install the same version of our Mac endpoint privilege management solution on all Mac endpoints.
Contact the BeyondTrust Mac Development Team
Questions? Comments? Our development team wants to hear from you! Contact us today.
BeyondTrust Privilege Management for Mac Development Team,
James Allan – Product Owner
Simon Fradkin – Software Architect
Omar Ikram – Senior Developer
Paul Thexton – Senior Developer
Steven Joruk – Senior Developer
Chris Hill – Scrum Master
Steve Langford-Jones - QA Engineer
Ataulah Bukhari – QA Engineer
