Apple Notarisation and Custom PKG Installers

Description

Apple has introduced notarisation as a requirement for installation of PKGs on macOS with macOS version 10.15. Notarisation status can be determined in two ways :

Offline: cryptographically verifying a ticket stapled to the PKG at installer creation time
Online: contacting apples servers to verify an app / installer has been notarised

Information

Custom installers for FileWave Client and Booster will be notarised starting from Version 13.2.2 and upwards, however, the notarisation ticket will not be stapled onto the PKG you download from https://custom.filewave.com at the current time, requiring 'Online' confirmation.

Provided your macOS machines can reach the required servers outlined in https://support.apple.com/en-us/HT210060 , you can expect everything to work as normal after 10-15 minutes of downloading the custom PKG.

Hosts	Ports	Protocol	OS	Description	Supports proxies
17.248.128.0/18	443	TCP	macOS only	Ticket delivery	—
17.250.64.0/18	443	TCP	macOS only	Ticket delivery	—
17.248.192.0/19	443	TCP	macOS only	Ticket delivery	—

Custom PKG Version 13.2.2
Version 13.2.2 Custom PKGs created prior to 4th March 2020 will not be notarised and will require re-creating if notarisation is required

Confirmation

The PKG may be tested for notarisation. On macOS 10.15.x you may observe the following:

Before notarisation has been completed by Apple:

Unnotarised

% spctl -a -vvv -t install FileWaveClient_13.2.2-fw.filewave.com-20-Feb-2020.pkg
FileWaveClient_13.2.2-fw.filewave.com-20-Feb-2020.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: FileWave (Europe) Gmbh (83S2TRZ3CS)

After notarisation has been completed by Apple:

Notarised

% spctl -a -vvv -t install FileWaveClient_13.2.2-fw.filewave.com-20-Feb-2020.pkg
FileWaveClient_13.2.2-fw.filewave.com-20-Feb-2020.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: FileWave (Europe) Gmbh (83S2TRZ3CS)

Desktop / Laptop Client Install and Configure

Enrolling Computer Clients in to FileWave

Mass Deploy Windows FileWave Client

Apple Notarisation and Custom PKG Installers

User Approved MDM Enrollment (macOS)

macOS MDM Enrolment State

Enrolling Mobile Devices into FileWave

Enrolling AppleTV into FileWave

Importing Computer Clients from a File

Location Tracking Technologies

Location Tracking Setup

Clearing FileWave Client Certs

FileWave Client notification for zsh running in the background

FileWave Client Rename Behavior

FileWave Client Status Check: How to ask the client what it is doing on macOS and Windows

Using PsExec to Remotely Restart the FileWaveWinClient Service

Understanding and Resolving Proxy Communication Issues in FileWave

Using PowerShell to Remotely Check the Windows FileWave Client Status

When does the inventory client run scans?

PSExec as a Helper in Troubleshooting

Apple Notarisation and Custom PKG Installers

Description

Information

Confirmation

Unnotarised

Notarised

No Comments