Hey all, this is one I found out a few months ago and completely forgot to share.
New in macOS 10.12.4, Apple added a new security measure that asks users to confirm that they are happy to reconnect to a server.
What’s the issue?
Well, at many sites we tend to connect to file shares at login via Launch Agents (or on a Jamf Pro site, a login policy). These sites are using Kerberos for authentication, and could connect to the same shares manually using the Finder “Connect to Server…” dialog box.
However, on login (using our scripted connections), the users were presented with this message, per server.
What’s causing that?
Well, it turns out this is a new security feature implemented by Apple as of the macOS 10.12.4 update (and newer). I’m assuming it’s to help uncover a malicious item connecting to servers over file sharing ports, but the exact reasoning isn’t explained by Apple.
How do I turn it off?
We’re not ones normally to recommend turning off security features just because they’re new, but this one was starting to affect educational lab environments heavily. And there’s always a few kids who are looking for a reason to cause disruption 😉
So, how’d you turn it off? The command detailed by Apple is as follows:
sudo defaults write /Library/Preferences/com.apple.NetworkAuthorization AllowUnknownServers -bool YES
We’ve tried turning the above into a configuration profile with no success, so it looks like it needs to be a script to run it, but it is a ‘once per device’ thing, which makes things easier.
I’d suggest one of the following paths to achieve this:
- If you are using a ‘first boot’ or ‘first run’ script in your workflows, chuck the above into that script (minus the sudo)
- If you are using outset ( https://github.com/chilcote/outset ) to run scripts on first boot, add the above line into a ‘boot-once’ script, or even a ‘boot-every’ script (it shouldn’t hurt! Also minus the sudo)
- If you are not using a management system that can run commands, perhaps consider packaging this into a ‘run with admin rights’ AppleScript and distribute that to your users.
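For the first two paths, here is a sketch of what the first-boot script could look like. This is an added example, not Apple's or Amsys' own script. The function names, the version gate and the read-back check are assumptions added for illustration; it relies on `defaults read` printing `1` for a boolean that is set to true.

```shell
#!/bin/sh
# Added example: first-boot script body. It runs as root, so no sudo is used.
PLIST="/Library/Preferences/com.apple.NetworkAuthorization"
KEY="AllowUnknownServers"
MIN_VERSION="10.12.4"   # the prompt exists from this release onward

# version_ge A B: succeeds when dotted version A >= B (missing fields count as 0).
version_ge() {
    for _i in 1 2 3; do
        _x=$(printf '%s.0.0' "$1" | cut -d. -f"$_i")
        _y=$(printf '%s.0.0' "$2" | cut -d. -f"$_i")
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
    done
    return 0
}

# needs_change OS_VERSION CURRENT_VALUE: succeeds when the key should be written.
needs_change() {
    version_ge "$1" "$MIN_VERSION" || return 1   # older macOS has no such prompt
    [ "$2" != "1" ]                               # already enabled: nothing to do
}

main() {
    os=$(sw_vers -productVersion)
    current=$(defaults read "$PLIST" "$KEY" 2>/dev/null || true)
    if needs_change "$os" "$current"; then
        defaults write "$PLIST" "$KEY" -bool YES
        # Read the value back so a failed write shows up in the boot log.
        if [ "$(defaults read "$PLIST" "$KEY" 2>/dev/null)" != "1" ]; then
            echo "failed to set $KEY in $PLIST" >&2
            return 1
        fi
        echo "$KEY enabled on macOS $os"
    else
        echo "no change needed (macOS $os, $KEY=${current:-unset})"
    fi
}

# Only act on a Mac, and only when running as root.
if command -v sw_vers >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

Because the script checks the current value first, it is safe to drop into a ‘boot-every’ location as well as a ‘boot-once’ one.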
Summary
For the official KB article from Apple, check out here
As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
The usual Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.