Jamf Blog
May 15, 2019 by Tom Koehler

Things you should know about App Notarization

With the release of macOS 10.14.5, Apple introduced an important security enhancement for App Notarization. Get full details in this Q&A blog post.

With the release of macOS 10.14.5, Apple introduced an important security enhancement for App Notarization.

What is App Notarization?

Per Apple, App Notarization gives users more confidence that the Developer ID-signed software distributed has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket to staple to the software; the notary service also publishes that ticket online where Gatekeeper can find it.

How are Jamf customers affected?

The only hard stop for not being notarized comes from dealing with kernel extensions (kext).

Starting in macOS 10.14.5, all new or updated kernel extensions must be notarized in order to run. If an end user tries to install a non-notarized kernel extension, they will receive a pop-up similar to this:

Apps from existing developers will NOT be impacted at this time as long as their Developer ID account has been around since before April 7, 2019. However, Apple will be requiring all non-Mac App Store apps to be notarized in a future macOS release. This means that apps distributed outside of the Mac App Store will not function without going through Apple's notary service. App Notarization allows Apple to ensure that any app determined to be rogue or malicious cannot run.

Notarization has been available to developers since Apple’s last Worldwide Developer’s Conference (WWDC) in June 2018, but it seems that some developers have not been actively testing it before now.

Can I validate whether an app or kernel extension (kext) is notarized?

Yes! Mac administrators can validate whether a kernel extension is signed by executing the following command:

 kextutil -nt Name_of_Kernel_Extension_Here.kext

Mac administrators can validate whether an app is notarized by executing the command:

 spctl -v -a /path/to/app/here

Can I opt-out of the kernel extension notarization requirements?

Apple has provided a way for enterprise admins to bypass the kext blocking. If a kernel extension is whitelisted with the User Approved Kernel Extension List (UAKEL) feature of mobile device management (MDM) it will not be blocked for lack of notarization. That said, even if a customer is using UAKEL, they should also press developers to update and notarize their extensions properly.

Can I opt-out of the App Notarization requirements?

Notarization is checked by Gatekeeper as part of the Quarantine system. While not recommended, administrators can disable Gatekeeper via MDM. In general, though, developers should be updating their apps to support the Notarization security system.

What Jamf apps are notarized?

The impact of these changes is widespread. Jamf develops many applications that are subject to these requirements.

Notarized:

  • Composer
  • Jamf Admin
  • Jamf Remote
  • Recon
  • Self Service
  • Jamf Connect Sync
  • Jamf Connect Verify

Not Notarized:

  • Jamf Imaging

See the Jamf Pro 10.11.0 and Jamf Pro 10.12.0 Release Notes under "App Notarization" for additional details about Jamf Pro apps and App Notarization.

Tom Koehler
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.