In this article we will run though the long history of Mac OS X, or macOS as it is now known. For an overview of the features of the various versions of the Mac operating system, showing how it. Worldwide just over three-quarters of desktop computers run some variant of Microsoft Windows, with Mac OS 10 a very distant second at just over 10% market share. Windows and Mac OS are very different operating systems in terms of their underlying code with modern versions of Windows-based on the Windows NT kernel and Mac OS instead based on UNIX. Roku has started rolling out its latest operating system, and it will give its HD streaming devices AirPlay 2 and HomeKit compatibility. When the company first introduced AirPlay 2 support for its. Since the introduction of Mac OS X 10.0 in 2001, Apple has been using a numerical OS versioning system based on 10.x, with 16 major releases between versions 10.0 and 10.15. Even when Apple transitioned from 'Mac OS X' to 'macOS' in 2016, the 10.x numbering system persisted. The Rolling Macaroni is Pennsylvania's premier food truck! Serving all types of Mac & Cheese, we are perfect for various festivals and parties.
-->There are two basic ways that you, as an administrator, can deploy the OneDrive sync app to Mac users in your organization:
Install and set up the OneDrive sync app by following the instructions in Sync files with OneDrive on macOS. To install the OneDrive sync app for Mac, a user has to be an administrator on the Mac or know an administrator account name and password.
Download the installer package file to your local network, and then use your software distribution tools to deploy the app to your users. By using a software distribution tool, you have more control over the deployment, including which users get the sync app and when. The OneDrive sync app for Mac uses the Apple Installer technology for installation allowing you to use the software distribution tools that you normally use to deploy software to Mac users. You can use Microsoft Intune. Other common tools are Jamf Pro, Munki, and AutoPkg. You can also use Apple Remote Desktop and AppleScript.
Manage OneDrive settings on macOS using property list (.plist) files
After the OneDrive sync app for Mac is installed, users can configure settings for the app. These settings are called preferences. As an administrator, you might want to provide users in your organization with a standard set of preferences. Preferences for the OneDrive sync app for Mac are stored in property list (.plist) files.
| Standalone | Mac App Store | |
|---|---|---|
| .plist location | ~/Library/Preferences/com.microsoft.OneDrive.plist | ~/Library/Containers/com.microsoft.OneDrive-mac/Data/Library/Preferences/com.microsoft.OneDrive-mac.plist |
| Domain | com.microsoft.OneDrive | com.microsoft.OneDrive-mac |
Configure sync app settings
Configure the settings on macOS as follows:
Quit the OneDrive app.
Define the settings you want to change by creating a .plist file with the values. You can also use a script to set the default values.
Deploy the settings onto the local computer.
Refresh the preferences cache.
On the next start of OneDrive, the new settings will be picked up.
Overview of settings
Use the following keys to preconfigure or change settings for your users. The keys are the same whether you run the standalone or Mac App Store edition of the sync app. However, the .plist file name and domain name will be different. When you apply the settings, ensure that you target the appropriate domain depending on the edition of the sync app.
List of settings
AllowTenantList
This setting prevents the users from uploading files to other organizations by specifying a list of allowed tenant IDs. If you enable this setting, the user gets an error if they attempt to add an account from an organization that isn't in the allowed tenants list. If the user has already added the account, the files stop syncing. This setting takes priority over Block syncing OneDrive accounts for specific organizations setting. Do NOT enable both settings at the same time.
The parameter for the AllowTenantList key is TenantID and its value is a string, which determines the tenants for whom the Allow Tenant setting is applicable. For the setting to be complete, this parameter also requires a boolean value to be set to it. If the boolean value is set to True, the tenant is allowed to sync.
The example for this setting in the .plist file is:
AllowTenantList
TenantId1
True
TenantId2
True
AutomaticUploadBandwidthPercentage
This setting enables the sync app to automatically set the amount of bandwidth that can be used for uploading files, based on available bandwidth.
To enable this setting, you must define a number between 1 and 99 that determines the percentage of bandwidth the sync app can use out of the total available bandwidth.
The example for this setting in the .plist file is:
AutomaticUploadBandwidthPercentage
(Bandwidth)
BlockExternalSync
This setting prevents the sync app from syncing libraries and folders shared from other organizations.
Set the setting's value to True, to prevent the users from syncing OneDrive, SharePoint libraries, and folders with organizations other than the user's own organization. Set the value to False or don't enable the setting to allow the OneDrive, and SharePoint files to be synced with other organizations also.
The example for this setting in the .plist file is:
BlockExternalSync
<(Bool)/>
BlockTenantList
This setting prevents the users from uploading files to organizations that are included in the blocked tenant IDs list.
If you enable this setting, the users get an error if they attempt to add an account from an organization that is blocked. If a user has already added an account for a blocked organization, the files stop syncing. This setting does NOT work if you have Allow syncing OneDrive accounts for only specific organizations setting enabled. Do NOT enable both settings at the same time.
Enable this setting by defining IDs for the TenantID parameter, which determines the tenants to whom the block tenant setting is applicable. Also set the boolean value to True for the ID of every tenant you want to prevent from syncing with the OneDrive and SharePoint files and folders.
Note: In the list, inclusion of the tenant ID alone doesn't suffice. It's mandatory to set the boolean value to True for the ID of each tenant who is to be blocked.
The example for this setting in the .plist file is:
BlockTenantList
TenantId1
True
TenantId2
True
DefaultFolderLocation
This setting specifies the default location of the OneDrive folder for each organization.
The parameters are TenantID and DefaultFolderPath.The TenantID value is a string that determines the tenants to whom the default folder location setting is applicable.The DefaultFolderPath value is a string that specifies the default location of the folder.
The following are the conditions governing the default folder location:-Mac app store: The path must already exist when the user is setting up the sync app.-Standalone: The path will be created (if it doesn't already exist) after the user sets up the sync app. Only with the Standalone sync app you can prevent users from changing the location.
The example for this setting in the .plist file is:
DefaultFolder
Path
(DefaultFolderPath)
TenantId
(TenantID)
DisableHydrationToast
This setting prevents toasts from appearing when applications cause file contents to be downloaded.
If you set the setting's value to True, toasts do not appear when applications trigger the download of file contents.
The example for this setting in the .plist file is:
DisableHydrationToast
<(Bool)/>
DisablePersonalSync
This setting blocks user from signing in and syncing files in personal OneDrive accounts. If this setting has been configured after a user has set up sync with a personal account, the user gets signed out.
If you set the setting's value to True, the users are prevented from adding or syncing personal accounts.
The example for this setting in the .plist file is:
DisablePersonalSync
<(Bool)/>
DisableTutorial
This setting prevents the tutorial from being shown to the users after they set up OneDrive.
If you set this setting's value to True, the tutorial is blocked from being shown to the users after they set up the OneDrive.
The example for this setting in the .plist file is:
DisableTutorial
<(Bool)/>
DownloadBandwidthLimited
This setting sets the maximum download throughput rate in kilobytes (KB)/sec for computers running the OneDrive sync app.
Set this setting's value to an integer between 50 KB/sec and the maximum rate is 100,000 KB/sec that determines the download throughput in KB/sec that the sync app can use.
The example for this setting in the .plist file is:
DownloadBandwidthLimited
(Download Throughput Rate in KB/sec)
FilesOnDemandEnabled
This setting specifies whether Files On-Demand is enabled.
Important
We recommend keeping Files On-Demand enabled. See all our recommendations for configuring the sync app
If you don't set this setting, Files On-Demand will be enabled automatically as we roll out the feature, and users can turn the setting on or off.
If you set this setting to True, FilesOnDemand is enabled and the users who set up the sync app can view the online-only files, by default.
If you set this setting to False, FilesOnDemand is disabled and the users won't be able to turn it on.
The example for this setting in the .plist file is:
FilesOnDemandEnabled
<(Bool)/>
HideDockIcon
This setting specifies whether a dock icon for OneDrive is shown.
If you set this setting's value to True, the OneDrive dock icon is hidden even if the app is running.
The example for this setting in the .plist file is:
HideDockIcon
<(Bool)/>
HydrationDisallowedApps
This setting prevents apps from automatically downloading online-only files. You can use this setting to lock down apps that don't work correctly with your deployment of Files On-Demand.
To enable this setting, you must define a string in JSON format as described below:[{'ApplicationId':'appId','MaxBundleVersion':'1.1','MaxBuildVersion':'1.0'}]
'appID' can be either the BSD process name or the bundle display name. 'MaxBuildVersion' denotes the maximum build version of the app that will be blocked. 'MaxBundleVersion' denotes the maximum bundle version of the app that will be blocked.
The example for this setting in the .plist file is:
HydrationDisallowedApps
[{'ApplicationId':'appId','MaxBundleVersion':'1.1','MaxBuildVersion':'1.0'}, {'ApplicationId':'appId2','MaxBundleVersion':'3.2','MaxBuildVersion':'2.0'}]
<(Bool)/>
OpenAtLogin
This setting specifies whether OneDrive starts automatically when the user logs in.
If you set this setting's value to True, OneDrive starts automatically when the user logs in on Mac.
The example for this setting in the .plist file is:
OpenAtLogin
<(Bool)/>
SharePointOnPremFrontDoorUrl
This setting specifies the SharePoint Server 2019 on-premises URL that the OneDrive sync app must try to authenticate and sync against.
To enable this setting, you must define a string containing the URL of the on-premises SharePoint Server.
The example for this setting in the .plist file is:
SharePointOnPremFrontDoorUrl https://Contoso.SharePoint.com
SharePointOnPremPrioritizationPolicy
This setting determines whether or not the client should set up sync for SharePoint Server or SharePoint in Microsoft 365 first during the first-run scenario when the email is the same for both SharePoint Server on-premises and SharePoint in Microsoft 365 in a hybrid scenario.
If you set this setting's value to 1, it is an indication that OneDrive should set up SharePoint Server on-premises first, followed by SharePoint in Microsoft 365.
The example for this setting in the .plist file is:
SharePointOnPremPrioritizationPolicy
(0 or 1)
SharePointOnPremTenantName
This setting enables you to specify the name of the folder created for syncing the SharePoint Server 2019 files specified in the Front Door URL.
If this setting is enabled, you can specify a TenantName that is the name the folder will use in the following convention:
OneDrive – TenantName (specified by you)
TenantName (specified by you)
If you do not specify any TenantName, the folder will use the first segment of the FrontDoorURL as its name. For example, https://Contoso.SharePoint.com will use Contoso as the Tenant Name in the following convention:
OneDrive – Contoso
Contoso
The example for this setting in the .plist file is:
SharePointOnPremTenantName
Contoso
Tier
You can configure the OneDrive Standalone sync app to receive delayed updates. Blacklight mac os.
| .plist Location | Domain |
|---|---|
| ~/Library/Preferences/com.microsoft.OneDriveUpdater.plist | com.microsoft.OneDriveUpdater |
| Setting | Description | Parameters | Example .plist Entry |
|---|---|---|---|
| Tier | Defines the update ring for the computer | UpdateRing (String): This parameter has two different values. Production - The default update ring for OneDrive updates. Insiders - This update ring receives updates that are 'pre-production' and that allow you to play with features before they are released. Note that builds from this ring may be less stable. Enterprise - This update ring (now called 'Deferred') receives updates after they have been rolled out through the Production ring. It also lets you control the deployment of updates. For more information about the update rings and the procedure used by the sync app for checking for updates, see The OneDrive sync app update process. | Tier (UpdateRing) |
We Are Rolling Mac Os Download
Important
We recommend selecting several people in your IT department as early adopters to join the Insiders ring and receive features early. We recommend leaving everyone else in the organization in the default Production ring to ensure they receive bug fixes and new features in a timely fashion. See all our recommendations for configuring the sync app
UploadBandwidthLimited
This setting defines the maximum upload throughput rate in KB/sec for computers running the OneDrive sync app.
To enable this setting, set a value between 50 and 100,000 that is the upload throughput rate the sync app can use.
The example for this setting in the .plist file is:
UploadBandwidthLimited
(Upload Throughput Rate in KB/sec)
Earlier this month, researchers from AlienVault and Intego reported a new malware attack targeting Tibetan NGOs (Non-Governmental Organizations). The attack consisted of luring the victim into visiting a malicious website, which then would drop a malicious payload on the target's computer using Java vulnerability CVE-2011-3544 and execute it. The webserver would serve a platform-specific JAR
Earlier this month, researchers from AlienVault and Intego reported a new malware attack targeting Tibetan NGOs (Non-Governmental Organizations). The attack consisted of luring the victim into visiting a malicious website, which then would drop a malicious payload on the target's computer using Java vulnerability CVE-2011-3544 and execute it. The webserver would serve a platform-specific JAR (Java Archive) dropper based on the browser's UserAgent String to infect the user's Windows or OS X system.
The OS X-specific dropper is also served to Linux clients. Since the dropped payload is designed for OS X only, Linux clients will not be infected.
This analysis is focused on the OS X payload and the network protocol it used to communicate with its Command and Control (C&C) server.
OS X uses the Mach-O file format for its executable files. For OSX/Lamadai.A, the Mach-O executable was compiled for 64-bit only, which is unusual since Mach-O binaries normally contain both the 32-bit and 64-bit versions of the executable.
Upon execution, the threat copies itself to /Library/Audio/Plug-Ins/AudioServer and adds a launcher script named ~/Library/LaunchAgents /com.apple.DockActions.plist pointing to the copied file to ensure it is executed whenever the current user logs in.
Note that by default, on OS X 10.7.2, regular users do not have write permissions to /Library/Audio/Plug-Ins/AudioServer, meaning this threat is not persistent (i.e. it won't survive a reboot). We are unsure if older versions of OS X have different filesystem permissions. Nonetheless, using another location under the user's home directory would have worked better for the attacker.
Afterwards, the threat will try to contact its C&C server by resolving dns.assyra.com (100.42.217.73 at the time of analysis, the domain now points to 127.0.0.1) and establishing a TCP connection to port 8008. The server will respond with a TCP RST unless it has some instructions to communicate. The infected system then falls into a busy wait loop, trying to reconnect at random intervals ranging from 0 to 10 seconds.
The server may issue one of the three following instructions to the infected system:
Upload a file: the C&C sends the path to upload, the client responds with the file content;
Download a file: the C&C sends the file path and content, the client creates the file with permissions set to 777 (-rwxrwxrwx);
Start a remote shell: the C&C sends an arbitrary shell command, the client responds with the output.
All communications between the client and the C&C are encrypted with AES and XOR. The crypto seems to be performed with a slightly modified implementation of AES and SHA1 from the PolarSSL library. The AES keys are generated from the first forty (40) bytes coming from the C&C. While the keys are constant during the entire communication, two different hardcoded XOR keys are used, one for incoming traffic and one for outgoing traffic.
Furthermore, the malware will not act upon any instruction unless the first packet received from the C&C matches a hardcoded key 16 bytes long, as seen in the picture below. The client will also add that key to the first response it will send to the C&C.
We Are Rolling Mac Os Catalina
Finally, a custom SHA1-based hash is appended to every information packet going to and from the C&C for authentication and integrity checking purposes:
hash = SHA1(key1 + sha1(key2 + encrypted_packet_content + packet_number))where key1 and key2 are two 64-byte strings derived from the first XOR key
During our investigation, we observed a live dialog between the C&C and our test machine. The timing and nature of the instructions received from the C&C lead us to believe that they were being manually typed by a human. Here are a few interesting pieces:
After some filesystem browsing, the C&C issued two File Upload instructions targeting one Keychain file and the Safari's cookies store. The purpose here clearly is information stealing.
A lot of effort has been put into the network protocol, which is quite involved. The operators seemed to have a real interest in hiding the raw communication from a network dump so as to make reverse engineering more difficult. However, the use of symmetric cryptography makes it so that it is totally possible to reproduce the encryption and decryption routines and analyze the communication on-the-fly.
This attack is another reminder to stay current with OS patches as Apple patched this vulnerability in Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update in November 2011.
ESET security software (including ESET Cybersecurity for Mac) since signature update 7001 detects this threat as OSX/Lamadai.A. Some AV vendors flagged the file as OSX/Olyx, a previous Mac malware. We did not find any relation between the two threats, the network protocol and obfuscation techniques being different.
MD5 of the files analyzed:
39084b60790ca3fdebe1cd93a4764819 file-mac.tmp (OSX payload)
MD5 of related files
7f7cbc62c56aec9cb351b6c1b1926265 file-win.tmp (Win32 payload)
dd7421fb6ca03c5752a06cffb996285a index.jar (OSX/Linux dropper)
2d86dce83851f76493ba0492d066c095 default.jar (Win32 dropper)
4b6eb782f9d508bbe0e7cfbae1346a43 index.html (HTML serving the droppers)
Thanks to Marc-Étienne M. Léveillé who performed the technical analysis.
Alexis Dorais-Joncas
Discussion
