macOS 14 Sonoma | Toughening up macOS for the Enterprise?

At WWDC23 this week, Apple made some big announcements across its product lines and maintained its annual ritual of upgrading macOS, now to version 14 and tagged as macOS Sonoma. At SentinelOne, we’re already busy testing the new operating system and preparing for macOS 14 support.

With Apple’s mixed AR/VR kit Vision Pro predictably grabbing most of the headlines, the latest developments in macOS might have seemed a little underwhelming. However, our early look at the Sonoma beta suggests Apple has given the operating system and supporting services some much-needed attention that should be welcome news to enterprise users.

Here’s a quick round-up of what’s new in the early preview released this week.

Sonoma Specs | macOS 14 Hardware Requirements

Apple continues its migration away from Intel architecture with macOS Sonoma dropping support for another year’s worth of hardware. Last year, Ventura dropped support for models earlier than 2017. This year, with the exception of the iMac 2017, Sonoma requires a Mac manufactured in or after 2018.

Notably, Sonoma drops support for the 2017 line of Intel MacBook Pros and iMacs. The ill-fated MacBook, first introduced in 2015 and not updated since 2017, is now entirely cut off from further macOS upgrades.

As for the rest of the Intel line, last updated in 2019, it’s not unimaginable that Sonoma could be the end of the line. Certainly, support for Intel Macs is unlikely to extend beyond next year’s macOS 15 as the company completes its ARM64 transition.

Safari Profiles | Apple Taking Work Seriously

In Safari 17, users can now take advantage of Profiles to help maintain that work-life separation, something that is increasingly important as more organizations move towards allowing hybrid use of “mobile” devices – think laptops not just smartphones – in the workplace.

Users can make as many Profiles as they wish – work, education, social, hobbies – and each gets its own bookmarks, favorites, history, cookies, and extensions. Identification of which profile you’re in is accomplished by a simple dropdown menu in the toolbar.

Video Conferencing | Zoom In on the Details

The pandemic unarguably changed the nature of work with video conferencing software suddenly becoming a necessity for pretty much everybody in the enterprise. Recognizing the centrality of video conferencing software to people’s workday, Sonoma introduces some enhancements that will work across third party apps. These include “Presenter Overlay” that allows the speaker to move independently of a display of their screen, allowing them to highlight different details.

Image: Sonoma video conferencing (Source: Apple)

The newly-introduced screen sharing picker will also ease fears about sharing unwanted details inadvertently. Instead of having to pick an entire display to share to the audience, Sonoma will allow the user to pick just the view from a particular app, multiple apps or an entire screen.

Passwords and Passkeys | Making Theft Harder, Sharing Simpler

Apple had previously announced Passkeys in Ventura as a long-term solution and replacement for passwords, but in Sonoma there’s a new emphasis on using passkeys in the workplace to help protect against cyber attacks from vectors such as phishing, credential theft and 2FA bypasses.

With Sonoma, passkeys are now supported across Managed Apple IDs. Moreover, admins can now control which devices users can sign in with and ensure that passkeys stay on work devices only.

Users can also create groups for passwords and passkeys such that they can be shared securely with others in the group. While this is touted primarily as a “family and friends” feature, it also has obvious benefits for small teams that need to share credentials for some common resources.

Safari 17 | Create a Web App from Any Webpage

In Sonoma, Safari adds the ability for users to create a web app from any web page simply by browsing to the site and choosing ‘Add to Dock’ from Safari’s File menu.

The web app isn’t just a short link to open the site in the browser – it’s a completely browser-independent application. Internal links will open within the web app, though this and some other ways the web app behaves can be customized by web site devs. By default, users should remain logged in to any accounts associated with the site, but there are some gotchas for devs to look out for. More information can be found here, but web apps could be a great feature for enterprises that want to provide a unique experience for either employees or customers.

For Mac Admins | Declarative Device Management

Away from the user interface, Apple is making improvements to the way IT admins manage their fleet of Macs with further development of “DDM” – Declarative Device Management. DDM works with the existing MDM (Mobile Device Management) but is ultimately intended to replace it. DDM brings greater support for enforcing software updates, managing applications and securing devices through task monitoring and lockdown of system services. More information about DDM can be found in the WWDC session here.

Security and Privacy | Application Data Protection

macOS Sonoma brings some under-the-hood changes to data security which we will be keenly testing over the beta period. Among these are new restrictions designed to protect application data that can be stolen by malware, such as session cookies and other sensitive files like databases from messaging apps (e.g., Telegram, Signal, WhatsApp and others).

Up to now, sandboxing has been a one-way affair – sandboxed apps are prevented from reaching out to access data elsewhere, but there’s nothing to stop unsandboxed apps from reaching in to grab data held in a sandboxed app’s container.

macOS 14 Sonoma requires user consent before any application can access data in a data container from a different developer. This protection only applies to apps that are sandboxed, so any unsandboxed app is still wide open for data theft from other unsandboxed applications or processes. Given that this entire process is an extension of Apple’s much-troubled TCC controls, we’ll be keeping a close eye on how this develops.
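Because the consent prompt described above covers only sandboxed apps, a fleet audit can start by sorting apps on their App Sandbox entitlement. The following is an added example, not code from the original article or from SentinelOne: the app names and entitlement blobs are constructed, and on a Mac the XML would come from `codesign -d --entitlements - --xml <app path>`.

```python
import plistlib
from xml.parsers.expat import ExpatError

SANDBOX_KEY = "com.apple.security.app-sandbox"  # App Sandbox entitlement key


def _plist(body: str) -> bytes:
    """Wrap <key>/<value> pairs in a minimal XML property list."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()


# Constructed entitlement blobs for hypothetical apps (not real products).
SAMPLES = {
    "ExampleChat.app": _plist(
        f"<key>{SANDBOX_KEY}</key><true/>"
        "<key>com.apple.security.network.client</key><true/>"),
    "ExampleMessenger.app": _plist(
        "<key>com.apple.security.cs.allow-jit</key><true/>"),
    "ExampleTool.app": b"",  # signed without entitlements, or unsigned
}


def is_sandboxed(entitlements_xml: bytes) -> bool:
    """True only when the entitlements set app-sandbox to boolean true."""
    data = entitlements_xml.strip()
    if not data:
        return False  # no entitlements means no sandbox
    try:
        ent = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return False  # unparseable blob: treat as unprotected
    return isinstance(ent, dict) and ent.get(SANDBOX_KEY) is True


def audit(apps: dict) -> dict:
    """Map each app to whether its data container is consent-gated."""
    return {name: "consent-gated" if is_sandboxed(xml) else "unprotected"
            for name, xml in apps.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:24} {verdict}")
```
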

Meanwhile, Apple has also extended privacy protections in Safari 17’s Private Browsing mode, offering additional privacy by discarding history of visited pages, searches and AutoFill information when the private tab is closed – you’d be forgiven for thinking that it should have already been doing that. Alongside that, Safari in Sonoma now prevents known tracking and fingerprinting resources from being loaded during private browsing.

Finally, Apple announced a much-welcome improvement in App Extension privacy. Browser extensions can now be managed with more granularity, with users able to choose which webpages an extension can access on a per-site basis rather than having to grant wholesale access to every site or none at all.

SentinelOne Support for macOS Sonoma

Our dedicated Mac development team is already busy working on support for macOS 14 Sonoma. We will be announcing the release of Agent version 23.1 GA in the coming weeks for customers who wish to test Apple’s beta versions of Sonoma.

As always, we will officially support the new version of macOS after final testing of the public release later this year. In line with Apple’s own guidelines, SentinelOne recommends that users not test beta software in a production environment as beta versions can be unstable from one version to another.

Conclusion | “So That’s Sonoma”

Integration has been a theme of macOS development for some years now – making Macs work more seamlessly with iOS and other elements of Apple’s ecosystem – and much of that focus has been related to the idea of Macs being used in the home and for entertainment purposes. While Apple has a long history of marketing its line of computers to both enterprise and educational audiences, support for features that such users typically need hasn’t always been top of mind.

With Sonoma, Apple has paid some much-needed attention to the fact that Macs are widely used in workplace and educational settings as well as for personal use. If Sonoma doesn’t bring any headline-grabbing changes to “wow” new users, it nevertheless does a lot of good work around the edges and between the cracks to firm up the operating system as fit for use in professional settings.

From shared passkeys and smarter video conferencing to web apps and better device management, macOS Sonoma suggests Apple has understood and reacted to its ever-increasing presence in the workplace. We look forward to testing Sonoma as it develops over the summer and we’ll be back with our final verdict when the public release drops later in 2023.