Introducing LockRattler
In 2016, some brand new MacBook Pros shipped to users with one of the key parts of their
security protection – System Integrity Protection, or SIP – turned off. It wasn’t until they
were updated to macOS Sierra 10.12.2 some weeks later that this was turned back on, and
they benefitted from the protection from malware that they require.
When I first heard about this, it occurred to me that users cannot easily check whether any of
the powerful protection systems built into macOS have become disabled, or their protection
data files (which are normally updated silently by Apple) had become out of date.
LockRattler lets you check these most important and otherwise hidden features in macOS
without having to type magical incantations into Terminal. I hope that it will provide you
with assurance, or at least will enable you to fix a problem before any malware does.
Getting started
LockRattler comes compressed as a Zip file, which you should decompress, and move the
app to your preferred folder, such as /Applications. It is not fussy where it is run from,
though.
LockRattler is now not just properly signed, but is also notarized. If the app doesn’t open
correctly when you first try to run it, please contact me immediately.
Although LockRattler accesses important information in your Mac, it doesn’t need to access
any from the special areas protected by the privacy system in Mojave and later. You don’t
need to give it any special access rights in the Security & Privacy pane. If you’re unsure
what settings to use, look at the explanation in the Privacy settings command in the Help
menu.
To run the app, simply double-click it, or open it in any of the other normal ways. It then
displays its only window. When you close that window, LockRattler automatically quits.
When that window first opens, it runs all its tests except two, Software update and
Firmware password, and doesn’t perform any of the three checks for updates available
lower down.
To complete the Software update test, click on the Check status button and then
authenticate as an admin user. To complete the Firmware password test, click on the Check
pwd button and then authenticate as an admin user (not available for Apple silicon Macs).
LockRattler 4.37 for macOS High Sierra to Ventura
Manual
Howard Oakley https://eclecticlight.co
LockRattler has to obtain your authentication in order to check the software update and
firmware password status. It does not access any of your user files, or change anything on
your Mac, and if you’d rather not authenticate, don’t click on any of those buttons.
You might already know that some or all of your security data files are up to date, but at this
stage it may be helpful to check them against what is supposed to be current. Apple doesn’t
provide that information, but if you click on the Check blog button, a basic browser window
will open and connect to one of four special pages on the Eclectic Light Company blog.
These display the current versions of XProtect, Gatekeeper, KEXT block, MRT and TCC data
files, and the latest applicable security update for the version of macOS which your Mac is
running. You can then compare those against the versions listed in the LockRattler window.
After you have run LockRattler for the first time on any given Mac, it stores all the results
apart from those obtained after authentication in its preference file. When you run the app
again, or click on its Refresh button, LockRattler compares the latest results with the
previous ones. Those which have changed are displayed using red text, to make it easier to
notice any changes. The results which can be shown in red are made clear in the screenshot
below.
To check whether your Mac has the latest firmware installed, use the Firmware versions
command in the Help menu. This will open the article on the Eclectic Light Company blog
which lists current firmware versions for different models. Once again, Apple doesn’t provide
an official listing, but I maintain that article as well as I can.
Checking for updates
Each of the four buttons to check for updates does something significantly different:
• Trigger background check tells macOS to check in the background for security and
other urgent software updates only.
• List all pending updates asks Apple’s servers what updates of all kinds, including
‘silent’ security updates, are currently available for your Mac.
• Install all pending updates asks Apple’s servers to provide your Mac with all pending
updates, including ‘silent’ security updates, and to install them immediately.
• Install update named: asks Apple’s servers to provide your Mac with only the update
package which you have named in the adjacent box, and to install it immediately.
In each case, the results are written into the large scrolling text box to the right of the upper
three buttons.
When you click on the Trigger background check button, LockRattler runs the following
command:
sudo softwareupdate --background-critical
This first requires you to authenticate as an admin user in order to run. It then instructs your
Mac to perform a check for security and other critical software updates in the background. If
it finds any such updates available for your Mac, they will be silently downloaded and
installed over the next few minutes.
If you have turned off automatic checks for software updates, this may not work.
This action is most suitable if you don’t want to install any other updates, only security
and other critical software updates, but doesn’t force them to be downloaded and installed
immediately.
When you click on the List all pending updates button, LockRattler runs the following
command:
softwareupdate -l --include-config-data
or, in El Capitan,
softwareupdate -l
This shouldn’t require you to authenticate, and asks Apple’s servers to provide a list of any
and all outstanding software updates, including ‘silent’ security updates, available for your
Mac. It doesn’t attempt to download or install any of them, but simply lists all those available
in the scrolling text box. This should work even when automatic updates are disabled.
This action is most suitable when you just want to see which updates are available, but
don’t want to install them yet. It is also ideal when you just want to install one or two
packages: obtain the list of pending updates, select one which you wish to install, copy it, and
paste that text into the box next to the Install update named: button.
When you click on the Install all pending updates button, LockRattler runs the following
command:
softwareupdate -ia --include-config-data
or, in El Capitan,
sudo softwareupdate -ia
This tries to connect to Apple’s servers, and discover whether there are any outstanding
software updates for your Mac. If there are, they will then be automatically downloaded and
installed for you. The text box displays the result from that command in full.
This automatically installs all updates including ‘silent’ security updates, whether you
want them or not. When large updates are available, it may take several hours to complete,
during which LockRattler will display a ‘busy spinner’ to indicate that it is still busy. You
may wish to list pending updates first to see what is available.
This action is most suitable if you want to have all updates installed immediately, and
saves you from having to open the App Store app to download and install them.
When you click on the Install update named: button, LockRattler runs the following
command:
softwareupdate -i --include-config-data updatepackage
or, in El Capitan,
sudo softwareupdate -i updatepackage
where updatepackage is the valid name of an available update package. This tries to
connect to Apple’s servers, and download and install the named package for you. The text
box displays the result from that command in full.
This automatically installs only the named package. If that is very large, it may take
several hours to complete, during which LockRattler will display a ‘busy spinner’ pointer to
indicate that it is still busy.
This action is most suitable if you don’t want to install all the updates which are
available. It’s best to list those available using the List all pending updates button first, to
select and copy the package name from that listing, and to paste it into the text box before
clicking the button. If the text box is empty, clicking on this button does nothing.
By default, LockRattler automatically installs all the updates it downloads. If you want to
download updates but not install them immediately, you can now change that, as detailed
next.
By default, LockRattler both downloads and installs updates. There are occasions when you
may prefer only to download updates for the time being, and decide whether to install them
later. For example, a bug in MRT version 1.68 caused problems on many Macs. If you wish
to be cautious, you could just download future updates to MRT then, after a couple of days, if
the latest update appears to be problem-free, you could install it.
To disable automatic installation, select the Install Updates command in the LockRattler
menu. It will then become unticked and show the words Download Updates. Select that
again to turn automatic installation back on.
To remind you that updates are only being downloaded, when installation is disabled a
warning triangle is displayed in LockRattler’s window, and buttons which normally read
Install … are changed to read Download … instead.
Downloaded updates are saved in the /Library/Updates folder, which is automatically opened
for you when downloading is complete. Apple’s documentation (from 2012) warns that those
Installer packages “are not designed to be installed by double-clicking the packages in that
directory: always use [softwareupdate] --install or the App Store to actually perform the
install.” However, in Mojave and later that doesn’t appear necessary. Downloading can also
result in spurious errors being reported when the update is in fact perfectly good.
Click on the Save as text button to save the results out to a text file. There is an example
provided at the end of this manual. Note that the time given at the end of that file, and used in
the default name of that file too, is that at which the last set of data were obtained by
LockRattler, i.e. when the window opened or was last refreshed, whichever is the later.
When you’re finished, closing LockRattler’s single window will also quit the app.
LockRattler runs a total of fifteen tests, each of which is reported in a separate section in its
window. You can run them as often as you like, and if you leave the window open, clicking
on the Check button will run all the tests again.
When run on High Sierra systems, the TCC version doesn’t appear, as this is only (very)
important in Mojave and later.
When run on Catalina or later, the Gatekeeper Disk version is renamed GKE to reflect its
changed role. XProtect version gives two numbers, the first for its normal checks, and the
second for its new Remediator features.
On Intel Macs which are running Big Sur and later, this also reports whether the current
System volume is sealed. If it isn’t, and you haven’t deliberately unsealed it, you should
reinstall Big Sur to enable it again. SSV is checked using the shell command
csrutil authenticated-root status
To check whether FileVault (disk encryption) is turned on, it runs the shell command
fdesetup status
This is an option which you control in the Security & Privacy pane of System Preferences.
To check firmware, it runs the shell command
system_profiler SPHardwareDataType
These return the same version which is shown in System Information. For Intel Macs, the
upper result box shows the version number for the EFI firmware, and the lower gives the
iBridge version number for models with a T2 chip. On Apple Silicon Macs, the upper result
box gives the iBoot version, which is effectively its firmware. Any errors are reported in the
scrolling textbox below.
Firmware is now only updated as part of an Apple macOS upgrade or update, and performed
within that installer. Apple doesn’t provide separate copies of firmware which you can install
yourself outside of a system update.
To check whether Software Update is set to Automatic, it runs the shell command
sudo softwareupdate --schedule
with root privileges, which is why you are prompted to enter your admin password.
This is an option which you control in Software Update in System Preferences or System
Settings.
To check whether the firmware password has been set, it runs the shell command
sudo firmwarepasswd -check
with root privileges, which is why you are prompted to enter your admin password.
This is an option which is normally managed in the Firmware Password Utility in Recovery
mode, but can also be managed in Terminal’s command line.
Firmware passwords are not available in Apple Silicon Macs, where this box is used to
report Platform Security instead. A summary is shown here, with itemised settings in the
lower scrolling text view. These are obtained using the shell command
system_profiler SPiBridgeDataType
To check the firmware version of any connected Apple Studio Displays, it runs the shell
command
system_profiler SPDisplaysDataType
The result shown gives the version and build number of the firmware in the first Studio
display it detects.
The other seven checks are of the current versions of the data files used by macOS security
protection systems. Apple pushes out silent updates to these, but if you have recently applied
a Combo update or your Mac has been away from an Internet connection for some time, your
data files may not be up to date.
When you click on the Check blog button at the far right of the window, LockRattler opens a
browser window, and displays one of three special pages on the Eclectic Light Company blog
which list the current versions of those security data files. It determines which version of
macOS your Mac is running in order to fetch the correct page for that Mac. You can then
check the version numbers listed there against those found.
Apple doesn’t maintain a list of current version numbers. I maintain the lists used by
LockRattler myself, and there will be a short delay in updating them when Apple releases
each new security update.
I also maintain fuller lists of the current versions of those, related files and EFI firmware
versions on my blog at https://eclecticlight.co which provide additional information. Direct
links are embedded in LockRattler’s Help book, which is accessed through the Help menu.
Also in that menu is the command Browse updates, which opens a list of software updates
available from the Eclectic Light Company blog.
To view the Eclectic Light Company listing of current firmware version numbers, use the
Firmware versions command in the Help menu, which will open the correct article in my
blog.
In addition to those basic tests, LockRattler obtains seven useful pieces of information about
the updates which have been installed. These are obtained from the record of software
installations and updates in /Library/Receipts/InstallHistory.plist.
• Next to the XProtect version, it gives the date and time of the last XProtect update, and
the version number for that. That should match the actual version number given. In
10.15 and later, that will be the more recent of the regular and Remediator updates.
• Next to the Gatekeeper version, it gives similar information for Gatekeeper’s data
files, which should match the actual version number given.
• Next to the KEXT block version, it gives similar information for that extension. This
may not match the version number given to the left, as on at least two occasions, Apple
has updated this as part of a security or system software update.
• Next to the MRT version, it gives similar information for MRT, which should match
the actual version number given.
• Next to the TCC version, it gives similar information for TCC, which should match the
actual version number given.
• Below Software update, it gives the date and time of the last macOS update installed,
and its official name.
• Below that, it gives the date and time of the last Security Update installed, and its
official name. If there has been no Security Update installed since the last macOS
update, LockRattler now reports that as No security update installed.
Dates and times given for software updates are stated in UTC, not local time, for
consistency no matter where you are. Similarly, results given for tests are exactly those
supplied by macOS, and are not interpreted or altered in any way.
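The lookups described above can be reproduced with a short script. This is an added example, not LockRattler's own code: it reads records in the layout of /Library/Receipts/InstallHistory.plist, reports the last update recorded for each data file in UTC, and compares it with the version actually found. The sample records are constructed, and the displayName values and the "macOS" / "Security Update" name prefixes used for matching are assumptions.

```python
import plistlib
from datetime import datetime, timezone

# Assumed displayName values for the silently updated data files.
DATA_FILES = {
    "XProtect": "XProtectPlistConfigData",
    "MRT": "MRTConfigData",
    "Gatekeeper": "Gatekeeper Configuration Data",
}

def make_entry(when, name, version):
    """Build one constructed history record (package identifier is a placeholder)."""
    return {"date": when, "displayName": name, "displayVersion": version,
            "packageIdentifiers": ["com.example.placeholder"],
            "processName": "softwareupdated"}

# Constructed sample data, not taken from a real Mac. On a Mac, read the bytes
# of /Library/Receipts/InstallHistory.plist instead.
SAMPLE = plistlib.dumps([
    make_entry(datetime(2019, 7, 23, 8, 15, 2), "macOS 10.14.6 Update", ""),
    make_entry(datetime(2019, 9, 3, 17, 1, 40), "XProtectPlistConfigData", "2105"),
    make_entry(datetime(2019, 9, 27, 6, 30, 11), "Security Update 2019-005", "10.14.6"),
    make_entry(datetime(2019, 10, 2, 21, 44, 9), "MRTConfigData", "1.50"),
    make_entry(datetime(2019, 10, 9, 19, 2, 55), "XProtectPlistConfigData", "2106"),
])

def load_history(raw):
    """Parse the plist; keep only dict records with a real date, oldest first."""
    records = [r for r in plistlib.loads(raw)
               if isinstance(r, dict) and isinstance(r.get("date"), datetime)]
    return sorted(records, key=lambda r: r["date"])

def utc_stamp(record):
    """plistlib returns naive datetimes that are already UTC; label them so."""
    when = record["date"].replace(tzinfo=timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S +0000")

def last_matching(records, wanted):
    """Return the newest record for which wanted(displayName) is true, or None."""
    hits = [r for r in records if wanted(str(r.get("displayName", "")))]
    return hits[-1] if hits else None

def data_file_report(records, installed):
    """Map each data file to (UTC stamp, recorded version, matches installed).

    installed holds the versions actually found on disk, e.g. {"MRT": "1.50"}.
    A mismatch means the history and the installed bundle disagree.
    """
    report = {}
    for label, name in DATA_FILES.items():
        last = last_matching(records, lambda n, name=name: n == name)
        if last is None:
            report[label] = (None, None, False)
            continue
        recorded = str(last.get("displayVersion", ""))
        report[label] = (utc_stamp(last), recorded,
                         recorded == installed.get(label))
    return report

def security_update_status(records):
    """Name the last macOS update and the last Security Update installed after it."""
    last_os = last_matching(records, lambda n: n.startswith("macOS"))
    # Only Security Updates newer than the last macOS update count.
    newer = [r for r in records
             if last_os is None or r["date"] > last_os["date"]]
    last_sec = last_matching(newer, lambda n: n.startswith("Security Update"))
    os_name = last_os["displayName"] if last_os else None
    sec_name = last_sec["displayName"] if last_sec else "No security update installed"
    return os_name, sec_name

if __name__ == "__main__":
    history = load_history(SAMPLE)
    found = {"XProtect": "2106", "MRT": "1.49"}  # constructed "actual" versions
    for label, row in data_file_report(history, found).items():
        print(label, row)
    print(security_update_status(history))
```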
Whenever you open LockRattler, it may check to see if an update to the app is available. This
doesn’t use the popular Sparkle mechanism for updating in place, but works as detailed here.
Once the app has successfully completed its integrity check, it looks at whether update
checking has been turned off in its preferences file. If it has, it abandons any attempt to
check for updates. If checking is allowed, it then checks when it last checked for updates. If
that was more than 12 hours ago, it continues to perform the check. It then connects to my
GitHub server, from where it downloads a list of current versions of my apps. It doesn’t
upload any data to the GitHub server at all, and no statistics beyond GitHub’s normal
connection figures are collected either: no personal identifiers are recorded.
If there is an update available, LockRattler then checks that its location is on this WordPress
blog, and posts a dialog which invites you to download the update.
If you click on the Download button, it then points your default browser at that update,
which should trigger the update to be downloaded to your normal downloads folder. The
update is received as a regular Zip archive, and is exactly the same as you would download
from the Downloads page on my blog. It also carries a quarantine flag, so that when you
unZip it and install the app inside, it undergoes normal first run ‘Gatekeeper’ security checks.
If you click on the Ignore button, LockRattler won’t remind you about it again for another 12
hours.
An additional item at the end of the Help menu explains the update status. If no update check
is performed, or the check fails, the last item reads Update not checked. If the check is
performed and update information is obtained, even when no update is available or you
decline to download it, that menu item reads Checked for update and is ticked (but still
disabled).
You can customise this behaviour by changing LockRattler’s preferences. The keys to use
are:
• noUpdateCheck, a Boolean. When set to true, this disables all update checking.
Default is false.
• updateCheckInt, a real number (Double). When set to a value greater than 1.0, this is the
minimum time interval between checks, in seconds. Default is 43200, which is 12
hours. If you set it to any value less than 1, LockRattler will reset it automatically to
that default.
Support
Additional information and support are available from the LockRattler Support command
in the Help menu. This opens the app’s product page in your default browser, providing
useful information about updates and a link to the support page on which you can post
comments and questions.
Log file private data: not saved in log
FileVault is Off.
Firmware password: Password Enabled: No
Software update: Automatic check is on.
Checked by LockRattler 4.25 at: 2019-10-13 10:41:36 +0000
Change List
4.37 release:
• removed eficheck, as it’s now moribund or broken.
4.36 release:
• High Sierra and later only
• fixed issue with SIP reporting
• updated links etc. for Ventura.
4.35 release:
• added support for XProtect Remediator checking in macOS 10.15 and later.
4.34 release:
• added support for Ventura.
4.33 release:
• removed check for log privacy, as this mechanism is no longer used
• added (as the replacement) support for checking the firmware of the first connected
Apple Studio Display.
4.32 release:
• fixed a bug which could lead to incorrect SSV reporting on M1 Macs (thanks to Jim
for reporting that)
• addressed issues with M1 Platform Security reporting in non-English languages.
4.31 release:
• added support for Monterey
• improved detection of system updates for later versions of macOS.
4.30 release:
• added support for Apple Silicon Mac Platform Security
• added support for checking the SSV in Big Sur.
4.29 release:
• reworked logic catering for T2 and Apple Silicon models
• minor tweaks to Help menu, new page for firmware updates for 11.0.
4.28 release:
• added reporting of Apple Silicon firmware version (iBoot) and changed title.
4.27 release:
• added option for downloads only.
4.26 release:
• final tweaks for Big Sur
• Universal App.
4.25 release:
• fixed (at last, I hope) problems with updating bundle versions after installing updates.
• added support for Big Sur.
4.24 release:
• added support for KEXT exclusion extension for Catalina.
4.23 release:
• changed handling of GKE bundle info for Catalina
• updated Help book for GKE, Catalina and more
• added size and position saving for windows
• adjusted main window controls and outputs
• various minor improvements, particularly for Catalina
• ported to Swift 5.1 in Xcode 11.1.
4.22 release:
• added new paths for Catalina beta 4
• added macOS version to saved report
• added new blog versions page for Catalina
• updated Help book.
4.21 release:
• disabled KEXT block for Catalina
• tweaked system updates for Catalina
• added automatic check for updates.
4.20 release:
• changed window title to give current macOS version
• added code to perform signature check on each launch.
4.19 release:
• added LockRattler Support command
• ported to Swift 5 and Xcode 10.2.
4.18 release:
• added checks to see if results have changed, and display in red if they have
• greatly extended preferences file to store previous results
• updated Help book accordingly.
4.17 release:
• offers default report file name incorporating date and time
• datestamp in report changed to the time at which checks were last run.
4.16 release:
• reports TCC updates correctly
• now reports No security update installed if none has been installed since last macOS
update
• removed terminating ) from iBridge firmware version.
4.15 release:
• detects T2-equipped systems correctly (at last).
4.14 release:
• detects systems which lack eficheck tool
• those with T2 chips should not try running eficheck, but give iBridge firmware version
instead
• added EFI firmware versions link to Help menu.
4.13 release:
• added two EFI firmware checks
4.2b1:
• Put command execution into background thread
• Added busy spinner
• Added Install update named: button and text box
• Updated Help book.
4.1 release:
• Removed Trigger background check when running on El Capitan due to errors
• New app icon, thanks to blackspike.com
• Updated Help book and copyright info.
4.1b4:
• Added Trigger background check
• Added List all pending updates
• Updated Help book
• Completed Tooltips.
4.1b3:
• Changed Check for security updates command for El Capitan only
• Detects which version of macOS is running, and decides on window contents
accordingly
• More meaningful text generated when no updates are found
• Removed Gatekeeper Disk info from El Capitan reports.
4.1b2:
• Set bundle version checks to return suitable message if bundle not found
• Set El Capitan Check for security updates to use elevated privileges.
4.1b1:
• Added Check for security updates feature
• Included access to update history, giving results in additional text fields.
4.0 release:
• Titled window LockRattler rather than default Window.
4.0b2:
• Altered behaviour to quit when the window is closed
• Rebuilt to standard, rather than archive, package.
4.0b1:
• Completely rewritten in Swift 4 and built using Xcode 9.2.
2 May 2023.