You Got the Touch: First Impressions of the 2017 MacBook Pro

I’ll admit it, I’m a huge Apple nerd. So when I was given the chance to upgrade to the latest and greatest MacBook Pro, I jumped at the opportunity. Most of us longtime Mac users are all too aware that with new hardware – and especially major architectural changes – come early adopter woes. To that end, I wanted to share some first impressions after using the MacBook Pro with Touch Bar (or TBP, as some are calling it) as my primary computer for a few weeks.

The Good

Overall, the new MacBook Pro is a joy to use. It’s thin, light and beautiful (though I do miss the glowing Apple logo on the rear display housing). It’s also pretty fast. Below are a few highlights of the new MacBook Pro.

Secure Enclave Processor (SEP)

At Duo, the feature we’re most excited about in the new MacBook Pro is the Secure Enclave Processor (SEP). (We’re a security company, after all). Having access to a SEP on macOS introduces a lot of possibilities, especially when it comes to storing hardware-backed secrets in the SEP (e.g., private keys). There are numerous benefits to storing key material in hardware, including that it’s virtually impossible for attackers to exfiltrate the keys. They could still ask the SEP to perform cryptographic operations with the keys, but they can’t get the keys themselves.

It’s also worth noting that some early MacBook Pro models shipped with a Trusted Platform Module (TPM), which is similar to the SEP, but Apple didn’t ship any drivers for it. iOS devices have shipped with a Secure Enclave Processor since 2013, when the iPhone 5s was introduced (which included the A7 system on a chip).

Touch ID

Another feature of the new MacBook Pro that we’re excited about at Duo – and one that’s made possible by the introduction of the SEP – is Touch ID. Having Touch ID and a SEP opens up multiple possibilities in terms of endpoint security, and we're already researching how we can take advantage of these. (Also, using Apple Pay and logging into macOS with your fingerprint is just plain cool!)

There’s no question that Touch ID is more convenient than typing a password, especially if you use complex passwords (as you should). It seems that support for Touch ID is still in its infancy and not everything in macOS supports it by default, but people have already started experimenting with adding support wherever they can. For instance, one developer forked sudo to support Touch ID. We’ve also been playing around with Touch ID at Duo.

Here’s a hacky Swift snippet we put together that runs shell commands with administrator privileges and prompts for Touch ID authentication. The more Swift-like approach, using the NSAppleScript class, doesn’t seem to support Touch ID when prompting for the elevated privileges requested via AppleScript’s “with administrator privileges” clause.

The script below is useful for quickly running system commands that require administrator privileges and authenticate using Touch ID. However, for production code, the correct way to control elevated privilege is through the Authorization Services API.

import Foundation

// Shell out to osascript so that the AppleScript "with administrator privileges"
// prompt (which honours Touch ID) handles the privilege escalation for us.
let cmd = Process()
let pipe = Pipe()

cmd.launchPath = "/usr/bin/osascript"
cmd.standardOutput = pipe
cmd.arguments = [
    "-e",
    "do shell script \"/usr/bin/csrutil clear\" with administrator privileges"
]

cmd.launch()

// Read everything the command printed, then wait for it to exit.
let data = pipe.fileHandleForReading.readDataToEndOfFile()
cmd.waitUntilExit()
let out = NSString(data: data, encoding: String.Encoding.utf8.rawValue)

print(out ?? "Fail")

The Funnest Mac Ever

OK, OK, I know “funnest” isn’t a real word, but Apple once referred to the iPod touch as “the funnest iPod ever,” and the Touch Bar, in my opinion, makes this the most fun Mac ever. The first thing I did with my new MacBook Pro was install touchbar_nyancat (seriously!). Some other folks around the office were quick to play around with Knight TouchBar 2000. There’s seemingly no end to what useless, but fun things people will create with this new I/O device.

The Bad

The new MacBook Pro hasn’t been all puppies and rainbows. Here are a few of the annoyances I’ve experienced so far.

Keyboard

The keyboard on the new MacBook Pro doesn’t feel great. It’s almost as if someone spilled liquid on it, and now the key switches don’t give enough tactile feedback. Not everyone will agree with me on this, and it’s not as if I was a huge fan of the keyboard on the previous generation MacBook Pro, but I feel like this new keyboard is a step down.

The Touch Bar giveth and the Touch Bar taketh away. The top row of keys on the new MacBook Pro were replaced with the Touch Bar. This has many advantages, one of which is that the keys themselves become contextual depending on which application you’re using.

However, because I’m a Vim user, I found it annoying that the Escape key is located slightly to the right of where you’d expect. I ended up remapping the Caps Lock key to the Escape key for this reason, but that takes getting used to. If you’re interested in doing the same, a quick trip to System Preferences > Keyboard > Modifier Keys will give you what you need.

To remap your keys, go to System Preferences > Keyboard > Modifier Keys

Another minor annoyance I’ve experienced with the keyboard is the arrow keys. The left and right arrow keys are significantly taller than their up and down counterparts. Presumably, this was done for symmetry – and I must admit, looking at the old MacBook Pro keyboard, I wonder how Jony Ive waited so long to make the change – but I frequently end up misfiring when trying to hit the up arrow key, instead hitting the right Shift key.

Adapters, Adapters, Oh My!

Such adapters.

Such adapters. Wow. Yes, the adapter issue has already been discussed at length elsewhere, but I want to point out that when I first got the new MacBook Pro, about the only thing I could do with it was play around with touchbar_nyancat.

At Duo, we’re strong believers in using hardware-backed SSH keys, so my shiny new MacBook Pro was mostly useless until I took a trip to the Apple Store to pick up a USB-C to USB-A Adapter so I could use my YubiKey 4 Nano, which I need in order to access our source code.

We also use U2F pretty heavily, and Yubico doesn’t yet make a USB-C version of these keys. Fortunately, there’s also third-party USB-C to USB-A adapters that have a smaller form factor without the wire. I also needed the Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter to connect to my Thunderbolt dock and use my external display, and a USB-C to Lightning cable to connect my new iPhone 7+ to the MacBook Pro, which is useful for doing iOS development.

The fact that I can’t, out of the box, connect my $3,500 MacBook Pro to my $869 iPhone 7 Plus to do development with Xcode is surprising. The beautifully designed MacBook Pro ends up looking rather ridiculous with these rat tails (as my coworker calls them) attached to my computer, which in the case of the USB-C to USB-A adapter pretty much stays plugged in all the time. Yubico can’t release a USB-C YubiKey 4 soon enough.

Secondary Displays

Another annoyance with the new MacBook Pro is that it frequently doesn’t recognize my external display. Although it’s possible this is an anomaly, several of us using the new MacBook Pro are experiencing the same problem. It’s usually fixed by unplugging the Thunderbolt 3 (USB-C) to Thunderbolt 2 adapter, then plugging it back in, or power-cycling the display, but I don’t find this to be acceptable behavior.

The Ugly (A Touch of Frustration)

Again, because this is a first-generation product, it’s no surprise that there are rough edges here and there. Some of the following issues could be macOS Sierra-related, or something else entirely (like bad configuration copied over during the migration to my new MacBook Pro). Nevertheless, I wanted to document these issues in hopes that anyone else experiencing them might find my workarounds helpful, or at least take solace in knowing that they’re not alone.

Touch ID + Migration Assistant

Touch ID is great, but it’s not without problems. In fact, it caused one of the most frustrating experiences I had transitioning to the new MacBook Pro. When I received my new MacBook Pro from our IT team it already had an account for me on it, with the same username I was using on my previous MacBook Pro. I decided to run Apple’s Migration Assistant to transfer my applications, data and settings to my new machine, and to replace its existing user account.

During the migration, both my old and new MacBook Pro activated the screen lock after a certain amount of inactivity. It’s a worthwhile security feature of macOS, and one that we enforce on Duo-owned Macs, but unfortunately it meant I had no way to unlock the Macs and view progress or see whether the migration completed.

This is because the user that’s logged in during the migration process is “Setup User,” which is a system account for which I have no password. The shortname of this account is _mbsetupuser. You can verify the RealName of the account with dscl.

$ dscl . -read /Users/_mbsetupuser RealName
RealName:
 Setup User

Normally, you can hold down Control-Command-Option-Delete-Return to log in with your username and password, but this didn’t work! I could see the username and password fields, but every time I typed a character on the keyboard it would briefly appear on screen, only to disappear. So I decided to let the Mac sit overnight to finish the migration, then force shut down both machines in the morning and hope for the best. Fortunately, Migration Assistant launched again on reboot, telling me that the transfer was successful. After one final reboot I was off to the races.

I then noticed that I was no longer able to log into macOS with Touch ID. This was frustrating but understandable, because the account previously associated with Touch ID no longer existed.

Unfortunately, when I tried to re-enable Touch ID in System Preferences > Touch ID, I received the following error:

com.apple.Biometrics error 1

The fix was to remove a directory named with a universally unique identifier (UUID), in /Library/Catacomb/, then reboot.

rm -rf /Library/Catacomb/<UUID>

Upon logging in again, I was able to set up Touch ID again. Success! Later, I also realized that Migration Assistant normally includes a Touch ID setup step, but because both screens locked during the migration process there was nothing I could do other than shut them down.

System Integrity Protection Disabled?

System Integrity Protection, or SIP, is a security feature introduced in OS X El Capitan meant to reduce the damage that malicious software can do. It protects system files and directories from being modified, even by the root user. It also protects processes from code injection and prevents unsigned kernel extensions from running. SIP is enabled by default on all Macs, but reports emerged of the feature being disabled on the new Touch Bar MacBook Pros.

Fortunately, Apple added a new clear verb to the csrutil command in macOS Sierra 10.12.2. Even though csrutil’s own output says it must be run from the Recovery OS, clear lets you restore SIP to its factory settings from the running system, with the change taking effect after a reboot.

$ sudo csrutil enable
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.

$ sudo csrutil clear
Successfully cleared System Integrity Protection. Please restart the machine for the changes to take effect.

I think it goes without saying that having to reboot your new Mac to enable a security feature that should be turned on by default is problematic, even if Apple made it possible to restore the default SIP configuration outside of the Recovery OS. This is even more of a nuisance in enterprise environments with lots of Macs, especially if new Macs were deployed before realizing the feature was disabled.
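As an added example (not from the original post, and not Duo’s code), here is a shell check a #macadmin could run across a fleet to flag Macs that shipped with SIP disabled and pick the remediation described above: csrutil clear on 10.12.2 or later, the Recovery OS otherwise. The csrutil output strings are constructed samples; on a Mac the script reads the live status and OS version instead.

```shell
#!/bin/sh
# Added example (not from the original post): flag Macs with SIP disabled
# and choose the remediation described above. Sample output strings are
# constructed to match the one-line form of `csrutil status`.

# sip_state TEXT -> "enabled", "disabled" or "unknown"
sip_state() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# version_ge A B -> true when dotted version A >= B, compared field by field
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        a="${a#*.}";  b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# sip_advice STATE VERSION -> what to do; `csrutil clear` exists from 10.12.2
sip_advice() {
    case "$1" in
        enabled) echo "ok" ;;
        disabled)
            if version_ge "$2" 10.12.2; then
                echo "sudo csrutil clear, then reboot"
            else
                echo "boot to Recovery OS and run csrutil enable"
            fi ;;
        *) echo "inspect manually" ;;
    esac
}

# On a Mac read the live values; elsewhere fall back to constructed samples.
if command -v csrutil >/dev/null 2>&1; then
    status_text="$(csrutil status 2>&1)"
    os_version="$(sw_vers -productVersion)"
else
    status_text="System Integrity Protection status: disabled."
    os_version="10.12.2"
fi
state="$(sip_state "$status_text")"
echo "SIP $state on macOS $os_version: $(sip_advice "$state" "$os_version")"
```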

Shutdown During Sleep

Another problem that many of us have experienced using the new MacBook Pro is that it seems to shut down after a few hours when the lid is closed. This meant spending an extra few minutes each day restoring state, rather than simply resuming from a low power state.

The Resume feature in macOS alleviates this somewhat, but isn’t perfect. For instance, you would need to reopen Vim buffers in iTerm2 and restart Docker containers and Vagrant VMs, among other things.

Knowing that the System Management Controller (SMC) has some control over sleep, wake and power behavior, I reset it. Previously, a Mac would signal that an SMC reset had succeeded by briefly switching the LED on the MagSafe power adapter from amber to green and back. But because the new MacBook Pro uses a USB-C power adapter, MagSafe (and thus the MagSafe LED) is no more, so I couldn’t easily tell whether the SMC reset worked as expected.

Ultimately, resetting the SMC didn’t resolve the issue with the machine failing to resume from sleep, so I resorted to manipulating power management settings with the pmset command-line utility (specifically, increasing the autopoweroffdelay, which is the time in seconds before the machine writes the hibernation image to disk and goes into a low-power sleep mode).

Imaging (#macadmins)

If you’re a #macadmin, you should also be aware of some of the difficulties members of the community have had when imaging the new Touch Bar MacBook Pro. Erik Gomez has a great writeup that goes into greater detail, but the gist of it is to only target the “Macintosh HD” volume if you plan on deploying a custom image to the newest MacBook Pro. Otherwise, you may end up bricking your touchOS firmware.

Final Thoughts

If you’re thinking of taking the plunge for the NyanCat Pro – err MacBook Pro – I think you’ll be pleasantly surprised. It’s not without its quirks, but overall the Touch Bar, Touch ID, and the introduction of a Secure Enclave Processor on macOS make me excited about what’s ahead.