Joe Kissell is starting to hit his stride in the streamed “Take Control of Security for Mac Users” ebook, and this week we bring you Chapter 4, “Beef Up Your Security Settings.” In it, Joe goes beyond quick fixes to delve into more-involved security settings. He starts by explaining how you can use OS X’s Gatekeeper technology to allow only apps from the Mac App Store and identified developers to run, protecting you from potentially malicious programs. Then he moves on to explaining the different types of user accounts available in OS X and how best to use them to increase your security. Finally, he closes with advice about how to share resources on your Mac securely. (Tip: turn
off anything you’re not using!)

Previous chapters remain available. Chapter 1, “Introducing Mac Security” and Chapter 2, “Learn Security Basics,” can be read by anyone, and Chapter 3, “Perform Quick Security Fixes,” is limited to TidBITS members, as is Chapter 4. TidBITS members receive other benefits too, but what’s most important is that the TidBITS membership program has kept TidBITS afloat the last few years — your support truly is essential. If you’re already a TidBITS member, log in to the TidBITS site using the email address from which you joined to
read and comment on these chapters.

The full ebook of “Take Control of Security for Mac Users” will be available for purchase by everyone in PDF, EPUB, and Mobipocket (Kindle) formats once it’s complete.

One of the Mac’s lures is Apple’s famous customer service. Online anecdotes abound about how an Apple Genius fixed or replaced an out-of-warranty product for free or cheap, but such stellar service isn’t universal. In reality, you never quite know what to expect when you take a troubled Mac into an Apple Store. One group that’s painfully aware of this is owners of 15- and 17-inch 2011 MacBook Pros stricken by system-crippling graphics issues, about which Apple has been indifferent.

All computers are complex devices, and hardware problems occur; despite Apple’s boast of “it just works,” Macs are no exception. In the past, Apple has addressed hardware issues with software updates, firmware updates, repair programs, and sometimes even recalls. However, in this case, the complete lack of acknowledgement about the issue, coupled with Apple’s inconsistent handling of the problem, has been perplexing.

TidBITS reader Hal Feldman encapsulated his frustration in an email message to Tim Cook:

For more than 25 years I have bought lots of devices and have been a shareholder. What baffles me is how Apple is handling the 2011 MacBook Pro issue. I have been through a string of eight visits to the Apple Store, and the last thing I was told was a logic board swap was not working and Apple would not further repair the machine.

In one of many ongoing threads about this issue at the Apple Support Communities (with about 12,000 posts and over 3.9 million views), a slew of users have expressed similar disappointment, after either being told by Apple that they would have to pay expensive repair costs or continuing to experience problems after repairs were performed.

In addition, Apple has been unclear about whether or not any particular 2011 MacBook Pro is even eligible for repair. In some cases, users have been refused at one Apple Store, only to visit another that’s happy to accept the MacBook Pro and send it in for a logic board swap.

This affected me toward the end of 2013, when my 17-inch 2011 MacBook Pro began showing small graphic artifacts. At first, I figured the problem was related to pre-release versions of Mac OS X that I was testing for Apple. Unfortunately, the problems worsened, and by October 2013, my MacBook would work for only a short time before displaying a massive array of graphic artifacts, then grinding to a halt. A few weeks later, the MacBook refused to boot, displaying only vertical stripes.

When I took it to an Apple Store, I was quoted about $1,500 for an out-of-warranty repair. That forced the decision of whether to repair the system, or retire it and purchase a new one for $1,999. I reluctantly chose the later.

More recently, it appears that Apple has quietly changed the repair policy for these 2011 MacBook Pros. A few months ago, I again dropped by an Apple Store with my old MacBook, and was surprised to be quoted $310 for the same repair. This price is less than the cost of the logic board itself (roughly $800–$900, according to iFixit), so it seems that Apple would basically be charging me only for shipping and labor. I don’t know if everyone with similar problems is being quoted that lower fee, or if I just got lucky. Regardless, I took Apple up on the offer, and my MacBook worked fine after returning from being
serviced.

So if you have a 2011 MacBook Pro that’s acting up, how do you get the service you need? Commonly, when your Mac needs repairs, you have to start playing a game with Apple, and jump from store to store or from technician to technician, hoping one will sympathize with you. In addition, the price you’re quoted may fluctuate depending on when you take your system in and with whom you talk. While some have used this to their advantage, others might not be so lucky, or have the time to haggle with Apple employees.

No user should have to invest this kind of time or money into what is obviously defective hardware. Yes, these MacBook Pros are out of warranty, but many are probably still covered by AppleCare, and given the widespread nature of the problems, Apple would do well to create a repair program.

This defect has drawn the attention of law firm Whitfield Bryson & Mason LLP, which has taken up the case and is pursuing a lawsuit against Apple in California, Colorado, Florida, Illinois, Indiana, Puerto Rico, and Vermont. In part, the lawsuit claims Apple continued to charge users for the repairs despite knowing about the defective hardware and demands Apple reimburse affected customers in those states for costs incurred for the repair of their systems.

So far, the firm has surveyed thousands of Apple customers who have been affected by this issue, and has performed tests on faulty systems to gather evidence about the problem. Apple was due to file a motion for dismissal of the case on 29 January 2015, and Whitfield Bryson & Mason is expected to respond by 5 March 2015. While other recent lawsuits against Apple for faulty logic boards have been dismissed, this one is far more specific in nature and is expected to go to trial.

There’s no telling in what way or how quickly this lawsuit will be resolved, but for now, if you need repairs to your 2011 MacBook Pro, you’ll have to play the game with Apple’s support system, most likely paying out of pocket. That said, be sure to keep all documentation of your repairs, and try to find original receipts and proofs of purchase for your system, which will likely be needed to collect should the lawsuit be won. (The suit covers only people in the states and territories listed above, so you’d need to take further steps if you reside elsewhere.)

Finally, even if Apple ends up compensating plaintiffs for repairs, the problem may disappear only with the eventual retirement of the system. Just the other day, upon waking my repaired 2011 MacBook Pro from sleep, I saw the same kind of minor graphic artifacts that I started noticing when the issue began in 2013. Replacing the MacBook Pro may be the best solution in the end.

[Topher Kessler is a freelance journalist focused on troubleshooting and repairing Apple’s OS X and iOS products. He was the primary author for CNET’s MacFixIt blog, has written for Macworld, and currently hosts and maintains the Mac troubleshooting site MacIssues.com.]

Many of my Mac-using colleagues use Web browsers other than Apple’s Safari, and I would be the last person to tell them they are wrong to do so. But I like to use OS X’s default browser, not only because it familiarizes me with the Web-browsing experiences of many millions of other Mac users, but also because it encourages me to explore the software to see all that it has to offer. And Safari has a lot to offer once you know where to look. Here are some less-than-obvious tricks and techniques I’ve picked up in my explorations that can help solve problems and answer common questions.

What’s the Address? — When Safari 8.0 debuted alongside OS X 10.10 Yosemite, many reviewers were disappointed, if not aghast, that its integrated “smart” address and search field displayed only the top-level domain name for the current page instead of the full URL. For example, if you go to any page on our Web site, the address field shows only tidbits.com. That’s not a huge deal, because a single click in the address field reveals and selects the complete URL, making it easy to copy for later pasting. And for many users, showing only the truncated name is a good thing, since hiding the long and often obscure strings that follow the top-level site address makes
it easier to see if you are at the site you intended. But it is disappointing if you’re old school and like to see exactly where you are on the Web.

For such advanced users, the solution is simple: take a quick trip to Safari > Preferences > Advanced and select the very first checkbox — Show Full Website Address — to relieve the pain.

(Quick tip: As long as you’re turning on full addresses, click the checkbox at the bottom of the preference pane to show the Develop menu in the menu bar. This menu, full of commands to delight the hearts of Web developers, comes in handy even if you aren’t a Web developer, as you’ll see shortly.)

Total (Un)Recall — Safari 8 brought us the Private Window feature (File > New Private Window), which, when you browse in one, enables you to go to various sites without having Safari store the history of those visits. This keeps anyone else using your Mac from easily seeing where you have been. Private windows can come in handy if, say, you are shopping for an anniversary present for your spouse. It’s a fine feature, but it requires you to think ahead; it won’t do you any good if, while using Safari’s normal non-private windows you happen upon, and then impulsively buy, a great gift for your spouse. Also, when private browsing is active, the sites you visit won’t
recognize you, meaning that you have to manually log in to make purchases. When shopping, private browsing may be private, but it’s also inconvenient.

Here’s what will do you some good in those cases: after you finish shopping (or whatever else you were doing) choose Safari > Clear History and Website Data. This produces a dialog that lets you clean up your history after the fact, with a useful pop-up menu that lets you decide just how much history you want Safari to forget. The default is to clear the last hour’s worth of browsing, but you can clear the history for the entire day, this day and the previous day, or all history! (Of course that risks running afoul of an updated version of Santayana’s dictum, that those who clear all history are condemned to repeat it.)

Bypass Flash — Adobe’s Flash, as has been well documented over the years, can present security and performance problems, so much so that many users prefer to run their Macs without installing Flash at all. In fact, Flash isn’t even available for Apple’s iOS devices. On your Mac, it’s often not available even when it is installed, if the version of Flash that you have happens to be a version that has known security issues: Apple, looking out for your best interests, blocks you from using it. Instead, you see a “Flash out-of-date” warning.

However, you can often bypass Flash completely and still have a satisfactory browsing experience, at least when it comes to streaming video in Flash format. That’s because many Web sites provide non-Flash versions of their pages for users of mobile devices like iPhones and iPads. If you have activated the Develop menu (as I recommended above), and encounter a Flashy page, you can choose one of the iOS items on the Develop > User Agent sub-menu (for example, Safari iOS 8.1 — iPad). This command reloads the page,
telling the site that you are on iOS. In many cases, you’ll see the streaming content in HTML5 format instead. This doesn’t always work: I’ve found that many local TV stations tend to serve Flash video only on their sites, because doing so enables them to tack ads onto the beginning of their videos. If this trick fails, try the site in Google Chrome, which encapsulates an always-updated version of Flash.

Check Your Cookies — Finally, if you are concerned about cookies — those bits of information that nearly all Web sites store in your browser whenever you make a visit, and that may contain heaven-knows-what information about you and your visit — the Develop menu has another tasty treat for you: Develop > Show Web Inspector (Command-Option-I).

This command opens a pane at the bottom of the Safari window that shows you all sorts of geeky details about the page you are viewing. To see the ingredients of the cookies, click Resources at the top of the pane, then open up the Cookies item. In nearly all cases, the information stored in cookies is benign, and is simply recorded to make your next visit a little more convenient — for example, TidBITS uses cookies to help your browser remember that you are a logged-in TidBITS member so you don’t have to log in every time you visit.

However, if you don’t like what’s in a cookie, you can easily toss it. Click the cookie in question, Control-click the data you want to expunge, and choose Delete from the contextual menu. Cookie crumbled!

Yes, Safari may not be a perfect Web browser, and other browsers, such as Chrome or Firefox, certainly have much to recommend them. However, beneath Safari’s seemingly simple surface is a lot of advanced functionality that may surprise you. If you have abandoned it for something else, it might be worth a second look.

When Microsoft rolled out iOS versions of its Word, Excel, and PowerPoint productivity apps early last year (see “Office for iPad: A Deep Look,” 3 April 2014), another of its flagship Office apps, Outlook, was glaringly absent. But an iOS flavor of the ubiquitous mail, calendar, and contact app seemed inevitable.

After all, a Mac variation of Outlook has been available for years (alongside the original Windows version) and even saw a big update in October (see “Microsoft Outlook 15.3 for Mac,” 2 November 2014). What’s more, Microsoft in December snapped up tech startup Acompli, which had developed a mobile app for email, scheduling, contact management, and more.

Sure enough, Microsoft last month released upgraded iOS and Android versions of the Acompli app, but under a familiar name: Outlook. Both are free.

The new Outlook is being positioned as a no-brainer for those already invested in Office-type productivity, and as a highly integrated messaging, scheduling, and contact-management hub for those who don’t want to juggle individual apps.

Multi-service compatibility is another Outlook draw. It works with Google, Yahoo, and iCloud, along with Microsoft’s Exchange ActiveSync and Outlook.com (but not generic IMAP accounts). Cloud-storage services Box, Dropbox, Google Drive and, of course, Microsoft’s OneDrive are also along for the ride.

In a holdover from the Acompli period, Outlook has a streamlined interface with Mail, Calendar, Files, and People buttons (plus Settings) along the bottom for easily switching from mode to mode.

It’s worth noting that Apple’s Mail, Calendar, and Contacts apps collectively do most of what Outlook does – and support one service, AOL, that Outlook doesn’t, along with conventional IMAP accounts – but there is something to be said for having all your information in one place. That has long been a Microsoft design goal.

Mail — Once your various email accounts have been set up, they’re accessible in Outlook’s Mail view via a menu that swoops in from the screen’s left edge. That menu offers single-tap access to the inbox for each account, as well as a consolidated inbox, and account subfolders are available with another tap or two.

Mail can be filtered in a number of ways. Most notably, messages can be displayed in Focused and Other views, with the former option showing only important missives. Outlook had an initially flawed grasp of what that meant for me – spam made the cut in certain cases, alongside messages from my mother and my best friend – but the app learns over time. Separately, a Quick Filter menu narrows options to unread email, flagged emails, or messages with file attachments.

Outlook has familiar Mailbox-style swiping gestures, which can be customized. By default, the app archives a message with a leftward swipe, and prompts to schedule a message to return to your inbox later with a rightward swipe. Either gesture can be reassigned to delete, move, flag, or mark as read/unread. Pressing and holding a message listing opens a bulk editing mode for selecting multiple messages.

One note about Gmail accounts: they work properly in Outlook when accessed via IMAP and I had no trouble there. However, Gmail accounts that are part of the paid Google Apps for Work service also support Exchange ActiveSync, but Outlook for iOS doesn’t support accessing Gmail via Exchange ActiveSync. Microsoft said this is a minor issue, because of tweaks it has made to how Gmail performs via IMAP. For instance, Outlook checks for new messages continually, not at 15 minute intervals, as is often the case in IMAP setups.

You can choose which account to send email from, and you can set a per-account signature, but for those who forward mail into Gmail, for instance, you cannot set an arbitrary return address.

That points out the most notable account-setup limitation: Outlook for iOS lacks an “Other email” option for generic IMAP accounts, which is odd since Outlook for Android does offer such a menu choice (with IMAP configuration options). Hopefully Microsoft will add this to the iOS version soon.

Calendar — As with email, Outlook consolidates calendars from various services, including Google, iCloud, and Yahoo, along with Outlook.com and Exchange ActiveSync.

The calendar function is otherwise predictable, with an agenda view, a week view, and a combination day and month view. Events can be assigned reminders, and setting up a meeting is simple enough. Calendar colors are customizable.

Notably absent from the calendar lineup are Facebook events, which can be accessed using Apple’s Calendar app, along with third-party apps like the Sunrise Calendar app (my default). In a related twist, Microsoft earlier this month acquired the Sunrise calendar app, so Outlook might get a Facebook event infusion before long.

Files — This Outlook view got my attention because hunting down files attached to email messages can be a pain. Now such files are shown in their own tidy lists corresponding to each mail service, along with file-storage services Box, Dropbox, and OneDrive. When I configured my Google account, Outlook also added my Google Drive.

Listed documents can’t be edited within Outlook, but Microsoft gives each mail account the option of attaching files to outgoing messages, sharing them via whatever services the user has configured for that purpose, or saving them to any of the file-storage accounts. Files already in Box, Dropbox, OneDrive, or Google Drive can be shared out or sent as attachments.

File management is one area where Outlook shines in comparison to Apple Mail, which has no file-only view, and doesn’t let you attach files from, or save files to, the likes of Box and Dropbox. I suspect many people will jump to Outlook for this reason alone.

People — Outlook’s integrated approach carries over to the app’s People view, which lists contacts from each service in its own tidy list, or in a consolidated multi-service view. It’s easy to compose a new message to a person by tapping the pencil button next to that person’s name.

Tap a person’s name and Outlook shows pending meetings and recent file attachments associated with that person, along with recent messages (covering about the last four days). It would be nice if Outlook could expand the scope of the email search, but there’s apparently no way to do that.

Security Worries — I’ll end with a potential red flag for Microsoft Exchange ActiveSync–focused organizations that are weighing whether to deploy the iOS and Android versions of Outlook.

Security experts have pointed to an apparent flaw in the app that some have considered worrisome enough to halt Outlook’s deployment within organizations using Exchange ActiveSync. Those that have taken this step include the University of Wisconsin and the European Union parliament.

The flaw, discovered by security company Rapid 7, is related to ActiveSync security policies put in place by device administrators to, among other things, prompt device users to create security passcodes.

But, as Rapid 7’s Dirk Sigurdson details, Outlook for iOS and Android ignores ActiveSync policies set up at the server level (apart from Remote Wipe and PIN lock enforcement). He writes:

Your company can define a sophisticated passcode or encryption policy that will have absolutely no impact on devices if this new email client is used by your employees. … If your organization is dependent on ActiveSync policies in any way you should immediately block ActiveSync access to Outlook for iOS and Android.

Microsoft says that the next Exchange ActiveSync policies to be added will be wiping the device after a number of failed password attempts and requiring a PIN after an activity timeout.

Separately, developer and mobile device management expert René Winkelmeyer has expressed concerns about another Outlook design decision held over from the Acompli days. This feature stores user credentials on a cloud service in order to enable Outlook to check quickly for new mail, contacts, and events for accounts using Exchange ActiveSync, iCloud, and Yahoo. It does not store Gmail account credentials, or credentials for accounts that rely on OAuth, like Outlook.com, Dropbox, and Box.

According to Acompli’s security policy, “Each user’s credentials are double-encrypted using a server per-account unique key and then using a client device unique key, therefore the credentials can only be unlocked by the collaboration of both the server and the app at runtime.” A separate Outlook security document clarifies: “This architecture means that in order to gain access to your password, you would have to have access to both our cloud service and have physical access to the unlocked device. This applies to both us as well as anyone who would attempt to gain access from the outside.”

Nevertheless, this a problem for organizations whose security requirements state that their users’ credentials cannot be stored outside of company servers. If you’re concerned about this data storage, removing the account from within the Outlook app offers an option to delete both the account from the device and from the cloud service.

Microsoft has responded to these security concerns with the following statement:

Microsoft values the privacy and security of our customers and we are committed to making Outlook for iOS and Android both loved by users and trusted by IT. That means putting customers in control of their data, both through the design of our products and through transparency on how data is used. We are delivering additional security and management features in the coming months. In the meantime, we’ve provided detailed guidance for IT administrators seeking to restrict use of this app at this time in their organizations.

Bottom Line — In the iOS realm, Outlook has entered a crowded field with dozens of mail and calendar apps jockeying with Apple’s stock apps for user loyalty. But Outlook stands out because it consolidates functions from a number of different apps into a single, simple-to-navigate interface, and because it assembles a variety of email and cloud storage services into an integrated information hub. Its file management features are another big plus.

Large organizations, particularly those dependent on Exchange ActiveSync, may wish to wait until Microsoft has more fully addressed the security concerns before investigating Outlook further. For the rest of us, though, Outlook seems destined to carve out a major slice of the iOS market on the strength of its name and undeniably useful features.

Hazel 3.3.4 — Noodlesoft has released Hazel 3.3.4 with a number of fixes and improvements for the file cleanup utility. The update fixes a crash when editing a time recurrence, adds decimal value conditions to a number of fields, makes it so the Passes JavaScript condition works, resolves an issue that prevented Hazel from not waking to delete oversized files in the trash, and fixes a bug that made it possible to delete the last condition or action if you clicked fast enough. ($29 new, free update, 8.9 MB, release notes, 10.8+)

Read/post comments about Hazel 3.3.4.

Microsoft Office 2011 14.4.8 — Microsoft has updated Office 2011 to version 14.4.8, fixing a frustrating bug in Outlook that caused repeated password prompts for Office 365 Exchange Online accounts. The update also addresses an issue in PowerPoint that prevented text boxes from being manipulated using a keyboard if different input methods were utilized, and it fixes a problem in Outlook that caused messages to be displayed incorrectly when certain .pst files with Rich Text Format (RTF) encoding were imported. (Free update from the Microsoft Download
Center or through Microsoft AutoUpdate, 114 MB, release notes, 10.5.8+)

Read/post comments about Microsoft Office 2011 14.4.8.

BusyCal 2.6.4 — BusyMac has released BusyCal 2.6.4, which adds integration with the company’s just-released BusyContacts contact management app. BusyCal also fixes several unspecified CalDAV and Exchange syncing bugs, fixes a Google 409 error when modifying a repeating event, adds support for iCloud symbolic calendar colors, fixes a custom date format crash on OS X 10.10 Yosemite, discards snooze alarms if a conflict with the server occurs, and adds black to the calendar and tag colors. ($49.99 new from BusyMac or the Mac App Store, free update, 10.3 MB, release notes, 10.9+)

Read/post comments about BusyCal 2.6.4.

PDFpen and PDFpenPro 7.0.2 — Smile has released version 7.0.2 of PDFpen and PDFpenPro, a small maintenance update for the recently upgraded PDF editing apps (see “Smile Releases PDFpen 7 and PDFpenPro 7,” 16 January 2015). Both editions add a Share button to the default toolbar, fix an issue where signatures were compressed when a PDF was resized, fix several crashes, ensure that changes to OCR sound preferences persist across application relaunches, and update French, German, Italian, Japanese and Spanish
translations. Note that as of this writing, the Mac App Store editions of PDFpen and PDFpenPro were still stuck at version 7.0. ($74.95/$124.95 new with a 20 percent discount for TidBITS members, $30 upgrade from version 6 from Smile Web site, free updates from version 7.0, 51.6/52.2 MB, release notes, 10.7+)

Read/post comments about PDFpen and PDFpenPro 7.0.2.

In ExtraBITS this week, Aperture is leaving the Mac App Store, The New Yorker profiles Apple design head Jony Ive, Managing Editor Josh Centers chats with the Tech Night Owl, U.S. carriers now have to unlock your paid-off smartphone, and Apple’s Activation Lock is preventing iPhone thefts.

Aperture to Depart the Mac App Store — Apple has confirmed that it will be removing Aperture for sale from the Mac App Store after Photos for OS X launches in a few months. Regardless, previous purchasers will still be able to redownload it as necessary. If you’ve never used Aperture, now would not be a good time to start, but if you need to purchase an extra copy to tide you over for a while, it’s now or never.

Read/post comments

Jony Ive Profiled by The New Yorker — The New Yorker’s Ian Parker has written an exhaustive profile of Sir Jonathan Ive, Apple’s head of design. Set aside some time for this one, as it’s the very definition of a long read, but if you’re at all interested in Apple’s design process, it’s worth it. Two tidbits of note: Ive gave director J.J. Abrams some ideas for lightsaber designs for the upcoming Star Wars movie, and Ive goes on at length about car design, adding fuel to the rumors that Apple is working on one of its own.

Read/post comments

Josh Centers Discusses Net Neutrality, Apple Pen with the Tech Night Owl — Managing Editor Josh Centers joined the Tech Night Owl podcast to explain his take on net neutrality, why Apple may be working on an Apple Pen, and ponder the possibility of an Apple Car.

Read/post comments

U.S. Carriers Required to Unlock Paid-off Smartphones — If you’ve paid off your cellular contract, your carrier is now required to unlock your mobile phone upon request. This is part of a 2013 agreement between the FCC and the carriers. The carriers must also unlock prepaid devices after one year of activation, assuming reasonable time, payment, or usage requirements. Contact your carrier for details.

Read/post comments

Smartphone Kill Switches Are Preventing Thefts — So-called “kill switches,” such as the Activation Lock feature in iOS 7 and 8, are making real progress in preventing smartphone thefts. After Apple added the feature in September 2013, iPhone thefts dropped by 25 percent in New York City, 40 percent in San Francisco, and 50 percent in London in the following 12 months. Be sure to enable it if you haven’t already done so by turning on Find My iPhone in Settings > iCloud.

Read/post comments