WilliamLam.com

How to exclude VCSA UI/CLI Installer from MacOS Catalina Security Gatekeeper?

by // 9 Comments

A couple of weeks ago I had upgraded my personal home computer to the latest MacOS Catalina (10.15) and one of the first issues I ran into was being able to access my vCenter Server. It turned out this was due to changes to MacOS security (which is a good thing) but certainly caught me and others off guard. In fact, I spent quite some time searching online and eventually found this workaround here.

After sharing this tidbit online (which several others also ran into) I came to learn that both Duncan Epping blogged about this issue back in Nov 2019 here and Christian Mohn blogged about this in Dec 2019 here. Sadly I did not come across either of their blogs using "NET::ERR_CERT_REVOKED macos catalina" in Google. I had assumed this was a Chrome issue and simply landed on the first few links and looking back, I now see Duncan's blog was #6 in the search results (doh!)

Today, I ran into another issue when attempting to use the VCSA CLI Installer, the following error was thrown:

“vcsa-deploy.bin” cannot be opened because the developer cannot be verified


This is again due to a security change in MacOS Catalina which now prevents terminal-based applications which are not notarized from running. For a single application/binary, you can go into System Preferences->Security & Privacy and allow anyway. For more complex applications like the VCSA CLI Installer which has a number of libraries and scripts, this will take awhile and end up frustrating end users. The updated security enhancement is actually a good thing and I did not want to disable the Gatekeeper service but I was interested in disabling it for the VCSA CLI Installer. While searching online, I came across this Hashicorp Terraform thread where folks were having the exact same issue and I found out there was a way to disable the MacOS Security Gatekeeper for a specific application.

To do so, we just need to recursively remove the metadata attribute "com.apple.quarantine" for the extracted VCSA ISO by running the following command:

sudo xattr -r -d com.apple.quarantine VMware-VCSA-all-6.7.0-Update-15132721

After the quarantine attribute has been removed, you can now run the VCSA CLI Installer (including UI Installer) without being prompted with an error. Hopefully VMware will consider notarizing future releases of the VCSA Installer and I will be sharing this feedback internally if it has not already.

ESXi on the new 2019 Apple Mac Pro

by // 85 Comments

Inquiries from customers on the support for ESXi on the latest 2019 Apple Mac Pro 7,1 has slowly been trickling in since the release of the system in late December. Officially, VMware currently does not support this platform and until we have a unit in-house to investigate further, this is the official stance.

With that said, several folks from the community have reached to me and shared some of their findings as it relates to ESXi with the new Mac Pro. A huge thanks goes out to Mike Rimmer who was able to go through the installation process and identified that the on-board NICs were not automatically detected by ESXI and the installation was unable to proceed. With the extensibility of the Mac Pro, Mike was able to add a supported Intel-based NIC to the system so that we could further understand the issue.

Upon closer investigation, it looks like the new Mac Pro uses two Aquantia based 10GbE NIC which is simliar to the 2018 Mac Mini which requires the Aquantia ESXi driver which was developed earlier last year.

AQC107 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion]
Vendor ID: 0x1d6a
Device ID: 0x07b1

Although Mike did not have a chance to confirm this assumption, I did get validation from another customer who made the same observation when he attempted to install ESXi and once the Aquantia ESXi driver was incorporated into the latest ESXi 6.7 Update 3 image, both on-board NICs were automatically picked up by ESXi and installation was successful.

UPDATE (09/02/21) - Per this official blog post, VMware will no longer pursue hardware certification for the Apple 2019 Mac Pro 7,1 for ESXi.

UPDATE (04/28/20) - ESXi 6.7 Patch 02 resolves a number of the issues mentioned below, please take a look at this blog post here for more details.

UPDATE 1 (01/16/19) - Thanks to our Graphics team who was kind enough to loan me their 2019 Mac Pro which literally came in yesterday! I had an idea which I wanted to run an experiment on which was to add a PCIe card w/M.2 NVMe SSD and see whether or not the Apple T2 Security Chip would have any affect on whether or not ESXi would be able to see the device. I was not super optimistic but I had a need for an additional M.2 device, so I went ahead and purchased a $15 PCIe adaptor. I was pleasantly surprise to see that ESXi not only detected the device but I was able to format a local VMFS volume and power up a functional VM! I guess this makes sense as only the Apple SSD's are cryptographically tied to the T2 chip and other PCIe devices would not be and this would allow customers to take advantage of this system right now for running non-MacOS guests (yes, T2 still affects the SMC).

I also ran another experiment by connecting a Thunderbolt 3 chassis which also had a supported M.2 NVMe to see if I was going to be lucky again. Although it looks like ESXi 6.7 Update 3 has resolved the PSOD'ing issue, ESXi was not able to see anything on the other end.

Note: Secure Boot must be disabled on the Mac Pro before you can install ESXi, you can find the instructions in this Apple KB.


This was certainly some good news but like the 2018 Mac Mini, the new 2019 Mac Pro also ships with the Apple T2 Security Chip which has proved challenging for ESXi as mentioned here along with some known caveats. For now, I would hold off making any purchases of the new Mac Pro if you intend to run ESXi. VMware does officially support ESXi on the last current generation of Mac Pro 6,1 along with Mac Mini 6,2 and Mac Mini 7,1 which are all on the official VMware HCL.

I will continue to update this article as new information and findings are shared with me.

Apple Mac Mini on VMware HCL!

by // 15 Comments

For the past 6 years, the Apple Mac Mini has been one of the most popular hardware platforms for Virtualizing MacOS running on VMware vSphere enabling our customers to develop and build iOS and MacOS applications. With that said, VMware has historically only supported two Apple hardware platforms: Xserve (now EOL'd) and the Mac Pro (6,1) which is officially listed on VMware's Hardware Compatibility list and this has been officially supported by VMware since 2012 when we first introduced support for MacOS Virtualization with the vSphere 5.0 release.

As many of you know, I have been a huge advocate of this platform for a number of years now and I have been working with various Engineers over the years to ensure that we have the exact same user experience when working with ESXi on the Mac Mini as you do with the Mac Pro. I still recall in the early days where it took several "hacks" to get ESXi to successfully boot and install.

Today, ESXi installs on the Mac Mini just like any other x86 platform. It runs amazing well for our customers, especially for a consumer device, who have deployed them in their datacenters ranging from a couple hundred to several thousands for some of our larger Enterprise customers, one such example is MacStadium, the largest Apple Infrastructure-as-a-service provider which many of the Fortune 100/500 companies are leveraging to provide them with a platform to build and develop for the Apple eco-system.

UPDATE (08/27/20) - Apple 2018 Mac Mini 8,1 has been added to VMware HCL which supports both ESXi 6.7 Update 3 (Patch 03) & ESXi 7.0b

[Read more...]