macOS Catalina, the next Mac release, dramatically tightens security and removes 32-bit compatibility. That will cause incompatibilities with music software, requiring updates. Here’s what you need to know.

Catalina compatibility checklist

macOS Catalina (10.15) is expected to ship in October, replacing Mojave (10.14).

What’s impacted:

DAWs and other software using plug-ins: Requires updates to work.

Drivers: Installation and operation requires update to work.

32-bit software, software that accesses 32-bit libraries: Incompatible. Cannot be used past macOS Mojave.

Software using legacy video libraries: Incompatible. Cannot be used past macOS Mojave.

Plug-ins: May require update for full compatibility – but may run inside updated DAWs, and will install if the user overrides OS’ installer requirements.

Hardware: If a driver is required for operation, you’ll need an updated driver and installer. Driverless (class-compliant) audio and MIDI gear is unaffected.

Tightened Mac security

It’s worth acknowledging that security concerns are justified, even for consumer operating systems. Malware tools targeting users may be designed to exploit your computer’s resources, steal data, and impersonate you or even steal your money. At best, they can at least make your system unstable.

It’s also not just “a Windows thing”; recent attacks have singled out the Mac, too. For instance, security researchers uncovered an insidious piece of code found in downloads from a piracy website called VST Crack, embedded in pirated versions of software including Ableton Live. The software would embed itself on your system and start mining cryptocurrency. These threats do not impact the legitimate copies of the same software, so yes, this is an added risk when you pirate software.

All OS vendors regularly patch security holes; the approach in macOS Catalina (10.15) is more proactive. Apple are making some changes to the way the OS itself notifies you of activity by software and asks for your approval, a bit more like you had seen previously in iOS or Android. They’re also implementing tougher defaults for installers. And since malware works by running additional code on top of other code or memory, Apple are adding protections against running that code.

The issue here is not that these changes are unwarranted or even entirely unexpected, but that they bring a lot of change at once that will require you to update software – especially music software – in order for it to work properly, or at all.

Let’s look at those two changes separately: one is the change for installers (called “notarization”), and the second is a new set of requirements for how software is granted access to vital information (the “hardened runtime”).

The two requirements are related, because Apple won’t approve installers unless they also comply with the hardened runtime standards. So let’s take a look at the hardened runtime and entitlement permissions first.

Entitlements and the hardened runtime

Let’s recall here how malware works: it runs additional code that you didn’t intend to run, then gives that code access to something vital on your system (like your data, or microphone). So obviously, what Apple is doing is attempting to prevent those two things.

The first thing you’ll notice on macOS Catalina is that the Mac starts asking you for permission a lot more often. So now, the first time you print a score from notation software or try to open a file dialog to browse the desktop, you’ll get a pop-up asking if you really want to do that. That’s a bit annoying, but it’ll only happen once, and then will remember your permissions. And the reason it’s there is, of course, malware might otherwise perform the same task without your consent. You’re already familiar with this behavior from phone apps on Android and iOS; this is effectively the same idea, now on your desktop computer.

With a common, monolithic app, providing these permissions (called “entitlements”) is fairly easy. But music software isn’t monolithic. Your DAW is running all sorts of libraries and plug-ins and so on. Unfortunately, the exploits Apple is targeting in malware – “code injection, dynamically linked library (DLL) hijacking, and process memory space tampering” – also look a lot like the behaviors your DAW performs normally. And your DAW also needs to handle entitlements for plug-ins. In addition to the DAW needing your permission to access certain folders, for example, it also needs to ask your permission if a sample instrument like KONTAKT wants to access files, as well.

Here’s the bit you’ll really need to care about – if you’re upgrade to macOS Catalina, you will need to be prepared to upgrade your DAW, too. Providing this compatibility is complicated, so it’s likely that most developers will be able to support only their latest release – meaning you may require a paid update to that first.

The good news is, theoretically this burden falls on the DAW, not individual plug-ins. (Plug-ins may still require an update, because of the removal of 32-bit code and other portions of the OS required for compatibility, and because of new installer requirements.) But you will need to update any software working with plug-ins, or you may find software won’t run properly or will fail to run altogether.

It’s also likely that even with updates, some software will not work properly immediately after Catalina’s launch. Developers are still learning how to use this new feature of the operating system, and Apple’s frequent OS updates mean they have little time to do so. Also, an additional side effect of the new security requirements is to break the ability of plug-in developers to debug their plug-ins in DAWs, meaning testing is – for now – more difficult. That may slow compatibility and testing.

If you plan to use an older version of a DAW, you’ll want to avoid updating past macOS Mojave (10.14). If you do intend to update – or to buy a new Apple machine once Catalina is pre-installed and required by default – you should plan to use the very latest version of your DAW, and double-check that Catalina is supported. And even with listed Catalina support, expect there could still be some wrinkles immediately after the OS ships.

Once those pieces are in place, though, you will be able to use DAWs and plug-ins as you always have – just with some more pop-ups the first time you do something like access the file system or connect audio hardware.

(One illustration of how entitlements requirements might surprise you – someone on Reddit noticed the Live “computer keyboard” setting, which passes QWERTY keys to MIDI notes, suddenly broke in the Catalina beta. That makes sense; it would require the entitlements provided by the coming Live 10 update. And obviously, malware would love to be able to take your computer keyboard input and route it somewhere else without asking.)

Installer requirements and drivers

The other change in macOS Catalina is to require installers to be “notarized” by default (whereas previously it was a non-mandatory option). This means developers will submit installers to Apple for verification, and that they fulfill certain requirements for how those installers are built. (These requirements largely have to do with how they link against the Mac SDK and following new guidelines like the hardened runtime.)

Here’s what you see now, on macOS Mojave. (See Apple’s support article on these safety restrictions.) Catalina introduces new requirements for the “identified developer” section – that is, how they require developers to build their installers and verify them with Apple. But as in the current macOS, you’ll be able to control what you run in a similar fashion, even with tougher defaults.

This is not the same as the App Store approval requirements on iOS (or similar stores from Google and Microsoft). Apple aren’t looking at the software itself, only verifying the installer is built according to their standards. The process takes something like an hour currently, not days or weeks as the stores can. And most importantly, Apple will allow users to override the installer requirement. As with Gatekeeper in current versions of macOS, you’ll get a dialog telling the installer or app was blocked, but you’ll still be able to choose to run something anyway. (Right-click, choose open, and you’ll be given option.)

Notarization is the “Apple checked it for malicious software” bit. It’s available in the current macOS, but in 10.15 it’s required by default. That is, Apple developers not only register their ID, but also submit the software for a check with Apple, too.

Apple developer documentation on the notarization feature:
Notarizing Your App Before Distribution

Unverified plug-ins may also continue to work inside DAWs – depending on the DAW you’re using. This means in theory, you’ll be able to install and attempt to use plug-ins, even if they haven’t been updated for Catalina. You would need to override plug-in notarization requirements for the installation from dmg (Disk Image) files, but once a file was installed, a DAW may be able to support it, theoretically. Your mileage may vary when it comes to actual use, however; the advantage of the installer requirement may be that it gives a clue that a developer has tested on Catalina.

PreSonus has just announced for their Studio One DAW that not only will you need to update Studio One itself, but many plug-ins will also need an update. In their case, plug-ins built before June 1, 2019 will still need to be signed (the earlier method of verification for Apple developers). Plug-ins built after that date will need to fulfill Catalina’s tougher requirements – notarization and the hardened runtime.

Drivers for hardware will hit a hard wall. Unverified drivers will not function on the new OS. This means if you have older hardware that doesn’t have updated drivers and installer, you won’t be able to use it. There’s no ability to override this requirement.

Here’s what happens if you try to use a plug-in in PreSonus Studio One if the developer has not fulfilled Apple’s security verification requirements for the software. You’ll need to acquire updates for all of your plug-ins, accordingly.

End of the road for 32-bit and legacy libraries

Just as significant as the security changes, Apple is ending support for 32-bit code starting with Catalina. This is a hard barrier – you won’t be able to use “bridge” tools for 32-bit plug-in compatibility, for instance. Any 32-bit app, library, or plug-in will simply refuse to run.

It may not be immediately obvious that software makes use of 32-bit code, either. A 64-bit application may still make use of a 32-bit library. For instance, Ableton tell CDM that they found their previous versions of Live would attempt to call a 32-bit library on startup. These apps may not fail gracefully; they may simply crash. This means even if you’re using a 64-bit and 64-bit plug-ins, you will want to verify compatibility with the vendor before upgrading.

If you have 32-bit plug-ins or older software you rely on, you will likely want to stay on macOS Mojave. Once you upgrade, this software will cease to work. This may also mean you want to retain an older Mac running Mojave or earlier, for backwards compatibility.

Apple has also ended long-deprecated libraries, including the older video library (called QTKit).

Case study: Ableton Live

Ableton provided CDM with access to their compatibility process. An update to Live 10 will support Catalina’s new requirements at launch. This involved a series of changes, which may be typical for DAW developers. In Ableton’s case, it meant the following updates:

·         Rebuilding the installer with notarization support and its requirements

·         Removing all 32-bit code and libraries (including one 32-bit library that will cause previous versions of Live to crash on launch)

·         Providing full compatibility with Max

·         Transitioning video code to the latest AVFoundation (from a now-unsupported version of QuickTime)

The move to AVFoundation is good news for anyone working with video – even if you use an older macOS version like Mojave. There’s improved video export performance and new codec options.

Ableton also say you should expect that these updates mean you can use Live with existing plug-ins under Catalina. Based on what plug-in developers tell me, though, you should still anticipate there may still be some issues to resolve with individual plug-ins if you upgarde, and DAW developers like Ableton may not be aware of all of these situations on internal testing alone.

Because of the number of changes to be made, Live 9 will not support Catalina. Conversely, as Apple deprecates older OSes, Live 10 won’t support some of the older versions of macOS. Here’s what will be compatible:

Live 9: macOS 10.7 – 10.13 officially supported; 10.14 unofficially supported

Live 10: macOS 10.11 – 10.15 supported (macOS 10.15 requires the Live 10.1.2 update for Catalina, minimum)

Ableton have also published a technical note. The headline is about Live 9, but it also includes useful resources for Live 10 users:

Live 9 is not compatible with macOS 10.15 Catalina

Compatibility with other software

Many developers CDM contacted were not yet ready to make an official statement on Catalina. Off the record, a significant number of developers reported problems.

Native Instruments published a blanket statement saying simply none of their products are compatible:

macOS 10.15 (Catalina) – Compatibility with Native Instruments Products

PreSonus has published a technical note explaining that you’ll need not only an update to their Studio One DAW, but also to most (or all) of your plug-ins, as illustrated above:

Studio One 4 on Mojave and Catalina – Notarization, Hardened Runtime, and how it affects 3rd-party plug-ins

Apple has not necessarily had full support for a new OS even for its own pro software; I’ve contacted Apple to ask if Logic Pro will support Catalina at launch but have not yet gotten a response. (There is a precedent of Apple’s own pro apps sometimes lagging their OS, before you make the assumption that they two will be in sync.)

How should you upgrade, and when?

Here’s a simple piece of advice: don’t update to Catalina immediately. As with any major OS change, music installers, drivers, and DAWs will benefit from more time and testing. Since musicians have complex and diverse setups, odds are you rely on something that won’t be immediately compatible, or that interactions between tools could create unexpected results.

If you do update, you should absolutely make a full backup so you can easily roll back. Time Machine backups can also provide some ability to remove OS updates.

You can also create an external installation of the OS on any drive that is formatted to macOS extended Journaled. It’s probably worth buying an inexpensive drive to test first, especially with an update this significant.

Macworld has two helpful articles (also linked by Ableton):

How to dual-boot Mac: run two versions of macOS on a Mac

How to downgrade macOS from Mojave to an older version

If you’re a developer and want to share your compatibility information, please get in touch.

https://www.apple.com/macos/catalina/