
Silent Knight Reference


Start
SilentKnight checks your Mac’s key security systems to ensure they’re up to date and enabled. This reference
explains each item shown in its window.

The Eclectic Light Company blog – https://eclecticlight.co
Check
When you first open SilentKnight, it runs its standard checks and completes the result boxes. Click on the
Check button, or use the Check command in the File menu, to repeat those checks and generate a new
report.

SilentKnight connects to my GitHub server and downloads the current firmware version for this model,
then connects to obtain the current list of security data versions. The app checks those versions found on
your Mac, compares them, and displays the results.

Those considered to be up to date are prefaced by the emoji or to indicate a ‘pass’. Those
considered to merit further checking or action on your part are prefaced by . Those which appear to be
out of date or worth attending to are prefaced by . Items updated in the last 24 hours are shown with a
by them.

If you haven’t disabled the softwareupdate feature, the app also connects to Apple’s update servers and asks
them whether there are security or system updates available for your Mac. This takes longer to complete: while
waiting for the result, a circular busy spinner is displayed next to the Updates box. If there are updates available,
the Install all updates button next to the spinner is shown, so you can decide whether to download and install
them. If you only want to install some of the updates, use the Install Named Updates… command in the File
menu to open a separate Updater window.


Mac model

This displays the specific model of Mac using a standard code, in which type of Mac is given first, e.g.
MacBookPro, then two digits separated by a comma to identify the series and specific model, e.g. 10,2.
Use these when referring to your Mac so that others can know exactly which it is.

This information is obtained using:


import Foundation  // for String-to-CFString bridging
import IOKit
let platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"))
let modelAsCFString = IORegistryEntryCreateCFProperty(platformExpert, "model" as CFString, kCFAllocatorDefault, 0)

It’s used to look up the expected firmware version, so if an error occurs when obtaining the Mac model, the
firmware version given is almost certainly incorrect too.


Firmware

SilentKnight looks up the firmware version, and compares it with that believed to be current for supported versions
of macOS (Catalina, Big Sur, Monterey). If the version found is older than that expected, you will be warned. If
your Mac is running beta software, its firmware may have a different version.

Macs running Mojave and earlier haven’t had firmware updates for some time, and are now left running older
versions, which can’t be checked against current release versions. Older systems, and some Mac Pro models, still
use a different version numbering system. SilentKnight can’t determine whether those older versions are the latest
available, so shows the result with a warning triangle, so that you can check the version manually:

This information is obtained using:

import Foundation  // for String-to-CFString bridging
import IOKit
let theEntry = IORegistryEntryFromPath(0, "IODeviceTree:/rom")
let efiAsCFString = IORegistryEntryCreateCFProperty(theEntry, "version" as CFString, kCFAllocatorDefault, 0)


SIP & Platform Security

System Integrity Protection or SIP ensures that nothing can tamper with your Mac’s system files, and now
extends to all the bundled apps in macOS and more besides. Although sometimes it can be helpful to
disable SIP, you should never run a Mac for any longer than is essential with SIP turned off.

If SIP is turned off, turn it back on by restarting your Mac in Recovery mode holding Command-R, opening
Terminal there and typing in the command
csrutil enable; reboot
When you press Return, your Mac will then restart in regular mode again with SIP turned back on.
To check SIP, SilentKnight runs the shell command
csrutil status

In Big Sur and later, this also checks and reports whether the Signed/Sealed System Volume (SSV) is correctly sealed.

Apple silicon Macs have several additional protections in their Platform Security as well as SIP and the SSV. To
evaluate those, SilentKnight checks all that are available, and summarises results in the box normally used for
SIP. Full details of each security setting are then given in the text box at the bottom of the window.


XProtect

XProtect is responsible for checking apps and some other files for tell-tale signatures indicating that they are
malicious. It should always be enabled: if it’s reported in its box at the left to be disabled, contact Apple support as
a matter of urgency, as your Mac may have already been attacked by malware. Apple periodically updates its
signature and malware definitions using pushed security updates.

To determine the current version of XProtect data files installed, SilentKnight obtains the version number
of /System/Library/CoreServices/XProtect.bundle. In macOS 10.15 and later, that is both
/Library/Apple/System/Library/CoreServices/XProtect.bundle and XProtect.app, for which it gives both
version numbers. The second version number is for the new XProtect Remediator app, which is
progressively taking over from MRT for remediating the effects of malware.

When updated, the new data takes immediate effect. You don’t need to restart your Mac.

To check that XProtect blacklist protection is enabled, it runs the shell command
spctl --status
which should always return that assessments are enabled.


FileVault

FileVault protects the contents of disks by encrypting them. Internal storage of Macs equipped with T2
chips and of Apple silicon models is always encrypted, although that default encryption doesn’t use your
password. If there’s any risk that someone else could gain access to private or sensitive data on your Mac,
you should turn FileVault on. This is an option which you control in the Security & Privacy pane of System
Preferences.

To check whether FileVault disk encryption is turned on, SilentKnight runs the shell command
fdesetup status
This only applies to the internal storage, although external drives can also be encrypted using FileVault when you
wish to protect them.


Updates

When SilentKnight starts up, and when you click the Check button, it connects to Apple’s servers and asks
them for a list of all system and security updates available for your Mac, using the following command:
softwareupdate -l --include-config-data
or, in El Capitan,
softwareupdate -l

This doesn’t require you to authenticate, even in El Capitan, and should still work when automatic updates
are disabled. When updates are available, this in turn displays the Install all updates button, allowing you
to download and install them when you wish. If you only want to install some of the updates, use the
Install Named Updates… command in the File menu to open a separate Updater window.

You can disable this softwareupdate check if you wish.


Gatekeeper

Gatekeeper data files include lists of revoked developer security certificates and other vital information
which was used when macOS checked the authenticity of apps and some other items. More recently, this
has become disused. Because of that, newer Macs may now have very old versions of Gatekeeper
installed. When that’s found, it’s simply reported as being unused.

These data files are stored at /private/var/db/gkopaque.bundle, and it’s that bundle’s version number which
SilentKnight checks and displays.

Catalina and later have additional data stored at /private/var/db/gke.bundle (which used to be tiny), so in
10.15 and later the version of that bundle is given after the number for the main gkopaque.bundle, e.g.
181, 8.0. If either is out of date in Catalina or later, a warning results.

When updated, the new data takes immediate effect. You don’t need to restart your Mac.


MRT

If macOS 10.14 or earlier detects that malware is present, it calls on the Malware Removal Tool MRT
to remove it. In macOS 10.15 and later, this task is being progressively taken over by XProtect
Remediator, whose version is reported as the second figure for XProtect.

The app’s data are contained within the app at /System/Library/CoreServices/MRT.app (in 10.15 and
later /Library/Apple/System/Library/CoreServices/MRT.app), and the version given here is that of that app.

When updated, MRT may be run automatically to check for any malware which needs to be removed. As
MRT is normally only run after starting up, you may prefer to restart after updating, to ensure that the new
version scans your Mac promptly. It’s also possible to run MRT manually, but that doesn’t appear as
reliable as restarting.


TCC

macOS Mojave introduced new protection for private data in Transparency Consent and Control or TCC.
That uses private data which Apple periodically changes using its pushed update service to
replace /System/Library/Sandbox/TCC_Compatibility.bundle (in 10.15 and later
/Library/Apple/Library/Bundles/TCC_Compatibility.bundle).

SilentKnight shows the version number of that bundle. This differs considerably between Mojave and
Catalina and later.

When updated, the new data takes immediate effect. You don’t need to restart your Mac.


KEXT

macOS uses a kernel extension exclude list to prevent some old and conflicting kernel extensions from
being loaded. This is obtained from that extension, at
/System/Library/Extensions/AppleKextExcludeList.kext, or in Catalina and later at
/Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext.

When updated, the new data is used when you next start your Mac up.
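
The bundle version checks described in the XProtect, Gatekeeper, MRT, TCC and KEXT sections, as an added Python example (not SilentKnight's own code): it reads each bundle's Info.plist and compares the version found with an expected one numerically. Reading CFBundleShortVersionString, the function names and the sample version numbers are assumptions made for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Bundle locations quoted in this reference (10.15-and-later paths).
BUNDLES = {
    "XProtect": "/Library/Apple/System/Library/CoreServices/XProtect.bundle",
    "Gatekeeper": "/private/var/db/gkopaque.bundle",
    "MRT": "/Library/Apple/System/Library/CoreServices/MRT.app",
    "TCC": "/Library/Apple/Library/Bundles/TCC_Compatibility.bundle",
    "KEXT": "/Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext",
}

def bundle_version(bundle, root="/"):
    """Return the version string from a bundle's Info.plist, or None on failure."""
    info = Path(root) / bundle.lstrip("/") / "Contents" / "Info.plist"
    try:
        with info.open("rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None
    # Assumption: the version of interest is CFBundleShortVersionString.
    return plist.get("CFBundleShortVersionString") if isinstance(plist, dict) else None

def version_key(version):
    """'1.93.1' -> (1, 93, 1), so 1.100 sorts after 1.93 and 2166 after 999."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def assess(found, expected):
    """Classify an installed version against the expected current one."""
    if found is None:
        return "error"
    return "ok" if version_key(found) >= version_key(expected) else "out of date"

def check_all(expected, root="/"):
    """Map each item name to (installed version, verdict)."""
    report = {}
    for name, path in BUNDLES.items():
        found = bundle_version(path, root)
        report[name] = (found, assess(found, expected[name]))
    return report

def build_sample_root(root, versions):
    """Create constructed bundles under root so the check runs on any system."""
    for name, version in versions.items():
        contents = Path(root) / BUNDLES[name].lstrip("/") / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": version}, fh)

if __name__ == "__main__":
    # Constructed version numbers, not real release values.
    expected = {"XProtect": "2166", "Gatekeeper": "181", "MRT": "1.93",
                "TCC": "150.19", "KEXT": "17.5.1"}
    installed = {"XProtect": "999", "Gatekeeper": "181", "MRT": "1.100", "TCC": "150.19"}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp, installed)
        for name, (found, verdict) in check_all(expected, tmp).items():
            print(f"{name:<11}{found or '-':<10}{verdict}")
```

A plain string comparison would rank "999" above "2166" and "1.93" above "1.100"; comparing integer tuples avoids both mistakes, and a missing or unreadable bundle is reported as an error instead of passing silently.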


Apple Studio Display

When you have one or more Apple Studio Displays connected, a new row appears at the foot of the
information before that about updates. This states the display recognised, and on the right the current
firmware versions are given for each connected Studio Display. If SilentKnight isn’t able to find an Apple
Studio Display, this row remains blank.

Firmware updates for Studio Displays are pushed in the normal way through Software Update. When one
is available, don’t try to download or install it using SilentKnight, but use Software Update instead.

Display firmware versions are checked against the current version stored in the GitHub database, and any
discrepancy is marked with a and reported in full in the scrolling text below.


Install all updates

The Install all updates button only appears when SilentKnight has discovered that there are updates available for
your Mac, although you can always force them to be downloaded and installed using the menu command. When
you click on this button, the app runs the command:
softwareupdate -ia --include-config-data
or, in El Capitan,
sudo softwareupdate -ia

If you are running El Capitan, you need to authenticate before this command can be run, but that is not required in
Sierra or later. This tries to connect to Apple’s servers, and downloads and installs all pending updates for you.

This automatically installs all pending system and security updates, whether you want them or not. When large
updates such as macOS updates are available, install those first using Software Update, or use the Install Named
Update… command in the File menu to download and install individual updates instead.

When updates have been installed, SilentKnight runs through its checks again and refreshes version numbers
shown, so you can check that they have been installed correctly.


Install named update


The Install Named Update… command in the File menu opens SilentKnight’s Updater window, in which you can install as many
individual updates as you wish.

When SilentKnight checks for updates, it shows the list of available updates in the main scrolling text view of the main window. For
each update available, this normally lists the name of that update (without any embedded spaces) in the first of a pair of lines. Select
that name and copy it from that window. Then paste it into the text box at the top of the SilentKnight Updater window. Click on the
Install Named Update button to download and install it. Repeat this procedure for each update you wish to install.

If the command returns an error, it’s most probable that you gave the wrong name. Try copying and pasting a different part of the
listing from the main window until it works. Closing the Updater window doesn’t quit the app.

When you click on this button, the app runs the command:
softwareupdate -i --include-config-data updatename
or, in El Capitan,
sudo softwareupdate -i updatename


Disable softwareupdate
macOS High Sierra and Mojave Security Update 2020-003, and Catalina 10.15.5, changed the way that Software
Update works. This prevents you from turning off the red badge which indicates that an unwanted update is
waiting to be downloaded and installed. It’s possible to alter this, but when you next access Software Update, the
red badge will reappear. To ensure that this doesn’t happen when using SilentKnight, there is an option which
stops SilentKnight from checking Apple’s update servers for available updates.

To disable checking for available updates, select the Check Updates item in the SilentKnight menu (where you’d
expect Preferences to be). That menu command will then change to read Don’t Check Updates. When you next
open SilentKnight, the softwareupdate check won’t be run. You can also set that in SilentKnight’s preferences file
by entering the following command:
defaults write co.eclecticlight.SilentKnight noCheckSWU true

To enable softwareupdate checks again, simply select the Don’t Check Updates command. It will change back to
Check Updates, and when you next click on the Check button or open SilentKnight, the normal softwareupdate
check will be run. You can also use the command
defaults write co.eclecticlight.SilentKnight noCheckSWU false


Download not install


By default, SilentKnight both downloads and installs updates. There are occasions when you may prefer only to
download the update for the time being, and decide whether to install it later. For example, a bug in MRT version
1.68 caused problems on many Macs. If you wish to be cautious, you could just download future updates to MRT
then, after a couple of days, if the latest update appears to be problem-free, you could install it.

To disable automatic installation, select the Install Updates command in the SilentKnight menu. It will then
become unticked and show the words Download Updates. Select those again to turn automatic installation back
on.

To remind you that updates are only being downloaded, when installation is disabled a warning
triangle is displayed in SilentKnight’s windows, and all menu commands and buttons which normally
read Install … are changed to read Download … instead.

Downloaded updates are saved in the /Library/Updates folder, which is automatically opened for you after
downloading is complete. Apple’s documentation (from 2012) warns that those Installer packages “are not
designed to be installed by double-clicking the packages in that directory: always use [softwareupdate] --install or
the App Store to actually perform the install.” However, in Mojave and later that doesn’t appear necessary.
Downloading can also result in spurious errors being reported when the update is in fact perfectly good.


Report

In addition to displaying brief information in the boxes above, SilentKnight also provides more in the scrolling text
area in the lower part of its window. This may include errors encountered when trying to obtain some of those
values.

It also lists the latest dates of installation of security data files, which are derived from that Mac’s install history
at /Library/Receipts/InstallHistory.plist. Those are checked again after the installation of any updates, and should
confirm that the update has been correctly received and installed. The emoji is shown by new versions for 24
hours.
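
The install-date lookup described above, as an added Python example (not SilentKnight's own code): it parses install history records, keeps the newest entry for each security data item, and marks those installed within the last 24 hours. The keywords used for matching, the function names and the sample records are assumptions; the sample is constructed so the example runs on any system.

```python
import plistlib
from datetime import datetime, timedelta

HISTORY_PATH = "/Library/Receipts/InstallHistory.plist"  # path given in this reference

def latest_installs(history, keywords):
    """For each keyword, keep the newest record whose displayName contains it."""
    latest = {}
    for entry in history:
        name, when = entry.get("displayName", ""), entry.get("date")
        if not isinstance(when, datetime):
            continue  # skip malformed records rather than abort the report
        for kw in keywords:
            if kw.lower() not in name.lower():
                continue
            if kw not in latest or when > latest[kw]["date"]:
                latest[kw] = entry
    return latest

def report_lines(latest, now, window=timedelta(hours=24)):
    """One line per item; installs newer than `window` are marked (new)."""
    lines = []
    for kw in sorted(latest):
        e = latest[kw]
        fresh = " (new)" if now - e["date"] <= window else ""
        lines.append(f"{e['date']:%Y-%m-%d %H:%M} {e['displayName']} "
                     f"{e.get('displayVersion', '?')}{fresh}")
    return lines

def sample_history():
    """Constructed install history; names, versions and dates are illustrative."""
    rows = [
        ("XProtectPlistConfigData", "2165", datetime(2022, 11, 1, 9, 0)),
        ("XProtectPlistConfigData", "2166", datetime(2022, 11, 17, 20, 30)),
        ("MRTConfigData", "1.93", datetime(2022, 4, 29, 7, 15)),
        ("Safari", "16.1", datetime(2022, 11, 17, 8, 0)),
    ]
    entries = [{"displayName": n, "displayVersion": v, "date": d,
                "processName": "softwareupdated"} for n, v, d in rows]
    # Round-trip through the plist format, as if read from HISTORY_PATH.
    return plistlib.loads(plistlib.dumps(entries))

if __name__ == "__main__":
    # Plist dates are parsed as naive UTC values, so `now` must be UTC as well.
    now = datetime(2022, 11, 18, 8, 0)
    latest = latest_installs(sample_history(), ("XProtect", "MRT"))
    print("\n".join(report_lines(latest, now)))
```

On a Mac, replace `sample_history()` with `plistlib.load(open(HISTORY_PATH, "rb"))` to run the same report over the real install history.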

Select all and copy the contents of the report to paste in as plain or rich text, or use the Export… command to
save this to a file in plain text. Use ⌘+ and ⌘– to enlarge or shrink the text size as you wish.
