Message ID: MC911615
Note: If your organization does not use macOS, you can safely disregard this message.
Microsoft Word, Excel, and PowerPoint in Office for macOS Version 16.91 only load dynamic libraries that are codesigned with a valid Apple Developer ID. As a result, Office add-ins or Open Database Connectivity (ODBC) drivers that rely on unsigned or ad-hoc-signed dynamic libraries don’t work as intended.
However, most dynamic libraries used with Office apps are already codesigned, so this change is unlikely to affect most users.
In this message, when non-Microsoft products is mentioned, it specifically refers to products and applications that enhance or extend Office functionality (like add-ins or integrations). This doesn’t include all non-Microsoft software installed on your device.
[When will this happen:]
This change is expected to be live in production in mid-November 2024.
[How this affects your organization:]
Reason for the change:
Microsoft requires executable code from non-Microsoft products be codesigned with a valid Apple Developer ID. This requirement ensures that only verified and properly signed code runs within Office applications, promoting code integrity and compliance with macOS development standards.
Workflow changes for users:
If your workflow uses unsigned dynamic libraries within Word, Excel, or PowerPoint for macOS, it no longer works as intended. You need to get an updated version of the product from the original software developer.
[What you can do to prepare:]
Actions required for developers:
If your product uses dynamic libraries, make sure they’re codesigned with an Apple Developer ID. Unsigned or ad-hoc-signed libraries are no longer allowed to load into Office app processes. For more information on the Apple Developer program and tools, see the Apple Developer Program. Office applications support libraries codesigned for distribution through any Apple-supported distribution mechanism, including direct download by your customers.
Steps for admins:
- Verify Deployed non-Microsoft Products: Check if you have any non-Microsoft products deployed to your users. These products often:
- Extend Office functionality by adding menu or ribbon controls.
- Communicate with other applications to share content with Office.
- Support external data connections such as ODBC.
- Confirm codesigning compliance: Make sure that any non-Microsoft products follow best practices and codesigned any dynamic libraries included in their products. If any libraries aren’t codesigned, contact the product developer for updates.
- Monitor system logs: Inspect the system console logs for Library Load Constraint Rejection messages. These messages from macOS identify any dynamic library that the OS rejects from loading into an Office app process.
- Consider proactively blocking all non-Microsoft libraries: To block these libraries, set the Office preference DisableVisualBasicExternalDylibs to true using Mobile Device Management (MDM) software. For more information, see the Apple Platform Deployment guide.
Warning: Blocking all non-Microsoft libraries from running within Visual Basic macros is a significant action and should only be considered if absolutely necessary for your organization’s requirements on macOS computers.
Source: Microsoft
Alright, admins and users, gather ’round! We’ve got some news that’s hotter than a fresh cup of coffee on a Monday morning. Microsoft is rolling out an update for Word, Excel, and PowerPoint on macOS, and it’s all about keeping things neat and tidy with codesigned dynamic libraries.
Now, before you start panicking and imagining your Office apps throwing tantrums, take a deep breath. This update is mostly a housekeeping move to ensure that only properly signed code gets to play in the Office sandbox. Think of it as a bouncer at a club, making sure only the cool, verified kids get in.
For most of you, this will be a non-event. Your dynamic libraries are probably already codesigned, so you can continue your Office shenanigans without a hitch. But if you’re using some unsigned or ad-hoc-signed dynamic libraries, it’s time to get those updated. No more sneaking in through the back door!
Admins, you’ve got a bit of homework. Check your deployed non-Microsoft products and make sure they’re all playing by the new rules. If you find any rebels, it’s time to have a chat with the developers and get those libraries codesigned. And don’t forget to keep an eye on those system logs for any misbehaving libraries.
Developers, this is your cue to shine. Make sure your dynamic libraries are codesigned with an Apple Developer ID. It’s like getting a stamp of approval from Apple, ensuring your code is legit and ready to roll.
So, what do you think about this update? Is it a minor bump in the road or a major detour? Share your thoughts in the comments below!