How macOS Catalina’s New Security Features Work
macOS Catalina introduces new security controls. For example, apps are now required to ask your permission before accessing parts of the drive where documents and personal files are kept. Let’s take a look at what’s new for security in Catalina.
Some Apps Require Permission to Access Your Files
Apps now have to request permission to access certain parts of your file system. This includes your Documents and Desktop folders, your iCloud Drive, and any external volumes that are currently connected to your Mac (including flash drives, memory cards, and so on). This is the change that’s been getting the most headlines.
Apple has been pushing permission-based access for a while on iOS, and we’re seeing more of these security policies make their way into macOS. When you first upgrade to Catalina, this can result in a blizzard of permission request dialog boxes. This has led some to compare the feature to Windows Vista’s full-screen security prompts (but in reality, it’s nowhere near as egregious).
Unedited Catalina first-run experience.
And I haven’t even begun to do actual work yet.
This could be Apple’s shining Windows Vista moment. pic.twitter.com/CxuVhA3BxV
— Tyler Hall (@tylerhall) October 7, 2019
From a security standpoint, it’s a change to be welcomed, though it can take some time to get used to. Not every app will request access, either. In our tests, we were able to open and save files using markdown editor Typora, but navigating to the Documents folder in Terminal using the
cd ~/Documents/ command prompted a request for permission.
Head to System Preferences > Security and Privacy > Privacy and click on the “Files and Folders” option to see any apps that have requested access. You can also grant access to your whole disk by clicking “Full Disk Access.” Note that some apps, like duplicate file finders, will require that you allow access to your entire drive using this menu.
To make changes, first, click on the lock icon in the bottom-left corner of the window, then input your admin password (or use Touch ID if you have a fingerprint reader). You can then check the box next to the app in question to grant access.
Input Monitoring, Screen Recording, and Safari
Disk access isn’t the only change to permissions in macOS Catalina. Apple now requires that apps ask for permission to log keyboard input and make screen recordings. You will find options for each of these under “Input Monitoring” and “Screen Recording” in System Preferences > Security and Privacy > Privacy.
Input Monitoring refers to any text input that isn’t handled by the operating system, just like the “Allow Full Access” setting on iOS for third-party keyboards. This could help protect against keyloggers. Screen Recording restrictions block apps from recording anything on your screen without permission. This restriction affects apps like Apple’s own QuickTime Player, prompting you to “Open System Preferences,” click the lock to authorize changes, and then manually grant permission.
In Safari, you will also be asked to allow or deny requests to download files from specific domains or to share your screen. You can fine-tune your choices by launching the browser then clicking Safari > Preferences > Websites. You can permanently grant permission, deny outright, or prompt the website to ask you every time using the provided controls.
macOS Is Now Stored on a Separate Disk Volume
During the installation process for macOS Catalina, your main system volume is split in two: one read-only volume for core system files (your operating system) and another volume for data that allows both read and write access. You won’t need to do anything; the installer takes care of it for you.
This places all of the operating system’s most important files in a single read-only volume that cannot be modified by you or any of your apps. You won’t be able to see the second volume unless you open Disk Utility. In the sidebar, you should find two volumes a regular old “Macintosh HD” (your operating system) and a “Macintosh HD Data” for everything else.
This change is something most users will not notice. It does not affect how your computer runs on a day-to-day basis, and the only time the read-only volume will be affected by anything is when you update your Mac. All you need to know is that the change makes it even more difficult for rogue apps to damage the part of your drive where the operating system’s most sensitive data is kept.
Gatekeeper Gets a Power Up
Gatekeeper is the technology that steps in whenever you try to run an app that isn’t from the Mac App Store and hasn’t been signed using an authorized developer certificate. Gatekeeper stops you running dodgy apps on your Mac, for better or worse, and in Catalina, it’s getting an upgrade.
Apps will now be checked for malware using Gatekeeper each time they run. Previously this only happened the first time you tried to open the app. To speed the process up, Apple has launched a new notarization process where developers must submit their apps to Apple to have them pre-approved as safe.
If Gatekeeper sees that an app has been notarized, it knows not to scan it for malware every time it is launched. As of macOS Catalina, any developer who has signed their app with an Apple Developer ID certificate must also submit their apps for notarization by Apple to pass Gatekeeper’s checks. This translates to more red tape and hoops for developers but more peace of mind for consumers.
Remember, you can still install and run apps that aren’t signed with Developer certificates or downloaded from the Mac App Store:
- Launch the app you’re trying to run and acknowledge the Gatekeeper warning that prevents the app from running.
- Head to System Preferences > Security and Privacy > General and look for a note at the bottom of the screen about an app launch being denied.
- Click on “Open Anyway” to bypass Gatekeeper and launch the app.
Activation Lock Comes to Macs with a T2 Chip
Activation Lock was first added to iPhones to deter thieves. The feature locks any iOS device to your Apple ID, requiring that you log in using your credentials if you want to restore the device to factory settings. This is so that a thief can’t steal your phone or tablet, reset it to factory settings, then resell it as a used device.
That same technology is now making its way into macOS Catalina. It only works if your Mac has Apple’s T2 chip, a custom piece of silicon that rolls the “System Management Controller, image signal processor, audio controller, and SSD controller” into a single piece of hardware. The T2 chip is currently found on the following Mac computers:
- MacBook Pro 2018 or later
- MacBook Air 2018 or later
- iMac Pro (all models)
- Mac mini 2018 or later
To take advantage of Activation Lock, make sure that the “Find My Mac” service is enabled under System Preferences > Apple ID > iCloud. If you intend to sell your Mac, make sure you disable the “Find My Mac” service before you do so. You should also reinstall macOS and wipe any personal data before you sell it.
Not sure which Mac you have? Click on the Apple logo in the top-left corner and then choose “About This Mac” to see the year, model, and other technical specifications.
“Find My” Helps You Locate Devices and Friends
Apple has overhauled its “Find My iPhone” service and rebranded it as simply “Find My” instead. The service was previously only available via iCloud.com and through iPhone and iPad apps. But, in macOS Catalina, Apple has included a dedicated “Find My” app for keeping track of all of your devices.
The new app includes the ability to track not only devices linked to your Apple ID but also your friends. Previously Apple’s “Find My Friends” app was used for this purpose, but the “Find My” app will be pulling double duty going forward. You can share your location using this app by clicking on “Share My Location,” entering your email address, and clicking Send.
Remember that “Find My” only works with other Apple users. The person you are sharing your location with will need an Apple ID and access to the “Find My” service either via an iPhone or iPad or a Mac to partake. You can also share your location using your iOS device from the Messages app, which is generally a better idea since most of us walk around with our phones rather than our MacBooks.
Click on the “Devices” tab to see all of your devices, along with their current and last-known locations. Click on a device to select it then click the “i” information button to see more options. Depending on the device, you may be able to play a sound, mark the device as lost, and even erase the device remotely.
All the Small Things
As is the case with every new macOS release, there are a lot of smaller changes that you might not notice at first. One of the best is the ability to approve admin requests on your Apple Watch. If you can use your Apple Watch to unlock your Mac, you can use it to grant admin permission to install apps, delete files, and more.
Safari steps up its security game by letting you know if your passwords are too weak. Safari will also suggest new “strong” passwords and save them to your iCloud keychain. The Notes app will also now allow you to share read-only notes. Click on the “Add People” button then change the “Permission” field to “Only people you invite can view” to share a note without full write permissions.
These are just a few of the changes in macOS Catalina, which is available now.