Mac owners who have upgraded to macOS Catalina have probably noticed a lot of new features and changes to existing functionality. But they may not have really been aware of how much Apple has improved Mac security. Today we’ll look at some of the changes and how they keep your Mac safe from intrusion.
Safari Download Prompts
One simple change that you may have already encountered is a prompt that appears the first time you try to download a file from a website you’re visiting with Safari:
If you really meant to download a file from that site and you are confident that you’re not downloading malware, click Allow, and two things occur. First, the file is downloaded, and second, Safari Preferences stores the permission for future use.
To revoke permission for a website to download a file to your Mac, or allow it later on, open Safari > Safari Preferences > Websites > Downloads, and then look for the site in the list of “Currently Open Websites” or “Configured Websites.”
Find that prompt to be annoying? You can shut it off in that same preference pane. A pop-up at the bottom of the pane marked “When visiting other websites” configures Safari to ask you for permission to download from a particular website, to always deny downloads, or to always allow downloads.
Separate System and Data Volumes
Unless you have launched Disk Utility lately, you may not have noticed a significant change in the way that macOS sets up your Mac storage. Now whatever your storage is — hard disk, SSD, or Fusion Drive — it is split into two volumes. The first volume is the System volume, which contains the operating system files, and it is now set with Read Only permissions. The only way that the System volume can be changed is through a signed update from Apple. The idea behind this is sound, as it prevents malware from affecting the operating system.
The other volume is named Data, and it contains your apps, files, and any other data. The System volume is rather small in comparison to the Data volume, usually in the 10 – 12GB range.
Improvements to Gatekeeper
Gatekeeper has been around for a while in macOS, but it has been improved in Catalina. Gatekeeper is used only to allow apps that are installed from the Mac App Store and signed apps from legitimate Mac developers. The first time you run a newly-installed app, you’ll generally see a warning that says something like, “This app was downloaded and installed from…“ It then asks you for your permission to load the app.
While that keeps your Mac free from malicious code when you first install a new app, it has an obvious security “hole” – an unscrupulous developer could place malware into an update later on. Gatekeeper now checks apps periodically as you run them, making sure that no malicious code has been installed during an update.
Apple is now forcing developers to use an Apple tool to check an app for malicious code before distribution on the App Store. This process is known as “notarization,” a way for Apple to ensure that no malware sneaks its way into the Mac App Store. The App Notarization check is required for apps that work with Catalina.
Developers and advanced users can get around App Notarization if they need to install special apps on their Macs, but for the vast majority of Mac users, those methods are not available. App Notarization is just one more way that Apple has your back in terms of app security.
Activation Lock is a new security feature in Catalina that won’t work on all Macs – just those that have the new T2 chip inside. Those Macs include the latest MacBooks, the Mac mini, and the iMac Pro, and Apple intends to install the T2 or other similar chips inside future Macs.
To use Activation Lock, your Mac must have the T2 chip. If you’re unsure if it does, you can find out by launching Apple menu > About this Mac > System Report > Controller.
Next, your Mac must be running macOS Catalina or later. The third requirement is that you’ve enabled two-factor authentication (link to Apple how-to document) for your Apple ID. Finally, you need to leave Secure Boot enabled on its default setting, which is Full Security. Next, select “Disallow booting from external media” under the External Boot section. The settings are visible in the screenshot below:
Prior to Catalina, you could use the Find My app to locate a lost or stolen Mac, and even erase the drive on it. With Catalina and Activation Lock, a thief is unable to erase your Mac and reuse it without your permission. That permission is granted through your Apple ID. Sure, a thief could just strip your Mac for parts, but it would probably be more work than it’s worth.
Using an Apple Watch to Grant Permission
Do you have an Apple Watch? If so, you may have already noticed one new feature of macOS Catalina – the ability to use the Watch to grant permission to the Mac.
As long as your Mac and your Apple Watch are set up with the same Apple ID, certain apps and Catalina utilities now place a prompt for permission onto your Watch. With a double-click on the Apple Watch, you’ve just kept yourself from typing your password again. This is a plus for security, since reducing the need to type in strong passwords means that it’s more likely that people will use them.
Apple has been nudging developers to stop using kernel extensions. These are pieces of code that add functionality to the operating system, usually to provide special features. What Apple prefers are system extensions that do not change the system kernel, but instead are part of an app.
Have you used Safari extensions to add functionality to Apple’s browser? You may notice that some of the older Safari extensions don’t work in Catalina and the most recent update to Safari for Mojave. The reason this capability no longer works is that Safari extensions could be downloaded from a variety of websites and be added by individual apps, and this created a security hole.
Adware often found its way onto Macs thanks to Safari extensions that would sneak in and then start popping up browser windows full of advertisements. Apple doesn’t want Safari extensions to be added willy-nilly to Macs, so extensions must now be provided through the Mac App Store. That way, they are pre-checked and much more secure.
Starting with macOS Mojave, Apple made sure that Mac apps asked for user permission to access the camera or microphone. In Catalina, Apple has apps ask for permission to do a lot more.
The operating system now asks for permission to access files in your Documents folder or on iCloud. It asks for permission for an app to access Contacts and Calendars. What you’ll notice is that most of this happens shortly after you upgrade to macOS Catalina. Once you’ve given an app permission to do something, it retains that setting.
To see what apps you’ve granted permission to, and what they’re changing, launch System Preferences, click on the Security & Privacy button, then click the Privacy tab. On the left side of this tab (see below) is a scrolling list of different system features like Location Services, Contacts, Calendars, Camera, Microphone, Speech Recognition, and more.
Click one of those features, and on the right side of the tab is a list of apps that have been granted access. For example, in the screenshot above, you can see that Google Chrome has access to the camera on my iMac. With a click of the checkbox, I can disable that access.
Changing some permissions is as easy as clicking the checkbox; to change other permissions, you may need to “Click the lock” to grant permission to do so! That’s where having an Apple Watch comes in very handy.
Finally, Apple has made it necessary for apps that use the crontab Unix function to run something periodically to ask for permission as well. This was a common way for malware to wreak havoc on Macs, as it would inject code and then run it at a preset interval. Catalina blocks that security hole.
Sign in with Apple
Sign in with Apple is a highly-touted feature of the new operating system that lets you sign in to multiple websites and apps with just one password. If you’ve used Facebook or Google to sign in to various apps or websites, then you get the idea of how Sign in with Apple works.
If an app or website supports Sign in with Apple, all you need to do is tap or click the Sign in with Apple button. Review the information that it passes to that app or website, then login with your Apple ID password or Touch ID.
Apple goes one step further than Facebook and Google sign-ins with the addition of Hide My Email. Many times, using Google sign-in will pass your Gmail address to the app or website you’re trying to get an account on. Hide My Email is a private email relay service that creates a unique and random email address that forwards to your personal email. That means that the app or website developer can communicate with you, but you’ve never given up your personal email address.
Apple won’t track your usage of apps or websites. The only thing that they keep is the information needed to ensure that you can sign in and manage your account.
To see what apps are using your Apple ID and manage access, launch System Preferences, click Apple ID and then select Password & Security.
I’m hoping that Sign in with Apple catches on, but so far, I haven’t seen one app or website that is using the service. If you have been able to use Sign in with Apple, please let us know which sites or apps are using it.