How macOS Catalina’s New Security Features Work

Hands holding a lock on a MacBook (Issarawat Tattong)

macOS Catalina introduces new security controls. For example, applications must now request your permission before accessing the parts of the drive where documents and personal files are kept. Let's look at what's new in Catalina's security.

Some applications require permission to access your files

MacOS Catalina disk access permission dialog

Applications must now request permission to access certain parts of your file system. This includes your Documents and Desktop folders, your iCloud Drive, and any external volumes currently connected to your Mac (including USB flash drives, memory cards, and so on). This is the change that made the headlines.

Apple has long favored permission-based access on iOS, and more and more of these security rules are being built into macOS. When you upgrade to Catalina, this may result in a flurry of permission request dialogs. This has led some to compare the feature to Windows Vista's full-screen security prompts (although in reality they are not nearly as obtrusive).

Unpublished experience of Catalina.

And I have not even started doing real work yet.

This could be the bright moment of Apple's Windows Vista.

– Tyler Hall (@tylerhall) October 7, 2019

From a security point of view, it's a welcome change, although it may take some time to get used to. Not all applications will request access. During our tests, we were able to open and save files using the Markdown editor Typora, but navigating to the Documents folder in Terminal with the cd ~/Documents/ command triggered a permission prompt.

Go to System Preferences > Security & Privacy > Privacy and click the "Files & Folders" option to view all applications that have requested access. You can also grant access to your entire drive by clicking "Full Disk Access". Note that some applications, such as duplicate file finders, require that you allow access to your entire disk using this menu.

MacOS Catalina security and privacy settings

To make changes, first click on the lock icon in the lower left corner of the window, then enter your administrator password (or use Touch ID if you have a fingerprint reader). You can then check the box next to the application in question to grant access.

Input Monitoring, Screen Recording, and Safari

MacOS Catalina screen recording permission prompt

Disk access is not the only change to permissions in macOS Catalina. Apple now requires applications to request permission to record keyboard input and to record your screen. You'll find options for each under "Input Monitoring" and "Screen Recording" in System Preferences > Security & Privacy > Privacy.

Input monitoring refers to any text input that is not managed by the operating system, much like the "Allow Full Access" setting on iOS for third-party keyboards. This could help protect against keyloggers. Screen recording restrictions prevent applications from recording anything on your screen without permission. This restriction applies even to apps like Apple's QuickTime Player, which prompts you to "Open System Preferences," click the lock to allow changes, and then manually grant the permission.

In Safari, you will also be asked to allow or deny requests to download files from specific domains or to share your screen. You can refine your choices by launching the browser and then clicking Safari > Preferences > Websites. Using the controls provided, you can grant permanent permission, deny outright, or have the website ask you each time.

macOS is now stored on a separate disk volume

MacOS Catalina read-only volume visible in Disk Utility

During the macOS Catalina installation process, your main system volume is split in two: a read-only volume for the core system files (your operating system) and another volume, with read and write access, for your data. You do not need to do anything; the installer takes care of it for you.

This places all the most important operating system files on a single read-only volume that cannot be modified by you or any of your applications. You will not see the second volume unless you open Disk Utility. In the sidebar, you should find two volumes: a standard "Macintosh HD" (your operating system) and a "Macintosh HD – Data" for everything else.

This change is something that most users will not notice. It does not affect the day-to-day operation of your computer, and the only time the read-only volume is modified is when you update your Mac. All you need to know is that the change makes it even more difficult for malicious applications to damage the part of your drive where the most sensitive operating system data is kept.

Gatekeeper Gets a Power Up

Gatekeeper blocked an application prompt

Gatekeeper is the technology that kicks in each time you try to run an application that is not from the Mac App Store and has not been signed using an authorized developer certificate. Gatekeeper prevents you from running suspicious applications on your Mac, for better or for worse, and in Catalina, it gets an upgrade.

Applications will now be checked by Gatekeeper for malware every time they run. Previously, this only happened the first time you tried to open the application. To speed up the process, Apple has launched a new notarization process in which developers must submit their applications to Apple to be pre-approved as safe.

If Gatekeeper finds that an application has been notarized, it knows that the application does not need to be scanned for malware every time it is launched. From macOS Catalina onward, any developer who signs their application with an Apple Developer ID certificate must also submit it to Apple for notarization in order to pass Gatekeeper checks. This translates to more paperwork and hoops for developers, but more peace of mind for consumers.
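
To see which of these categories an installed application falls into, you can ask Gatekeeper for its assessment with the spctl command-line tool. The script below is an added example, not part of the original article; the sample outputs are constructed, and the function names and category labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: classify Gatekeeper's verdict on an app from spctl output.
# Function names and category labels are illustrative, not Apple's.

# Constructed sample outputs in the format printed by `spctl --assess -vv`.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='/Applications/Legacy.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Tool.app: rejected
source=no usable signature'
SAMPLE_APPSTORE='/Applications/Store.app: accepted
source=Mac App Store'

# classify_assessment TEXT: print one category for an spctl assessment.
classify_assessment() {
    printf '%s\n' "$1" | awk '
        /: accepted$/ { verdict = "accepted" }
        /: rejected$/ { verdict = "rejected" }
        /^source=/    { src = substr($0, 8) }   # text after "source="
        END {
            if (verdict == "") print "unknown"
            else if (verdict == "rejected") {
                if (src == "Unnotarized Developer ID") print "signed-not-notarized"
                else if (src == "no usable signature") print "unsigned"
                else                                   print "rejected-other"
            }
            else if (src == "Notarized Developer ID")  print "notarized"
            else if (src == "Mac App Store")           print "app-store"
            else                                       print "accepted-other"
        }'
}

# assess_app PATH: run the real assessment (macOS only) and classify it.
assess_app() {
    command -v spctl >/dev/null 2>&1 || { echo "not-macos"; return 0; }
    classify_assessment "$(spctl --assess --type execute -vv "$1" 2>&1)"
}

# With arguments: report on each app. Without: show the sample verdicts.
if [ "$#" -gt 0 ]; then
    for app in "$@"; do printf '%s\t%s\n' "$(assess_app "$app")" "$app"; done
else
    for s in "$SAMPLE_NOTARIZED" "$SAMPLE_UNNOTARIZED" "$SAMPLE_UNSIGNED" "$SAMPLE_APPSTORE"; do
        classify_assessment "$s"
    done
fi
```

Run it on a Mac with one or more application paths as arguments, for example an app in /Applications; a "signed-not-notarized" or "unsigned" result is the kind of application that triggers the Gatekeeper warning described here.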

Do not forget that you can still install and run applications that are not signed with a developer certificate or downloaded from the Mac App Store:

Launch the application you are trying to run and note the Gatekeeper warning that prevents it from running.
Go to System Preferences > Security & Privacy > General and look for a note at the bottom of the window indicating that launching the application was denied.
Click "Open Anyway" to bypass Gatekeeper and start the application.

Activation Lock comes to Macs with a T2 chip

Apple T2

Activation Lock was first added to the iPhone to deter thieves. The feature locks any iOS device to your Apple ID, which requires you to sign in with your credentials if you want to restore the device to factory settings. This is so that a thief cannot steal your phone or tablet, reset it to factory settings, and resell it as a used device.

This same technology is now making its way into macOS Catalina. It only works if your Mac is equipped with Apple's T2 chip, a custom piece of silicon that combines the "System Management Controller, Image Signal Processor, Audio Controller, and SSD Controller" into one hardware component. The T2 chip is currently found in the following Mac computers:

MacBook Pro 2018 or later
MacBook Air 2018 or later
iMac Pro (all models)
Mac mini 2018 or later

To take advantage of Activation Lock, make sure that the "Find My Mac" service is enabled under System Preferences > Apple ID > iCloud. If you plan to sell your Mac, be sure to disable the "Find My Mac" service before you do so. You should also reinstall macOS and erase all personal data before selling it.

Not sure which Mac you have? Click the Apple logo in the upper left corner, then choose "About This Mac" to see the year, model and other technical specifications.

Find My helps you locate devices and friends

Apple redesigned its "Find My iPhone" service and renamed it simply "Find My" instead. Previously, the service was only available via and via iPhone and iPad applications. But in macOS Catalina, Apple has included a dedicated "Find My" application to track all your devices.

The new application can track not only the devices linked to your Apple ID, but also your friends. Previously, Apple's "Find My Friends" application was used for this purpose, but the "Find My" application now does double duty. You can share your location using this app by clicking "Share My Location", entering your email address, and then clicking Submit.

Remember that "Find My" only works with other Apple users. The person with whom you share your location needs an Apple ID and access to the "Find My" service via an iPhone, iPad or Mac to participate. You can also share your location from your iOS device using the Messages app, which is usually a better idea since most of us navigate with our phones rather than with our MacBooks.

Click on the "Devices" tab to see all your devices, as well as their current and known locations. Click on a device to select it, then click the "i" information button to view more options. Depending on the device, you may be able to play a sound, mark it as lost and even erase it remotely.

All the small things

As is the case with each new version of macOS, there are a lot of minor changes that you may not notice at first. One of the best is the ability to approve administrator requests on your Apple Watch. If you can use your Apple Watch to unlock your Mac, you can also use it to give administrator permission to install applications, delete files, and more.

Safari strengthens its security game by letting you know if your passwords are too weak. Safari will also suggest new "strong" passwords and save them in your iCloud keychain. The Notes application will also allow you to share read-only notes. Click the "Add People" button, then change the "Permission" field to "Only people you invite can see" to share a note without write permission.

These are just some of the changes in macOS Catalina, which is available now.
