How macOS Catalina Improves Mac Security


Mac owners who have upgraded to macOS Catalina have probably noticed a lot of new features and changes to existing functionality. But they may not have really been aware of how much Apple has improved Mac security. Today we’ll look at some of the changes and how they keep your Mac safe from intrusion.

Safari Download Prompts

One simple change that you may have already encountered is a prompt that appears the first time you try to download a file from a website you’re visiting with Safari:

The new download prompt in Safari

If you really meant to download a file from that site and you are confident that you’re not downloading malware, click Allow, and two things occur. First, the file is downloaded, and second, Safari Preferences stores the permission for future use.

To revoke permission for a website to download a file to your Mac, or allow it later on, open Safari > Safari Preferences > Websites > Downloads, and then look for the site in the list of “Currently Open Websites” or “Configured Websites.”

Find that prompt to be annoying? You can shut it off in that same preference pane. A pop-up at the bottom of the pane marked “When visiting other websites” configures Safari to ask you for permission to download from a particular website, to always deny downloads, or to always allow downloads.

Separate System and Data Volumes

Unless you have launched Disk Utility lately, you may not have noticed a significant change in the way that macOS sets up your Mac storage. Now whatever your storage is — hard disk, SSD, or Fusion Drive — it is split into two volumes. The first volume is the System volume, which contains the operating system files, and it is now set with Read Only permissions. The only way that the System volume can be changed is through a signed update from Apple. The idea behind this is sound, as it prevents malware from affecting the operating system.

The other volume is named Data, and it contains your apps, files, and any other data. The System volume is rather small in comparison to the Data volume, usually in the 10 – 12GB range.

Disk Utility shows the two volumes — System and Data — that are created by macOS Catalina
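The same layout can be checked from Terminal. The following is an added example, not part of the original article: it reads `mount` output and confirms that the system volume at / is read-only and that a writable Data volume is present. The /System/Volumes/Data mount point is where Catalina attaches the Data volume; the sample output and its device names are constructed.

```shell
# Constructed sample of `mount` output on Catalina (device names are assumptions).
SAMPLE_MOUNT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s4 on /private/var/vm (apfs, local, journaled, nobrowse)'

# mount_opts MOUNTPOINT: read `mount` output on stdin and print the
# option list (the text inside the parentheses) for that mount point.
mount_opts() {
    awk -v mp="$1" '{
        s = index($0, " on ")
        p = match($0, / \([^()]*\)$/)
        if (s && p && substr($0, s + 4, p - s - 4) == mp)
            print substr($0, p + 2, RLENGTH - 3)
    }'
}

# check_volume_layout: read `mount` output on stdin, print a verdict and
# return 0 only when / is read-only and the Data volume is writable.
check_volume_layout() {
    out=$(cat)
    root=$(printf '%s\n' "$out" | mount_opts /)
    data=$(printf '%s\n' "$out" | mount_opts /System/Volumes/Data)
    case ", $root," in
        *", read-only,"*) ;;
        *) echo "FAIL: system volume (/) is not mounted read-only"; return 1 ;;
    esac
    [ -n "$data" ] || { echo "FAIL: no Data volume at /System/Volumes/Data"; return 1; }
    case ", $data," in
        *", read-only,"*) echo "FAIL: Data volume is mounted read-only"; return 1 ;;
    esac
    echo "OK: read-only system volume, writable Data volume"
}

# Run against the constructed sample; on a Mac use: mount | check_volume_layout
printf '%s\n' "$SAMPLE_MOUNT" | check_volume_layout
```

A FAIL on the first check means the system volume has been remounted writable, which is worth investigating on a machine you did not configure that way yourself.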

Improvements to Gatekeeper

Gatekeeper has been around for a while in macOS, but it has been improved in Catalina. Gatekeeper allows only apps installed from the Mac App Store and signed apps from legitimate Mac developers to run. The first time you run a newly-installed app, you’ll generally see a warning that says something like, “This app was downloaded and installed from…” It then asks you for your permission to load the app.

While that keeps your Mac free from malicious code when you first install a new app, it has an obvious security “hole” – an unscrupulous developer could place malware into an update later on. Gatekeeper now checks apps periodically as you run them, making sure that no malicious code has been installed during an update.

App Notarization

Apple is now forcing developers to use an Apple tool to check an app for malicious code before distribution on the App Store. This process is known as “notarization,” a way for Apple to ensure that no malware sneaks its way into the Mac App Store. The App Notarization check is required for apps that work with Catalina.

Developers and advanced users can get around App Notarization if they need to install special apps on their Macs, but for the vast majority of Mac users, those methods are not available. App Notarization is just one more way that Apple has your back in terms of app security.
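To see how Gatekeeper judges the apps already on a Mac, the built-in spctl tool can be asked for its assessment. The following is an added example, not part of the original article: it sorts spctl's output into App Store, notarized, signed but not notarized, and blocked. The sample outputs, app names and team ID are constructed.

```shell
# Constructed samples of `spctl --assess --type execute -vv APP 2>&1` output.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_REJECTED='/Applications/Unsigned.app: rejected
source=no usable signature'

# gatekeeper_class: read spctl assessment output on stdin and print one
# label describing why Gatekeeper would allow or block the app.
gatekeeper_class() {
    awk '
        /: accepted$/ { verdict = "accepted" }
        /: rejected$/ { verdict = "rejected" }
        /^source=/    { src = substr($0, 8) }
        END {
            if (verdict == "rejected")                print "blocked (" src ")"
            else if (verdict != "accepted")           print "unknown"
            else if (src == "Mac App Store")          print "mac-app-store"
            else if (src == "Notarized Developer ID") print "notarized"
            else                                      print "signed-not-notarized (" src ")"
        }'
}

# audit_apps [DIR]: label every .app bundle in DIR (default /Applications).
# spctl writes its assessment to stderr, hence the 2>&1.
audit_apps() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not macOS)"; return 0; }
    for app in "${1:-/Applications}"/*.app; do
        [ -e "$app" ] || continue
        printf '%s\t%s\n' "$app" \
            "$(spctl --assess --type execute -vv "$app" 2>&1 | gatekeeper_class)"
    done
}

# Run against the constructed samples; on a Mac call: audit_apps
printf '%s\n' "$SAMPLE_NOTARIZED" | gatekeeper_class
printf '%s\n' "$SAMPLE_REJECTED"  | gatekeeper_class
```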

Activation Lock

Activation Lock is a new security feature in Catalina that won’t work on all Macs – just those that have the new T2 chip inside. Those Macs include the latest MacBooks, the Mac mini, and the iMac Pro, and Apple intends to install the T2 or other similar chips inside future Macs.

To use Activation Lock, your Mac must have the T2 chip. If you’re unsure if it does, you can find out by launching Apple menu > About this Mac > System Report > Controller.

Next, your Mac must be running macOS Catalina or later. The third requirement is that you’ve enabled two-factor authentication for your Apple ID. Finally, you need to leave Secure Boot enabled on its default setting, which is Full Security. Next, select “Disallow booting from external media” under the External Boot section. The settings are visible in the screenshot below:

This dialog is available only on Macs equipped with the T2 security chip

Prior to Catalina, you could use the Find My app to locate a lost or stolen Mac, and even erase the drive on it. With Catalina and Activation Lock, a thief is unable to erase your Mac and reuse it without your permission. That permission is granted through your Apple ID. Sure, a thief could just strip your Mac for parts, but it would probably be more work than it’s worth.

Using an Apple Watch to Grant Permission

An Apple Watch prompt to approve a Mac action

Do you have an Apple Watch? If so, you may have already noticed one new feature of macOS Catalina – the ability to use the Watch to grant permission to the Mac.

As long as your Mac and your Apple Watch are set up with the same Apple ID, certain apps and Catalina utilities now place a prompt for permission onto your Watch. With a double-click on the Apple Watch, you’ve just kept yourself from typing your password again. This is a plus for security, since reducing the need to type in strong passwords means that it’s more likely that people will use them.

Extensions

Apple has been nudging developers to stop using kernel extensions. These are pieces of code that add functionality to the operating system, usually to provide special features. What Apple prefers are system extensions that do not change the system kernel, but instead are part of an app.

Have you used Safari extensions to add functionality to Apple’s browser? You may notice that some of the older Safari extensions don’t work in Catalina and the most recent update to Safari for Mojave. The reason this capability no longer works is that Safari extensions could be downloaded from a variety of websites and be added by individual apps, and this created a security hole.

Adware often found its way onto Macs thanks to Safari extensions that would sneak in and then start popping up browser windows full of advertisements. Apple doesn’t want Safari extensions to be added willy-nilly to Macs, so extensions must now be provided through the Mac App Store. That way, they are pre-checked and much more secure.

Permissions

Starting with macOS Mojave, Apple made sure that Mac apps asked for user permission to access the camera or microphone. In Catalina, Apple has apps ask for permission to do a lot more.

The operating system now asks for permission to access files in your Documents folder or on iCloud. It asks for permission for an app to access Contacts and Calendars. What you’ll notice is that most of this happens shortly after you upgrade to macOS Catalina. Once you’ve given an app permission to do something, it retains that setting.

To see what apps you’ve granted permission to, and what they’re changing, launch System Preferences, click on the Security & Privacy button, then click the Privacy tab. On the left side of this tab (see below) is a scrolling list of different system features like Location Services, Contacts, Calendars, Camera, Microphone, Speech Recognition, and more.

Permissions granted to apps can be revoked or changed in the Security & Privacy pane of System Preferences

Click one of those features, and on the right side of the tab is a list of apps that have been granted access. For example, in the screenshot above, you can see that Google Chrome has access to the camera on my iMac. With a click of the checkbox, I can disable that access.

Changing some permissions is as easy as clicking the checkbox; to change other permissions, you may need to “Click the lock” to grant permission to do so! That’s where having an Apple Watch comes in very handy.

Finally, Apple has made it necessary for apps that use the crontab Unix function to run something periodically to ask for permission as well. This was a common way for malware to wreak havoc on Macs, as it would inject code and then run it at a preset interval. Catalina blocks that security hole.

Sign in with Apple (image via Apple.com)

Sign in with Apple

Sign in with Apple is a highly-touted feature of the new operating system that lets you sign in to multiple websites and apps with just one password. If you’ve used Facebook or Google to sign in to various apps or websites, then you get the idea of how Sign in with Apple works.

If an app or website supports Sign in with Apple, all you need to do is tap or click the Sign in with Apple button. Review the information that it passes to that app or website, then log in with your Apple ID password or Touch ID.

Apple goes one step further than Facebook and Google sign-ins with the addition of Hide My Email. Many times, using Google sign-in will pass your Gmail address to the app or website you’re trying to get an account on. Hide My Email is a private email relay service that creates a unique and random email address that forwards to your personal email. That means that the app or website developer can communicate with you, but you’ve never given up your personal email address.

Apple won’t track your usage of apps or websites. The only thing that they keep is the information needed to ensure that you can sign in and manage your account.

To see what apps are using your Apple ID and manage access, launch System Preferences, click Apple ID and then select Password & Security.

I’m hoping that Sign in with Apple catches on, but so far, I haven’t seen one app or website that is using the service. If you have been able to use Sign in with Apple, please let us know which sites or apps are using it.

Steve Sande
Contributing Author
Steve is the publisher of Apple World Today, a website providing news, reviews and how-tos for the world of Apple, as well as an author on The Rocket Yard. He's an avid photographer, an FAA-licensed drone pilot, and a really bad guitarist.

8 Comments

  • Appreciated!!! My point of view is that you should never upgrade to Catalina before your backup app is 100% compatible.

  • How can we mount the “Data Drive” in Catalina on the desktop so that I can drag folders from my desktop into the data drive for storage? I have my “Macintosh HD” icon on the desktop once I figured out how to do that, but the new OS won’t allow me to move my folders into it…like I could with Mojave. Then I read in this article that the HD is split into two, but I don’t see the data drive in the finder… HELP! I can’t imagine that I will have to keep all of my folders and projects on the desktop. I can see what Apple is doing, but they are making the darn thing more complicated and less fun than a windon’t machine. Please help me out.

  • I already made the decision not to update to Catalina because of the lack of support for 32 bit apps, but with the increased level of security, I wonder how much more difficult it will now be to install third party apps that require custom drivers or system extensions.

    • The thing about Apple…It USED to be the most user-friendly computer on the market. Now, I’m not so sure. They keep on making and forcing us to make all of these changes without consumer input. I liked my Mac because it’s easy to work on and not complicated. I too am getting tired of them making so many changes that make it next to impossible to install and use 3rd party apps and programs. I’ve installed Catalina and I DO NOT like it! I’ve had Macs all the way back to the Apple IIE and GS and this is the least consumer-friendly OS they’ve come out with. Maybe they’re trying to force us to use only their apps, but that isn’t going to cut it. Maybe they should come up with a computer that is meant for people that actually need 64bits and leave the rest of us with a computer we can work with and configure for OUR OWN use…

      • I mostly agree with your comments, Jerry. But MacOS Mojave already handles 64 bit apps very well. I use many such apps. But I need support for both 32 bit and 64 bit apps.

        • Since Apple made the announcement long ago that they were dropping support for 32 bit apps, it makes me wonder what kind of support you are getting for your 32 bit apps?

          Do your 32 bit app vendors see a future in supporting MacOS applications or creating new ones?

          I wonder about their business judgement and future viability as a business. Don’t you?

          Yes, I have a 32 bit game I play on my 2007 MacBook on vacation.

      • You have been using 64 bit apps for years now if you kept your operating system up to date each year. Apple has been listening to users and at the same time cannot listen to users. A great deal of users were complaining about iTunes being bloated, now it is broken up now. Apple cannot listen to users because that would mean keeping old code that doesn’t meet current security standards, which means more potential security problems. Listening to users means keeping optical drives and old ports in computers. Reliability has increased by removing optical drives. 64 bit allows for more memory to be used, and faster processing. You can’t process 4K video on 32 bit. 32 bit code hasn’t been updated in years. You can still use 3rd party apps on your Mac and you will always be able to use 3rd party apps. Apple has to keep improving security, otherwise it could be known as a malware-ridden piece of garbage. The reason I moved to Macs is because Windows was virus hell, and I was always fixing friends and family’s computers. Apple gets reamed whenever there is a bug or security hole. Someday Apple will be moving to 128 bit CPUs.