Understanding macOS Catalina Security and Privacy Features
It’s official: macOS 10.15 Catalina has now been released to the public.
The latest macOS release has a number of new features, including several key enhancements to security and privacy. But Apple’s release notes can sometimes be a bit heavy on jargon, leading users to wonder what the latest, greatest macOS updates actually mean!
In this article, we’ll take you on a tour of Catalina’s security and privacy features, explaining their significance and letting you know how they keep you safe.
Enhanced Gatekeeper and mandatory app notarization
What Apple says: “Gatekeeper will ensure that all new apps you install—from the App Store or the internet—have been checked for known security issues by Apple before you run them the first time and periodically thereafter. This extends the protection from the app’s source to include automated checks for what’s in the app.”
What this means: Gatekeeper is a security feature of macOS. Its core function is to make sure that all apps being downloaded are legitimate (i.e. not malware or spyware disguised as a real app).
It does this, in part, by enforcing code signing, which is a way of using digital signatures to verify that an app’s code actually comes from the official author of the software, and has not been tampered with by malicious actors in any way.
Notarization, for its part, is an automated process by which Apple preemptively checks a developer’s apps for malicious content and code-signing issues. Developers upload their software to Apple’s notarization service, where it is then scanned. If the system doesn’t find any issues with the code content or the developer’s digital signature, it marks the app as safe so that Gatekeeper knows that it has been through the security review process.
In the past, apps were checked by Gatekeeper before installation to verify the developer signatures and source code, and thereafter considered safe. In Catalina, Gatekeeper will also periodically check already installed apps for safety and signature validity as an added security measure. In addition, in macOS Catalina, apps will not be allowed to run at all if their developers have not first put them through Apple’s notarization process.
By enforcing notarization for third-party apps, and extending Gatekeeper’s functionality to encompass periodic security audits of app content, macOS Catalina will provide users with the safest app experience yet.
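To see how Gatekeeper currently assesses the apps on a Mac, the shell script below runs `spctl --assess` on each app bundle and sorts the verdicts into categories. It is an added example, not from Apple or the original article; the `source=` strings it matches are assumptions about typical Catalina-era `spctl` output, and the two sample reports are constructed.

```shell
#!/bin/sh
# Read one `spctl --assess -vv` report on stdin and print a category.
# The source= strings are assumptions about typical Catalina-era output.
classify_assessment() {
    verdict=unknown
    source_line=
    while IFS= read -r line; do
        case $line in
            *": accepted") verdict=accepted ;;
            *": rejected") verdict=rejected ;;
            source=*)      source_line=${line#source=} ;;
        esac
    done
    case $verdict:$source_line in
        accepted:"Notarized Developer ID")   echo notarized ;;
        accepted:"Mac App Store")            echo app-store ;;
        accepted:"Apple System")             echo apple-system ;;
        accepted:"Developer ID")             echo signed-only ;;  # no notarization reported
        rejected:"Unnotarized Developer ID") echo unnotarized ;;
        rejected:*)                          echo rejected ;;     # e.g. no usable signature
        *)                                   echo unknown ;;
    esac
}

# Assess every .app bundle in directory $1 (macOS only; spctl writes to stderr).
audit_apps() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        result=$(spctl --assess --type execute -vv "$app" 2>&1 | classify_assessment)
        printf '%s\t%s\n' "$result" "$app"
    done
}

# Constructed sample reports, not captured from a real machine.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID'
SAMPLE_UNNOTARIZED='/Applications/Old Tool.app: rejected
source=Unnotarized Developer ID'

# On a Mac, audit /Applications; elsewhere, classify the constructed samples.
if command -v spctl >/dev/null 2>&1; then
    audit_apps /Applications
else
    printf '%s\n' "$SAMPLE_NOTARIZED"   | classify_assessment
    printf '%s\n' "$SAMPLE_UNNOTARIZED" | classify_assessment
fi
```

Apps that come back as `unnotarized`, `rejected` or `unknown` are the ones worth reviewing by hand.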
Better Data Protections
What Apple says: “macOS Catalina checks with you before allowing an app to access your data in your Documents, Desktop, and Downloads folders; iCloud Drive; the folders of third-party cloud storage providers; removable media; and external volumes. In addition, you’re asked before an app can perform key logging or capture a still or video recording of your screen.”
What this means: Apps running on your Mac do sometimes require access to other files and folders on the system, and may have legitimate reasons to perform key logging or take a video of your screen. For example, a workflow app may need to access your calendar or contacts. An app designed to capture YouTube videos may need to record your screen.
Ever since macOS Mojave, Apple has offered a suite of privacy protections known as Transparency, Consent, and Control (TCC). These are designed to inform users about what apps are trying to do on their system—and give them more control over what data those apps can access.
In macOS Catalina, TCC has been expanded to cover your personal data in the areas outlined in the above release note. Now, if an app needs to access these file locations, you will see a prompt letting you know that it’s trying to do so, and asking you for your approval. This will give you more control over what’s happening on your system—and what data you’re sharing with apps and developers.
Activation Lock for Mac
What Apple says: “All Mac models with the Apple T2 Security Chip now support Activation Lock—just like your iPhone or iPad. So if your Mac is ever misplaced or lost, the only person who can erase and reactivate it is you.”
What this means: Activation Lock has long been a feature of iOS security. It is a part of the Find My functionality, which is meant to help users who have lost their devices or whose devices have been stolen.
When Find My is enabled, Activation Lock is automatically turned on. This makes it impossible for anyone to turn off Find My, erase the device, or reactivate it without your Apple ID. If you use the Mark As Lost feature in Find My, your device will be locked with a passcode and will display a message of your choosing (generally something with a way to contact you in case some Good Samaritan has found your lost device and wants to return it to you). In a worst-case scenario, you can even erase your device remotely—without turning off Activation Lock. This makes sure that your sensitive data is no longer in someone else’s hands, and effectively “bricks” the device for any thief wanting to resell or reuse it.
In macOS Catalina, this feature is now available for Macs as well. The only stipulation is that your machine must contain the T2 Security Chip. To check if you have this, go to Apple menu > About This Mac > System Report > Controller. If your computer has the chip, it will be listed there.
An OS in a Dedicated System Volume
What Apple says: “macOS Catalina runs in a dedicated, read-only system volume — which means it is completely separate from all other data and helps improve the reliability of macOS.”
What this means: When you hear the word “volume” in the context of computers, it simply refers to a data storage area with a filesystem for managing the storage and retrieval of said data.
When Apple says that its new OS will run in a dedicated, read-only system volume, it just means that the core files of macOS Catalina will be kept in their own storage area, separate from everything else on your machine. The fact that this volume is “read-only” means that it’s impossible for other apps or processes to alter the core OS files. The only way to change these would be through an official OS update.
Previously, Apple protected core system files with something called System Integrity Protection (SIP), which stopped even users with administrative or “root” permissions from altering certain files. Catalina takes the protection of its core system files a step further by keeping them walled off from everything else, secure in an unalterable volume of their own.
An End to Kexts
What Apple says: “Previously many hardware peripherals and sophisticated features needed to run their code directly within macOS using kernel extensions, or kexts. Now these programs run separately from the operating system, just like any other app, so they can’t affect macOS if something goes wrong.”
What this means: The “kernel” of an operating system refers to the core functionality of the OS that has control over all of the basic functions of the computer. In order to run hardware peripherals like printers or scanners, or even certain kinds of apps, code to provide that additional functionality had to be added to the macOS kernel. This was accomplished by adding packages of signed code called “kernel extensions”, or “kexts”.
However, since kexts essentially involved adding code to the macOS kernel, they always presented some security and privacy risks, and were thus the focus of Apple security initiatives like secure kernel extension loading, which was introduced in High Sierra. Kexts also, in Apple’s view, posed a threat to the stability and reliability of the overall system.
Starting in Catalina, kexts will be replaced with System Extensions and device drivers created with DriverKit. These tools will allow developers to offer additional functionality in macOS without the security and stability risks associated with kexts, because these extensions and drivers will run in user space instead of inside the kernel.
How to upgrade
Aside from the security and privacy features discussed above, macOS Catalina has a wide range of attractive features and functions that will appeal to many Mac users.
If you’d like to upgrade your system, Apple has provided detailed instructions on how to do so.