
10 Non-intrusive security changes in macOS Catalina



macOS Catalina has some interesting new features, including Screen Time and Sidecar, and new apps, including Music, Podcasts and Apple TV, which essentially replace iTunes. But behind the scenes, macOS Catalina has a number of new security features designed to ensure that the Mac remains a safe and secure environment, protecting users from exploitation and malicious software without creating obstacles or restrictions on how you use your Mac.

In this article, we will look at some of the security changes in macOS Catalina, and how they will affect users and developers.

macOS Catalina Security

Catalina's security is spread over a number of areas, including:

  • System Security: Protects the operating system foundation.
  • Data Security: Protects user data from unauthorized access.
  • App Security: Protects a Mac and its users from malware, and ensures that apps run in a secure environment.
  • Device Management: Prevents unauthorized use of Macs (and other Apple devices), and deletes data on lost or stolen devices.

The security features provided with macOS Catalina are designed to address one or more of the categories mentioned above.

    System Security

    There are a number of changes to the system designed to protect the integrity of the system and keep it safe from malicious software and unsafe apps.

    Read-only system volume: The boot drive is no longer a single volume; it now consists of two APFS volumes: a read-only system volume containing macOS, and a data volume containing all the user's data, documents, images, user-installed apps, just about anything that is not part of macOS.

    macOS Catalina uses a new APFS feature that divides the boot drive into two volumes: a read-only system volume and a read-write data volume.
    Disk Utility shows that the single Macintosh volume you see in the Finder is actually a read-only system volume (orange) and a data volume (red).

    By mounting the system volume as read-only, it is almost impossible for any type of malware, or for that matter, an unreliable app, to modify or compromise the system.

    One way to think about this is as an improvement to SIP (System Integrity Protection), which was used in earlier versions of macOS to protect specific directories used by the OS. With Catalina, the entire system volume is protected, not just individual directories.

    The read-only system volume prevents any changes to the system, other than those provided with Apple signed code, which can perform volume updates.

    The read-only system volume and the data volume are part of an APFS volume group and are displayed as a single volume in the Finder. The Mac performs this trick using a new type of file system link known as a firmlink. Firmlinks have many uses, but the one used in Catalina is to map various files and directories on the system volume to writable shadow locations on the data volume.

    The read-only system volume and writable data volume, along with the new firmlinks, have implications for how backup systems work. Make sure your preferred backup system is macOS Catalina ready before you start using Catalina beyond a test or evaluation phase.
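The mapping described above can be made concrete with a small resolver. This is an added example, not code from the original article or from Apple; it assumes the tab-separated format of the firmlink list macOS ships at /usr/share/firmlinks and the data volume's mount point /System/Volumes/Data, and the sample entries are a constructed excerpt.

```python
DATA_MOUNT = "/System/Volumes/Data"  # where Catalina mounts the data volume

# Constructed excerpt in the format of /usr/share/firmlinks:
# "<path on the system volume><TAB><path relative to the data volume>".
SAMPLE_FIRMLINKS = (
    "/Applications\tApplications\n"
    "/Library\tLibrary\n"
    "/Users\tUsers\n"
    "/private\tprivate\n"
    "/usr/local\tusr/local\n"
)


def parse_firmlinks(text):
    """Map each firmlinked system-volume path to its data-volume target."""
    links = {}
    for line in text.splitlines():
        if "\t" in line:
            src, dst = line.split("\t", 1)
            links[src.rstrip("/")] = dst.strip("/")
    return links


def backing_location(path, links):
    """Return (volume, real_path) for an absolute path as shown in the Finder."""
    parts = path.rstrip("/").split("/")
    # Try the longest prefix first: /usr/local is firmlinked to the
    # writable data volume even though the rest of /usr is read-only.
    for n in range(len(parts), 1, -1):
        prefix = "/".join(parts[:n])
        if prefix in links:
            rest = "/".join(parts[n:])
            real = "/".join(p for p in (DATA_MOUNT, links[prefix], rest) if p)
            return ("data", real)
    return ("system", path)


if __name__ == "__main__":
    table = parse_firmlinks(SAMPLE_FIRMLINKS)
    for p in ("/usr/bin/ssh", "/usr/local/bin/tool", "/Users/alice/Documents"):
        print(p, "->", backing_location(p, table))
```

Paths that resolve to the data volume are the ones a backup tool must copy and the ones that remain writable, which is why they deserve the closest attention when auditing a Catalina system for unexpected files.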

    Kernel Extensions: Kexts (kernel extensions) are slowly being replaced with system extensions, which will be outside the protected system volume. Catalina will be the last macOS to run existing kexts. Developers working on new drivers (a common use for kexts) must use system extensions, which run in user space rather than in the kernel.

    Existing kernel extensions that were installed before the installation of Catalina will be able to run, although they may be subject to User-Approved Kernel Extension Loading. Even if you have used a kext before, you may need to approve it the first time it is loaded.

    Installing kexts or system extensions is likely to require a Mac reboot.

    Moving kexts to system extensions running as separate processes outside the system ensures that if something is wrong with an extension, either from bad design or an attack from malware, the system itself is not affected.

    32-bit Apps / i386 code: As expected, Catalina has removed all support for 32-bit code. This means that a number of older apps that have not been updated to 64-bit will stop running. You can check if your existing apps are 64-bit using the instructions in How to tell if your Mac software is 32-bit or 64-bit. You can also try Go64, a free app from St. Clair software that finds 32-bit apps and finds upgrade information for them.

    In About This Mac, you can see which apps are 32-bit.
    You can use the System Report in About This Mac to see if apps are 32-bit or 64-bit. I guess I don't want to use EyeTV in Catalina.
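The 32-bit versus 64-bit distinction is recorded in the first bytes of every Mac executable, so it can also be checked directly. The following is an added example, not from the original article or from Apple; the constants come from the public Mach-O headers, the function names are illustrative, and the sample headers are constructed byte strings rather than real binaries.

```python
import struct

# Values from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE          # universal binary; its header is big-endian
CPU_ARCH_ABI64 = 0x01000000     # bit set in cputype for 64-bit architectures

# Constructed headers: thin i386, thin x86_64, universal i386 + x86_64.
THIN_32 = struct.pack("<II", MH_MAGIC, 7)
THIN_64 = struct.pack("<II", MH_MAGIC_64, 0x01000007)
FAT_BOTH = (struct.pack(">II", FAT_MAGIC, 2)
            + struct.pack(">5I", 7, 3, 4096, 100, 12)
            + struct.pack(">5I", 0x01000007, 3, 8192, 100, 12))


def macho_slices(data):
    """Return 32 or 64 for each architecture slice; [] if not Mach-O."""
    if len(data) < 8:
        return []
    (magic_be,) = struct.unpack(">I", data[:4])
    (magic_le,) = struct.unpack("<I", data[:4])
    if magic_be == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", data[4:8])
        # Java .class files share this magic; their second word is a
        # version number (45 or more), so a large count is not Mach-O.
        if nfat == 0 or nfat > 20 or len(data) < 8 + 20 * nfat:
            return []
        bits = []
        for i in range(nfat):   # each fat_arch entry is five 32-bit words
            (cputype,) = struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])
            bits.append(64 if cputype & CPU_ARCH_ABI64 else 32)
        return bits
    for magic in (magic_le, magic_be):      # thin file, either byte order
        if magic == MH_MAGIC:
            return [32]
        if magic == MH_MAGIC_64:
            return [64]
    return []


def runs_on_catalina(data):
    """True if at least one slice is 64-bit."""
    return 64 in macho_slices(data)


if __name__ == "__main__":
    for name, blob in (("thin32", THIN_32), ("thin64", THIN_64), ("fat", FAT_BOTH)):
        print(name, macho_slices(blob), runs_on_catalina(blob))
```

To audit a real app, pass the first few hundred bytes of the executable inside its bundle's Contents/MacOS folder to `macho_slices`.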

    App Security

    In the system's default configuration, apps and services that you have downloaded to your Mac must undergo a number of tests to ensure that they are free of malicious software and come from known developers.

    You can still run apps that do not meet security requirements, but that will require you to make a change or two of the Gatekeeper default settings.

    Gatekeeper: On the surface, there doesn't seem to be too much change in Gatekeeper. But on the inside, Gatekeeper has improved dramatically. It can still be set to allow only apps from the App Store, or from the App Store and identified developers; you can also use a Terminal command to enable running apps from any source.

    But now Gatekeeper will scan apps for both a valid signature and for known malicious content. This enhanced check is performed at random intervals and is designed to ensure that an app has not been tampered with after it was installed on the Mac.

      Gatekeeper settings are in the Security and Privacy Settings pane.
    In its default configuration, Gatekeeper only allows apps downloaded from the App Store or from Apple developers to run.

    Notarization: Developers have been able to notarize their apps, essentially using an automated set of tools provided by Apple to scan the app for malicious content before it becomes available for distribution. With Catalina, notarization becomes mandatory.

    Data Protection

    Apps and services must behave in an expected manner. Apps should not attempt to access user data or hardware and peripherals without specific user permissions.

    User Data Protection: Your Mac already had some form of user data protection, which requires you to approve apps that want to access your camera or microphone. Catalina extends this by requiring user permission to record the screen or keyboard.

    In addition to asking for permission to use devices, user data protection will also ask if an app wants to access sensitive data, such as contacts, calendar, and photos, or wants to access any number of file system locations such as Downloads, Trash, Desktop, Documents, iCloud Drive, even most third-party cloud storage systems.

    Security and privacy settings will keep track of which apps and services you have granted access to, so you can revoke access at any time.

    The security and privacy settings pane will keep track of which apps you have allowed or suspended access to protected areas, devices, and services.

    Sign in with Apple: Apple steps up to compete with the popular Sign in with Google or Facebook services that appear to be everywhere you go online. Of course, Apple is taking the concept to a better place.

    Apple's sign-in service is attractive because it promises a higher level of privacy and security than Google and Facebook services, whose primary goal is to collect user data for their advertising business.

    Apple is not in the advertising business and promises that information will not be used to sell ads or to track you. In addition, third-party systems using the Apple Login Service will not receive any personal information other than any information you have agreed to share, such as your email address.

    Apple goes a step further and offers to hide your real email address and use an Apple-generated e-mail address. If you choose this route, the third party will receive an address such as 43a3cfb2ea@privaterelay.appleid.com. Email sent by a third party will be forwarded by Apple to your iCloud email address (or the one registered with your Apple ID). You can interact by using the obscured email address without ever revealing the real one to the third party service.

    Sender Blocking in Mail: It's nice to see Apple pay attention to the Mac's Mail app. In Catalina, you can block a sender who may be spamming your inbox, trying to get personal information through phishing, or just someone you don't want to see in your inbox anymore.

    Sender blocking in Mail may not offer much in the way of genuine security, but it makes it easy to get rid of annoying messages.

    Sender blocking is done by selecting the sender's name in an email header and then selecting Block.

    Device Management

    You should be able to secure your Mac if it is lost or stolen and hopefully find the missing device.

    Activation Lock: If your Mac is equipped with a T2 processor, macOS Catalina supports Activation Lock, which lets you erase or disable a lost or stolen Mac and prevents anyone else from using the device. Should you regain possession of your Mac, you can use Activation Lock to reactivate it, although any deleted data will still be missing.

    Find My Mac: Although not a new feature, Find My Mac has gained functionality that can allow you to find a lost Mac, even if the Mac is asleep. Find My Mac can now use Bluetooth to find other Apple devices nearby, and forward an encrypted data packet to Apple containing your Mac's current location. The owner can access this information from his or her iCloud account.

    Find My Mac returns in macOS Catalina.
    Find My Mac can be configured from the Internet Accounts Settings pane. Make sure you have Wi-Fi access when you first set it up; otherwise, you can see the message "Mac can't be located" as I did.

    Wrap Up

    There are a number of new security-related features in macOS Catalina; I only looked at the 10 I thought would be of most interest to our readers. If you are a developer, you will probably have a completely different list for the top ten changes.

    I hope this list will help you predict what changes will come when you decide it's time to upgrade to macOS Catalina. What changes to macOS Catalina are you most concerned about or looking forward to? Let us know in the comments below.

