10 Ways macOS Catalina Makes Your Mac More Secure

Hi this is Gary with MacMost.com. On this episode let's take a look at ten new security features in macOS Catalina.

MacMost is brought to you thanks to a great group of supporters. Go to MacMost.com/patreon. There you can read more about it. Join us and get exclusive content.

So a lot of what you get with macOS Catalina involves security. A lot of it is completely invisible to the typical Mac users. So the first one is Activation Log. Activation Log involves a piece of hardware that's on some of the latest Macs, particularly the MacBooks. Also the latest Mac Mini and the iMac Pro and soon it will be on all Macs. Now you can already use Find My Mac or the Find My app in Catalina to erase the drive on a lost Mac or locate it. 

But if somebody steals your Mac and it's running Catalina and has the T2 chip in it they won't actually be able to erase the Mac and reuse it without your permission. It requires authentication through your Apple ID. So it makes stealing a Mac kind of useless because they can't do anything except maybe strip it for parts. This sort of security has already been available for a little while on iPhones and iPads. So it's great to see it come to Mac.

Now on macOS Mojave an app already had to ask permission if it wanted to use the camera or the microphone. But now it has to ask permission for a lot of different things. Particularly it needs to ask permission if it's going to access files. If it wants to access files in your Documents folder it's going to ask you. If it wants to access files on iCloud it's going to ask you and a whole bunch of other different locations. It also needs to ask permission for all sorts of things like access to Calendar, Contacts, etc. So the first time you run an app it's going to ask permission. You grant it and then you're set. 

But you can always go back and control these permissions in System Preferences. Just go to Security & Privacy and you'll see a list of different things, under Privacy, like Locations of Files and Calendar contacts. Even screen recordings and keyboard recording. You can revoke access to any app or if you accidentally didn't give access to an app where it's important you can give it access here. Also if an app wants to set something to run periodically on your Mac, it's called the cron tab, it has to ask permission for that too. This is critical because that's one of the primary ways that something like adware or malware will mess with your Mac. Now there's an extra layer of security to prevent that.

Now there's also a new feature in Safari that gives you a prompt the first time you try to download something from a website. It asks if you really want to download a file from this site. So it's one of the permissions now stored in Safari Preferences. So you can go and revoke or grant permission to a website later on.

So a useful feature for Apple Watch users is the ability to approve things using your Apple Watch. You have your Apple Watch setup with the same Apple ID as your Mac. Then you get a prompt for permission but now you can just tap your Apple Watch to grant permission instead of using your password. This is great for security because the less you actually have to use your password for minor things the more likely people are to use a nice long secure strong password.

So a huge change that you may not have noticed is your Mac hard drive is now divided into two volumes. One is the System volume and the other is everything else. All your data and files and apps, everything. The System volume is going to be Read Only. So files can't be modified or added to this volume. So the System is basically locked down. The only thing that can change it are signed updates from Apple. This will prevent malware from actually getting into your system and making any changes. It's a huge security improvement. If you look in Disk Utility you can actually see these two separate volumes. But everything else appears normal. You still see this System folder in the Finder if you look at the main computer level and it really doesn't effect typical Mac users at all except it'll make things a lot more secure.

Another change is that something called kernel extensions are being deprecated. That means that even though developers can still use system kernel extensions in macOS Catalina they are a little bit harder to install. The developer should be moving to using the new type of system extensions which aren't part of the system but part of the app itself.

Now something that is gone in Catalina is the ability for Safari to run older Safari extensions. It used to be that you could install Safari extensions pretty easily from different websites and apps could throw them in there too and this was a security problem. As a matter of fact a lot of adware used extensions in Safari. They would add these extensions and then you get ads all over the place. Now for awhile Apple has said they are getting rid of these and have allowed developers to have extensions as part of the Mac App Store. This means that those extensions are vetted and more secure. So it does mean that if you have an older extension it's going to stop working in Catalina. As a matter of fact it will stop working in the most recent version of Safari for Mojave as well. It's up to the developer to provide an App Store version of that extension.

Now Gatekeeper has been a feature of macOS for awhile. You can set it to only allow apps installed from the Mac App Store or apps installed from the Mac App Store and signed apps from legitimate developers. Gatekeeper also took a look at these apps when you first ran them to make sure there was no malicious code. But now Gatekeeper is actually going to keep looking at apps periodically as you run them over time. So if somehow an app has updated itself and now is malicious it will then be caught by Gatekeeper.

Apple is also enforcing a security procedure called Notarization which is when a developer creates an app and prepares it for distribution they have to use an Apple tool to basically check it for malicious code. Notarization is now required for apps to run in Catalina. So you know every app has gone through at least one filter before it gets to you. Now for developers and advanced users there are still ways to get around this and install basically anything you want on your Mac. But they are pretty hard to get to for typical Mac users. It will make most Macs much safer.

One big new feature that you've probably heard about is something called Sign in with Apple. So this is Apple's answer to the sign in with Facebook or sign in with Goggle features of websites and apps where instead of having to create an user account you can use the user account for one of those services. But Apple takes things a few steps further because Apple doesn't pass along any private information to the developer of the site or the app. It also allows you to make your email address anonymous. So it could provide an email address that basically just forwards  to your real one so the website or app doesn't actually have your real email address.

While this is kind of a new feature or macOS Catalina it should work also with previous versions of macOS as it's rolled out. Apple is actually going to insist that it's used in apps in the iOS and Mac App Stores if the app is using these things at all. If it's using sign in with Facebook or sign in with Goggle it has also got to use sign in with Apple. I'll be taking a closer look at Sign in with Apple in a future video.

For all of us that are interested in security, not just for us but for all Mac users, Catalina is a huge step forward with these new features.