Apple Platform Security
Controlling app access to files in macOS
Apple believes that users should have full transparency, consent and control over what apps are doing with their data. In macOS 10.15, this model is enforced by the system to help ensure that all apps must obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive and network volumes. In macOS 10.13 or later, apps that require access to the full storage device must be explicitly added in System Settings (macOS 13 or later) or System Preferences (macOS 12 or earlier). In addition, accessibility and automation capabilities require user permission to help ensure they don’t circumvent other protections. Depending on the access policy, users may be asked, or required, to change the setting in:
- In macOS 13 or later: System Settings > Privacy & Security > Privacy
- In macOS 12 or earlier: System Preferences > Security & Privacy > Privacy
Item | User prompted by app | User must edit system privacy settings |
---|---|---|
Accessibility | ||
Full internal storage access | ||
Files and folders (Note: Includes Desktop, Documents, Downloads, network volumes and removable volumes) | ||
Automation (Apple events) | ||
A user who turns on FileVault on a Mac is asked to provide valid credentials before continuing the boot process and gaining access to specialised startup modes. Without valid login credentials or a recovery key, the entire volume remains encrypted and is protected from unauthorised access even if the physical storage device is removed and connected to another computer.
To protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using mobile device management (MDM). Organisations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with MDM for escrow) or a combination of both. Key rotation can also be set as a policy in MDM.
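One way an administrator could check a Mac against such a recovery key policy, as an added example that is not Apple's code: the function below classifies the text printed by the macOS `fdesetup` tool (`status`, `haspersonalrecoverykey`, `hasinstitutionalrecoverykey`). The policy names (`personal`, `institutional`, `both`, `either`), the `--live` switch and the result strings are assumptions made for this example, and the status strings it matches are assumed to be what `fdesetup` prints.

```shell
#!/bin/sh
# Added example, not Apple's code. Classifies FileVault recovery-key posture
# from the text printed by these fdesetup verbs (run as root on the Mac):
#   fdesetup status
#   fdesetup haspersonalrecoverykey
#   fdesetup hasinstitutionalrecoverykey
# The policy names below are hypothetical: personal | institutional | both | either.
# Return codes: 0 compliant, 1 non-compliant, 2 output could not be interpreted.
fv_posture() {
    fv_status=$1; fv_prk=$2; fv_irk=$3; fv_policy=${4:-either}

    # Deferred enablement is reported alongside "FileVault is Off.", so it is
    # matched first to give the more useful reason.
    case $fv_status in
        *"FileVault is On."*) ;;
        *"Deferred enablement"*)
            echo "NONCOMPLIANT: enablement deferred, volume not yet encrypted"; return 1 ;;
        *"FileVault is Off."*)
            echo "NONCOMPLIANT: FileVault is off"; return 1 ;;
        *)
            echo "UNKNOWN: unrecognised status output"; return 2 ;;
    esac

    # Anything other than true/false (for example an error because the caller
    # is not root) must not be mistaken for "no key present".
    for fv_v in "$fv_prk" "$fv_irk"; do
        case $fv_v in
            true|false) ;;
            *) echo "UNKNOWN: unexpected recovery key query output"; return 2 ;;
        esac
    done

    case "$fv_policy:$fv_prk:$fv_irk" in
        personal:true:*|institutional:*:true|both:true:true|either:true:*|either:*:true)
            echo "COMPLIANT: prk=$fv_prk irk=$fv_irk policy=$fv_policy"; return 0 ;;
        *)
            echo "NONCOMPLIANT: prk=$fv_prk irk=$fv_irk policy=$fv_policy"; return 1 ;;
    esac
}

# Live check on a Mac: sh fv_posture.sh --live [policy]
if [ "${1:-}" = "--live" ]; then
    fv_posture "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey)" \
               "$(fdesetup hasinstitutionalrecoverykey)" "${2:-either}"
    exit $?
fi
```

The return code can feed an MDM inventory or compliance script; it reports which key types exist on the volume, not whether a personal recovery key has actually been escrowed.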