System Preferences app in macOS Sequoia
1 Facebook x.com Reddit
macOS has security policies that restrict apps from running outside the system's normal protection policies. Here's how macOS Sequoia may override system policies in some cases.
Apple's macOS is one of the most secure operating systems in the world. However, no operating system is foolproof, and security breaches are still possible.
Over the past decade, Apple has added several additional security features to macOS that help improve security. These include, but are not limited to:
- Developer ID
- Gatekeeper
- App Notarization
- Digital Application Signatures
- System Integrity Protection (SIP)
The Developer ID and Gatekeeper are two app-related security features that check and authorize Mac apps to allow or prevent them from running. Gatekeeper prevents apps from running unless they are verified to be from a registered Apple developer or from the Mac App Store.
It is also possible for apps that only require a Developer ID to run when downloaded from outside the Mac App Store if they have been verified by Apple.
Gatekeeper is what causes the Verification progress window to appear in Finder the first time you launch a newly downloaded app. This window appears while Gatekeeper verifies signed digital receipts for all components of the app when it first runs.
In the macOS System Preferences app, you can choose whether to allow only apps verified by Gatekeeper (App Store) to run. You can also allow Gatekeeper and apps from registered Apple developers via Developer ID.
If you try to launch a macOS app without any of these security features, you'll get a warning in the macOS Finder that the app can't be opened. To dismiss this warning, click Done, then return to System Preferences -> Privacy & Security and click Open Anyway:
A downloaded installer app that fails Gatekeeper verification.
App notarization improves the security of Mac apps and disk images by allowing Apple to verify that they do not contain malicious components.
An app signature is an encrypted signature that is provided by a Mac app when it is created by a developer and when it is downloaded from the Mac App Store. Digital signatures ensure that an app is not tampered with and that its contents have not been modified after distribution.
System Integrity Protection (SIP) is a system-wide security feature that Apple added in macOS 10.11 El Capitan in 2015. SIP protects critical operating system files from unauthorized access, and parts of macOS even from the UNIX root user if enabled.
You can disable and re-enable SIP in the Terminal app on macOS, but Apple doesn't recommend doing so because it exposes your Mac to security risks.
Together, these security components are known as Runtime Protection in macOS.
Terminal Apps
Apple provides other runtime protections for standalone binary applications that run the Terminal app. These include extended attributes (xattrs) and other system-level protections.
Some Terminal command-line applications may not run with the system's default security policies. Apple does this to protect users from untested, malicious third-party Terminal command-line tools.
These restrictions only apply to some applications.
In some cases, regular macOS apps that you double-click may need to run individual command line tools or other software components.
Enabling apps to run other apps
If you want to be able to run an app that needs to run outside macOS system security policies in macOS Sequoia, go back to the System Preferences -> Privacy & Security pane. You'll need to check each subpage for a toggle to enable it.
For example, some command line developer tools need to run outside system security policies to run other commands, process files, or perform other restricted actions.
In this example, go to the System Preferences -> Privacy & Security -> Developer Tools pane, and you'll see the following toggle:
Check Privacy & Security for the dedicated security policy toggle.
Unfortunately, macOS currently doesn't have an option to enable this at the machine level, and it probably shouldn't, as it would expose your Mac to other security risks.
But it can be enabled on an app-by-app basis, if the app supports it. Again, this feature won't be available for all apps, so you'll have to check each one individually.
In most cases, you won't need to override macOS security policies, but some apps may require it in certain cases.
For more information on Gatekeeper and macOS Runtime Protection, see the relevant section of Apple's Platform Security Guide.
For a full discussion of Gatekeeper, Developer ID, and using System Preferences to open apps, see Apple Tech Note 102445, “Securely open apps on your Mac.”
Follow AppleInsider on Google News
