Mac app security enhancements
App security in macOS consists of a number of overlapping layers—the first of which is the option to run only signed and trusted apps from the App Store. In addition, each macOS layer adds protection to help ensure that apps downloaded from the internet are free of known malware. Apple operates a threat intelligence process to quickly identify and block malware. Malware defenses are structured in three layers:
1. Prevent launch or execution of malware: App Store or Gatekeeper and Notarization
2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect
3. Remediate malware that has executed: XProtect
The first layer of defense is designed to inhibit the distribution of malware, and prevent it from launching even once—this is the goal of the App Store, and Gatekeeper combined with Notarization.
The next layer of defense is to help ensure that if malware appears on any Mac, it’s quickly identified and blocked, both to halt its spread and to remediate the Mac systems that it’s already gained a foothold on. XProtect adds to this defense, along with Gatekeeper and Notarization.
Finally, XProtect acts to remediate malware that has managed to successfully execute.
These protections, further described below, combine to support best-practice protection from viruses and malware. There are additional protections, particularly on a Mac with Apple silicon, to limit the potential damage of malware that does manage to execute.
When to use Gatekeeper
macOS includes a security technology called Gatekeeper, which is designed to help ensure that only trusted software runs on a user’s Mac. When a user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn’t been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
Users and organizations have the option to allow only software installed from the App Store. Alternatively, users can override Gatekeeper policies to open any software unless restricted by a mobile device management (MDM) solution. Organizations can use MDM to configure Gatekeeper settings, including allowing software signed with alternate identities. Gatekeeper can also be completely disabled, if necessary.
What are encrypted disk images?
In macOS, encrypted disk images serve as secure containers in which users can store or transfer sensitive documents and other files. Encrypted disk images are created using Disk Utility, located in /Applications/Utilities/. Disk images can be encrypted using either 128-bit or 256-bit AES encryption. Because a mounted disk image is treated as a local volume connected to a Mac, users can copy, move, and open files and folders stored in it. As with FileVault, the contents of a disk image are encrypted and decrypted in real time. With encrypted disk images, users can safely exchange documents, files, and folders by saving an encrypted disk image to removable media, sending it as a mail message attachment, or storing it on a remote server. For more information on encrypted disk images, see the Disk Utility User Guide.