At this year's WWDC, Apple's show to tell programmers how to build augmented reality games and move their iPad apps to the Mac, the company revealed a number of changes coming to MacOS. Some of those are under the hood, of concern to developers, but anyone with a Mac will see them, too.
We're spotlighting six of the MacOS Catalina security changes. The biggest ones you're likely to notice are new permission requirements for apps that record the screen or keyboard or that write data onto sensitive file system areas like your documents or desktop folders.
Whether you're a developer or just an Apple customer, though, some of the changes will look familiar if you have experience with iPhones and iPads. That's because some of the security improvements follow Apple's general direction of bringing MacOS closer with its mobile operating systems, iOS for iPhones and its new iPadOS cousin for tablets.
Good security is a challenge. Tech companies must find the right balance, locking machines down but not so hard that ordinary humans can't use them. Newer products like the iPhone have firmer security controls built in and enforced through the App Store. But that's harder with the Mac, with its origins as an all-purpose machine that offers owners and developers a lot of power.
If you're curious about MacOS Catalina security changes, you can find out more by checking Apple's presentations on the new permission requests, system extensions, app notarization, and the WWDC Platforms State of the Union talk.
User data controls
On mobile phones, apps need your permission before they're allowed to use the camera, a feature that keeps app developers from doing things like surreptitiously spying on you. Similar permissions are coming to the Mac with Catalina.
Specifically, apps will have to get your permission if they're going to record your screen or your typing. Ordinary use of the keyboard for mere typing doesn't trigger the request, but anything like a keylogger does.
WWDC 2019: A quick visual recap of Apple's Worldwide Developers Conference keynoteSee all photos
As with phones, you have to approve the request only once. And you can revoke permission later if you change your mind.
File system protections
MacOS Catalina also will ask your permission for apps that want access to sensitive data and file storage. Again, this is like on phones where apps need permission to reach your contacts, photos, calendar entries and reminders.
For storage, apps will need permission to reach a number of folders where most of us store our data: desktop, documents, downloads, iCloud Drive, external drives, network drives and third-party cloud storage systems like Google Drive, Dropbox and Microsoft OneDrive.
Mac activation lock
On newer Macs equipped with Apple's T2 processor, a feature called activation lock will let you be able to brick your Mac if it's stolen or lost the same way you can disable a missing iPhone. The T2 chip is in newer Macs like the MacBook Air redesign that arrived in 2018.
Apple hopes activation lock will deter thieves who'll learn they can't use it or install a new copy of MacOS. Still, they can sell it for spare parts, as happens with stolen smartphones.
New Gatekeeper scrutiny
MacOS already ships with a feature called Gatekeeper designed to keep malware off your machine. Gatekeeper checks apps today when they're first launched, but on MacOS Catalina, it'll keep on checking frequently.
Currently, Apple has it set to check on future launches, though not every one. It's not a computationally onerous task, so you probably won't even notice.
Apple also is making an option called notarization mandatory for developers with Catalina. Apple's notarization process checks software for known malware, and today's MacOS shows a yellow warning alert when you try to run non-notarized software.
Ultimately, the decision to run software rests with you. "You can always choose to run any software on your system," Apple said.
Protections for low-level system software
For low-level software some developers write -- the "drivers" used to let a device handle specific hardware like webcams or printers -- Apple is steering developers toward a safer approach.
In MacOS, developers could write extensions that interface directly with the lowest-level part of the operating system, called the kernel. Now it's begun gradually banishing kernel extensions in favor of system extensions, which are walled off from the kernel so they don't get low-level privileges.
Catalina will be the last MacOS version that'll run kernel extensions "without compromises," Apple said. And in an unspecified future MacOS version, Apple will prohibit any kernel extensions whose jobs can be done with a system extension.
Read-only system file partition
File system software, which controls how data is read from and written to storage systems, is a privileged part of an operating system. MacOS Catalina gets a new restriction designed to keep malware from taking advantage of the file system.
Specifically, MacOS system files are stored in a separate read-only partition. That paves the way for features that block malware from overwriting or modifying the Mac's core software. It should also make it easier to reset a Mac the way you can an iPhone.
Unfortunately, some software -- especially older Unix-era programs -- stores perfectly legitimate data in the system partition. Apple has some ways to mitigate the problem and improve compatibility, though.
So yes, there are inconveniences. But that's the price we all have to pay to try protect our hardware.