Here are 6 MacOS Catalina security changes coming from Apple this fall

Some of these changes announced at WWDC will look familiar to iPhone owners.

Stephen Shankland Former Principal Writer
Apple says features like notarization, user data controls and Gatekeeper will improve security in MacOS Catalina.

Computer security is never done. Which is why Apple is hardening MacOS 10.15 Catalina, the operating system it plans to release this fall.

At this year's WWDC, Apple's show to tell programmers how to build augmented reality games and move their iPad apps to the Mac, the company revealed a number of changes coming to MacOS. Some of those are under the hood, of concern to developers, but anyone with a Mac will see them, too.

We're spotlighting six of the MacOS Catalina security changes. The biggest ones you're likely to notice are new permission requirements for apps that record the screen or keyboard or that write data onto sensitive file system areas like your documents or desktop folders.

Whether you're a developer or just an Apple customer, though, some of the changes will look familiar if you have experience with iPhones and iPads. That's because some of the security improvements follow Apple's general direction of bringing MacOS closer to its mobile operating systems, iOS for iPhones and its new iPadOS cousin for tablets.

Good security is a challenge. Tech companies must find the right balance, locking machines down but not so hard that ordinary humans can't use them. Newer products like the iPhone have firmer security controls built in and enforced through the App Store. But that's harder with the Mac, with its origins as an all-purpose machine that offers owners and developers a lot of power.

If you're curious about MacOS Catalina security changes, you can find out more by checking Apple's presentations on the new permission requests, system extensions, app notarization, and the WWDC Platforms State of the Union talk.

User data controls

On mobile phones, apps need your permission before they're allowed to use the camera, a feature that keeps app developers from doing things like surreptitiously spying on you. Similar permissions are coming to the Mac with Catalina.

Specifically, apps will have to get your permission if they're going to record your screen or your typing. Ordinary use of the keyboard for mere typing doesn't trigger the request, but anything like a keylogger does.

As with phones, you have to approve the request only once. And you can revoke permission later if you change your mind.

File system protections

MacOS Catalina also will ask your permission for apps that want access to sensitive data and file storage. Again, this is like on phones where apps need permission to reach your contacts, photos, calendar entries and reminders.

For storage, apps will need permission to reach a number of folders where most of us store our data: desktop, documents, downloads, iCloud Drive, external drives, network drives and third-party cloud storage systems like Google Drive, Dropbox and Microsoft OneDrive.

Mac activation lock

On newer Macs equipped with Apple's T2 processor, a feature called activation lock will let you brick your Mac if it's stolen or lost, the same way you can disable a missing iPhone. The T2 chip is in newer Macs like the MacBook Air redesign that arrived in 2018.

Apple hopes activation lock will deter thieves, who'll learn they can't use a stolen Mac or install a new copy of MacOS on it. Still, they can sell it for spare parts, as happens with stolen smartphones.

New Gatekeeper scrutiny

MacOS already ships with a feature called Gatekeeper designed to keep malware off your machine. Gatekeeper checks apps today when they're first launched, but on MacOS Catalina, it'll keep on checking frequently.

Currently, Apple has it set to check on future launches, though not every one. It's not a computationally onerous task, so you probably won't even notice.

With MacOS Catalina and beyond, Apple is steering developers away from low-level software called kernel extensions that can give malware lots of power.

Apple also is making an option called notarization mandatory for developers with Catalina. Apple's notarization process checks software for known malware, and today's MacOS shows a yellow warning alert when you try to run non-notarized software.

Ultimately, the decision to run software rests with you. "You can always choose to run any software on your system," Apple said.

Protections for low-level system software

For low-level software some developers write -- the "drivers" used to let a device handle specific hardware like webcams or printers -- Apple is steering developers toward a safer approach.

In MacOS, developers could write extensions that interface directly with the lowest-level part of the operating system, called the kernel. Now Apple has begun gradually banishing kernel extensions in favor of system extensions, which are walled off from the kernel so they don't get low-level privileges.

Catalina will be the last MacOS version that'll run kernel extensions "without compromises," Apple said. And in an unspecified future MacOS version, Apple will prohibit any kernel extensions whose jobs can be done with a system extension.

Read-only system file partition

File system software, which controls how data is read from and written to storage systems, is a privileged part of an operating system. MacOS Catalina gets a new restriction designed to keep malware from taking advantage of the file system.

Specifically, MacOS system files are stored in a separate read-only partition. That paves the way for features that block malware from overwriting or modifying the Mac's core software. It should also make it easier to reset a Mac the way you can an iPhone.

Unfortunately, some software -- especially older Unix-era programs -- stores perfectly legitimate data in the system partition. Apple has some ways to mitigate the problem and improve compatibility, though.

So yes, there are inconveniences. But that's the price we all have to pay to try to protect our hardware.