Apple laid out its plans for the changes in macOS security coming in macOS 10.15 Catalina at WWDC in June. Since then, ten beta releases of Catalina have passed under the bridge, and quite a bit has changed. This article looks at the changes we should expect to see in the first release of Catalina this month – which could, of course, be just a few days away.
Read-only system volume
The biggest single change coming in Catalina takes System Integrity Protection a step further by separating almost all of the system onto a new read-only volume. In place of a single boot volume such as Macintosh HD, Macs running Catalina have two linked volumes named Macintosh HD and Macintosh HD – Data, with the latter containing all the files and folders which are write enabled, including many from top-level hidden folders and /System itself.
This new separation isn’t optional, and Apple has gone to considerable lengths to make it as seamless as possible, including the addition of a new type of bi-directional link which it terms a firmlink. For example, all your regular command tools remain accessible through their normal paths. However, some less-used paths have changed, notably to writable items which were in /System/Library, so some scripts which rely on those will need to be modified.
For the few users who have turned SIP off, partially or completely, this will prove a challenge, of course.
Apple is moving developers away from creating third-party kernel extensions. Not only do these require user consent in the Security & Privacy pane, as they have in Mojave, but a new extension won’t be loaded until you restart your Mac. This can interrupt installation scripts, and some installers might struggle to resume properly once your Mac has restarted.
As in Mojave, all third-party extensions which have been signed since April 2019 must now be notarized, but as usual those which have already been installed before upgrading to Catalina should be retained and continue to work, as long as they are compatible and not blacklisted.
Catalina is also very careful about which LaunchAgents, LaunchDaemons and Preference Panes it accepts. When you upgrade, you may find a Relocated Items folder containing suspect items which macOS has discovered. So far, this hasn’t been documented particularly well either.
Hardening and notarization
Apple’s original plan was for all newly-installed third-party software not from the App Store to have to be notarized, and at WWDC Apple announced that all apps signed by developers from 1 June 2019 had to be notarized. Although this hasn’t changed, the requirements for notarization have.
In that original plan, legacy apps could be notarized without meeting the new stringent requirements such as hardening and deep code-signing, but all newly-signed apps were required to meet them. Between September 2019 and January 2020, Apple has relaxed its requirements across the board: newly-signed apps need only have passed Apple’s malware checks to be notarized.
This means that for new apps, hardening and deep signing aren’t mandatory until next year. What is required is that the app has been checked by Apple for the presence of malware. The result is that some notarized apps are hardened and meet Apple’s strict rules, but others aren’t.
There is considerable controversy over whether hardening and deep signing bring much security benefit. Apple claims that these should make those apps significantly more robust in the face of malware, and eventually this should prove better for users. But that isn’t really going to gather pace until Apple restores its stringent rules for notarization in January.
None of this prevents a user from running a new app (complete with quarantine flag) which isn’t signed at all, or which is signed but not notarized. If you double-click an app which isn’t notarized and still has its quarantine flag set, so hasn’t yet cleared its first-run checks, macOS informs you that the app can’t be opened because it can’t be checked for malicious software.
Select the same app icon and use the Finder’s menu command to open the app, and a similar dialog appears, this time also offering to open the app for you. Once that app has cleared its first run, no further warning dialogs should be shown.
These checks apply to newly-installed third-party software not obtained from the App Store, when it’s first run. They don’t apply to apps which have already passed their first-run checks, so all your existing apps which aren’t notarized should still run fine. But Catalina also checks every app, regardless of its quarantine status, for malware using XProtect when that app is opened. Unlike a full signature check, this adds very little time to the launch process.
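A shell audit of the first-run state discussed above, as an added example that is not part of the original article: it reads the quarantine record, the hardened-runtime flag, the Gatekeeper verdict and any stapled notarization ticket for one app bundle. It assumes a Catalina Mac with the standard xattr, codesign and spctl tools plus stapler from the Xcode command-line tools; parse_quarantine and audit_app are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the Gatekeeper-relevant
# state of an app bundle on Catalina. Assumes the macOS tools xattr, codesign
# and spctl, plus stapler via xcrun (Xcode command-line tools); the function
# names parse_quarantine and audit_app are hypothetical.

# Parse a com.apple.quarantine value. Its ';'-separated fields are:
# flags (hex), download time (hex Unix seconds), downloading agent, UUID.
# Prints "flags=<hex> epoch=<decimal> agent=<name>"; returns 1 if malformed.
parse_quarantine() {
    value=$1
    flags=${value%%;*}; rest=${value#*;}
    [ "$rest" != "$value" ] || return 1          # needs at least two fields
    tstamp=${rest%%;*}; rest=${rest#*;}
    [ "$rest" != "$tstamp" ] || return 1         # needs at least three fields
    agent=${rest%%;*}
    case $flags in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    case $tstamp in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    printf 'flags=%s epoch=%d agent=%s\n' "$flags" "$((0x$tstamp))" "$agent"
}

# Report what matters before an app's first run: quarantine record, hardened
# runtime, Gatekeeper verdict, and whether a notarization ticket is stapled.
audit_app() {
    app=$1
    [ -d "$app" ] || { echo "not an app bundle: $app" >&2; return 2; }
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        echo "quarantine: $(parse_quarantine "$q" || echo "unparsed record: $q")"
    else
        echo "quarantine: none (first-run checks cleared, or never set)"
    fi
    # codesign shows the hardened runtime as the 'runtime' CodeDirectory flag.
    if codesign -d --verbose=2 "$app" 2>&1 | grep -q 'flags=.*runtime'; then
        echo "hardened runtime: yes"
    else
        echo "hardened runtime: no"
    fi
    # spctl prints the Gatekeeper verdict and its basis, e.g. Notarized Developer ID.
    spctl -a -vv -t exec "$app" 2>&1
    # A stapled ticket lets Gatekeeper confirm notarization without going online.
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "stapled ticket: yes"
    else
        echo "stapled ticket: no"
    fi
}

# Usage: sh audit.sh /Applications/Example.app
if [ $# -gt 0 ]; then audit_app "$1"; fi
```

Run it on a freshly downloaded bundle before its first launch and again afterwards to see which of these checks the app has cleared.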
However, over the last couple of years Apple has let XProtect lie fallow and its current list of malware signatures isn’t as comprehensive as it could be. For this additional scanning to be worthwhile, Apple will need to support XProtect better in the future.
Catalina extends the privacy protections introduced in Mojave, which will, for example, affect many apps which access files in your Documents folder without presenting an Open File dialog. For most users, this will mean adding more apps to the Full Disk Access list in Security & Privacy, something we’re already getting used to.
Many conventional document-based apps will be unaffected by this. But the more an app tries to work with protected resources, the more of a pain it will be to configure its privacy settings. Well-designed apps which have been specifically updated for Catalina should walk you through getting these settings right; they’re also the most likely to be properly hardened, deep signed, and notarized under strict rules.
In early August, Apple announced an expanded Bug Bounty programme which includes macOS, but so far doesn’t appear to have started it. As a result, some macOS security researchers may be sitting on small collections of vulnerabilities which they have discovered in Catalina. Don’t be surprised if these lead to some turbulence in the first months of Catalina’s public release cycle.
On the other hand, Catalina introduces developer support for major new features which enable third-party anti-malware products to watch for suspicious behaviour. Digita Security, now part of Jamf, is already pioneering this with its GamePlan, aimed at enterprise users. Expect to see more products in the coming months.
For the first time in several years, Apple has delayed releasing a major new version of macOS until well after its corresponding iOS release. This should indicate that it intends the first release of Catalina to have fewer bugs than did Mojave or the more disastrous High Sierra. We’ll see how well this works out in a few days or weeks.
Once you’ve upgraded to Catalina:
- Prefer to install notarized third-party apps when they’re from outside the App Store.
- If you need to ‘first run’ a non-notarized app, use the Finder’s Open command to be given the option.
- Most users won’t notice the new read-only system volume, unless they run scripts which access system paths, some of which have moved.
- Beware of installing third-party software which relies on extensions: ensure they’re notarized and compatible with Catalina.
- Bear with the additional privacy dialogs, and be ready to add more apps to the Full Disk Access list.
- Watch for new security products built specifically for Catalina.