End-User Security Features
macOS and iOS have many built-in security features, including industry-standard digital signatures and encryption for Apple’s Mail app, and authentication for the Safari web browser.
In iOS, these features are largely invisible to the user, because security is handled by the system without the user’s intervention.
In macOS, the following four features are most visible to users:
The Security system preferences pane
FileVault, which users can configure through the Security system preferences pane
The Accounts system preferences pane
The Keychain Access app
These features are described in this appendix.
Security and Privacy System Preferences
Security and Privacy system preferences in macOS let the user configure FileVault and control some aspects of authorization on the computer. For example, users can indicate whether a password should be required after sleep or the screen saver begins.
At the bottom of the dialog is the lock icon provided by the authorization view (see Designing Secure User Interfaces in Secure Coding Guide). When this icon shows a closed lock, authorization is required before the user can change the settings in this system preferences pane.
FileVault and Encrypted Volumes
When the user turns on FileVault, macOS uses 128-bit AES encryption to encrypt everything on the root volume (or everything in the user’s home folder prior to OS X 10.7).
The system automatically decrypts files upon access if an authorized user is logged in, but the files remain encrypted on disk. This provides maximum security for a user’s files if all of the following are true:
All sensitive data is stored on an encrypted volume (or in the user’s home directory prior to OS X 10.7).
Permissions are set appropriately to protect the data from other users on the system.
Automatic login is disabled.
A password is required to wake from sleep or to wake from the screen saver.
A user can also create new external volumes with FileVault encryption using Disk Utility. Alternatively, if a user wants to securely store files somewhere other than a FileVault-protected volume (such as on an external hard disk or removable media), the user can create an encrypted disk image.
For more information about FileVault, see Apple Knowledge Base Article HT4790.
Users and Groups System Preferences
When a user installs macOS on a computer, that user automatically becomes a member of the admin
group (described in The Admin Group). Subsequently, the user or any other member of the admin
group can use the Users & Groups system preferences panes to add new users to the system.
For each new user, the administrator can specify whether that user should be a member of the admin
group. If not, the administrator can limit the system features and apps to which that user has access.
Keychain Access
Keychain Access is an macOS utility that lets users see and modify the passwords, certificates, and other data that are stored in their keychains.
With Keychain Access, users can:
Create new keychains
Add and delete keychain items
Lock and unlock keychains
Choose one keychain to be the default
See which certificates are available for use by email and web apps, who owns each certificate, and who issued each certificate
See and change passwords stored for various apps, tools, and websites
Securely store other secrets, such as passwords, credit card numbers, and notes
When a keychain is locked and an app or other tool needs to gain access to a keychain item, Keychain Services prompts the user for a password.
In addition, the Keychain Access menu includes items to open the Certificate Assistant and Kerberos Ticket Viewer utilities. The Certificate Assistant enables users to create certificates, request certificates from a certificate authority, create a public/private key pair, or evaluate a certificate. The Kerberos Ticket Viewer lets users see any Kerberos tickets in use on the system, and enables them to renew or destroy a ticket, or change a ticket’s password. Kerberos is described in more detail in Authentication, Authorization, and Permissions Guide.
Apple’s Mail app and other email apps can extract a public key from the signing certificate of any signed email and use it to encrypt messages sent to the owner of that key. See Digital Signatures in Cryptographic Services Guide for more information about digital signatures, and see Help in the Mail app for details on sending encrypted email.
Copyright © 2012 Apple Inc. All Rights Reserved. Terms of Use | Privacy Policy | Updated: 2012-12-13