blank Skip to main content

8 Key macOS Security Configurations and How to Use Them for Application Development and Testing

When working on a macOS-related project, your development and quality assurance (QA) teams have to take into account numerous nuances to deliver a secure application. For example, you need to ensure that your application works with all possible macOS security configurations. You have to know how these features work in a specific version of macOS, how an administrator can configure them, and how to ensure stable performance of your solution with various macOS security configurations.

In this article, we overview eight key macOS security configurations, show how to use them to protect macOS devices, and explain what you should take into account when developing a secure macOS application.

This article will be useful for IT engineers working on macOS development projects who want to get a deeper understanding of macOS security features.

Contents:

1. Set up user accounts

2. Limit screen time

3. Check developer ID with Gatekeeper

4. Manage external connections in Firewall

5. Specify an application’s Privacy access

6. Configure Keychain Access

7. Enable Remote Login

8. Acquire superuser access

Conclusion

1. Set up user accounts

In macOS, you can choose between four types of user accounts with different levels of privileges. These privileges can allow or block the ability to use different operating system features.

In macOS, you can create the following account types:

  • Admin. Administrators have all possible access rights. They can change any macOS configurations, install and delete applications, create and manage user accounts, etc. The first user you create in macOS will be of the administrator type. There can be several administrators on one device.
  • Standard. Standard users can manage their own settings, work with files and folders inside their home folder, and download system updates but not install them. A standard user can’t install and delete apps, change profiles of other users, or edit system preferences such as those in the Network and Security preference panes. You can promote a Standard user account to an Admin account. 
  • Sharing only. The only thing users of a Sharing only account can do is remotely access shared files. They can’t log in to a personal user profile in macOS.
  • Guest. There’s only one Guest user account per system, which doesn’t require a password to log in. A guest can’t change any device or operating system settings, manage users, or log in remotely. When the guest logs off, all data created by them is deleted.

To manage users, open the Users & Groups preferences pane in System Preferences as an administrator. You will see a list of users with their account types. If you want to make changes to a user account, click the lock icon and enter the administrator password:

Accessing the Users & Groups preferences pane
Figure 1. Accessing the Users & Groups preferences pane

To promote a Standard user to an Admin, check the option Allow user to administer this computer. You can downgrade Admin users to Standard users by unchecking this box.

Promoting a Standard user account to an Admin account
Figure 2. Promoting a Standard user account to an Admin account

Click Guest User to manage the device’s guest account:

Managing the Guest User account in macOS
Figure 3. Managing the Guest User account in macOS

To create new users, click the plus button in the bottom left corner of the Users & Groups preferences pane and fill out the account creation form:

Creating a new user account
Figure 4. Creating a new user account

If you want to delete a user account, choose the account to delete, click the minus button in the bottom left corner of the Users & Groups pane, and confirm that you want to delete the account:

Deleting a user account
Figure 5. Deleting a user account

Configuring user accounts according to user roles and needs generally helps to improve the security of your network and applications, but you should pay special attention to account creation in the following cases:

  • Several people can use the device. If many people have access to a system that stores sensitive information, you need to protect it from unauthorized access and insider threats. One way of doing this is by creating different user accounts with the level of access they need. For example, you can allow users to read data and take a look at system settings but only allow the system administrator to change data and settings.
  • An organization owns the device. When an organization provides employees with computers for work, it may restrict user privileges in accessing device settings and control such devices with a group policy. macOS allows administrators to do this by creating user accounts with access limitations.
  • The device has several usage scenarios. A user can do numerous tasks with the same computer: write code, create content, watch movies, etc. Creating a separate user account for each task can help customize device and application settings according to a certain usage scenario.

Several types of user accounts mean that developers have to test how their application works with all accounts. A QA team should verify the installation, execution, and uninstallation of an application with different access rights.

Say there’s a feature in your application that only works with administrator privileges. To check how this feature works, you need to test it first with an administrator profile. Then, run the same feature as a standard user and don’t give the application needed permissions. The feature won’t work in this case, but the application should continue working smoothly. Also, in this case, the application may display special notifications like <feature> needs administrator access

QA engineers should add information about such access requests to application logs to help the development team locate any issues that may arise.

Related services

Custom macOS Development Services

2. Limit screen time

macOS administrators can limit user access to certain applications by configuring screen time restrictions. This feature allows for configuring computer downtime, application limits, and content and privacy restrictions. When developing your application, make sure you know how this feature works and how your app should behave under screen time limitations.

You can restrict user screen time by logging in to a new account and opening the Screen Time pane in System Preferences. Then, choose Options and turn on the feature. The next step is to enable Use Screen Time Passcode. The time passcode is a four-digit code required to ignore screen time restrictions or change the Screen Time settings.

Enabling Screen Time limit for a user
Figure 6. Enabling Screen Time limit for a user

With Screen Time limits, you can also define which applications will be available during a certain period of time. Go to the Downtime tab to set the system downtime, turn on the feature, and set the schedule.

Configuring system downtime
Figure 7. Configuring system downtime

Then, go to the App Limits preferences pane to set the daily time limits for applications. Choose an application and set the limit. When the limit is exceeded, the application will be blocked.

Configuring application downtime
Figure 8. Configuring application downtime

You can choose the applications that shouldn’t be blocked during downtime in the Always Allowed tab.

Choosing applications that shouldn’t be blocked
Figure 9. Choosing applications that shouldn’t be blocked

This feature also allows you to block explicit and adult content and set privacy settings for an account. You can do that in the Content & Privacy preferences pane.

Configuring account privacy settings
Figure 10. Configuring account privacy settings

If a user tries to visit a blocked website, they’ll see a warning message. They can add this website to the approved list only if they know the Screen Time passcode.

When you configure Screen Time restrictions for an application and those restrictions are active, the user will see a shaded icon.

Icons for applications with active Screen Time limitations are shaded
Figure 11. Icons for applications with active Screen Time limitations are shaded

When the user tries to launch a blocked application, they’ll see a warning about reaching their time limit. At that point, they can get one additional minute to complete their task or enter the Screen Time passcode to unblock the application. 

macOS application developers also have to pay attention to Screen Time blocking when working on their products. In particular, be sure to check that:

  • Screen Time can stop your application without any crashes or fatal errors
  • A user can continue working with your application if they request one more minute or enter the Screen Time passcode
  • A user can work with the application when it’s unblocked after downtime
  • The application’s scheduled and background processes work as expected with Screen Time limits

There are a lot of different restrictions in the Content & Privacy settings of Screen Time. make sure to check that they don’t crash your application. For example, if you are developing a web traffic filter that can block adult websites, restrict access to such sites with Content & Privacy and check how your app works. If you are working on a video content application, restrict access to adult TV shows and then try to watch them inside the app. If you are developing a video game, you can restrict access to online gaming and try to play online.

Related services

Engineering for Cybersecurity Projects

3. Check developer ID with Gatekeeper

Gatekeeper is a feature that protects macOS from untrusted applications. A macOS user can configure their system to allow or block the execution of applications with unknown and suspicious origins in the Security & Privacy section of System Preferences.

Configuring trusted sources for applications
Figure 12. Configuring trusted sources for applications

A user can allow their device to work only with applications downloaded from the App Store. It’s the most trusted source for downloading because Apple reviews the security of applications before they can be published on the App Store. If an application has any problems, Apple will remove it from the store. 

If a user tries to open an application not downloaded from the App Store, they’ll see the following message:

Trying to launch an application downloaded from an untrusted source
Figure 13. Trying to launch an application downloaded from an untrusted source

There’s also an option to allow launching applications from the App Store and identified developers. In this case, macOS will check the Developer ID and Notarization of the application to be sure that it’s secure. Gatekeeper checks the certificate when the application is installed and at every launch. 

If the certificate isn’t valid, the application cannot be installed. Users can execute an installed application if it was compiled when the certificate was valid, even if the certificate has since expired. If a Developer ID provisioning profile is expired, the application can’t be executed.

That’s why every application should be signed with a Developer ID certificate. To get such a certificate, you have to be identified by Apple and become part of the Apple Developer Program. A Developer ID certificate is valid for five years from the date of creation, so make sure to renew your Developer ID periodically. 

Any application also should be notarized to become trusted by macOS. The Apple Notarization service is an automated process that scans applications for malicious content. If it doesn’t discover issues, it permits macOS to run the application. To check Notarization permissions, Gatekeeper connects to Apple databases and searches for the application.

If a device allows a user to run applications downloaded from identified developers, Gatekeeper will still show a warning message with a note stating that Apple checked it for malicious software and none was detected, and it will allow the user to open the app.

Launching a third-party application verified by Apple
Figure 14. Launching a third-party application verified by Apple

If a user tries to run an untrusted application, they’ll see the following message:

Launching an untrusted application
Figure 15. Launching an untrusted application

An administrator can allow a user to run untrusted applications by setting a corresponding permission in the Security & Privacy preferences pane.

Allowing applications from untrusted sources
Figure 16. Allowing applications from untrusted sources

Gatekeeper can be a nuisance when you need to test your application which is not yet trusted and you don’t want to change security preferences. You can ignore Gatekeeper security features using the following command:

sudo spctl --master-disable

spctl is an application that can be used to communicate with Gatekeeper. It adds the Anywhere option to Security & Privacy settings. This means you will be able to execute any application.

Figure 17. Allowing installation of applications from any sources
Figure 17. Allowing installation of applications from any sources

Note: We strongly recommend you not disable any security feature unless you are sure what you are doing!

You can verify an application’s Developer ID and Notarization with the following command:

spctl -vv -a '<your app>.app'

In this command, -a is the parameter for getting evaluation results for the app, and -vv returns additional information.

If your application is signed by a valid Developer ID and has a valid Notarization, the command will return the message Notarized Developer ID and the developer’s information. For example, let’s check the Google Chrome app:

Checking Developer ID and Notarization of Google Chrome
Figure 18. Checking Developer ID and Notarization of Google Chrome

As you can see, Google Chrome is trusted by macOS.

If the application you’re interested in is created by a trusted developer but isn’t notarized, you won’t see the word Notarized in the source field:

Checking Developer ID and Notarization of an unnotarized application
Figure 19. Checking Developer ID and Notarization of an unnotarized application

If the application doesn’t even have a Developer ID signature, you’ll see a no usable signature message:

Figure 20. Checking an application without a trusted developer’s signature
Figure 20. Checking an application without a trusted developer’s signature

Before delivering any macOS product, use the command listed above to check the application’s Developer ID and Notarization. It will help your end users avoid possible issues with launching the application. You can also download the installer for your application from any internet resource and install it to simulate the user experience.

Read also:
How to Reverse Engineer an Undocumented macOS API to Use It in a Swift Project

4. Manage external connections in Firewall

macOS has a built-in firewall that can secure applications from unauthorized internet access. It helps block any incoming connections and allows access to the applications you want.

To configure Firewall, visit the Firewall tab in the Security & Privacy preferences pane:

Accessing Firewall configurations
Figure 21. Accessing Firewall configurations

Then, click Firewall Options to configure the Firewall. You can block all incoming connections to prohibit anyone and anything from connecting to macOS. This is the most secure Firewall configuration, but some applications may not be able to provide online features when it’s enabled.

Blocking all connections with Firewall
Figure 22. Blocking all connections with Firewall

You can also choose to allow incoming connections for specific applications. If you are testing a client–server application and you see any issues with client–server connections, check the Firewall configuration and try adding your app to the allowed list.

Allowing specific internet connections with Firewall
Figure 23. Allowing specific internet connections with Firewall

Read also:
How to Work with the File Provider API on macOS

5. Specify an application’s Privacy access

Some applications need access to advanced macOS features to work correctly. But malicious applications may also request access to those features to steal users’ personal data. By default, macOS blocks access to Location Services, Contacts, Photos, Microphone, Device Disk, Screen Recording, Bluetooth, and other features to protect a user from security threats.

If a user installs an application that requests access to blocked features, the user has to provide access in the Privacy tab of the Security & Privacy preferences pane.

Providing an application with access to Location Services
Figure 24. Providing an application with access to Location Services

When developing an application that requires access to sensitive features and resources, make sure to include an access request in the installer. The request can look like this: Please give <App name> access to the Camera. Also check how your application will behave if a user doesn’t provide access to necessary features, or if the user provides and then revokes access.

6. Configure Keychain Access

Keychain Access is a default macOS app for password management that stores a user’s credentials, reducing the number of passwords a user has to remember. You can find Keychain Access in the Utilities folder of your Applications list. Open it to find and configure any stored credentials.

Accessing credentials stored in Keychain Access
Figure 25. Accessing credentials stored in Keychain Access

To secure credentials, this application uses the Transport Layer Security (TLS) protocol and public key certificates. Let’s examine how they work.

TLS is a cryptographic protocol designed to secure communications in a computer network. It’s widely used in applications that use HTTPS, such as email, instant messaging, and voice over IP.

A public key certificate includes information about the public key, its owner, and the digital signature of an entity that has verified the certificate’s contents. If the signature is valid and software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate’s subject. 

In email encryption, code signing, and e-signature systems, a certificate’s subject is typically a person or an organization. In TLS, a certificate’s subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role of identifying devices. 

If you try accessing any secured resource, its certificate needs to be trusted by macOS. By default, macOS has a list of trusted certificates. If you want to access a resource without a trusted certificate, you’ll see the following message:

Trying to access a resource without a trusted certificate
Figure 26. Trying to access a resource without a trusted certificate

Only an administrator with corresponding credentials can add a resource to Keychain Access. Click Show Details and then Visit Website to add a certificate to Keychain Access.

Adding a resource to Keychain Access
Figure 27. Adding a resource to Keychain Access

After that, you can open the certificate details and change the certificate’s settings.

Configuring certificate settings
Figure 28. Configuring certificate settings

When developing and testing a client–server macOS application, you need to know how to work with Keychain Access and manage security certificates inside it. If your application creates a certificate during installation, make sure to do the following: 

  • Provide your application with all permissions when it asks for administrator access, then check the certificate inside Keychain Access. 
  • Don’t provide administrator permissions for certificate installation, or don’t make the connection trusted. Check the application installation process and the application behavior. Your app should show a notification about certificate issues. Also, it should add information about these issues to the application logs. However, it shouldn’t crash. 
  • Check the behavior of your application when you make its certificate untrusted or delete the certificate altogether. 
  • Make application certificates expired by changing the date in macOS to any future date. Check how the application behaves in this case. 

Keep in mind that Keychain Access features change in different macOS versions. For example, in macOS 10.15 and earlier versions, you can make a certificate trusted by executing the following script as a superuser:

sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain <certfile>

In later macOS versions, you can’t do that. Also, in macOS 11 and 12, a user needs to manually approve application certificate even if they run a Terminal command to make the certificate trusted. This is done for security reasons: scripts can’t make any certificate trusted without the user’s permission. In these versions of macOS, check both UI and silent installation options using Terminal commands, as you may face silent installation issues on macOS 11 and later.

Read also:
Protect Your Web Applications from Password Cracking with Fail2ban

7. Enable Remote Login

Accessing macOS remotely allows developers to reproduce and fix an issue a user has trouble with. The OS provides a default feature for accessing remote systems, so you don’t need to install third-party software.

By default, all remote access features are disabled, but you can configure them in Sharing preferences. Enabling Remote Login will show you a message this:

Enabling remote access to a system
Figure 29. Enabling remote access to a system

Use this command and your password to get access to another user’s system.

You can also enable Virtual Network Computing (VNC) access in Screen Sharing, which will allow you to share your screen. When you enable this feature, you will see a similar message:

Enabling remote access via VNC services
Figure 30. Enabling remote access via VNC services

Note that to start screen sharing, you need to open Computer Settings and set the password that will be used to access your system.

You can enable Apple Remote Desktop in the Remote Management service. It gives you the ability to remotely execute any scripts and use all Terminal capabilities. You can connect to another device via Apple Remote Desktop from any operating system. Apple Remote Desktop is the optimal way to establish a remote connection with a slow internet connection since it doesn’t load the macOS GUI.

The VNC service provides you with a remote connection to the macOS GUI. As a developer or QA engineer, you can use VNC to test your application on another Mac device with a different macOS version. You can also connect to your end user’s macOS device and debug any issues with your application.

Enabling Apple Remote Desktop
Figure 31. Enabling Apple Remote Desktop

8. Acquire superuser access

Root is a superuser that has unlimited access to all system features and files. This user is helpful when an administrator account can’t provide the required level of permissions. For example, an administrator can’t change system files, but a superuser can. You can obtain root access rights via the Terminal and in the GUI. Let’s take a look at the Terminal option.

When you run a command and see the Permission denied message, run the same command with the word sudo before it. You’ll need to enter the root password, and then the command will be executed without access issues.

To become a superuser inside Terminal without needing to enter sudo before each command, use the sudo su command. You’ll also need to enter the root password. When this command is executed, you’ll gain superuser access in this Terminal session.

To gain superuser access via the GUI, you need to be an administrator. There’s no way of logging into macOS as a superuser by default, but there’s a workaround. Open Login Options in the Users & Groups preferences pane and click Join.

Changing Login Options in macOS
Figure 32. Changing Login Options in macOS

In the opened form, select Open Directory Utility, then click the lock icon in the bottom left corner and enter the administrator credentials.

Logging into Directory Utility
Figure 33. Logging into Directory Utility

In Directory Utility, open the Edit menu, select Enable Root User, and set a password for the root user.

Enabling root user via the macOS GUI
Figure 34. Enabling root user via the macOS GUI

Now you can log in and out of macOS as the root user. On the login screen, choose Other, enter ‘root’ as the username and enter the password you created for the root account.

Logging in to the root account
Figure 35. Logging in to the root account

If your application has features that require root access to work, check how they perform if a user doesn’t have root access rights. Ideally, in this case the application should display a message about the permission issue, add this information to its logs, and continue working without crashing.

Related services

Remote Access and Management Solutions

Conclusion

macOS has a robust set of built-in security features that macOS developers need to be aware of and configure properly to protect their systems and applications. Also, Apple often reworks and improves these security features, so with a new macOS release, you need to make sure your software works properly with the latest versions. 

One way of doing that is by studying all macOS changelogs, learning the ins and outs of the system, and supporting your applications yourself. A better option is to outsource this task to Apriorit’s professional macOS development team that focuses on cybersecurity. 

Our macOS experts deeply understand how different versions of the macOS operating system work, how to develop applications for various purposes and industries, and where to look when testing macOS apps.

Reach out to start building a secure macOS solution hassle-free!

Tell us about your project

Send us a request for proposal! We’ll get back to you with details and estimations.

By clicking Send you give consent to processing your data

Book an Exploratory Call

Do not have any specific task for us in mind but our skills seem interesting?

Get a quick Apriorit intro to better understand our team capabilities.

Book time slot

Contact us