Apple + Recommended + Security & Privacy

macOS High Sierra: Security and Privacy Features Overview

Posted on September 27th, 2017 by

macOS High Sierra: Security and Privacy Features Overview

Apple's 13th release of the modern UNIX based operating system, macOS High Sierra, has arrived! macOS High Sierra introduces a slew of new features and core technologies that improve salient functions of your Mac. There are several new security and privacy features as well, which I will cover in this article. But before diving into that, first a little bit about Apple's naming scheme of the operating system (OS).

Is an upgrade to macOS High Sierra worth it?

I've heard this several times over the past years: "It has pretty much the same name, so there's really nothing new." Because the name is almost identical (with one exception), some Mac users assume it's just a minor upgrade with merely a handful of new features and enhancements. So there's really no need to upgrade anytime soon, right?

This notion cannot be further from the truth. Let's take a look at some previous OS upgrades and the naming schemes they received:

2005
Mac OS X 10.3 Panther -> Mac OS X 10.4 Tiger (this is that exception)
2009
Mac OS X 10.5 Leopard -> Mac OS X 10.6 Snow Leopard
2012
Mac OS X 10.7 Lion -> OS X 10.8 Mountain Lion
2017
macOS 10.12 Sierra -> macOS 10.13 High Sierra

Despite the similar-named operating system releases, what's most exciting for Mac users is that each new OS upgrade is historically the best. Why? Because every few years Apple sits down with all their teams and focuses less on new features and more on improving what's already there. Apple developers rewrite existing code, optimize performance, enhance the user experience, and more.

This was first done in 2005 with Tiger, and even though it received a different name (Fluffy Panther just didn't sound right), this is exactly what they did: optimize and enhance upon what they previously created. Tiger and Snow Leopard are by far my two favorite versions of OS X, and since Sierra was already a very nice OS to work with, High Sierra promises to be high on the list of best macOS versions to date.

So while the names of some new OS's are nothing to get excited about in and of themselves, what's under the hood is what matters most, and with a similar sounding name you can typically be sure it comes with massive improvements to its predecessor.

Now for the fun part. With the release of macOS High Sierra 10.13, Apple also introduced some new security and privacy enhancements worth noting. Here's an overview of High Sierra's new security features.

Basic Security Features

You can read about the basic and existing security features of High Sierra on Apple's website; it covers FileVault, Gatekeeper, iCloud keychain and more. We want to tell you about some of the more notable changes and enhancements.

Apple File System (APFS)

Announced last year, Apple's new File System (APFS) will be the default as of macOS High Sierra on the Mac. iOS devices have been running the new file system since iOS 10.3, and Apple has finally introduced it to the Mac. Designed to make the best use of Flash technology (Solid State), it brings faster performance and better security.

The security aspect comes from the file system's built-in encryption capabilities, crash-safe protections and easy backup capabilities.

Switching over an entire file system is quite an impressive feat. You may recall the iOS 10.3 update taking much longer than usual to download — this was because your iOS device was switching file systems. On a Mac with potentially hundreds of gigabytes of data, this process may take a long time. This also brings with it a big risk. High Sierra essentially has to rip the carpet from underneath your data (without messing up a single bit), and at the same time put a new carpet in place! If something goes wrong, you can imagine the catastrophic effects this can have on your data.

Before upgrading to a new operating system, especially before upgrading to High Sierra, make sure you have a backup of all your data! Double check those backups and if there's time left before dinner, triple check them. Apple stated that the High Sierra APFS upgrade is "nondestructive," but you're always better off safe than sorry. Trust us! Backing up your Mac is imperative. 🙂

There are also a few things to keep in mind if you share files between multiple Macs and/or macOS Servers.

Intelligent Tracking Prevention

Apple's Safari web browser now includes Intelligent Tracking Prevention, which uses machine learning to identify advertisers and others who track your online behavior, and is designed to remove the cross-site tracking data they leave behind. I mentioned this feature last week when iOS 11 became capable of doing this, and now the Mac will have the same feature. For those of you who value browsing privacy, this is no doubt a welcome feature!

TLS Connections

You use TLS connections countless times a day; for example, when you connect to an https:// website, like that of your bank, or when you send and receive an iMessage, use VPN connections, File Transfers and with many other applications. As the successor to SSL, TLS is more secure and is the current standard protocol that provides security and privacy on the web. To establish the trust between you and the server you connect with, TLS uses certificates to prove that, for example, your bank's website is indeed your bank's website.

High Sierra removes support for TLS connections using SHA-1 certificates. SHA-1 is a cryptographic hash function that is still widely used today, but no longer strong enough to provide the security as intended. SHA-1 has been on its way out for a while and Apple is urging developers and website operators to move to the much more secure SHA-256.

Before High Sierra, Safari would warn you when visiting a website that uses a SHA-1 certificate and a few hoops had to be jumped through to get such a website to load.

TLS Connections
In High Sierra, such connections will simply not work. This goes for websites, Mail, Calendar, VPN and other services.

While a good step forward in security, you may want to check your Mail host, any websites you own or manage, and VPN services you use to make sure they will still work after upgrading to High Sierra.

User Approved Kernel Extension Loading

Kernel Extensions (or kexts for short) are used to add functionality to the core part of the operating system. It allows an application to have additional code loaded by the OS when the computer starts up, which in turn can provide that software with more capabilities. A good example of software that uses Kernel Extensions is Mac antivirus software. Unfortunately, malware can also install Kernel Extensions, which can allow it to intercept keystrokes and more.

To get more control over what is allowed to install a kernel extension, High Sierra will warn you the first time if such an extension is about to be loaded. Unless you approve, a kernel extension will not be allowed to load. This, in theory, means you can install your favorite antivirus application, but malware on the other hand cannot install and run the components it requires to perform its malicious functions. Of course, it's up to you and how carefully you're paying attention to allow only software you truly use that will determine the effectiveness of this defensive mechanism.

It's also worth noting that kernel extensions will not require authorization under two circumstances:

  1. If they are on a Mac before an upgrade to macOS High Sierra.
  2. If they are replacing previously approved extensions.

Firmware validation

macOS High Sierra runs a check on your Mac's firmware weekly to make sure it has not been tampered with, a new feature known as firmware validation. The check compares your Mac's hardware ID against a database of firmware versions that should be installed on each model. If it's different than what it should be, you get a warning.

Firmware validation warning

At this point, though, most people will likely never see this warning; however, if firmware changes are detected, you can send a report to Apple or Ignore. There are some firmware hacks out there that allow you to run High Sierra on unsupported hardware (both Hackintosh and real Macs alike), which will likely trigger this warning, but in those cases users can ignore it if they wish.

All in all, High Sierra promises to be a great update that not only brings some shiny new features but lots of under the hood improvements. After backing up your data and making sure your hardware and software is compatible, we encourage you to install the upgrade. (RELATED: How to Prepare Your Mac for macOS High Sierra.)

Before You Go...

High Sierra will be the last macOS to run 32-Bit software. This not only means saying goodbye to QuickTime Player 7, Microsoft Office 2011 and Adobe CS 6, but also some of the older yet still active malware out there that runs 32-Bit (yay!). The 64-Bit only change is a big one that should not be underestimated as it may impact your day to day activity significantly.

To see how much of your software still runs in 32-Bit, go to your Apple Menu > About this Mac > System Report and find "Applications" in the side bar. This may take a minute to load, but once the full list is presented, click the 64-Bit tab to sort all software by Yes or No.

Everything listed as not being 64-bit will cease to function with the release of the next major OS update in 2018, so start preparing for that change soon. For now, all the software that worked on Sierra should continue to function in High Sierra.

If your hardware is up to the task and all the software you need is compatible, you are ready for macOS High Sierra! Let us know how the update went for you and what your thoughts on High Sierra in the comments below!

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →
  • thomr875

    I checked Adobe Photoshop CS6 under System method and it says 64 bit yes. ?

  • Kay Donovan

    I think the improvements are way too marginal for a new OS. I mean, aside from this article everyone barely mentions this issue

    At least Safari 11 got something new in terms of security, and people notice that.

    But it’s too little.

  • Graeme Cunynghame

    I downloaded high sierra and my system crashed – not impressed. I have Mac Desktop Mid 2011. I must say that Apple appear to be releasing updates without doing all thier research. Very concerning.

  • Thomas Sumner

    Great article, Jay, but I have one question. I checked my list of 64 bit applications and Adobe Photoshop CS6 was listed as a 64 bit application. However Adobe Extension Manager CS6 and Adobe Application Manager were listed as 32 bit. Does this mean that Photoshop CS6 will no longer work after High Sierra?

    • Jay

      I believe the Extension Manager is only relevant for Dreamweaver and maybe a few other Adobe apps, not for Photoshop. So even if that stops working Photoshop should be fine. The same goes for Adobe Application Manager which checks for app updates, it won’t (or shouldn’t) affect Photoshop.

      Best thing to do when the time comes is to clone your system to an external hard drive and run the upgrade there so you can test your applications. If it turns out your applications will no longer work you can just discard the clone and start up from your internal drive again where everything works.

  • Rick Cunnington

    My understanding that APFS does not work with Fusion drives, that file system is not converted. Is that correct?

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}