Apple + Recommended + Security & Privacy
OS X El Capitan: Security and Privacy Features Overview
Posted on by Kirk McElhearn
OS X El Capitan is now available, and it’s time to upgrade your Mac to Apple’s new operating system, if you so desire. El Capitan will run on all Macs that can run Yosemite, so if you’re running OS X 10.10, you should consider upgrading to OS X 10.11.
If you have older hardware, you may hesitate, thinking that El Capitan might slow down your Mac. Keep in mind that, historically, when Apple released a “revision” version of OS X, such as Mountain Lion or Snow Leopard, these newer operating systems were as fast, or even faster than their predecessors. I’ve only tested El Capitan on recent Macs, but if you’re hesitant, wait a week or so and see what the various Mac websites report about its speed on older Macs.
In addition to the widely-publicized features in a new operating system, there are always under-the-hood improvements that make the upgrade worthwhile. In OS X El Capitan, there are a few key security and privacy features that will make Macs much harder to attack, and that will protect your data.
El Capitan’s Basic Security Features
Last year, when OS X 10.10 was released, I wrote an overview of Yosemite’s security and privacy features. None of these features have changed; in fact, if you compare the Security & Privacy pane of System Preferences, you won’t see any differences. See that previous article to learn how to set your Mac’s basic security settings.
But Apple has incorporated several security features into OS X 10.11, some of which are quite important. Here’s a look at these new features.
Apple has offered two-factor authentication for some time (here’s how you set it up), but with the release of iOS 9 and OS X El Capitan, Apple is changing the way this works. Previously, you had to save a recovery key, a long string of characters that Apple suggested you print out and store in a safe place. This presented a number of problems, however, such as people not saving it, losing it, or not being in the location where it was stored when they needed to access it.
It’s a good idea to turn on two-factor authentication, especially now that the process is a bit simpler. If, however, you get locked out of your account, it can take several days for Apple to reinstate it. If this happens, go to iforgot.apple.com and follow the instructions. Apple will contact you and ask you a number of questions, so you can prove that you are, indeed, you, and have not been replaced by an alien or a cyborg.
Note that with the new Apple two-factor authentication, you should be running OS X El Capitan and iOS 9 on all your devices. So, if you’ve already updated your iOS devices to iOS 9, and you’re updating your Mac to El Capitan, then you can turn this on. Find out more here.
System Integrity Protection, or Rootless
This sounds quite technical, and it is, but System Integrity Protection, or Rootless, makes your Mac much more secure. This technology ensures that system files can only be modified by the Installer app, or by software updates that are installed through the App Store app. This means that even administrators can’t change or delete these files.
On a Unix-based operating system, such as OS X, each user has an account. There are standard users, who can only access their files, and administrators, who are allowed to alter other files, as well as install or delete applications. There’s also a hidden user called “root,” who has access to everything; this is the user with the master keys to the operating system. An administrator can have temporary root access to make changes to essential files, such as when installing applications.
The problem is not so much that an administrator will do damage to the operating system; if you accidentally delete a file, your Mac may not start up, and you’ll have to re-install OS X. The real risk is that if, say, an administrator downloads an application and installs it, he or she may be unwittingly installing malware. This application will be able to delete or change any files on the Mac, because of the administrative privileges of the person who installed it.
With System Integrity Protection, this changes. Administrators no longer have this root access, and won’t be able to change anything in the root System folder, or in a few hidden folders, such as /bin, /sbin, and /usr. However, the /usr/local folder will still be accessible to apps, because it’s long been used to house temporary files.
When you upgrade to El Capitan, some files that have been installed in the above directories might be removed; you may need to reinstall some of your apps. But most apps don’t install anything there, so few users will actually notice any changes.
Nevertheless, if you really need root access — and if you do, you know who you are — there will be a way to get this. Boot into the recovery partition, choose Utilities > System Configuration, and then uncheck Enforce System Integrity Protection. Click Apply Configuration, and then restart your Mac.
One side-effect of this is that the Disk Utility app will no longer let you repair permissions. Repairing permissions have long been a sort of voodoo that people hoped would fix certain problems on Macs, but actually, in most cases, did nothing. In the future, permissions will be checked and fixed, if needed, when you install or update software.
App Transport Security
When you see a web site URL, you may see that it’s prefaced by http://. This means hypertext transfer protocol, and it’s the backbone of the way the Internet uses web addresses; the http part of the URL indicates that you’re requesting a web server, as opposed to, say, an FTP server.
However, sometimes you see https:// before a URL; when you visit a web page with this type of URL, you also see a padlock in your browser’s address bar. Https is the secure version of the hypertext transfer protocol, and any data you send or receive is encrypted. This is essential when you enter a password or credit card number on a website to ensure that people capturing traffic at different web servers, or over insecure Wi-fi, can’t discover your credentials.
Security experts are increasingly pointing out the need for all web traffic to be secure, and to use https. As such, Apple has added App Transport Security, in both iOS 9 and El Capitan, which requires that any app that requests data via http use the secure version, or https.
Since apps you use may access web servers, Apple requires that they now only use https to ensure that your data cannot be compromised.
El Capitan also fixes a number of bugs and vulnerabilities in OS X. If only for the security features, it’s worth updating to El Capitan.
- 15 Mac-Hardening Security Tips to Protect Your Privacy
- Intego Software Updated for OS X El Capitan Compatibility
- iOS 9 Security and Privacy Features Explained