AMITIAE - Sunday 10 November 2013

System Preferences in OS X 10.9, Mavericks: Security & Privacy

apple and chopsticks


By Graham K. Rogers

The recent update of OS X to version 10.9, Mavericks, has seen several changes to System Preferences. The Security & Privacy Preferences is similar to what was available in OS X 10.8, Mountain Lion. There are, however, several additions to the way apps now interact with the operating system, which is reflected in more complex settings found in the Privacy pane.

Security is not an option and should be a priority for all users. While Mac users claim that OS X is more secure than alternative operating systems, this is less so than before and there is no reason for complacency, particularly after recent revelations concerning data-sharing.

The Security & Privacy Preferences section works with other parts of System Preferences (like Accessibility, Users & Groups, and Sharing) for a safer environment if used properly. The Security Preference pane has four sections: General, FileVault, Firewall and Privacy. There are several changes here, particularly to the Privacy pane.

Security & Privacy


The General pane is almost indistinguishable from the same pane in Mountain Lion, although there are slight wording changes. At the top of the pane is a button that allows a user to change the login password if one has been set. Using this does not need Admin account privileges: users may change this on their own as long as the padlock at bottom left is open (that will require an Admin password.

If the "Change Password" button is pressed, a panel appears that requires the old password, new password (+ verify), with a panel at the bottom for a password hint.

Guard passwords carefully. Someone I know came home recently to find that his 4 year-old son had changed the password, which not only locked him out, but stopped access to passwords stored in Keychain Access

There are three checkboxes below the Change Password button:

  • Require password specified time after sleep or screensaver activates.

    This is controlled by a button that allows the selection of a time when the screen saver begins. "Immediately" will give the best security, but if hot corners are used the screen saver may be activated accidentally, so an option of 5 seconds is available. Other settings here are 1 minute, 5 minutes, 15 minutes, 1 hour and 4 hours.

  • Show a message when the screen is locked. A button allows the user to "Set Lock Message...". Before 10.7 this was only possible with a third-party utility like Onyx. The button opens a panel into which a message may be typed. On my computer, the same message I had used in Mountain Lion, and which was originally entered using Onyx (pre-10.7) is still shown.

  • Disable automatic login. The automatic login may make access to the Mac easy, but it is dangerously insecure. Used with the screen-saver lock and Firmware Password Utility (available now by starting up in the Rescue partition - use Command + R) this may prevent unauthorized use of a computer.

    Note, with newer Macs the way to reset the Firmware Password Utility has been changed and may require several days work at an Apple authorised agent. It is recommended that if Firmware Password Utility is used, the password is written down and locked away.

In the lower half of the General panel are controls connected to the sandboxing of apps that Apple introduced a while ago: Gatekeeper. There are 3 settings: Allow apps downloaded from

  • Mac App Store
  • Mac App Store and identified developers
  • Anywhere

With App Store only apps, there is a built-in secure process for developers to follow before their apps can be authorised for sale: these apps are supposed to be completely secure for users to install.

Identified Developers have registered with Apple and while their apps are not sold via the Mac App Store, the registration with Apple should give users a relative peace of mind as to the safety of the apps. This may apply also to developers who sell via the Mac App Store but who make available trial or beta versions of their software.

By selecting the third option, it is possible to install any downloaded app, but this may have unacceptable levels of risk for some. There are certain developers, however, whose products are worthy but who have not registered with Apple for this. Users may still want to download and install these while maintaining a higher level of security.

If a user tries to install any such App from an unrecognised developer a warning panel will appear. To install, the user should find the icon in the Applications folder. Control click on the icon and select Open. For those who work in a user account, this needs Admin privileges. Once the password is entered the app opens and will for evermore.

Information on Gatekeeper and other aspects of Security, is available from the Apple OS X pages.

Security & Privacy

At the bottom right of all panels in Security & Privacy preferences there is a button marked "Advanced...". This has 3 checkbox options (reduced from 4) as well as wording changes:

  • Log out after a certain time of inactivity (this option has a box in which a time from 1 - 960 minutes may be entered);
  • Require an administrator password to access system-wide preferences (new wording here)
  • Disable remote control infrared receiver.

Text below the last checkbox item tells users that the computer will work with any available remote. There is a Pair button that makes sure only a specific remote control may be used with the computer. When a Remote control device is paired, that button changes to Unpair. If the box is checked, the text below reads, "This computer will not work with any remote" and the Pair button is greyed out.


The feature of FileVault was introduced with OS X 10.3 Panther. It is claimed to use military strength encryption and is intended to protect a user's data: the files that are in the Home folder.

The FileVault icon (a house with a safe dial superimposed) signifies the ability to lock the users Home folder by way of encryption. If activated, files are decrypted and encrypted while working. A user enters the account as normal, using the password.

To start this, users press the single button, "Turn On FileVault" at the top of the pane. The text description to its left is unchanged: "FileVault secures the data on your disk by encrypting its contents automatically."

Security & Privacy

There are two parts to this feature: the file vault protection itself, which needs much hard disk space for the file swapping that will occur; and the Master Password. This is a safety net as it will allow unlocking of any File Vault account. If this master password is lost, then you can kiss good-bye to your data.

Text beneath indicates if the feature is on or off for the disk.

An extended discussion of FileVault is available online at the O'Reilly Mac Devcenter site: An Unencrypted Look at FileVault, by FJ de Kermadec. This dates from 2003, but the ideas and comments are still valid.


Anyone who does not use a firewall these days is asking for trouble. There were significant changes to the firewall in OS X Leopard. The panel in Mavericks appears to be similar. It is application-focussed rather than port-focussed.

The Firewall pane has basic information for the user and two buttons: Turn On Firewall (or Turn Off Firewall if it is ON) and Firewall Options... The advanced panel can be accessed only if the security padlock icon is open.

The Options panel has three checkboxes. Above the main (applications) list is "Block all incoming connections". If this is selected only essential services (DHCP, Bonjour, IPSec) will be able to use internet access.

An applications list panel allows an application the access needed, instead of specifying port numbers as was the case earlier. Above the application list are several OS X features that may have been activated in other preferences, such as DVD or CD Sharing or Screen Sharing.

Security & Privacy

At the bottom of the panel are two icons (+/-) for adding applications to or removing them from the list. Pressing the Add (+) reveals a Finder panel which allows us to choose an item to be included. This adding is usually carried out automatically when software is installed. Pressing the remove (-) removes an app from the list with no warning, although the Cancel button will replace a deleted app. Pressing OK will complete the action.

Below the panel are two checkboxes:

  • Automatically allow signed software to receive incoming connections, will allow only software with a legitimate, signed certificate to use internet services

  • Enable stealth mode: any outside probing that occurs (such as that shown in logs) will have no response. The computer will appear not to exist.


The final pane in Security & Privacy preferences, Privacy, has been updated in terms of the number of apps that are now listed.

To the left is a panel that shows any apps or services that are permitted to access specific types of data. Highlighting each will show in the main panel any apps affected and the type of access allowed. A user will be asked to permit such access when setting up OS X or after installing some applications.

To the left is a panel that shows any apps or services that are permitted to access specific types of data. Highlighting each will show in the main panel any apps affected and the type of access allowed. A user will be asked to permit such access when setting up OS X or after installing some applications.

In Mountain Lion, 4 apps were shown in the list. With Mavericks, the list has been expanded (in the same way as in Internet Accounts and Notifications. There are now 9 listed, including Accessibility

Security & Privacy

The list of apps will differ with each user. Examples I have, include:

  • Location Services - this is enabled and specific applications (now Calendar, Safari and Maps) are able to use Location data. Text information below the box tells users that if the location icon appears beside an app, the location was requested within the last 24 hours.

  • Contacts - certain apps (in my case now Aperture, Pages, iWatermark as well as Skype) are allowed to access data in my list of contacts.

  • Accessibility allows the system to use apps that include Automator, Little Snitch, System Events and yType.

  • Diagnostics & Usage - when setting up the account, I specifically agreed to allow access to information for the purposes of diagnostics. A text explanation in the panel has information about the purposes of the data use and there is a link to Apple's Privacy Policy page which explains the reasons for collecting data, what data is collected and the uses it is put.

Calendars, Facebook, Linkedin, Reminders, Twitter have no apps listed as yet that have requested access to them.

See Also:

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.



Made on Mac

For further information, e-mail to

information Tag

Back to eXtensions
Back to Home Page