eXtensions - Saturday 15 October 2016

System Preferences in macOS, Sierra: Security & Privacy

apple and chopsticks


By Graham K. Rogers

The update of macOS, has seen a number of changes to System Preferences. The Security & Privacy Preferences is similar to what was available before, with one or two user-specific changes. Aapps that interact with the operating system are shown in the Privacy pane.

Security should be a priority for all users. While Mac users claim that macOS is more secure than alternative operating systems, there have been a number of attacks and examples of malware in recent times. There is no reason for complacency, particularly after recent revelations concerning data-sharing and government surveillance.

The Security & Privacy Preferences section works with other parts of System Preferences (like Accessibility and Sharing) for a safer environment. The Security Preference pane has four sections as before: General, FileVault, Firewall and Privacy. There are some minor changes here.

Security & Privacy
General settings in Security & Privacy (screenshot with thanks to "a Reader")


The content of the General pane is almost indistinguishable from the same pane in recent versions of OS X, unless a user owns an Apple Watch (see below). At the top of the pane is a button that allows a user to change the login password for the current account. Using this does not need Admin account privileges: users may change this on their own as long as the padlock at bottom left is open (that will require an Admin password).

If the "Change Password" button is pressed, a panel appears that requires the old password, new password (+ verify), with a panel at the bottom for a password hint.

There are three checkboxes below the Change Password button:

  • Require password specified time after sleep or screensaver activates.

    This is controlled by a button that allows the selection of a time when the screen saver begins. "Immediately" will give the best security, but if hot corners are used the screen saver may be activated accidentally, so an option of 5 seconds is available. Other settings here are 1 minute, 5 minutes, 15 minutes, 1 hour, 4 hours and 8 hours (new). If a user tries to change the set time, a panel appears asking for a user password.

  • Show a message when the screen is locked. A button allows the user to "Set Lock Message...". Before 10.7 this was only possible with a third-party utility like Onyx. The button opens a panel into which a message may be typed. I leave a message - with my phone number - for a potential finder, should I ever lose the Mac.

  • Disable automatic login. The automatic login may make access to the Mac easy, but it is dangerously insecure. Used with the screen-saver lock and Firmware Password Utility (available now by starting up in the Rescue partition - use Command + R) this may prevent unauthorized use of a computer.

Note: with newer Macs the way to reset the Firmware Password Utility, if the password has been forgotten, has been changed and may require several days work at an Apple authorised agent. It is recommended that if Firmware Password Utility is used, the password is written down and locked away.

Security & Privacy

Users who have access to an Apple Watch, will also find a new option in the center area of the panel: Allow Apple Watch to unlock your Mac. Below this is a checkbox for each Apple Watch in use by the user. I have access to two of these devices and checkboxes have appeared on all the Macs I use. As they were updated separately, and the Apple Watch never comes into contact with the Macs (so far), this new feature has been added by iCloud access (Apple Watch > iPhone > iCloud).

Security & Privacy

If a box is checked, a panel appears warning the user that Two-factor authentication must be turned on. The process requires 2-step authentication to be turned off first and some users are reporting difficulties with this. A number of useful articles are available and I suggest reading these:

  • How to protect your Apple ID with Two-factor Authentication (Christian Zibreg, iDownloadBlog)

  • Unlocking a Mac with an Apple Watch requires two-factor, not two-step, iCloud protection - what? (Glen Fleischman, MacWorld)

  • The Apple two-step: My disastrous attempt to use Apple's two-factor authentication (Kirk McElhearn, MacWorld)

[Apart from a certain trepidation about this, I had problems initially with 2-step authentication which I set up months ago, but which needed setting up again. I am holding off taking the final steps as this week the Apple Watch Series 2 is arriving in Thailand and I will wait until I have this in my hands: I will update as and when I am able.]

In the lower half of the General panel are controls connected to the sandboxing of apps that Apple introduced a while ago: Gatekeeper. There are now 2 settings as Apple has tightened security here: Allow apps downloaded from

  • App Store
  • App Store and identified developers

With App Store only apps, there is a built-in secure process for developers to follow before their apps can be authorised for sale: these apps are supposed to be completely secure for users to install.

Identified Developers have registered with Apple and while their apps are not sold via the Mac App Store, the registration with Apple should give users a relative peace of mind as to the safety of the apps. This may apply also to developers who sell via the Mac App Store but who make available trial or beta versions of their software.

By selecting the (now unavailable) third option, it was possible to install any downloaded app, but this may have unacceptable levels of risk for some. There are certain developers, however, whose products are worthy but who have not registered with Apple for this.

Although the missing "Anywhere" option is no longer shown, it is possible to install apps from other sources, although this will require some command line work to make the option reappear in the General tab. An article by Paul Horowitz on OSXDaily explains how this may be done. As this requires use of the SUDO command, it may only be done in an Admin account. With the clear instructions, this was a task of only a few seconds.

Security & Privacy

Information on Gatekeeper and other aspects of Security, is available from the Apple macOS pages.

At the bottom right of all panels in Security & Privacy preferences there is a button marked "Advanced...". It is greyed out if the Padlock has not been opened. Advanced gives access to 2 checkbox options (reduced from 4 in Mountain Lion and 3 in Mavericks) as well as wording changes:

  • Log out after a certain time of inactivity (this option has a box in which a time from 1 - 960 minutes may be entered);

  • Require an administrator password to access system-wide preferences


The feature of FileVault was introduced with OS X 10.3 Panther. It is claimed to use military strength encryption and is intended to protect a user's data: the files that are in the Home folder.

The FileVault icon (a house with a safe dial superimposed) signifies the ability to lock the users Home folder by way of encryption. If activated, files are decrypted and encrypted while working. A user enters the account as normal, using the password. Local users who take advantage of this have told me that the process is seamless.

To start this, users press the single button, "Turn On FileVault" at the top of the pane. The text description to its left is unchanged: "FileVault secures the data on your disk by encrypting its contents automatically."

Security & Privacy

There are two parts to this feature: the file vault protection itself, which will need disk space for the file swapping that will occur; and the Master Password. This is a safety net as it will allow unlocking of any FileVault account on the specific Mac. If this master password is lost, then you can kiss good-bye to your data.

Text beneath indicates if the feature is on or off for the disk.

An extended discussion of FileVault is available online at the O'Reilly Mac Devcenter site: An Unencrypted Look at FileVault, by FJ de Kermadec. This dates from 2003, but the ideas and comments are still valid.


Anyone who does not use a firewall these days is asking for trouble. Since Yosemite the panel has been application-focussed rather than port-focussed as it was in earlier versions of OS X.

The Firewall pane has basic information for the user and two buttons: Turn On Firewall (or Turn Off Firewall if it is ON) and Firewall Options... The buttons can be used only if the security padlock icon is open. The Options panel now has four checkboxes.

Above the main (applications) list is "Block all incoming connections". If this is selected only essential services (DHCP, Bonjour, IPSec) will be able to use internet access.

Applications in the list panel are allowed the access needed, instead of specifying port numbers as was the case earlier. Above the application list are several OS X features that may have been activated in other preferences, such as DVD or CD Sharing, File Sharing (SMB) or others depending on the User's settings.

Security & Privacy

At the bottom of the panel are two icons (+/-) for adding applications to, or removing them from the list. Pressing the Add (+) reveals a Finder panel which allows us to choose an item to be included. This adding is usually carried out automatically, however, when software is installed. Pressing the remove (-) deletes an app from the list with no warning, although the Cancel button will replace a deleted app. Pressing OK will complete the action.

Below the panel are three checkboxes:

  • (New) Automatically allow built-in software to receive incoming connections

  • (Amended) Automatically allow downloaded signed software to receive incoming connections, will allow software with a legitimate, signed certificate to use internet services

  • Enable stealth mode: any outside probing that occurs (such as that shown in logs) will have no response.


The final pane in Security & Privacy preferences, Privacy, has been updated in terms of apps that are now listed.

To the left is a panel that shows any apps or services that are permitted to access specific types of data. Highlighting each will show in the main panel any apps affected and the type of access allowed. A user will be asked to permit such access when setting up OS X or after installing some applications.

To the left is a panel that shows any apps or services that are permitted to access specific types of data. Highlighting each will show in the main panel any apps affected and the type of access allowed. A user will be asked to permit such access when setting up OS X or after installing some applications. This list will differ with each user.

Security & Privacy

The list of apps will differ with each service. A number of system applications and services are shown, including :

  • Location Services - this is enabled and specific applications (now Maps, Calendar, Photos, Reminders, Safari, Weather and others) are able to use Location data. Siri has also been added to this section. Text information below the box tells users that if the location icon appears beside an app, the location was requested within the last 24 hours.

  • Contacts - certain apps are allowed to access data in my list of contacts. A checkbox beside each app allows such access.

  • Accessibility allows the system to use an expanding list of apps, including AppleScript, Automator, Little Snitch, Safari and yType.

  • Diagnostics & Usage - when setting up the account, I specifically agreed to allow access to information for the purposes of diagnostics. A text explanation in the panel has information about the purposes of the data use and there is a link to Apple's Privacy Policy page which explains the reasons for collecting data, what data is collected and the uses it is put.

Calendars and Reminders have been granted access to specific apps. Facebook and Twitter have no apps listed that have requested access to them so far.

See Also:

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs. He is now continuing that in the Bangkok Post supplement, Life. He can be followed on Twitter (@extensions_th)



Made on Mac

For further information, e-mail to

information Tag

Back to eXtensions
Back to Home Page