Controlling app access to files in macOS
Apple believes that users should have full transparency, consent, and control over what apps are doing with their data. In macOS 10.15, this model is enforced by the system to help ensure that all apps must obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. In macOS 10.13 or later, apps that require access to the full storage device must be explicitly added in System Preferences. In addition, accessibility and automation capabilities require user permission to help ensure they don’t circumvent other protections. Depending on the access policy, users may be asked to, or required to, change the setting in System Preferences > Security & Privacy > Privacy:
User prompted by app
User must edit system privacy settings
Full internal storage access
Files and folders
Note: Includes Desktop, Documents, Downloads, network volumes, and removable volumes
Automation (Apple events)
Items in the user’s Trash are protected from any apps that are using Full Disk Access; the user won’t get prompted for app access. If the user wants apps to access the files, they must be moved from the Trash to another location.
A user who turns on FileVault on a Mac is asked to provide valid credentials before continuing the boot process and gain access to specialized startup modes. Without valid login credentials or a recovery key, the entire volume remains encrypted and is protected from unauthorized access, even if the physical storage device is removed and connected to another computer.
To protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using mobile device management (MDM). Organizations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with MDM for escrow), or a combination of both. Key rotation can also be set as a policy in MDM.