Digital signing and encryption
Access Control Lists
Keychain data is partitioned and protected with Access Control Lists (ACLs). As a result, credentials stored by third-party apps can’t be accessed by apps with different identities unless the user explicitly approves them. This protection provides the mechanism for securing authentication credentials in Apple devices across a range of apps and services within the organisation.
In the Mail app, users can send messages that are digitally signed and encrypted. Mail automatically discovers appropriate RFC 5322 case-sensitive email address subject or subject alternative names on digital signing and encryption certificates on attached PIV tokens in compatible smart cards. If a configured email account matches an email address on a digital signing or encryption certificate on an attached PIV token, Mail automatically displays the signing button in the toolbar of a new message window. If Mail has the recipient’s email encryption certificate or can discover it in the Microsoft Exchange Global Address List (GAL), an unlocked icon appears in the new message toolbar. A locked lock icon indicates the message will be sent encrypted with the recipient’s public key.
iOS, iPadOS and macOS support per-message S/MIME. This means that S/MIME users can choose to always sign and encrypt messages by default or to selectively sign and encrypt individual messages.
Identities used with S/MIME can be delivered to Apple devices using a configuration profile, a mobile device management (MDM) solution, the Simple Certificate Enrolment Protocol (SCEP) or Microsoft Active Directory Certificate Authority.
macOS 10.12 or later includes native support for personal identity verification (PIV) cards. These cards are widely used in commercial and government organisations for TFA, digital signing and encryption.
Smart cards include one or more digital identities that have a pair of public and private keys and an associated certificate. Unlocking a smart card with the personal identification number (PIN) provides access to the private keys used for authentication, encryption and signing operations. The certificate determines what a key can be used for, what attributes are associated with it and whether it’s validated (signed) by a CA.
Smart cards can be used for two-factor authentication. The two factors needed to unlock a card are “something the user has” (the card) and “something the user knows” (the PIN). macOS 10.12 or later also has native support for smart card login window authentication and client certificate authentication to websites on Safari. It also supports Kerberos authentication using key pairs (PKINIT) for single sign-on to Kerberos-supported services. To learn more about Smart cards and macOS, see Intro to smart card integration in the Deployment Reference for Mac.
Encrypted disk images
In macOS, encrypted disk images serve as secure containers in which users can store or transfer sensitive documents and other files. Encrypted disk images are created using Disk Utility, located in /Applications/Utilities/. Disk images can be encrypted using either 128-bit or 256-bit AES encryption. Because a mounted disk image is treated as a local volume connected to a Mac, users can copy, move and open files and folders stored in it. As with FileVault, the contents of a disk image are encrypted and decrypted in real time. With encrypted disk images, users can safely exchange documents, files and folders by saving an encrypted disk image to removable media, sending it as a mail message attachment or storing it on a remote server. For more information on encrypted disk images, see the Disk Utility User Guide.