Controlling app access to files in macOS
Apple believes that users should have full transparency, consent and control over what apps are doing with their data. In macOS 10.15, this model is enforced by the system to help ensure that all apps must obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive and network volumes. In macOS 10.13 or later, apps that require access to the full storage device must be explicitly added in System Preferences. In addition, accessibility and automation capabilities require user permission to help ensure they don’t circumvent other protections. Depending on the access policy, users may be asked or required to change the setting in System Preferences > Security & Privacy > Privacy:
User prompted by app
User must edit system privacy settings
Full internal storage access
Files and folders
Note: Includes Desktop, Documents, Downloads, network volumes and removable volumes
Automation (Apple events)
Items in the user’s Bin are protected from any apps that are using Full Disk Access; the user won’t get prompted for app access. If the user wants apps to access the files, they must be moved from the Bin to another location.
A user who turns on FileVault on a Mac is asked to provide valid credentials before continuing the boot process and gain access to specialised startup modes. Without valid login credentials or a recovery key, the entire volume remains encrypted and is protected from unauthorised access, even if the physical storage device is removed and connected to another computer.
To protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using mobile device management (MDM). Organisations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with MDM for escrow) or a combination of both. Key rotation can also be set as a policy in MDM.