Controlling app access to files in macOS
Apple believes that users should have full transparency, consent, and control over what apps are doing with their data. In macOS 10.15 or later, this model is enforced by the system to help ensure that all apps have obtained user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes.
In macOS 10.13 or later, apps that require access to the full storage device must be explicitly added in System Settings (macOS 13 or later) or System Preferences (macOS 12 or earlier). In addition, accessibility and automation capabilities require user permission to help ensure that they don’t circumvent other protections. Depending on the access policy, users may be asked, or required, to change the setting in:
In macOS 13 or later: System Settings > Privacy & Security > Privacy
In macOS 12 or earlier: System Preferences > Security & Privacy > Privacy
Item | User prompted by app | User must edit system privacy settings |
---|---|---|
Accessibility | ||
Full internal storage access | ||
Files and folders Note: Includes Desktop, Documents, Downloads, network volumes, and removable volumes | ||
Automation (Apple events) |
A user who turns on FileVault on a Mac is asked to provide valid credentials before continuing the boot process and gain access to specialized startup modes. Without valid login credentials or a recovery key, the entire volume remains encrypted and is protected from unauthorized access, even if the physical storage device is removed and connected to another computer.
To protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using a mobile device management (MDM) . Organizations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with MDM for escrow), or a combination of both. Key rotation can also be set as a policy in MDM.