macOS Mojave: Better app privacy can also lead to app failure

Every year, Apple introduces many exciting and cool new consumer-centric features into its platforms. Less exciting, though no less important, are the many security and enterprise features that Apple users also get to enjoy.

The upcoming release of macOS Mojave is keeping many enterprises on their toes this week, especially regarding some important app changes. These updates will shape app behavior on Macs to match the app experience on iOS, a significant change your IT organization should start preparing for now. If you have a current macOS deployment, keep reading, because your app performance will likely depend on it.

Once your users upgrade to macOS Mojave, they may discover that their apps no longer perform as expected. Here’s why: until now, applications installed on Macs have had many privileges that were not always necessary for them to run, including access to files, the camera, the microphone, and so on. Some of these apps were recently found to be stealing and uploading browser history. Apple may have closed that hole for now. See Apple’s release notes here, which explain the new privacy feature in macOS Mojave:

You can allow apps to access certain files used for system administration, and to allow access to application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. MDM administrators can manage these requests using the Privacy Preferences Policy Control payload, as documented in the Configuration Profile Reference.

So, what does this mean for your enterprise? There are two main takeaways from this announcement:

  1. Applications that have been using application data without user consent will now have to request explicit user consent. If the user denies the request, the application may no longer work as usual. At WWDC, application developers were shown how to update their applications to create a better user experience.
  2. Users don’t have to be responsible for choosing these permissions. Apple has provided MDM configurations that allow IT to grant most of these runtime permissions to applications on behalf of users. This gives users a seamless experience, and IT can ensure that only the necessary permissions are granted to IT-sanctioned apps. Other apps do not get access to a user’s microphone or camera, for instance.

Taking these permission options away from users can help IT prevent unsanctioned conferencing or other rogue apps from accessing the mic or camera or files on the device.

Figure: Application seeking permission to System Events

IT can also restrict access to system files to sanctioned applications only. This example shows how an application is seeking permission to System Events, which might not be in the best interest of IT.

However, a user might be easily confused by all of these notifications and accidentally make choices that put enterprise data at risk — a situation that IT needs to fix immediately. New MDM configurations can help eliminate frustration and potential risk by keeping these options invisible to the end user.

MobileIron can help IT make these choices on macOS by distributing the necessary Privacy Preferences Policy Controls, which allow enterprises to keep pace with Apple’s features. However, if you need more time to prepare, you can defer this upgrade for 90 days — an option that is also available through MDM.

Protected data includes:

  • AddressBook - Contact information managed by
  • Calendar - Calendar information managed by
  • Reminders - Reminders information managed by
  • Photos - Pictures managed by in ~/Pictures/.photoslibrary
  • Camera - Access to the camera cannot be given in a profile; it can only be denied
  • Microphone - Access to the microphone cannot be given in a profile; it can only be denied
  • Accessibility - Controls the application via the Accessibility subsystem
  • PostEvent - Allows the application to use CoreGraphics APIs to send CGEvents to the system event stream
  • SystemPolicyAllFiles - Allows the application to access all protected files, including system administration files
  • SystemPolicySysAdminFiles - Allows the application to access some files used in system administration
  • AppleEvents - Allows the application to send a restricted AppleEvent to another process

Moving forward, we can expect many more security features that can be configured through MDM or unified endpoint management (UEM) providers such as MobileIron. Like any other modern OS, macOS is a target for attacks. Therefore, securing Mac endpoints through a UEM platform should not be an afterthought, especially as enterprises are increasingly expanding their Mac footprint. Learn more about iOS 12’s new enterprise features and why they matter to your company.