By Graham K. Rogers

Recently updated to version 10.8, Mountain Lion, Apple's OS X has had many changes to System Preferences. The Security & Privacy preferences has had several changes and it is here that the way apps may be downloaded and installed is controlled as well as other features concerning access from outside.

Security should be a priority for all users. While Mac users claim that OS X is more secure than alternative operating systems, this is less so than before and there is no reason for complacency.

The Security & Privacy Preferences section works with other parts of System Preferences (like Users & Groups and Sharing) for a safer environment if used properly. The Security Preference pane has four sections: General, FileVault, Firewall and Privacy. There are several changes here, particularly to the General pane.

General

Similarly, a checkbox that allows the user to require a password after sleep or when the screen saver has displayed, is also live for the account user. A button is available to set a time before the password is required. Immediately will give the best security, but if hot corners are used the screen saver may be activated accidentally so an option of 5 seconds is available. Other settings here are 1 minute, 5 minutes, 15 minutes, 1 hour and 4 hours.

Changes to settings below these two require the lock icon to be undone which may require the assistance of an administrator for the computer.

A major change in this panel is to the way a user may add a message that can be viewed when the screen is locked. Before 10.7 this was only possible with a third-party utility like Onyx. With the latest update to OS X, the feature has been moved up the panel and the text box is no longer visible. A button, marked Set Lock Message opens a drop-down text box. On my computer, the same message entered using Onyx (pre-10.7) is still shown.

A further check box prevents automatic log-in. Used with the screen-saver lock, Firmware Password Utility (available now by starting up in the Rescue partition, by using Command + R) this may prevent unauthorized use of a computer.

In the lower half of the panel are new controls connected to Apple's sandboxing of apps: Gatekeeper. There are three settings -

Allow applications downloaded from:

• Mac App Store
• Mac App Store and identified developers
• Anywhere

The settings reflect Apple's take on security. With App Store only apps, there is a built-in secure process for developers to follow before their apps can be authorised for sale: in this case, these apps are supposed to be completely secure for users to install.

Identified Developers have registered with Apple and while they may not wish to have their apps sold via the Mac App Store, the registration with Apple should give users a relative peace of mind as to the safety of their products. This may apply also to developers who sell via the Mac App Store but who make available trial or beta versions of their software.

All the rest, may or may not be trusted and this is the user's decision. By selecting the third option, it is possible to install anything and this may have unacceptable levels of risk for some. However, there are certain developers whose products are worthy but who have not registered with Apple for this. Users may still want to download and install these while maintaining a higher level of security.

If a user tries to install such an App from an unrecognised developer this will be stopped by the system and a warning panel will appear. To install, the user should find the icon in the Applications folder. Control click on the application's icon and select Open. If you work in a user account like I do, this does need Admin privileges, but I entered the password and now the app opens and will for evermore.

At the bottom right of all panels in Security & Privacy preferences there is now a button marked "Advanced...". This has a number of checkbox options that were previously on the General pane:

• Log out after a certain time of inactivity (this option has a box in which a time from 1 - 960 minutes may be entered);
• Require an administrator password to access locked preferences;
• Automatically update safe downloads list
• Disable remote control infrared receiver.

Text below the last checkbox item tells users that the computer will work with any available remote. There is a Pair button that makes sure only a specific remote control may be used with the computer. If the box is checked, the text below reads, "This computer will not work with any remote" and the Pair button is greyed out.

Information on Gatekeeper and the related security is available on the Apple Website.

FileVault

The button has now been moved to the top of the pane and the text description to its left has been changed: "FileVault secures the data on your disk by encrypting its contents automatically." [Previously: FileVault secures the data on your disk by encrypting its contents. It automatically encrypts and decrypts your files while you're using them.]

There are two parts to this feature: the file vault protection itself, which needs a considerable amount of hard disk space for the file swapping that will occur; and the Master Password. This is a safety net as it will allow unlocking of any File Vault account. If this master password is lost, then you can kiss good-bye to your data.

Text beneath indicates if the feature is on or off for the disk.

An extended discussion of FileVault is available online at the O'Reilly Mac Devcenter site: An Unencrypted Look at FileVault, by FJ de Kermadec. Although this dates from 2003, the principles are still valid and may be of interest to some.

Firewall

The Options panel has three checkboxes. Above the main (applications) list is Block all incoming connections. If this is selected only essential services (DHCP, Bonjour, IPSec) will be able to use internet access.

An applications list panel allows a feature or program the correct access instead of specifying port numbers as was the case before Leopard. A checkbox when active will Automatically allow signed software to receive incoming connections. Above the application list are several OS X features that may have been activated in other preferences, such as DVD or CD Sharing or Screen Sharing.

Below the panel are two icons (+/-) for adding applications to or removing them from the list. Pressing the Add (+) reveals a Finder panel which allows us to choose an item to be included. As software is installed, however, this adding is usually carried out automatically. Pressing the remove (-) removes an app from the list with no warning.

One more check box in the Options panel allows activation of Stealth mode, so that any outside probing that occurs (such as that shown in logs) will have no response: the computer will not even appear to exist.

Privacy

To the left is a panel that shows any apps or services that are permitted to access specific types of data. Highlighting each will show in the main panel any apps affected and the type of access allowed. A user will be asked to permit such access when setting up OS X or after installing some applications.

Examples I have are:

• Location Services - this is enabled and specific applications (Safari and Reminders) are able to use Location data. Text information below the box tells users that if the location icon appears beside an app, the location was requested within the last 24 hours.

• Contacts - certain apps (in my case Skype) are allowed to access data in my list of contacts.

• Twitter - Any apps that request access to Twitter (none at this time) will be listed in the main panel.

• Diagnostics & Usage - when setting up the account, I specifically agreed to allow access to information for the purposes of diagnostics. A text explanation in the panel has information about the purposes of the data use and there is a link to Apple's Privacy Policy page which explains the reasons for collecting data, what data is collected and the uses it is put.

At the bottom right, as in all panels of the Security & Privacy preferences there is a button marked "Advanced...". This has several checkbox options that were previously on the General pane (See General, above).

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.