Switch between removable and full disk access for apps on macOS

A few years ago, Apple added the ability to macOS to restrict which apps can access files and folders stored on local volumes connected to your Mac.

Some apps, such as Finder, require this access. However, for third-party apps, you may not want to allow them to access your files.

macOS has preferences System settings Allow or deny apps access to files.

Some apps can also access removable volumes such as USB thumb drives and CD/DVD volumes inserted in your Mac’s DVD drive.

You can also configure which apps can access removable files System settings. Not all apps offer this feature. If provided, the app and its settings are System Settings -> Security & Privacy Pain.

When you build Mac apps using Apple’s Xcode development environment, certain security settings are included in each app bundle. These are based on how developers configured these settings in Xcode.

One of these settings is whether to allow access to files and folders.

If the app developer included this setting when building the app, the setting is System Settings -> Security and Privacy -> Files and Folders Pain. If not, your app will not be listed there.

Specifically, these settings are configured on each build target. Signatures and Features -> App Sandbox -> File Access Xcode settings:

Target app sandbox settings for Apple’s Xcode.

App Sandbox is a security system built into macOS that blocks app access from sensitive parts of the system, such as the file system and network, by default. Apps can only access parts of the system that they have been given permission to access.

These settings in Xcode include specific user folders such as Downloads, Photos, and Music, but also the following settings: File selected by user.

This setting allows third-party apps to allow users to use standard macOS system[ファイル セレクター シートを開く]You can now select the files you want to access using Developers can also specify whether read-only or read/write access is allowed.

of Hardware -> USB Checkboxes in Xcode determine whether apps can access USB devices, including thumb drives.

How you configure these settings when you build your app determines whether they appear in the file and removable access system settings.

Developers can also completely turn off all file access, denying access to files at the system security level, regardless of what APIs the app calls. There are also sandbox settings for camera, audio, printing, and Bluetooth.

For example, this is why you may see a macOS alert the first time you run a VOIP app, such as Skype or some gaming apps, that requires access to your computer’s microphone.

In summary, app sandbox settings limit or allow what kind of access your app has to your Mac. Apple added these settings to macOS to prevent malware from performing actions such as sending the entire contents of your startup disk to a malicious attacker.

With app sandboxing and other security features, you don’t have to worry as much about downloading a Mac app and having all your local data captured the moment you run it.

All macOS apps distributed in the Mac App Store must have sandboxing enabled in Xcode at build time, even if all settings are turned off.

When it comes to file and folder access, you can toggle these settings in two places: System settings App:

1. System Settings -> Security and Privacy -> Files and Folders
2. System Settings -> Security & Privacy -> Full Disk Access

in the case of full disk accessThere is no setting in Xcode for app sandbox. When enabled full disk accessyou are giving the app access to all files on the startup disk at the OS level, not just specific folders or files selected by the user.

full disk access should be changed as it is a more general and serious level of security. full disk access Be careful, as doing so will give the app in question free reign over your Mac’s startup disk.

Full disk access to apps in the macOS System Settings app.

For removable drives, you’ll see an additional switch for the app if it’s configured to allow access to removable volumes. files and folders Pain. Not all apps support removability.

Additional switches may appear in each of the user folders listed above, and possibly on the desktop as well. If you need or have an app full disk access When checked, the title will appear next to the app files and folders The pane is visible but grayed out.

Enable removable access in macOS system settings.

Obviously, if you allow the app, full disk accessNo separate permission switch is required. files and folders Pain.

System Settings -> Security & Privacy -> Full Disk Access You can configure which apps are allowed full disk access.

You can turn off full disk access for Finder and Dock apps. However, since these are both integral parts of the Finder and both are provided by Apple, you probably shouldn’t use them.

The only reason to turn off access to these apps is if you want your Mac to act like a kiosk, or if you want to restrict file access by, for example, your children.

Network-based apps in particular should not be granted full disk access, as this increases security risks. One example is a malicious Java applet or extension downloaded via a web browser.

macOS also uses gatekeepers and runtime protections to protect core parts of the operating system and its files from third-party apps. This makes it impossible to tamper with the system.

Gatekeeper also provides some level of confidence that the app comes from a real registered developer and is not fake.

Gatekeeper apps must be digitally signed by Xcode before being distributed in the Mac App Store. If they have been tampered with, Finder will notify you when you try to launch them.

The Mac App Store also employs notarization and encrypted digital receipt verification to ensure that downloaded Mac apps are not compromised.

Overall, these security settings help strengthen your Mac’s security and mean it’s much harder for malware to penetrate your Mac’s defenses. It also helps protect your private files.

We recommend checking these settings to ensure all apps have maximum security. Also, be sure to review the Apple Platform Security Guide.