(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Downloadable PDF with screen shots

Apple is expected to release the next version of its operating system on or around September 20th, 2016 [1]. The current version of OS X, 10.11, also known as El Capitan, has been updated several times with various bug fixes. Currently, you should be running 10.11.6. It is possible that when Apple releases Sierra, another bug fix and security update will be released for El Capitan.

To find out which version of OS X you are running, select About This Mac from the Apple menu (the Apple logo in the upper left-hand corner of the screen).

We will cover the upgrade process only at this point. Most users will receive macOS Sierra as an Upgrade and not install it from scratch. But I bet some of the tips here apply to regular installs as well. To make this guide as generic as possible, I used a plain install of OS X El Capitan without any significant adjustments (I swapped backgrounds for a plain blue one to make the screen shots simpler).

I will not cover features that remained the same (e.g. FileVault).

The initial upgrade via the App Store is simple, and there are no options to choose. You download and install macOS Sierra and reboot your system once you are done. We start this guide after the first log-in after the upgrade.

Please only update via the App Store. Do not download macOS Sierra from any other sources. Make sure to make a full back up before you initiate the update.

If multiple users use a system, then each user has to follow the same procedure.

iCloud Credentials

After logging in, you are asked for iCloud credentials. There is an option to skip this step, but I opted for entering iCloud credentials. Many of the privacy issues with OS X are related to iCloud. But at the same time, many features are linked to iCloud. I doubt many users will disable iCloud.

iCloud Keychain

Next, you will be asked to set up iCloud Keychain. I opted against this. iCloud Keychain synchronizes your OS X keychain across devices. You may still use the keychain locally without synchronization. According to Apple, the keychain is encrypted before it is uploaded to the cloud [2], and Apple requires that you set up an iCloud Security Code when you enable iCloud Keychain. But anybody who obtains your iCloud password together with that Security Code (or approval from a device already set up with the keychain) will be able to restore your keychain and with that all passwords stored in it. Please make sure to use a strong password and enable two-factor authentication before enabling iCloud Keychain.

iCloud Shared Document and Desktop Folder

During your first login, you are asked if you would like to store files from the Documents and Desktop folder on your iCloud drive. I opted out of this option. This feature may expose files to iCloud that you are not willing (or authorized) to share on cloud-based services.

Siri

macOS Sierra comes with Siri enabled by default. Not everybody may be comfortable with having Siri listen in. Just like on iOS, Siri uses a cloud-based service to analyze voice commands, so whatever you dictate leaves the machine. I disabled Siri; it has its own pane in System Preferences, and you can remove the Siri icon from the dock by right-clicking it and selecting Options > Remove from Dock.

To verify that Siri is disabled, check the Siri dialog in System Preferences. The Enable Siri checkbox should be unchecked.

Apple Watch Screen Unlock

If you own an Apple Watch and upgraded it to watchOS 3, then you will be able to unlock your system using your watch. Connecting your watch will only work if you have two-factor authentication enabled for your iCloud account, and your watch has to be secured with a passcode. By default, the feature is turned off. You should be able to enable Apple Watch unlock in the Security & Privacy pane of System Preferences. But lacking a compatible watch, I wasn't able to see the dialog.

Continuity / Universal Clipboard

Continuity existed in OS X El Capitan and allows sharing content between iOS and OS X devices. One significant new security-relevant feature in macOS Sierra is the ability to unlock the screen with your Apple Watch, covered above. There is also a cross-device clipboard (Universal Clipboard) to copy/paste between devices. The clipboard could expose sensitive content to other devices, for example if you copy/paste passwords from a password-wallet type application: whatever you copy on one device becomes available to every nearby device signed into the same iCloud account. There is no dedicated switch for Universal Clipboard; it relies on Handoff, so turning Handoff off (System Preferences > General > Allow Handoff between this Mac and your iCloud devices) disables it as well. For these features to work, you need to link all devices to the same iCloud account, and then enable Wi-Fi as well as Bluetooth on all devices.

Optimized Storage

macOS Sierra can move files to iCloud to save disk space. For files like iTunes movies and music which you downloaded from Apple, this is probably less of an issue. But it may also affect other files that haven't been opened in a while. To review optimized storage settings, click on About This Mac in the Apple menu, then select Storage and click on the Manage button. The Recommendations menu will allow you to turn on some of these features. To turn them off, you will need to disable them in your iCloud settings, or, for the automatic emptying of the trash, in Finder's preferences (Finder > Preferences > Advanced).

Gatekeeper

Gatekeeper limits which applications a user may execute. OS X El Capitan had three settings: Mac App Store, Mac App Store and identified developers, and Anywhere. macOS Sierra dropped the last option from the dialog. Instead, if you try to launch an application that is unsigned (or not signed by an identified developer), Gatekeeper blocks it; you then open the Security & Privacy pane, where a button lets you allow that specific application to run. You will only have to do this the first time you run the application. This per-application override behaves the same as in OS X El Capitan; only the permanent Anywhere setting is gone. macOS Sierra also relabeled the options to App Store instead of Mac App Store.
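The Gatekeeper state can also be checked from the command line, which is handy when you want to confirm what the dialog says or audit several machines. The script below is an added example and not part of the diary; it wraps the spctl and codesign tools that ship with macOS. `spctl --status` reports whether assessments are enforced (the hidden Anywhere setting corresponds to `sudo spctl --master-disable`, which makes it report "assessments disabled"), and `spctl --assess` tells you whether a given bundle would be allowed to launch and why. The application path is a placeholder; the output strings in the comments are the forms these tools print.

```shell
#!/bin/sh
# Added example (not from the ISC diary): audit Gatekeeper from the command line
# with the spctl and codesign tools that ship with macOS.
#
#   spctl --status
#       -> "assessments enabled"  (normal; App Store / identified developers)
#       -> "assessments disabled" (the hidden "Anywhere" setting,
#                                  set with: sudo spctl --master-disable)
#   spctl --assess --type execute --verbose=4 /path/App.app
#       -> "/path/App.app: accepted" followed by a "source=..." line, or
#       -> "/path/App.app: rejected"  followed by e.g. "source=no usable signature"
#
# Parsing is kept in small functions so the logic can be exercised without a Mac.

# classify_status: turn the output of `spctl --status` into a one-word verdict.
classify_status() {
    case "$1" in
        *"assessments enabled"*)  echo "enforced" ;;
        *"assessments disabled"*) echo "anywhere" ;;
        *)                        echo "unknown" ;;
    esac
}

# classify_assessment: turn the output of `spctl --assess` into accepted/rejected.
classify_assessment() {
    case "$1" in
        *": accepted"*) echo "accepted" ;;
        *": rejected"*) echo "rejected" ;;
        *)              echo "unknown" ;;
    esac
}

# assessment_source: extract the "source=" line, e.g. "Mac App Store",
# "Developer ID", or "no usable signature" for an unsigned bundle.
assessment_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# audit_app: run the live checks for one application bundle (macOS only).
audit_app() {
    app="$1"
    status_out=$(spctl --status 2>&1)
    echo "Gatekeeper: $(classify_status "$status_out")"
    assess_out=$(spctl --assess --type execute --verbose=4 "$app" 2>&1)
    echo "$app: $(classify_assessment "$assess_out") (source: $(assessment_source "$assess_out"))"
    # Who signed it? No output here means the bundle carries no signature at all.
    codesign -dv --verbose=2 "$app" 2>&1 | sed -n 's/^Authority=/  signed by: /p'
}

# Usage: ./gatekeeper_audit.sh /Applications/SomeApp.app   (path is a placeholder)
if [ "$(uname -s)" = "Darwin" ] && [ -n "${1:-}" ]; then
    audit_app "$1"
fi
```

A bundle that reports "rejected" with "source=no usable signature" is exactly the case the dialog above covers: it will run only after you approve it once in Security & Privacy, and nothing in the script changes that decision.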

Summary

The privacy and security changes in macOS Sierra come from its tighter integration with iCloud. Cloud integration is an industry wide trend and not just specific to Apple. Which documents and what data you want to share with cloud services should be carefully evaluated, and the security of cloud accounts will become more and more important. Two-factor authentication is an absolute must, no matter if it is iCloud, Dropbox or OneDrive. Traditional passwords are too easily lost in phishing attacks. Phishing attacks against cloud credentials can be very targeted and convincing. Two-Factor authentication provides some protection against these attacks.

Many of the existing security features in OS X remain the same, for example FileVault and various iCloud-based services like Back to My Mac. Please consult the various OS X hardening guides for advice.

[1] http://www.apple.com/macos/sierra/
[2] https://support.apple.com/en-us/HT202303

---
Johannes B. Ullrich, Ph.D.
