Will Admin Account Get Prompted For Password For (hidden) App Authentication?

Awassh

Hello!
I've been trying to find a clear answer to this:

I run an admin account. I have installed apps and it asks me for a password for this.

I heard that one thing Mac uses for security is that when files that might be malware are masked as innocent image/video/something else files, Mac will prompt the user for a password as it sees it is an executable file.

If I'm running Admin account, would I get such warning with malicious software? If it is type that tries to hide what it is and sneak in pretending being innocent image/video file?

If I click on it, would Mac always ask if I want to run it? I have "Mac App Store and identified developers" setting in Gatekeeper.

In short: will Mac always ask me if I want to install an app even if it is hiding its installer nature?
 
Gatekeeper will ask you to verify the first time you run an app that you download. So, yes, your Mac (gatekeeper) will ask you the first time you run a downloaded app (which could be an installer, or app in some other form), but you only need to accept the app the first time you use it.
Gatekeeper verifies the signing of the app (is it a real app, from an accepted developer?), and won't let the app run until you do your end of verifying the app. You probably won't know if the app is actually safe or not, but part of what the gatekeeper does is do what it can to assure you that the download is safe. Gatekeeper may, in turn, ask you to enter your admin password, usually because something is going to be installed. There will STILL be certain types of files that won't install - until you temporarily disable the SIP (System Integrity Protection). Note that disabling SIP is NOT something that you want to do, unless you absolutely have to do that, and you know why. If you need a specific app, and it needs the SIP disabled to install it completely, I would suggest that you should contact the developer first, unless you have already verified that as necessary. SIP, and Gatekeeper do different things in your system. Both are necessary in today's internet reality.

Can some rogue app still get through? Yes.
Are you likely to encounter such an app, outside of the "dark" corners of the web, or if you partake of certain types of software sourced from certain countries?
Highly unlikely.

Anyway, your questions have answers that are not simple, but mostly, your macOS system will not let known "dangerous stuff" run, and you usually won't get the opportunity to decide, as your system has already blocked it.
So, when you get the message that you need to verify the software, and asks for your password, and you know (as best you can) that the app comes from a reliable source - and you know that YOU downloaded it - then you can consider yourself protected at that time. (Gatekeeper is doing its job!)
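
The concern raised in this thread, a file named like an image or video whose content is actually executable, can be checked by comparing the file's extension with its leading bytes. This is an added example, not part of the original posts; the extension lists, the finding labels and the sample headers in the comments are constructed for illustration.

```python
from pathlib import Path, PurePath

# Assumed lists for this example; extend them for your own environment.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".pdf"}
RUNNABLE_EXTS = {".app", ".command", ".pkg"}

# Mach-O magic numbers (32-bit, 64-bit, universal), in both byte orders.
# 0xCAFEBABE is shared with Java class files; neither is an image.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),
    bytes.fromhex("cafebabe"), bytes.fromhex("bebafeca"),
}

def sniff_executable(header):
    """Return 'mach-o' or 'script' if the leading bytes look executable."""
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header[:2] == b"#!":
        return "script"
    return None

def findings(name, header):
    """List mismatches between a file's name and its leading bytes."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    out = []
    kind = sniff_executable(header)
    # Case 1: media extension, executable content.
    if suffixes and suffixes[-1] in MEDIA_EXTS and kind:
        out.append("executable-content:" + kind)
    # Case 2: a media extension hidden in front of a runnable one.
    if (len(suffixes) >= 2 and suffixes[-1] in RUNNABLE_EXTS
            and any(s in MEDIA_EXTS for s in suffixes[:-1])):
        out.append("double-extension")
    return out

def scan_file(path):
    """Apply findings() to a real path; bundles (.app) are directories."""
    p = Path(path)
    header = b""
    if p.is_file():
        with p.open("rb") as fh:
            header = fh.read(4)
    return findings(p.name, header)

# Constructed samples: a real JPEG header, then a Mach-O header named .jpg.
# findings("holiday.jpg", b"\xff\xd8\xff\xe0") -> []
# findings("holiday.jpg", bytes.fromhex("cffaedfe")) -> ["executable-content:mach-o"]
```
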
 
Thank you for clarifying. Basically, if it is an installer, Mac will almost always ask me if I want to run it, even if it is masked as image/video/non-installer files. There is always a chance something could slip through, but for it to be so sophisticated as to get past OS security, it would have to be quite well crafted, and meeting such malicious software is not a frequent occurrence.

And to clarify - Gatekeeper will be on guard even if I use Administrator account I hope? It won't be letting new apps through easier if I'm using Administrator?
 
The usual default account on a Mac is an admin account, so that's what you would likely be using.
If you prefer the extra layer of security when using a standard account, then do that.

Keep in mind that if you typically use the terminal, that you would not be allowed by the system to use a sudo command when you are logged in to a standard account.
(Just thought I'd mention that :D )
 
Well, I'm more comfortable with Admin. I just read some comment that in Admin account, Mac asks less confirmation and passwords and it made me suddenly worried if that applies to Mac asking if I want to run or install new apps - but those asks will always be there no matter my account?

Thanks for that extra bit! More reason to stay with Admin. :D
 
Well, yes, partly - but I think your understanding of the authentication process is a bit backwards.
If there is a procedure, or you need to install some software that requires authentication, your Mac will ask for authentication from either a standard or an admin account.
If you are logged in as admin, the main difference is that your system won't need to ask for the name of an admin account, but would still need the password when that is needed for authentication. There are certain types of authentication which would require that you be logged in as an admin.
If you are logged in as a standard user, then the authentication needs the name of an admin account, plus password for that authentication.
And, of course, there are some parts of your system that will block access, even if you are logged in as an admin. For those, you would need to be logged in to your root user account.
It's fairly easy to upgrade an admin account to enable the root user, which gives someone access to lots of your system. A Standard account is much more difficult to do that same upgrade, at least while that standard account is logged in.
Do you want to be more secure (with a non-admin account), or do you want your system to be somewhat less secure with an admin account?
 
I feel like I hit clear understanding right now. :D
I'd say thread is finished, I understood now.
 