Protect files from other administrator accounts

macos security encryption

Solution 1:

Simple answer - no. Administrative access is too powerful for multiple users on a single machine. Even if you trust every one of these users implicitly, there will always be a chance of accidental misuse and potential data loss.

  • If you are admin - you can read any file on the Mac
  • If you are admin - you can delete and modify any file on the Mac

The only exception is SIP - where even root can't modify some files Apple has marked as restricted.

Standard operating procedure dictates standard user accounts for all users on a multi-user Mac, with an administrator's account for maintenance, etc.

You can make an encrypted DMG to store things that you can't allow another user of the computer to see. They could copy the files and try to brute force the password - but Finder does a good job of asking for and mounting such filesystems when you reference an alias to the file.

The keychain is a specialized version of an encrypted store. You might be able to store your keys there and they would be safe from other users in a similar manner.

Related

Automator action to run python script on series of files fails in Catalina
How can I connect 2 headset microphones to my Macbook Pro so that we can both speak AND hear sound effects from the Macbook Pro?
Is it safe to use non-Apple adapter to charge Apple devices?
How to configure OS X for exhibitions
What to do about recent remote code execution vulnerability in git (on El Capitan)
How to add extra info to copied web text
Is it okay to use <input type="tel"/> now?
How to find the intersection of two STL sets?
Reason for huge size of compiled executable of Go
How to mock an exported const in jest
What is the best AJAX library for Django? [closed]
Understanding the ngRepeat 'track by' expression