Depending on your userbase and threat model, they frequently can be. Many organisations running windows resort to policies effectively preventing any third party binaries from running as a first line defense against malware, meaning developer tools need lengthy review and approval processes to deploy and infrequently receive updates after the fact. Windows routinely has drive-by attacks that manage to bypass their signature systems, leaving little other option.
In contrast, macs seem to implement binary signing in what to a non-it-admin seems to be a more effective way, which usually results both in a less locked down system and less concern about surprise malware.
In both cases, endpoint protection is of course still required, but the ‘feeling’ is definitely there that windows is harder to lock down, and I experience that even as an end user where I basically don’t trust my own windows machine to be 100% virus free, a worry I just don’t have on my macs thanks to years of the marketing advertising just that.
How is windows binary signing better than macos?
I don't get why IT would block 3rd party binaries in windows but not in macos for the same target-group of users.
MacOS signing and security is better implemented than on Windows, and more comprehensive. Specifically:
1. On macOS it's safe for IT to assume all binaries used by non-developers are signed. On Windows ~30% of binaries aren't signed at all, which means the OS and IT can't tell the difference between a polymorphic virus and a mission critical program. Note: homebrew users are an exception as those binaries are generally not signed.
2. On macOS apps have been malware scanned ahead of time by Apple (notarization), in such a way that they can take their time over it. They can also go back and revisit earlier classifications if they learn they were duped and then re-classify apps retroactively. On Windows only online real-time scanning is possible, which must fit within whatever resources users have, so there's a lot of false positives and negatives. Microsoft has no equivalent of notarization.
3. On macOS code signing actually means something because programs are signed as a unit, and all the code inside a process is typically coming from either the app vendor or the OS vendor. Code injection and apps overwriting each other's files aren't allowed by default. On Windows, because they introduced packaged identity very late and tied it tightly to their packaging scheme (MSIX), most apps are to the OS just a collection of files that aren't obviously related to each other in any way, and apps constantly inject code into each other's address spaces.
4. MacOS has an app sandboxing system that is somewhat widely used, e.g. by MS Office. Windows sandboxing is brand new and not really launched yet (+will be Win11 only when it does).
There are other differences, but it's fair to say that Apple has invested into code signing and sandboxing more intensively and more consistently over a longer period of time, and this has been noticed by IT admins.
In contrast, macs seem to implement binary signing in what to a non-it-admin seems to be a more effective way, which usually results both in a less locked down system and less concern about surprise malware.
In both cases, endpoint protection is of course still required, but the ‘feeling’ is definitely there that windows is harder to lock down, and I experience that even as an end user where I basically don’t trust my own windows machine to be 100% virus free, a worry I just don’t have on my macs thanks to years of the marketing advertising just that.