Making macOS safer

This is a guide about security, not privacy.

It also leaves out security measures that greatly reduce usability.

This guide is intended to create systems with above-average security levels without sacrificing functionality.

The article has been updated with the release of macOS Sequoia.

Simple level

Anyone can do this; no technical knowledge is required.

  1. Reinstall macOS

Why? It is better to start with a clean slate to avoid misconfiguration.

How? Follow this Apple Support guide (Intel-based, Apple silicon).

  1. Perform the initial system setup.

  2. Enable automatic software updates

Why? To ensure your system has the latest software patches installed.

How? Go to System Settings > General > Software Update > Automatic updates, check all.

  1. Enable screen lock after inactivity

Why? To prevent unauthorized access.

How? Go to System Settings > Lock Screen, set "Turn off display if inactive for" to 20 minutes or less, and "Require password after screen saver or display is turned off" to 5 seconds or less.

  1. Disallow unsigned software

Why? To prevent potentially malicious software from running.

How? Go to System Settings > Privacy & Security > Security, set "Allow apps downloaded from" to App Store & Known Developers.

  1. Enable disk encryption

Why? To prevent unauthorized access to your data.

How? Go to System Settings > Privacy & Security > Security > FileVault. If it is disabled, click "Turn On..." and follow the instructions.

  1. Enable the firewall

Why? To reduce the risk of network attacks.

How? Go to System Settings > Network > Firewall and turn it on. You can also select "Block all incoming connections", but this may degrade the user experience.

  1. Disable the guest account

Why? To prevent unauthorized access.

How? Go to System Settings > Users & Groups > Guest User, uncheck all the boxes.

  1. Disable network services

Why? To reduce the risk of network attacks.

How? Go to System Settings > General > Sharing, uncheck all unused services.

  1. Disable access to unnecessary applications

Why? To limit potential exposure to malware.

How? Go to System Settings > Privacy & Security > Privacy > Camera, uncheck all programs that do not need this access. Do the same for the entire list: microphone, accessibility, etc.

  1. Prevent Safari from automatically opening downloads

Why? So you know what you are launching.

How? Go to Safari > Settings > General, disable the "Open 'safe' files after downloading" feature.

  1. Enable showing all file extensions

Why? So you know what you are launching.

How? Go to Finder > Settings > Advanced, check the "Show all filename extensions" box.

  1. Turn off wireless network if not in use

Why? To reduce the risks of wireless network attacks.

How? Turn off Wi-Fi and/or Bluetooth if you are not using them.

  1. Use a password manager

Why? To avoid reusing passwords and to facilitate two-factor authentication.

How? Choose a password manager that suits your needs. I like 1Password.
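
The following Terminal script is an added example, not part of the original guide: a read-only check that four of the settings above (FileVault, Gatekeeper, firewall, guest account) ended up the way the steps describe. The function names and the exact output strings it matches are assumptions about what the stock macOS tools print.

```shell
#!/bin/sh
# Added example (not from the original article): read-only check of four
# "Simple level" settings. Each check_* function takes a tool's output as $1;
# the strings matched below are assumptions about that output.

check_filevault() {    # input: output of `fdesetup status`
  case "$1" in
    *"FileVault is On"*)  echo PASS ;;
    *"FileVault is Off"*) echo FAIL ;;
    *)                    echo UNKNOWN ;;
  esac
}

# Confirms Gatekeeper is on, not which "Allow apps downloaded from" option is set.
check_gatekeeper() {   # input: output of `spctl --status`
  case "$1" in
    *"assessments enabled"*)  echo PASS ;;
    *"assessments disabled"*) echo FAIL ;;
    *)                        echo UNKNOWN ;;
  esac
}

check_firewall() {     # input: output of `socketfilterfw --getglobalstate`
  case "$1" in
    *"State = 0"*)     echo FAIL ;;
    *"State = "[12]*)  echo PASS ;;
    *)                 echo UNKNOWN ;;
  esac
}

check_guest() {        # input: value of the loginwindow GuestEnabled key
  case "$1" in
    0) echo PASS ;;
    1) echo FAIL ;;
    *) echo UNKNOWN ;;  # key absent or unreadable: check the GUI instead
  esac
}

audit() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  lw=/Library/Preferences/com.apple.loginwindow
  printf 'FileVault   %s\n' "$(check_filevault "$(fdesetup status 2>/dev/null)")"
  printf 'Gatekeeper  %s\n' "$(check_gatekeeper "$(spctl --status 2>&1)")"
  printf 'Firewall    %s\n' "$(check_firewall "$("$fw" --getglobalstate 2>/dev/null)")"
  printf 'Guest off   %s\n' "$(check_guest "$(defaults read "$lw" GuestEnabled 2>/dev/null)")"
}

# Run the live checks only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

An UNKNOWN result means the tool printed something the script does not recognize, so confirm that setting in System Settings.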

Advanced Level

For those who want to delve deeper into security settings.

  1. Perform daily tasks with a non-administrator user account.

Why? The user created during system installation has administrator rights. If that account's password leaks, this can significantly worsen the consequences.

How? Create a user account with standard rights and use it when you do not need administrator rights. This method is considered advanced as it causes a lot of inconvenience during work.

  1. Review the risks associated with browser extensions

Why? Browser extensions, such as ad blockers or grammar checkers, require full read and write access to everything you do on the Internet. Yes, this includes your passwords. This is not inherently malicious, but is it worth the risk?

How? Review the extensions installed in your browser and assess their importance to you, as well as whether it is worth the risk or not. I like having them installed, but you can allow them access only to specific sites or on demand.

  1. Run an additional firewall

Why? To monitor and control outgoing network connections.

How? Install Little Snitch (paid) or LuLu (open source).

  1. Block malicious domain names

Why? To reduce the likelihood of DNS poisoning.

How? Install the /etc/hosts file from StevenBlack (or mine).

  1. Enable secure keyboard input in the terminal

Why? To prevent other applications from peeking at what you are typing in the terminal.

How? In the Terminal app, open the Terminal menu and select "Secure Keyboard Entry".

  1. Enable the whitelist of processes (applications)

Why? To completely prevent the launch of applications that are not allowed.

How? Install and configure Google Santa.
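
For the "Block malicious domain names" step above: /etc/hosts is a root-owned file that overrides name resolution, so a downloaded list deserves a check before it is installed. The script below is an added example, not part of the original guide; vet_hosts is a hypothetical helper that reports every line mapping a name to anything other than a sink address, and the sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): vet a downloaded hosts
# blocklist before it replaces /etc/hosts. A blocklist should only send names
# to a sink address; any other address redirects the name instead of blocking it.

# Print each line that is not a plain sink mapping; exit status 1 if any found.
vet_hosts() {
  awk '
    { sub(/#.*/, ""); sub(/\r$/, "") }      # drop comments and stray CRs
    NF == 0 { next }                         # blank or comment-only line
    NF == 1 { print FILENAME ":" NR ": no hostname: " $0; bad = 1; next }
    $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::" || $1 == "::1" { next }
    $1 == "255.255.255.255" && $2 == "broadcasthost" && NF == 2 { next }
    { print FILENAME ":" NR ": non-sink address: " $0; bad = 1 }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: ordinary sink entries plus one redirecting entry
# (192.0.2.10 is a documentation address; example.* names are reserved).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample blocklist
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
192.0.2.10 login.example.org
EOF

if vet_hosts "$sample"; then
  echo "only sink entries found"
else
  echo "review the lines above before installing this file"
fi
rm -f "$sample"
```

Stock lines that use other addresses will also be reported; review those by hand before copying the file into place.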

Serious level

Security specialists surely know more about macOS security than I do, so I will not give any specific recommendations.

Instead, I will refer to authoritative experts on this issue:

Is that all?

No.

Security is an ongoing task. You must actively monitor newly discovered vulnerabilities and learn how to protect against them.

Some general (but useful) rules:

  • Always update software in a timely manner.

  • Prevent physical access to unattended devices.

  • Do not reuse passwords and enable two-factor authentication.

  • Regularly back up data.

  • Stay vigilant. Most attacks these days are aimed not at the system, but at the user, at you.

Take care!
