Even though there are about a million guides on how to secure macOS properly, I decided to throw in my five cents on this topic. In contrast to many other guides, I'd just like to provide you with the best practices that I actually use myself. This is not the full monty either, but rather the essential things I always do when getting a new Mac to get better security while preserving almost all macOS features such as iCloud document saving or Time Machine.
My threat model is tailored more towards security against physical access to the device, preventing malware and protecting against data loss than towards privacy, although it incorporates some privacy fixes as well.
As security advice can become esoteric really fast, all I can say is that this is only my approach, which consists more of doing small things that help a lot than of installing additional security software or the like.
Also please be aware that I am not responsible for you breaking your system when following this guide.
Reinstall macOS when getting a new device
The first thing I always do is reinstall macOS. Not because I think a new device is already infected, but when buying an exhibition piece or a used device you don't know what was done to it before. Also reset the SMC and clear NVRAM while you are at it. Do the NVRAM reset before setting a firmware password (see below): an Intel Mac with a firmware password set refuses to reset NVRAM.
Enable full disk encryption
The next thing is enabling full disk encryption. On macOS this is done from System Preferences in the "Security & Privacy" section on the "FileVault" tab; fdesetup status confirms afterwards that it is on. I never write down my recovery key or store it anywhere else, because I can remember my password and have regular backups of my data in case I forget it. Be aware of the trade-off: without the recovery key, a forgotten password means the data on that volume is gone for good, so the backups have to be current.
Additionally, and especially useful on a portable device, is enforcing hibernation instead of sleeping to memory, together with destroying the FileVault key held in memory when the machine goes to standby, so that the key cannot be pulled out of RAM by someone who gets hold of the sleeping device:
sudo pmset -a destroyfvkeyonstandby 1
sudo pmset -a hibernatemode 25
sudo pmset -a powernap 0
sudo pmset -a standby 0
sudo pmset -a standbydelay 0
sudo pmset -a autopoweroff 0
Hibernate mode 25 writes memory to disk and cuts power to it on sleep, so waking up takes a moment longer and always asks for the FileVault password; the remaining lines disable Power Nap, standby and auto power-off so that nothing wakes the machine behind your back. Verify the result with pmset -g. Newer macOS releases split standbydelay into standbydelaylow and standbydelayhigh, so check which keys your version lists before copying that line.
Filter malicious hosts using the hosts file
To prevent loading known malicious sites that serve malware, and to block advertisements and social network trackers outright, I use StevenBlack's hosts file (https://github.com/StevenBlack/hosts) in the malware+ads+social+fakenews+gambling flavour:
curl -fsSL "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-social/hosts" | sudo tee /etc/hosts > /dev/null
(Warning: this replaces your existing hosts file, so copy it aside first and re-add any custom entries afterwards. The -f flag matters: without it a failed download would write an HTML error page into /etc/hosts. Keep in mind that a hosts file only blocks lookups by name; malware that connects to a raw IP address is not affected, and the list has to be downloaded again from time to time to stay current.)
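Because replacing the whole file loses your own entries and appending it blindly duplicates entries on every refresh, here is an added example (not code from the original post or from the StevenBlack project) that installs the list as a marked section of the hosts file which a later run replaces, keeping your own entries above it. The marker strings, the function names and the demo input are my own; the only assumption about the upstream file is that its blocking entries use 0.0.0.0 as the address, which is that project's default.

```shell
#!/bin/sh
# Added example (not from the original post): install a blocklist as a marked,
# replaceable section of the hosts file instead of appending it blindly.
# Assumptions: the marker strings are our own convention, the blocklist has
# already been downloaded to a local file (curl -fsSL -o blocklist URL), and
# its blocking entries use 0.0.0.0 as the address (StevenBlack's default).

BEGIN_MARK='# BEGIN managed blocklist'
END_MARK='# END managed blocklist'

# strip_managed_section FILE: print FILE without a previously installed section
strip_managed_section() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$1"
}

# merge_hosts HOSTS BLOCKLIST OUT: write HOSTS (minus any old managed section)
# followed by the deduplicated blocking entries of BLOCKLIST inside markers.
# OUT must not be the same file as HOSTS.
merge_hosts() {
    {
        strip_managed_section "$1"
        echo "$BEGIN_MARK"
        # keep only "0.0.0.0 name" lines: this drops comments, blank lines, the
        # localhost block the upstream file repeats, and its "0.0.0.0 0.0.0.0" entry
        awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $1, $2 }' "$2" | sort -u
        echo "$END_MARK"
    } > "$3"
}

# count_blocked FILE: number of blocking entries inside the managed section
count_blocked() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { inside = 1; next }
        $0 == e { inside = 0 }
        inside && $1 == "0.0.0.0" { n++ }
        END { print n + 0 }
    ' "$1"
}

# Demo on constructed input. For real use: merge_hosts /etc/hosts blocklist
# /tmp/hosts.new, inspect it, then sudo install -m 644 /tmp/hosts.new /etc/hosts.
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n10.0.0.5 nas.lan\n' > "$d/hosts"
    printf '# constructed upstream sample\n127.0.0.1 localhost\n0.0.0.0 0.0.0.0\n0.0.0.0 ads.example\n0.0.0.0 malware.example\n0.0.0.0 ads.example\n' > "$d/blocklist"
    merge_hosts "$d/hosts" "$d/blocklist" "$d/hosts.new"
    cat "$d/hosts.new"
    echo "blocked entries: $(count_blocked "$d/hosts.new")"
    rm -rf "$d"
}
demo
```

Since the managed section is rebuilt from scratch on every run, refreshing the list is simply the same command again, and removing it is a matter of deleting everything between the two markers.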
Set a firmware password
In short, the firmware password prevents your machine from booting from a different volume than the internal one (and from getting into Recovery or the startup manager) without entering it, so that someone who gets hold of the machine cannot boot an external disk to attack the installation. This is useful in various cases, including loss of your machine. It can only be reset by Apple with proof of purchase, and as newer models have the flash soldered in without the possibility to exchange it, I don't expect that to cause problems.
sudo firmwarepasswd -setpasswd -setmode command
Check it afterwards with sudo firmwarepasswd -check. This applies to Intel Macs only: Macs with Apple silicon have no firmware password, and the equivalent protection there comes from the Secure Boot settings in Recovery, which already require an administrator password.
Fix OpenSSL and curl
macOS comes with a system openssl binary that is ancient (it has actually been LibreSSL for a few releases now, but still old), and the system curl is built against Apple's Secure Transport. Installing a current OpenSSL and a curl that uses it might be a little paranoid, but this is what I always do:
brew install openssl
brew install curl
brew link --force curl
Homebrew dropped per-formula build options such as --with-openssl a while ago; the current curl formula already links against Homebrew's OpenSSL, which you can confirm with curl --version (it prints the OpenSSL version it was built with). Note that this only affects the command-line tools in your shell, and only if Homebrew's bin directory comes before /usr/bin in your PATH; applications using the system libraries are unchanged.
I assume this one is relatively self-explanatory. I added this one to my
Host *
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    HashKnownHosts yes
    UseKeychain no
On the client side, PasswordAuthentication no (together with ChallengeResponseAuthentication no) means ssh never falls back to typing your password, so a spoofed or compromised host cannot phish it and you notice immediately when key authentication fails. HashKnownHosts yes hides which hosts you connect to from anyone who reads ~/.ssh/known_hosts, and UseKeychain no stops Apple's ssh from storing key passphrases in the keychain. UseKeychain is an Apple-specific keyword; if you share this config with a non-Apple OpenSSH, add IgnoreUnknown UseKeychain above it. ssh -G some.host prints the values that actually apply to a host.
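As an added example (not code from the original post), here is a small checker for that file: it parses an ssh_config-style file and reports which of the four directives above are missing from, or set differently in, the Host * block. The function names and the constructed sample config are my own; the parsing rules (case-insensitive keywords, "key value" or "key=value", comments after #) follow the ssh_config format.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the hardening
# directives above are missing or wrong in the "Host *" block of an
# ssh_config-style file. OpenSSH keywords are case-insensitive and may be
# written "key value" or "key=value", so the parser accepts both. Only the
# literal "Host *" block (and directives before any Host line, which are
# global) are inspected; per-host blocks that override it are out of scope.

# host_star_value FILE KEY: print the first value of KEY that applies to all hosts
host_star_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { inblock = 1 }                        # before any Host line: global
        { sub(/#.*/, ""); gsub(/=/, " "); $0 = $0 }  # strip comments, allow key=value
        NF == 0 { next }
        tolower($1) == "host"  { inblock = ($2 == "*" && NF == 2); next }
        tolower($1) == "match" { inblock = 0; next }
        inblock && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_ssh_config FILE: print one MISSING/WRONG line per problem, return 1 if any
check_ssh_config() {
    rc=0
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                HashKnownHosts=yes UseKeychain=no; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(host_star_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG $key=$got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config: the github.com block must not satisfy the
# check, keyword case does not matter, and the "key = value" form is accepted.
demo() {
    f=$(mktemp)
    printf 'Host github.com\n    PasswordAuthentication yes\n\nHost *\n    PasswordAuthentication no\n    HashKnownHosts = yes   # inline comment\n    UseKeyChain no\n' > "$f"
    check_ssh_config "$f" || echo "fix ~/.ssh/config, then confirm with: ssh -G some.host"
    rm -f "$f"
}
demo
```

Run it as check_ssh_config ~/.ssh/config; an empty output and exit status 0 means all four directives are in place for every host.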
Regarding the Firewall...
I know many people use a personal firewall on macOS, or the integrated one. I use neither, because by default macOS does not expose any network services that would create attack surface. You can check this yourself by listing the TCP sockets that listen on something other than the loopback interface:
sudo lsof -i -P | grep -i "listen" | grep -v "localhost:"
An empty result means nothing accepts connections from the network. That changes as soon as you enable anything in the Sharing preferences (Screen Sharing, Remote Login, file sharing), so re-run the check after changing those, and note that it only shows TCP listeners, not UDP services such as mDNS.
To prevent individual apps from accessing the network, I use the macOS sandbox as described here: https://www.davd.eu/os-x-run-any-command-in-a-sandbox/. The sandbox-exec command it relies on is marked as deprecated in the macOS man page but still works.
Ask for password immediately
When putting your device to sleep or when the screensaver starts, it makes sense to ask for the password immediately on wake-up. So if you leave your device unattended, no one will be able to get in. This is especially useful together with the FileVault and hibernation settings from earlier in this guide, because then neither the running session nor the disk is accessible.
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0
Afterwards check the "Require password" setting in the Security & Privacy preferences to confirm it took effect, since newer macOS releases manage this setting from there.
Show real extensions
Having an executable pretending to be an image is bad... So make sure you always see what you got:
defaults write NSGlobalDomain AppleShowAllExtensions -bool true
Restart Finder afterwards (killall Finder) for the change to show up.
Disable crash reporter and diagnostics
I always disable it because it drives me crazy:
defaults write com.apple.CrashReporter DialogType none
Read more on how to prevent diagnostics from being sent to Apple:
Prevent applications to read your terminal input
macOS Terminal and iTerm2 offer an option called "Secure Keyboard Entry", which you should enable. It stops other processes from reading your keystrokes through the system's input event mechanisms while the terminal is in front, which is exactly where you type passwords and passphrases. The trade-off is that keyboard-watching tools such as text expanders stop working while it is on.
The usual stuff
As this blog is aimed towards somewhat more experienced users, I only dedicate a small paragraph to this, because it is what you should be doing anyway. Back up regularly; Time Machine is the easiest solution for this. Detach the backup disk when you are done, or back up to a network filesystem and snapshot it periodically, so that ransomware cannot encrypt your backup along with your data. Keep your system up to date: brew will help you with that (brew update && brew upgrade) as well as softwareupdate (softwareupdate -l lists what is pending, softwareupdate -ia installs it). Use the provided security features like SIP (= rootless), Gatekeeper and XProtect, and check that they are actually on with csrutil status and spctl --status. Use a VPN or SOCKS proxy on untrusted networks and, please, don't use Java or Flash.
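As an added example that is not the post's own code, here is an audit script that ties together the checks mentioned throughout this guide: FileVault status, the pmset hibernation values, SIP, Gatekeeper and the Intel firmware password. Each check parses the output of the corresponding macOS command, read from stdin, so the parsing can be exercised on saved output or on another OS; the real commands are only run where they exist. The expected output strings are assumptions based on recent macOS releases and should be verified on your version before trusting a PASS.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only audit of the
# settings this guide turns on. Every check reads the output of one macOS
# command from stdin, so the parsing can be exercised on saved output (or on
# another OS); the real commands are only run where they exist. The expected
# output strings are assumptions based on recent macOS releases; verify them
# on your version before trusting a PASS.

# pmset_value KEY < "pmset -g" output: print the value shown for KEY, if any
pmset_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# check_pmset < "pmset -g" output: 0 only if every value from the hibernation
# section is in effect (standbydelay is left out because its name differs
# between macOS releases)
check_pmset() {
    out=$(cat)
    rc=0
    for pair in destroyfvkeyonstandby=1 hibernatemode=25 powernap=0 standby=0 autopoweroff=0; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$out" | pmset_value "$key")
        if [ "$got" != "$want" ]; then
            echo "  pmset $key is '${got:-unset}', want $want"
            rc=1
        fi
    done
    return $rc
}

# The remaining checks grep for the line each tool prints when the feature is on
# (assumed wording, see above).
check_filevault()  { grep -q 'FileVault is On'; }                             # fdesetup status
check_sip()        { grep -q 'System Integrity Protection status: enabled'; }  # csrutil status
check_gatekeeper() { grep -q 'assessments enabled'; }                         # spctl --status
check_firmwarepw() { grep -q 'Password Enabled: Yes'; }                       # firmwarepasswd -check

# report NAME BINARY COMMAND CHECK: run COMMAND and feed its output to CHECK,
# or SKIP when BINARY does not exist on this machine
report() {
    if [ -x "$2" ]; then
        if sh -c "$3" 2>/dev/null | "$4"; then
            echo "PASS $1"
        else
            echo "FAIL $1"
        fi
    else
        echo "SKIP $1 ($2 not present)"
    fi
}

audit() {
    report "FileVault"                      /usr/bin/fdesetup      "fdesetup status"           check_filevault
    report "hibernation settings"           /usr/bin/pmset         "pmset -g"                  check_pmset
    report "SIP"                            /usr/bin/csrutil       "csrutil status"            check_sip
    report "Gatekeeper"                     /usr/sbin/spctl        "spctl --status"            check_gatekeeper
    report "firmware password (Intel only)" /usr/sbin/firmwarepasswd "sudo firmwarepasswd -check" check_firmwarepw
}

audit
```

Only the firmware password check needs sudo; everything else runs as a normal user, so the script is safe to keep around and re-run after every macOS update, which is when settings like these tend to get reset.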
Is there something important I've missed? Let me know below in the comments and I will add it!