Essentials on securing macOS

published on macOS, Apple, Security

Even though there are about a million guides on how to secure macOS properly, I decided to throw in my 5c on this topic. In contrast to many other guides, I'd just like to give you the best practices that I actually use myself. Also, this is not the full monty but rather the essential things that I always do when getting a new Mac, to get better security while preserving almost all macOS features like iCloud document saving or Time Machine.

My threat model is tailored more towards security when someone has physical access to the device, preventing malware and protecting against data loss than towards privacy, although it incorporates some privacy fixes as well.

As security advice can become esoteric really fast, all I can say is that this is only my approach, which consists more of doing small things that help a lot than of installing additional security software or the like.

Also please be aware that I am not responsible for you breaking your system when following this guide.

Reinstall macOS when getting a new device

The first thing I always do is reinstall macOS. Not because I think it's already infected when I get it, but when buying an exhibition piece or a used device, for example, you don't know what was done to it before. Also reset the SMC and clear the NVRAM.

Enable full disk encryption

The next thing is enabling full disk encryption. On macOS this is done from the system preferences in the "Security" section on the "FileVault" tab. I never write down my recovery key or anything like that because I can remember my password and have regular backups of my data in case I forget it.

Additionally, and especially useful on a portable device, enforce hibernation instead of sleep-to-memory, together with destroying the FileVault keys held in memory when the lid is closed:

sudo pmset -a destroyfvkeyonstandby 1   # drop the FileVault key from memory on standby, so the password is needed to wake
sudo pmset -a hibernatemode 25          # write memory to disk and power RAM off instead of keeping it powered during sleep
sudo pmset -a powernap 0                # no Power Nap wake-ups while the lid is closed
sudo pmset -a standby 0                 # skip the intermediate standby state and hibernate right away
sudo pmset -a standbydelay 0
sudo pmset -a autopoweroff 0
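As an added check (example code written for this post, not part of the original), the POSIX shell function below compares `pmset -g custom` output against the six values above and reports anything that drifted, for instance after a macOS update; the sample output it runs on is constructed, and keys are matched case-insensitively because pmset may print some of them, such as DestroyFVKeyOnStandby, in mixed case.

```shell
# Added example, not from the original post: audit `pmset -g custom` output
# against the hardened values above. Prints one line per deviating or missing
# setting and exits 0 only when everything matches.
# On a Mac:  pmset -g custom | pmset_audit
pmset_audit() {
    awk '
    BEGIN {
        want["destroyfvkeyonstandby"] = 1
        want["hibernatemode"]         = 25
        want["powernap"]              = 0
        want["standby"]               = 0
        want["standbydelay"]          = 0
        want["autopoweroff"]          = 0
        bad = 0
    }
    /:$/ { section = $0; sub(/:$/, "", section); next }   # "Battery Power:" etc.
    {
        key = tolower($1)        # pmset may print some keys in mixed case
        if (key in want) {
            seen[key] = 1
            if ($2 != want[key]) {
                printf "%s: %s is %s, expected %s\n", section, key, $2, want[key]
                bad = 1
            }
        }
    }
    END {
        for (k in want)
            if (!(k in seen)) { printf "%s not reported by pmset\n", k; bad = 1 }
        exit bad
    }'
}
# Constructed sample (not real machine output): the battery profile still has
# the default hibernatemode 3 and standby 1, the AC profile is already hardened.
SAMPLE_PMSET='Battery Power:
 hibernatemode        3
 standby              1
 standbydelay         0
 powernap             0
 autopoweroff         0
 DestroyFVKeyOnStandby 1
AC Power:
 hibernatemode        25
 standby              0
 standbydelay         0
 powernap             0
 autopoweroff         0
 DestroyFVKeyOnStandby 1'
printf '%s\n' "$SAMPLE_PMSET" | pmset_audit || echo "power settings need fixing"
```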

Filter malicious hosts using the hosts file

To prevent loading known malicious sites that serve malware, and also to block advertisements and social-network embeds directly, I use StevenBlack's hosts file ([]) in the malware+ads+social+fakenews+gambling flavour:

# -f makes curl fail (and append nothing) on an HTTP error instead of piping an
# error page into /etc/hosts; -L follows redirects, -sS is quiet except for errors
curl -fsSL "" | sudo tee -a /etc/hosts

(Warning: with -a this appends the downloaded list to your existing hosts file, so running it twice adds duplicate entries; without -a it would replace the file entirely. Review the result before relying on it.)
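Since this pipes whatever the server returns into the file that decides where every hostname resolves, here is an added example (my own code, not from the original post or from the StevenBlack project) that vets the downloaded list first: it accepts only entries whose target is a null-route or loopback address as found in the stock macOS hosts file and flags anything else; the sample list, including its 203.0.113.5 entry, is constructed.

```shell
# Added example, not from the original post: vet a downloaded hosts blocklist
# before appending it to /etc/hosts. A hosts file fetched from the net can do
# more than block: an entry like "203.0.113.5 login.example.com" would silently
# redirect that domain. hosts_check reads the list on stdin, prints every entry
# whose target is not a local sinkhole address and exits 1 if it found any.
# On a Mac:  curl -fsSL "$URL" > hosts.txt && hosts_check < hosts.txt
hosts_check() {
    awk '
    BEGIN {
        # targets a blocklist may legitimately use (null route and loopback,
        # plus the IPv6/broadcast entries from the stock macOS /etc/hosts)
        ok["0.0.0.0"] = ok["127.0.0.1"] = ok["::1"] = ok["fe80::1%lo0"] = 1
        ok["255.255.255.255"] = ok["ff02::1"] = ok["ff02::2"] = 1
        bad = 0
    }
    { sub(/#.*/, "") }                 # drop comments
    NF == 0 { next }                   # and blank lines
    !($1 in ok) { print "suspicious entry: " $0; bad = 1 }
    END { exit bad }'
}

# Constructed sample: a normal blocklist with one hijacking entry smuggled in.
SAMPLE_HOSTS='# Title: constructed sample, not a real list
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net        # blocked
0.0.0.0 tracker.example.org
203.0.113.5 login.example.com  # NOT a sinkhole: would redirect the domain'

printf '%s\n' "$SAMPLE_HOSTS" | hosts_check || echo "do not install this list"
```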

Set a firmware password

In short, the firmware password prevents your machine from booting from a volume other than the built-in one. This is useful in various cases, including loss of your machine. It can only be reset at an Apple Store, and as newer models have their flash storage built in without the possibility of exchanging it, I don't expect it to cause problems.

sudo firmwarepasswd -setpasswd -setmode command

Fix OpenSSL and curl

macOS ships with an OpenSSL version that is like 100 years old... Installing the current one and building a new curl that uses the newer OpenSSL might be a little paranoid, but this is what I always do:

brew install openssl
# note: Homebrew later removed per-formula install options such as --with-openssl;
# on a current Homebrew, a plain "brew install curl" already links against Homebrew's OpenSSL
brew install curl --with-openssl
brew link --force curl   # put the Homebrew curl ahead of the system one in PATH

Secure SSH

I assume this one is relatively self-explanatory. I added this to my ~/.ssh/config file.

Host *
  PasswordAuthentication no             # public-key authentication only
  ChallengeResponseAuthentication no    # no keyboard-interactive prompts either
  HashKnownHosts yes                    # known_hosts no longer lists the hosts you connect to in clear text
  UseKeychain no                        # macOS-specific: do not store key passphrases in the Keychain

Regarding the Firewall...

I know many people use a personal firewall on macOS or the integrated one. I use neither, because by default macOS does not expose any services that would create an attackable surface. You can check this yourself:

sudo lsof -i -P | grep -i "listen" | grep -v "localhost:"

To prevent apps from accessing the network, I use the macOS sandbox as described here:

Ask for password immediately

When putting your device to sleep or when the screensaver starts, it makes sense to ask for the password immediately on wake-up. So if you leave your device unattended, no one will be able to get in. This is especially useful in combination with the FileVault advice from earlier in this guide.

defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0

Show real extensions

Having an executable pretending to be an image is bad... So make sure you always see what you've got:

defaults write NSGlobalDomain AppleShowAllExtensions -bool true

Disable crash reporter and diagnostics

I just always disable it because it drives me crazy:

defaults write com.apple.CrashReporter DialogType none

Read more on how to prevent diagnostics from being sent to Apple:

Prevent applications from reading your terminal input

macOS Terminal and iTerm2 offer an option called "Secure Keyboard Entry", which you should enable.

The usual stuff

As this blog is aimed at somewhat more experienced users, I only dedicate a small paragraph to this, because it is what you should be doing anyway: back up regularly; Time Machine is the easiest solution for this (and detach your disk, or back up to a network filesystem and snapshot it periodically, so ransomware can't encrypt your backup filesystem ;-). Keep your system up to date; brew will help you with this, as will softwareupdate. Use the provided security features like SIP (= rootless), Gatekeeper & XProtect. Use a VPN or SOCKS proxy on untrusted networks and, please, don't use Java or Flash.

Is there something important I've missed? Let me know below in the comments and I will add it!

Further references