Securing Mac OS X can often be overlooked by new users of Apple Devices and it shouldn’t be. In this blog post I’ll describe seven of the basic security-led changes I make to every device I use.
1. Settings -> Security -> General
Starting in the settings app under the security tab there are a number of changes to be made to increase basic security on the machine.
- Change the “Require password after” setting from the default of 15 minutes to 5 seconds. You could go for “immediately” here but that can get annoying if the screen saver activates while you’re working on something.
- Enable “Show a lock message when the screen is locked”. It is good practice here to include a means of contacting you or an IT department if somebody does come across the laptop.
2. Settings -> Security -> FileVault
For the last few releases of Mac OS X, Apple have made FileVault enabled by default but it is always worth checking. Whole disk encryption is a must before beginning to use a device. Go to the “FileVault” tab in the security settings to verify that it is enabled.
3. Settings -> Security -> Firewall
Every machine that is on a network should have a local firewall enabled to block incoming connection attempts. Enable the Firewall on the machine by going to the “Firewall” tab in settings.
To further enhance the firewall select the “Firewall Options” button above and in the dialog enable the option to “Enable Stealth Mode”. This prevents your machine from responding to pings or other applications.
Aside: I also use the application “Little Snitch” which is a great outbound firewall. It prompts you when applications on your machine try to access the internet and is a great addition to any Mac OS X installation.
4. Screen saver shortcut
With the introduction of Mac OS High Sierra, Apple have added a “quick lock” feature to bring a machine back to the login screen immediately.
Previous versions did not support this feature and it is important to have the ability to quickly enable the screen saver a lock screen. Under Settings -> Screen Saver -> Hot Corners I add a hot corner to the bottom left which immediately enables the screen saver and lock screen. This is great if you have to walk away from the machine quickly.
5. Securing Mac OS X computer name
Even with a firewall enabled, the name of your machine can leak onto any network. By default, Apple set the name of the machine to be “John Smith’s MacBook Pro” where John Smith is your name you gave during system setup. In the Settings app under “Sharing”, change the “Computer Name” at the top to something else and pressing enter.
Make sure that all sharing services on the left are disabled as well.
6. Securing Mac OS X users & guest users
The final setting is to remove the access for guest users. In the settings app under “Users & Groups” you will find the users you have configured for the machine. You will find the “Guest User” enabled by default. Select the “Guest User” and deselect the option “Allow guests to log into this computer”. There can be a bug where, once you’ve disabled the user, you will have to close the settings app and repeat the process. Make sure that in the list of users you see the option below “Guest User, Off”.
If you are serious about securing Mac OS X, create a “super-admin” user on the machine for admin tasks. Then downgrade your own user to a standard user as this adds another layer of security to your machine. You will need to provide the super-admin user credentials to complete tasks like application installation or system security changes.
7. Securing Mac OS X firmware
Often overlooked this simple step goes a long way to securing your Mac and preventing somebody reinstalling the OS and simply taking the device for themselves. It locks out access to the BIOS level utilities such as “Disk Utility” and low-level terminal access.
- During system boot, press the Command + R keys to boot into system recovery mode.
- Once booted into this mode, use the utilities menu to select “Firmware Utility”
- Then Select the “Turn on Firmware Password” option.
Note: Make sure you write down this password or remember it as you won’t be able access the firmware again without it!!
So they are my basic 7 steps for securing Mac OS X. Do you do something else that you think is missing here? Let me know in the comments below. Finally, if you’re looking for a whole other level of steps for securing Mac OS X, check out this excellent expert-level guide on GitHub from drduh.