MacOS has privacy and security tools for hardening your computer. Here are our top tips and best practices to for securing your Macbook. Many of these tips are pretty straightforward, free, or even seem deceptively simple. But together, these give you the essential cybersecurity tools and best practices for securing macOS computers at your business.
Many features that someone might consider “convenient” for everyday use can, unfortunately, make it surprisingly easy for hackers to access your macOS. For computers with access to large customer databases or government systems, optimizing your security settings is a critical task.
These days companies develop information security policies, which set guidelines and communicate anything employees are responsible for doing. If your business uses the Securicy app to manage your infosec program, you can sign in and see if your company policies require you to follow any of the procedures in our guide below.
So let’s look at these tips to set up your computer to protect yourself and your data.
Hardening your Mac means that you’re configuring the settings to reduce opportunities for a virus, hacker, ransomware, or another kind of cyberattack. Our guide here includes how to use antivirus tools, disable auto-login, turn off remote access, set up encryption, and more.
You can think about security for your computer (with all your personal, financial, or company data), much like you’d think about security for your house. Hardening your Mac is like you’re closing the doors and checking the locks. You want to make it harder for hackers to break in.
It might be convenient to leave the front door to your house unlocked or even open all the time. That way, you could avoid the hassle of carrying keys or even bothering with doorknobs. But doesn’t that go against the common sense we live by every day? We learn at a young age to close the door and lock it when you leave. Leaving your door wide open is like an invitation for anyone to walk into your house.
Hardening your Mac is a great step in increasing your security. It will minimize the threat of data loss or hacking. We are going to review some of the general best practices when it comes to hardening your Apple computer and review some settings changes that are quick and easy to make on your own. Here are the 11 steps we’ll be going over:
MacOS includes an easy-to-use firewall that can prevent potentially harmful incoming connections from other computers.
To configure the firewall, click Firewall Options (10.7 and later) or Advanced (10.6). In the window that appears, choose from the following options:
If you use public or unsecured networks at all it is vital to leave this on. even if you were always on a good network that is trusted, having a strong firewall is another benefit to your own personal security.
A firewall policy defines how your company’s firewalls should handle inbound and outbound network traffic. Your firewall information security policy or procedures may need to specify IP addresses or address ranges, protocols, applications, and content types.
To determine what you should include in your firewall policy, you should conduct a risk assessment to develop a list of the types of traffic your company needs and how those should be secured. That includes which types of traffic can cross a firewall and under what circumstances.
If you need to comply with an information security framework, you will want to reference their documentation, such as the NIST guidelines on firewall policies.
Companies may also determine that all inbound and outbound traffic that isn’t expressly permitted by their firewall policy should be blocked. Simple steps like enabling firewalls can reduce the risk of a cyber attack.
MacOS has a built-in backup tool called Time Machine. Once you plug in a hard drive and set up Time Machine, it will work automatically in the background, continuously saving copies of all your files, applications, and system files. If you run out of disk space, Time Machine will automatically erase the oldest version of the files to make way for the new ones. It’s pretty much a “set-and-forget” system for local backups:
Here is how to set up Time Machine:
Time Machine keeps:
This blog is meant to provide a starting point for implementing cybersecurity practices within your company. Due to the rapid progression of technology, this is an ongoing and ever-evolving subject!
Remote Access is a useful feature of macOS that lets you access files on your computer from anywhere.
However, remote access also lets anyone with your administrator login and password access files on your computer, which is why it is a good idea to shut this feature off if you don’t really use it. In fact, your company may already have a security policy about when employees can use remote access. (If you’re on a macOS computer, we have instructions for disabling your remote access here.)
You’re done! You’ve disabled remote access on your macOS.
It might sound paranoid or far-fetched to consider that someone would maliciously use remote access. But it’s not.
Security researchers actually discovered a vulnerability in Apple computers for enterprise companies that allowed them to hack a brand new Mac the first time it connected to Wi-Fi.
While remote access can be a convenient tool, enabling it all the time can increase your risk exposure. Because of that, companies may implement information security policies to give employees guidance on when they can use it.
We know that encryption is important for the protection of your data. And there’s no excuse since your Apple computer comes with tools to encrypt a hard drive in macOS.
When FileVault is on, your Mac will require that you login with your account password.
If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. For each user, click the Enable User button and enter the user’s password. User accounts that you add after turning on FileVault will be automatically enabled.
Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:
Encryption occurs in the background as you use your Mac, and only while your Mac is awake and plugged into AC power. You can check progress in the FileVault section of Security & Privacy preferences. Any new files that you create are automatically encrypted as they are saved to your startup disk.
When the FileVault setup is complete you’ll need to restart your Mac. You will use your account password to unlock your disk and allow your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up and no account is permitted to log in automatically.
Stuff happens, so don’t be that person who gets an unencrypted laptop stolen from their car which leads to 43,000 patients getting notified their information was stolen. Encrypting your devices is a low-effort way to boost your security.
This is the kind of best practice that many companies require employees to follow in their security policies and procedures. Vendor security questionnaires often ask about your encryption policy and practices.
Especially for B2B companies that are under scrutiny from enterprise customers or regulatory authorities, it’s important that all your employees encrypt their hard drives.
It’s important to routinely check your computer for viruses.
You may have been led to believe that you don’t have to worry about computer viruses on your Mac. And, to some extent, there’s truth to that. Although your Mac can still be infected with malware, Apple does have built-in malware detection and file quarantine capabilities. These are designed to make it less likely that you’ll download and run malicious software.
Apple introduced malware detection to the Mac OS starting with Snow Leopard (Mac OS 10.6). Because of this system, called File Quarantine (occasionally referred to as XProtect), apps that are known malware cannot be opened at all. Instead, you’ll see a message offering the option to toss the app in the trash.
To make sure your Mac malware database is always up to date you’ll want to verify that your Mac always automatically installs security updates and related system data files.
This should keep your Mac free from most malicious software, although it’s important to note that it does not make it impossible for malicious software to be installed on your Mac. So it’s always best to be cautious when downloading software from unknown sources.
And never, never click “install” or dismiss a warning message if something looks suspicious. You don’t want to run the risk of infecting your entire company with a virus that gets into your local network.
Protecting your Mac’s screensaver with a password is simple. Yet many users don’t think about doing it.
And boom! You’re finished! Now, the next time the screensaver is running you will be prompted for your Mac’s password before you can start using it. If these steps don’t match the macOS version you have, Apple has a support page you can check.
When you wake your computer or the screensaver comes on after you’re inactive, it might seem silly to have to enter in your password to get back in. But a little inconvenience for you means a lot of inconvenience for hackers or someone stealing your computer.
Yes, using a screensaver with a password is optional (unless your company has information security policies that require this setting), but it’s your choice to make yourself an easy target.
Password protecting your computer after a screensaver seems basic. And it is. But many people ignore little steps like this. That’s why company security policies are so crucial to communicate with employees. If your company requires all work devices to have passwords, that is a security policy that everyone should know and be held responsible for following.
This may even be a topic or policy that prospective business customers ask about in a vendor security questionnaire.
Each time we let our guard down, that leaves a new vulnerability in our computer system or even a company network. If you have a B2B company, lax security practices can ultimately lead to a poor cybersecurity posture that damages your sales.
Automatic login can be either a useful feature for devices in the workplace… or a vulnerability in your security program.
When you set up a new Mac or do a clean installation of a new version of macOS, the first thing you do is create a user account. That account is set, by default, to log in automatically at startup.
Convenient, right? Only if you’re working from home 24/7. If you use a laptop and travel for work, this can leave you at a big risk. This automatic login means that anyone who finds your Mac just needs to start it up. They now have access to all your files, including personal and internal emails, or customer data.
You can change this and tell macOS to display a login screen on boot instead. (We also have the steps to change this setting in MacOS too.) There are two ways to do this.
Alternatively, you can also change this setting from System Preferences, then clicking the Security & Privacy preferences. If you click on the General tab, you’ll see an option to Disable Automatic Login.
Setting your display to timeout is a great way to lessen the chances of someone accessing your device if it is left unattended. The inactivity notification is a configurable period of time during which the user can be inactive, after this period of time the device is locked and will require a password to log back in. Changing the setting will reduce the chances of anyone accessing your device if you step away from it for a moment and forget to lock or close the screen. Not only does this increase the security of your device but it can help increase battery life as well. The timeout should be set in accordance with the security policies of your organization.
This simple step is one of the many easy things you can do to make yourself more secure at work.
Before using a company device for non-business purposes or sharing it with another member of your family you should ensure that using a company device for other activities is permitted by your security policies. If it is permitted it is important to set up a specific account for these activities. Check that your company’s policy on acceptable use and their device management policy is in line with creating this account. These policies will outline what you can do with the device, as certain organizations will not allow you to use a company computer or personal activities.
When you get a new Apple laptop or desktop the setup assistant asks you for your name, a username and a password and uses this information to set up your first user account. This first user by default is an administrator meaning they have full access to your device. Administrator accounts can change or delete any file and install any software, which may be a risk if the software is malicious. A standard user account will have less access and depending on permissions can be very restricted by default. They can only use, change and create files in their home folder, access folders on shared volumes and depending on permissions, change settings to system preferences. To create a non-admin account click on:
While you are entering the information for this users account to ensure that it’s set to be a standard user account.
Every organization should have a password policy and when creating your account you should always follow this policy. It will ensure that you are using at least the minimum requirements as outlined by your organization. When creating your passwords for each account depending on the requirements and the number of applications you may have a large number of complex passwords to remember; especially if your password policy requires you to change them every month.
Passwords should never be written down as well so this can make things even more difficult. Using a password manager allows for the creation of complex unique passwords so they’re more difficult to crack and creates an encrypted way to store them so the process of entering them can become automated. There are a number of great tools out there for password managers. No matter what your needs are there should be one that fits your organization. along with using a password manager, two-factor authentication should be used when possible on all accounts that support your iCloud account. Two-factor authentication adds an extra level of security on top of your already complex password.
OSX updated the spotlight feature that is commonly used to search your device. the update allowed for suggestions from the internet to be included. these suggestions can be manipulated and allow for data to be tracked by third parties some of the data can be sent to Apple itself or third-party providers such as Microsoft Bing or Google search engine. to prevent this from happening or limit what appears on spotlight you should update these default settings:
Changing these settings will stop this from happening in Spotlight, However, Apple’s default browser Safari does the same thing. In order to stop this from happening in Safari click on:
Now, review your security and privacy settings. What applications are you sharing your personal location with? What do the apps you have installed have access to on your device? If you are unsure or want to prevent location data access you need to review your security and privacy settings.
Under the Privacy tab, you will see a listing of all applications and what they have access to on your Mac. Under location services, you can make any changes by logging in as an administrator and unchecking or checking the applications you would like to grant or revoke access to. From these services finally, never leave your computer unlocked and unattended. There’s a good chance it will not be there when you return or it could have been altered in some way without you knowing. Always lock your computer when unattended to keep private eyes from rubbing your information or taking your laptop.
Apple makes it easy to enable auto-updates for your macOS. It all happens in the background while you’re going about your day. Apple will never install an update without your permission, but they’ll make sure you don’t have to wait around your desk for hours when you want to install it.
It will only take you a minute or so to enable auto-updates on your Mac.
Easy as that! Now you’ll never miss an update on your Mac. You can also check Apple’s support guide about enabling updates, which may differ a little depending on the macOS version you are using. (Get the steps to enable auto-updates on a Mac 10 system here.)
It’s important to automatically update your operating system. Or if you need to do it manually, to check and hit update on a regular basis.
Some updates are for critical security reasons. Ignoring security updates leaves you vulnerable to known issues and cyber attacks. The devastating ransomware attacks in 2017, known as Petya and WannaCry, both targeted outdated computer software. It sounds scary, but there are actually some simple steps that will help protect you from ransomware.
You may even have an information security policy at your company that requires you to enable auto-updates. If half the computers at your company were taken down because they had outdated software, that would cause a major business disruption. And that’s not a far fetched scenario. It’s a serious risk that companies need to consider and mitigate.
Installing security updates is an easy way to protect yourself. Also your company and all your customers.
Hardening your Mac is a great first step into developing your security foundation. The next step is hardening your organization with our Startup Security Playbook. It provides tips and answers to common questions about information security programs.