The Ultimate Guide to Mac Security, Privacy, and Protection


Welcome to the ultimate guide to Mac security, privacy, and physical protection. Your data security and the privacy of your actions online are more and more important in the modern world.

Everyone has the right to protect themselves and should educate themselves on the necessary tools and tips. I wrote this guide using simple language, without fancy technical names, so that everyone can understand it and actually use the recommendations, tips, and tools described below.

If you are a serious Mac power user who codes or uses Terminal a lot, please head over to the drduh Mac security and privacy guide - it will be more relevant to you. If you don’t know what Terminal is or haven’t used it before, this guide is for you. So, how do you improve Mac security?

Four simple tips that will help you stay out of trouble instantly

The vast majority of security problems arise from bad habits when it comes to surfing the web or using emails.

Below is a very short list of things to remember all the time. If you do these, you will protect yourself enormously, without the need to change system settings or install any apps:

1. Don’t download and install software (or open any other file) from low-trust forums, warez websites, or websites claiming it’s a “free version” of otherwise paid software. Virtually everything downloaded from such websites will install some form of malware in your system, or will try to trick you into buying something or giving up your credit card info.
2. Be extra careful when websites ask you to download and install software. 99% of the time it’s malware.
3. Be careful when you click any suspicious link. Always check where it points to in the browser’s status bar (usually bottom left corner of the screen). If it’s overly complicated, strange, or not starting with https/http, it may lead to downloading an unwanted file or installing some unknown browser plugin.
4. Don’t click any links found in emails from strangers and don’t open any attachments if the file extension is exe, app, rar, zip, r00, 7z or similar. There are hundreds of email scams out there, where some government agency claims that you must view the attachment and take action. Thousands of people fall for these scams. The fact is, none of the government agencies, shipping carriers, or utility providers will email you out of the blue with a ZIP attachment.

Malicious email example

System preferences, web browsers & the best apps for security and privacy

Below is a list of system preferences, web browsers preferences and add-ons, and apps to consider for increasing your security and privacy. Remember, the more sensitive or important data you store on your computer, the more paranoid you should be. I know people underestimate many of these recommendations, but it’s better to take care of this now than to cry later.

Keep your system up to date and install all security patches immediately

Check the App Store for system updates and security patches regularly. You don’t need an Apple ID to do this. Don’t delay installing security patches - if they are available, it means your system is vulnerable right now.

App Store updates tab

Also check your most important apps in the App Store (or on their websites, if you installed them outside of the App Store), as they can have security weaknesses that attackers may use to steal or access your data.

If you are paranoid, consider subscribing to the Apple security-announce list.

Encrypt all data on your hard drive

Use the built-in FileVault tool to completely encrypt your hard drive. If your MacBook or desktop Mac is stolen, a thief won’t be able to decrypt your files without your Administrator account password or the recovery key.

FileVault

To enable disk encryption, you must go to the security preferences of your Mac OS. Where are Mac security preferences located? Go to the Apple menu and choose System Preferences. There, click on the Security & Privacy icon. Click on the FileVault tab. Click on Turn On FileVault… You will be asked to save the recovery key (really important!) and the encryption process will begin. Don’t worry, it won’t interfere with your work or slow down the computer. There is no change in performance whatsoever, yet your data is secured.

Use a separate system account for day-to-day work and for installing software and changing settings

When you’re launching your Mac for the first time, the Administrator account is created by default. Usually, it’s the only user account on the system, and it has a lot of privileges, which - if hacked - can give an attacker total access to your computer.

Consider creating another user account with basic privileges, and use that account for everyday work and entertainment. If hacked, an attacker can’t do much with your computer using this account’s privileges only.

New Mac user creation

To add another user, go to the Apple menu, System Preferences > Users & Groups tab. You may have to click on the yellow lock to make changes. Then click on the plus button to add an account. Choose the “standard” account type, provide its name and password (keep it strong), and click on Create User. You can now log in as the new user by going to the Apple menu and choosing Log Out [current user name]. The login screen will show up and you can choose the new user account there.

Consider creating backups

A backup is a copy of your data, which can be used to recover after your disk is damaged/stolen/cleaned out. Always encrypt first (e.g. using FileVault) before doing the backup.

To make backups, you will need an external hard drive with WiFi connectivity. Apple makes Time Capsule, which can be connected via AirPort to your Mac, but it can be any other disk with such functionality.

Once you have your backup disk in place, go to System Preferences > Time Machine and click on Select Backup Disk. Select your disk from the list, check the Encrypt Backups option, and click Use Disk. Finally, check the Back Up Automatically option to have backups made behind the scenes.

Setting up a backup disk in Time Machine

Two things to keep in mind: Time Machine backs up all your hard drive data, including all files. This can take up a lot of space on the backup disk. If you don’t want some files or folders to be included in the backup, click on the Options button and click on the plus button to add files/folders to exclude from the backup. The second thing is the Back up while on battery power option. By default, a MacBook will make a backup only while it’s connected to power via a cord. If you use your MacBook on battery a lot, it means backups will rarely be made. Check this option to ensure backups are made even if you use your MacBook on battery.

You can recover from an incident using a Time Machine backup. Restart your Mac, hit and hold Cmd+R while booting to enter the Recovery Mode. Select the first item in the tools list - Recover with Time Machine.

Set up a firmware password

The FileVault (disk encryption) recovery key can be read using the Direct Memory Access technique if an attacker has physical access to your computer. To prevent this, set up a so-called firmware password.

1. Restart your Mac, hit and hold Cmd+R while booting to enter the Recovery Mode.
2. Choose Firmware Password Utility from the Utilities menu.
3. In the window, select Turn On Firmware Password.
4. Enter the password and re-enter it in the Verify field.
5. Select Set Password and Quit Firmware Utility to close it.
6. Select the Apple menu and click on Restart or Shutdown to apply changes.

Firmware password

Your firmware password will be active at the next boot. If you want to verify that the firmware password is active and correct, launch the Terminal app (hit Cmd+Space to launch Spotlight and type “terminal”) and type:

$ sudo firmwarepasswd -verify

You will be asked to provide the password and if the response is “Correct”, everything is OK.

Use strong passwords, two-factor authentication, and a password manager

Use strong passwords everywhere. Use unique passwords for every service you use. Always use two-factor authentication if available (if your password gets stolen and cracked, an attacker won’t successfully log in as you, because he/she doesn’t have your phone with a verification code).

Because you must use strong and unique passwords, you have to have a way to store them securely (you can’t possibly remember them all). Use a password manager to store your passwords securely and generate strong passwords on the go.

You can use the built-in Keychain Access app to view and add login credentials. You can add a password by clicking on the + button.

Keychain Access app

Keychain is not very easy or fast to use; that’s why I recommend a third-party paid app - 1Password. It’s super efficient, fast and easy to use. Combining it with a web browser extension, you can log in and save credentials with one click. 1Password also allows you to share your passwords between various devices (e.g. MacBook and iPhone). I love it and use it in my business to store every password or recovery key.

1Password's strong password generator

Use a firewall

A firewall is a tool to block unwanted internet connections, which can be used by attackers to upload malware to your computer and launch it remotely.

Use the built-in Firewall utility. Go to System Preferences, click on Security & Privacy, and go to the Firewall tab. If your firewall is turned off, turn it on.

Mac firewall settings

Click on the Firewall Options button (if it’s greyed out, click on the yellow lock and provide an Administrator password to access these settings). In Firewall Options, turn on the Stealth mode. This way you’ll not only block all incoming connections (with exceptions listed in the white box - in my case it’s Dropbox and Ruby), but your Mac also won’t respond to pings (something like an internet version of “hello”) from unknown sources scanning networks to find vulnerable computers.

If you want more control over what connects to your Mac and what tries to connect from it to the internet, you can use a third-party firewall app, like Little Snitch.
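The FileVault, firmware password and firewall settings described above can also be checked from Terminal in one pass. The script below is an added example, not part of the original guide; it uses the built-in fdesetup, firmwarepasswd and socketfilterfw tools, and the exact stealth-mode wording it matches is an assumption, since that message differs between macOS releases.

```sh
#!/bin/sh
# Added example (not from the original guide): report whether the settings
# recommended above are in place. Each check_* function takes the text a
# macOS tool printed and echoes PASS, FAIL or UNKNOWN.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw   # built-in firewall CLI

check_filevault() {   # $1: output of `fdesetup status`
    case "$1" in
        *"FileVault is On"*)  echo PASS ;;
        *"FileVault is Off"*) echo FAIL ;;
        *)                    echo UNKNOWN ;;
    esac
}

check_firewall() {    # $1: output of `socketfilterfw --getglobalstate`
    case "$1" in
        *"State = 0"*|*disabled*)   echo FAIL ;;
        *"State = "[12]*|*enabled*) echo PASS ;;
        *)                          echo UNKNOWN ;;
    esac
}

check_stealth() {     # $1: output of `socketfilterfw --getstealthmode`
    # Wording differs between macOS releases; both forms below are assumed.
    case "$1" in
        *"tealth mode enabled"*|*"tealth mode is on"*)   echo PASS ;;
        *"tealth mode disabled"*|*"tealth mode is off"*) echo FAIL ;;
        *)                                               echo UNKNOWN ;;
    esac
}

check_firmware() {    # $1: output of `firmwarepasswd -check` (needs root)
    # Anything else (tool missing, not root, unsupported Mac) is UNKNOWN.
    case "$1" in
        *"Password Enabled: Yes"*) echo PASS ;;
        *"Password Enabled: No"*)  echo FAIL ;;
        *)                         echo UNKNOWN ;;
    esac
}

audit() {             # $1..$4: the four tool outputs, in the order above
    printf '%-22s %s\n' "FileVault encryption" "$(check_filevault "$1")"
    printf '%-22s %s\n' "Firewall"             "$(check_firewall "$2")"
    printf '%-22s %s\n' "Stealth mode"         "$(check_stealth "$3")"
    printf '%-22s %s\n' "Firmware password"    "$(check_firmware "$4")"
}

if [ "$(uname -s)" = "Darwin" ]; then
    # Live audit. firmwarepasswd only answers when run as root.
    if [ "$(id -u)" -eq 0 ]; then
        fp=$(firmwarepasswd -check 2>&1 || true)
    else
        fp="not run as root"
    fi
    audit "$(fdesetup status 2>&1 || true)" \
          "$("$FW" --getglobalstate 2>&1 || true)" \
          "$("$FW" --getstealthmode 2>&1 || true)" \
          "$fp"
else
    # Constructed sample output, so the script also runs off a Mac.
    audit "FileVault is On." "Firewall is enabled. (State = 1)" \
          "Stealth mode disabled" "Password Enabled: No"
fi
```

Run it with sudo so the firmware password line can be checked; without root that line reports UNKNOWN.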

Store important data in the cloud

It’s a good idea to share/store some or all important files in a cloud service. Not only is it then accessible from multiple devices (or by multiple coworkers), it also serves as a backup, and you can still access it when you don’t have access to your Mac (for example, when it’s in repair).

I worked with a few cloud storage services over the past 5 years and I can recommend Dropbox. It’s the fastest and most intuitive service available in my opinion, with a free plan and an affordable paid plan with 1TB space. The account can easily be shared, so multiple devices or persons have access to the same files. Uploading, moving and deleting files takes place in Finder, and it looks like any other normal operation performed on files and folders. Other services, like Box, iCloud and Google Drive, make these things more complicated, unfortunately.

Use Find My Mac app

If your Apple device ever gets lost or stolen, you can track it in the Find My Mac app on iPhone, iPad, or via this iCloud page.

iCloud settings to enable Find My Mac

To enable it, install the Find My Mac app from the App Store. Then, go to the iCloud section of System Preferences, log in if necessary, and from the list on the right check Find My Mac. This allows your Mac to broadcast its location to all devices with your iCloud account logged in. When you find your Mac, you can then take action, e.g. lock it or erase all data remotely.

Find My Mac app on iPhone

Don’t disable guest account

According to Apple: “The guest account works with the Find My Mac feature of iCloud, which can help you find your Mac if you lose it. You can locate your Mac if someone finds it, logs in as a guest, then uses Safari to access the internet.”

In a way, by leaving the guest account alone, you’re “helping” a potential thief to be found. Also, if you share your Mac with your family or friends, you can log them in to the guest account without the worry that they will break something.

Disable Spotlight/Safari suggestions

If you don’t want to share your search history with Apple, disable Spotlight suggestions and/or suggestions inside Safari browser. Consider disabling Siri on newer MacBooks. If you don’t do this, each time you type something into search (or say something), it’s sent over to Apple servers.

To disable Spotlight suggestions, go to System Preferences > Spotlight and turn off the Allow Spotlight Suggestions in Look up option.

Spotlight suggestions settings

To disable Safari suggestions, launch Safari and from the Safari menu choose Preferences. Go to the Search tab and turn off the Include Safari Suggestions option.

Safari suggestions options

Use a secure web browser securely, with proper settings

Use a professionally maintained, frequently updated web browser - Chrome, Firefox or Safari.

A web browser is by far the most dangerous place when it comes to the security of your Mac because its primary job is to download and run untrusted code from the Internet on your machine. I mentioned earlier what not to download and click in web browsers, so here I will focus on browser settings that can lower the risk of getting hacked.

Chrome

To access settings, click on the three vertical dots icon on the right side of the top bar. From the menu choose Settings. Scroll to the bottom of the page and click on the Advanced link.

Settings to set:
1. Protect you and your device from dangerous sites - ON
2. Send a "Do Not Track" request with your browsing traffic - ON (some websites will respect that and won’t follow you with your pages viewed path).
3. Auto-fill Settings: Auto-fill forms - OFF (this will disable automatic logins, not great if someone steals your Mac, so you will have to log in manually or using a password manager).
4. Manage passwords: Offer to save passwords - OFF (you’d be better with a password manager to handle login credentials).
5. Content Settings: Location, Camera, Microphone, Notifications, Flash, Automatic downloads, Unsandboxed plugins access, Handlers, USB devices, Clipboard - Ask first (you don’t want to give access to these by default, but you’ll want to enable them on a per-website basis; for example, you might give access to your location on Google Maps, but does your bank website really need that?).

You can safely browse the web by choosing Incognito mode (Cmd+Shift+N) if you are not logging in to any service.

Safari

Safari browser is pretty safe by default. You can tweak some things though. Go to Safari menu and choose Settings. Go to Privacy tab and check the Ask websites not to track me option. You can also go to Websites tab to manage what websites have access to your location, camera, microphone etc. Make sure you have “Ask” chosen on the When visiting other websites option.

Safari location access settings

You can safely browse the web by choosing Private Window (Cmd+Shift+N) if you are not logging in to any service.

You can also install a safe ad blocker for Safari.

Firefox

Firefox is secure by default. If you want to change default settings, go to the Firefox menu and choose Preferences. On that page, click on the Privacy and Security tab on the left sidebar.

You can safely browse the web by choosing Private Window (Cmd+Shift+N) if you are not logging in to any service.

Be careful when using web extensions or plugins

Don’t install Adobe Flash, Microsoft Silverlight, Oracle Java and/or Adobe Reader plugin. These have had security flaws and holes for years. Adobe Reader can be handy if you work with PDFs a lot. I’ve never had any issue personally with this plugin, but I don’t download any suspicious PDFs from the web.

Check for HTTPS

Always check whether a website you’re visiting is using a secure HTTPS connection. If not, consider not visiting it. It’s radical, but we’re living almost in the 20s of the 21st century and not providing a secure connection at all times is just unacceptable. Consider using the HTTPS Everywhere extension, which will switch to the https version of any website, if available.

HTTPS green lock

Consider creating separate user profiles

Browsers offer user profiles. Most likely you’re using the default one, without even noticing. Profiles can be used to separate settings, extensions and browsing behavior, depending on the person or current needs. Consider creating two profiles: one for browsing trusted websites (like banking, email) and one for the general web (with increased-to-paranoid security settings).

Use Incognito mode in Chrome, Private Window in Safari and Firefox

If you’re just browsing the web or doing online research, use incognito/private window. While in it, the browser does not use your previous sessions’ data. It literally treats you as a first time user. It’s also a good option if you want to search something on Google without biasing results with your search history. What’s more, all extensions and plugins are turned off in incognito/private window mode.

Consider encrypting emails

If you share sensitive or confidential data over email, consider encryption. PGP is a standard for encrypting email end to end. Only the legitimate recipients can decrypt a message, unlike regular email which is stored by providers (like Gmail) in open text format forever.

Use GPG Suite for encrypting emails and/or files.

You can also use encrypted email service, like ProtonMail.

Consider using VPN

If you want to access an internal business network, encrypt your web browsing, or seem like you’re connecting to a website or service from another place in the world, use a Virtual Private Network (VPN).

It’s like a middleman in the world of the Internet. You connect to a VPN provider, and then you connect to the final website or network. Effectively, this will also allow accessing sensitive data over public WiFi, because you’re connecting to the VPN using public WiFi, and then you're securely accessing sensitive data over the VPN network.

To set up a VPN on a Mac, you’ll first need to sign up with one of the VPN providers. Once you have the VPN IP address, your name and password, and connection type (L2TP or PPTP), you can set things up on your Mac.

Protect against malware

Macs aren’t immune to viruses and malware. Consider using MalwareBytes for Mac to scan for common malware. Frankly speaking, you don’t need antivirus software if you have your common sense in place. Besides, every antivirus is simply slowing down your system.

Use BlockBlock to be warned if an app wants to install itself

If you want to control what is installed on your system in the background, consider using the BlockBlock app. This way you can detect malware as it’s trying to install itself and - hopefully - prevent it.

Show file extensions in Finder

It’s a good idea to show file extensions in Finder. This way, you won’t be opening files with a hidden or unknown extension. To enable this, open Finder and go to the Finder menu, then choose Preferences. Go to the Advanced tab and check the Show all filename extensions option.

Finder settings

Put tape over your webcam

It’s not funny. Even the FBI or Mark Zuckerberg does this. It’s the best protection against some software using your camera. If you want something fancier than plain tape, some businesses offer decorative camera stickers as extras shipped together with their products; for example, Keyshorts offers such stickers as extras with its decorative or bilingual keyboard stickers.

Remove unused WiFi networks

Your Mac remembers WiFi networks it has connected to in the past. It will broadcast all network names it remembers each time it looks for a network. Make sure to delete networks you’re not using anymore (for example, airport/hotel networks).

To do this, go to System Preferences > Network, choose your WiFi network from the list on the left, and click on the Advanced… button. On the Preferred Networks list, you’ll see all WiFi networks your Mac ever connected to. Select a network and click on the minus button to delete it.

WiFi remembered networks settings

Never access confidential services (like a bank) over public WiFi

Public WiFi either has no password to join (so everybody can use it) or has a password many people have access to. Attackers can set up listening devices and gather all data sent over such a public network, including your logins and credit card information.

In such a situation, you have three solutions:
1. Simply don’t access sensitive data/websites.
2. Use VPN as described earlier.
3. Set up a personal hotspot with your iPhone, so your Mac will use iPhone cellular network connection instead. Go to your iPhone’s Settings app, choose Personal Hotspot and enable it. Set up a strong password and connect to that network from your Mac (usually it will be named something like “Jack’s iPhone”). Such a connection is secure and lifesaving if there’s no WiFi around.

Personal hotspot settings on iPhone

Use a disposable email address when signing up for services

If you are using one email address for signing up to websites or services, you will accumulate messages and spam over the years.

A disposable email address is handy if you just want to sign up for a service and just use it. Even if such a service or website eventually shares your email with some third party, or sends you unwanted messages, it’s no problem.

The most popular services of this kind are Nada and Guerrilla Mail.

Disable location services if not needed

Some services will try to use your location. Most of them will do that for legitimate reasons, like showing your location on a map. You can control which apps have access to your location. Go to System Preferences > Security & Privacy, Privacy tab. Select Location Services on the left and examine the app list on the right. You can uncheck any service you don’t want to have access to your location.

Mac location services settings

Check whether and what you are sharing over the network

A Mac can share various services over Bluetooth or WiFi, for example, access to a printer, screen, internet connection, and remote login. You can check which of these are turned on (they are all turned off by default) and change settings if necessary.

Go to System Preferences > Sharing to see what’s shared and with whom.

Mac network sharing settings

Common Mac security issues and problems

Mac security on public WiFi

Public WiFi is suitable for checking news or weather, not for anything where you must log in. Use either a VPN or personal hotspot in such situations.

Cannot install software

By default, you can only install apps downloaded via the App Store. Apple takes this radical approach to protect its users, but if you do something more than the usual tasks, this can be limiting.

Go to System Preferences > Security & Privacy, General tab. You will most certainly have to unlock the lock and provide an administrator password to continue. Once the Allow apps downloaded from section isn’t greyed out, switch from the App Store option to App Store and identified developers. This will allow you to download software from a website and install it.

Mac installing apps outside of App Store

Physical security and protection in work, travel, dorm, university

Most vulnerabilities and dangers to your Mac come from the web. There are still some things to consider when it comes to plain old physical security. Your Mac isn’t totally secure just because you changed a few settings and you don’t click on suspicious links.

Don’t leave your Mac unattended

Try to keep your Mac (most importantly a MacBook) physically secure at all times. It’s common sense not to let strangers have access to your stuff, especially stuff that is this expensive and important. Don’t leave your Mac unattended in a hotel, airport, coffee shop or dorm room, even for a few minutes.

Someone with skills and physical access to your Mac can infect it by using a USB dongle or other devices and steal your passwords, which can then be used to remotely access your data.

If you must, take precautions

Use the usbkill software to shut down your MacBook immediately if a new USB device is plugged in. It secures your device against the attacks described earlier.

Require a password immediately after sleep or screen saver begins. To set this up, go to System Preferences > Security & Privacy, General tab. Change the Require password option from the default 1 Minute to Immediately.

Consider buying a privacy filter for your screen, so any person behind you won’t be able to see what you do.

You can also consider a MacBook lock, which literally locks down your laptop, so it can’t be opened.

Protect your Mac from scratches, stains, and dust

You can protect your Mac against remote and physical attacks, but accidents happen and you can damage your laptop by scratching it or spilling your drink over the keyboard, which can lead to dramatic results. Such accidents can damage your Mac in a similar way to digital threats, effectively cutting you off from your data.

To protect against scratches, corrosive or greasy stains, and dust, you can consider MacBook vinyl skins and/or plastic cases. Both of these products will beautify your device and make it more personal while offering more or less physical protection. Who likes to have his/her Mac scratched all over the place? Your MacBook can serve you longer if you protect it right.

Keyshorts MacBook skins

Best MacBook skins are made of durable, high-quality vinyl with fully removable glue. They come with a few different finishes and vibrant artworks, like marbles, galaxies, Van Gogh paintings and so on. They protect from minor scratches, stains, and dust.



Best MacBook cases are made of thin and lightweight plastic, covering top lid and bottom lid together with laptop sides. Avoid cheap ones, because they break easily and have an uneven surface. If you don’t like the plastic look, consider case + vinyl skin combo, which combines the pros of both MacBook cases and vinyl skins.

To secure your MacBook in transit, you can also consider a good sleeve made of neoprene, but the plastic case should be enough.

To protect your keyboard from scratches, letters wearing off and dust, consider keyboard stickers or silicone covers (although covers can be troublesome).

MacBook keyboard stickers

Conclusion

I hope this article answered all your questions regarding Mac security, privacy, and physical protection.

If you have any questions or have a great tip not included here, please let me know in the comments. If you think this is a really useful guide, it would mean the world to me if you share it using the buttons below :) Thanks!

Banner photo by Mia Baker on Unsplash.


Sebastian Kończak

Multi-discipline man and co-founder at Keyshorts and order management software Ordee. I write about working from home, productivity hacks, e-commerce, keyboards, and Adobe tutorials.
