How to Make Your Mac As Secure As Possible
In a recent blog post entitled “Making macOS more secure,” Ricard Bejarano offers an extensive list of settings you can tweak to make macOS as secure as possible. This is a comprehensive list of tasks, and we love it, but it’s also important that you understand the “why” behind its recommendations. Here are some of his top tips, with explanations of why you would set up, install, or modify your Mac in this way:
System Preferences is your new best friend
Ricard’s tip: “Keep your system up to date, both macOS and installed software.”
Apple releases frequent security updates and often provides quick fixes for new threats. Keeping your software up to date is an important part of your system’s security, and not everyone regularly checks system settings for the latest updates. If you are not using macOS Mojave, you should check Software Update frequently. Put a reminder on your calendar to do this, even if only once every two weeks.
And if you are on Mojave, you can set Mac updates to install automatically. Go to System Preferences > Software Update and select the Automatically keep my Mac up to date checkbox. If the checkbox shows a dash instead of a check mark, open Advanced and make sure all checkboxes are selected (especially Install system data files and security updates).
Use two accounts instead of one
Ricard’s advice:
- “Create an administrator account with a strong password and no prompts. This user is for administrative purposes only.”
- “Go to System Preferences > Users & Groups and create an unprivileged user account for day-to-day use, which Apple considers best practice.”
It might seem a little odd to create two accounts for yourself when you only use one most of the time, but it’s a great way to make your system more secure for day to day use.
Create an administrator account with a strong password that you will use whenever you need to change software, update keychains, etc. Then set up a separate, unprivileged account to use as your default account, which places some restrictions on installing software or using certain “power user” applications (e.g., for automation).
This limits your exposure by limiting your options. (And you can always use your administrator account with its super secure password to approve actions that your user account is locked out of by default.)
Allow apps from identified developers too
Ricard’s tip: “Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store and identified developers.”
While the App Store offers the best app security (in most cases), many of your favorite apps can be obtained directly from third-party developers. “Identified developers” means that the creator of the app used code signing, an Apple-regulated process that requires developers to have Apple accounts and provide apps that are authenticated.
This is not a reliable security measure as anyone can get a developer account and sign their app, but Apple can revoke a developer certificate if it detects malware activity or other violations in their apps. If you only want to run apps that Apple itself has tested and approved, select only “App Store”, but we and Ricard think you can enable “identified developers” as well.
Protecting your privacy
Ricard’s tip: “Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: this may take a while).”
FileVault is Apple’s built-in method for encrypting your data, which protects it from other people’s access if they have physical access to your system. There’s really no good reason not to use FileVault – it won’t affect your system’s performance as long as you’re using something new enough (within the past few years or so).
You also need to make sure that your backups (you’re backing up, aren’t you?) are encrypted and password protected, whether you’re doing a Time Machine backup or sending data off to a cloud service. Luckily, most popular backup services automatically encrypt the data you send. Make sure you choose a strong password (and use two-factor authentication if possible).
Maybe don’t share your location with all apps
Ricard’s tip: “Go to System Preferences > Security & Privacy > Privacy > Location and uncheck the Enable location services box.”
Location services is an area where you must sacrifice convenience in exchange for privacy. Do you want Spotlight (and Siri) to offer suggestions based on where you are? If you type “weather” in Spotlight, do you want a local forecast? These are pretty harmless use cases, but there are other apps that can use location services for more nefarious purposes. And do you really want some random developer (or company) to know where you are when you use their applications on your system?
Stop your Mac’s suggestions
Ricard’s tip: Go to System Preferences > Spotlight > Search Results and deselect Spotlight Suggestions and Allow Spotlight Suggestions on Search.
The related privacy issues came up quickly when Spotlight suggestions were introduced in OS X Yosemite. Spotlight queries send limited personal information not only to Apple, but also to Microsoft’s Bing search engine. From Apple’s privacy statement:
When you use Spotlight, your searches, your chosen Spotlight suggestions, and associated usage data will be sent to Apple. Search results found on your Mac will not be sent. If location services are enabled on your Mac, when you perform a Spotlight search, your Mac’s location at that time will be sent to Apple. Search results for common words and phrases will be redirected from Apple to Microsoft’s Bing search engine. These searches are not stored by Microsoft. Location, search, and usage information sent to Apple will only be used by Apple to make Spotlight offerings more relevant and to improve other Apple products and services.
If you’re using Safari, you’ll also need to go to Preferences > Search in your browser and uncheck the box next to Enable Spotlight Suggestions.
Safe surfing with different DNS
Ricard’s advice: “Go to System Preferences > Network > Advanced > DNS, add two records to DNS servers for 1.1.1.1 and 1.0.0.1 and delete any other server.”
Ricard’s post has a complete list of ways to configure your web browser for security and privacy. Another point that deserves further explanation is the use of third-party DNS resolvers. Ricard recommends 1.1.1.1 (Cloudflare’s service) and 8.8.8.8 (Google’s service). Both Cloudflare and Google have their own secondary addresses, and there are additional options like OpenDNS.
Third-party DNS is a better choice than your ISP’s because it will likely be (slightly) faster. Typically, third-party DNS records are updated more frequently and take less time to find the domain you are looking for. You can check the performance of your ISP’s DNS (as well as that of any new DNS service you choose) using a tool like Domain Name Speed Estimator.
More importantly, the servers listed above (Cloudflare, Google, OpenDNS) offer protection against phishing and better protection against things like DNS poisoning, spoofing, and DDoS attacks. All of the DNS servers listed offer either DNSSEC or DNSCrypt, security features that protect your requests from being snooped, intercepted, or redirected.
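Several of the settings above can be verified from Terminal after you change them. The script below is an added example, not taken from Ricard’s post or this article: it checks FileVault, Gatekeeper, whether the current user is in the admin group, and whether the DNS servers match the two addresses in the tip. The function names and the default network service name "Wi-Fi" are assumptions.

```shell
#!/bin/sh
# Each check_* takes command output as text, so it can be run on samples.

# `fdesetup status` prints "FileVault is On." when disk encryption is enabled.
check_filevault() {
  case "$1" in *"FileVault is On"*) echo PASS ;; *) echo FAIL ;; esac
}

# `spctl --status` prints "assessments enabled" when Gatekeeper is active.
# It does not say whether "identified developers" is also allowed.
check_gatekeeper() {
  case "$1" in *"assessments enabled"*) echo PASS ;; *) echo FAIL ;; esac
}

# The day-to-day account should not appear in the admin group (`id -Gn`).
check_unprivileged() {
  for g in $1; do
    if [ "$g" = "admin" ]; then echo FAIL; return; fi
  done
  echo PASS
}

# Every configured DNS server ($1) must be in the allow-list ($2).
# An empty list, or the "There aren't any DNS Servers" message, fails.
check_dns() {
  servers=$1; allowed=$2
  [ -n "$servers" ] || { echo FAIL; return; }
  for s in $servers; do
    case " $allowed " in *" $s "*) ;; *) echo FAIL; return ;; esac
  done
  echo PASS
}

audit_mac() {
  svc=${1:-Wi-Fi}   # network service name; "Wi-Fi" is an assumed default
  echo "FileVault:    $(check_filevault "$(fdesetup status 2>/dev/null)")"
  echo "Gatekeeper:   $(check_gatekeeper "$(spctl --status 2>&1)")"
  echo "Unprivileged: $(check_unprivileged "$(id -Gn)")"
  echo "DNS ($svc):   $(check_dns "$(networksetup -getdnsservers "$svc" 2>/dev/null)" "1.1.1.1 1.0.0.1")"
}

# Run the live audit only on macOS; elsewhere only the functions are defined.
if [ "$(uname)" = "Darwin" ]; then audit_mac "$@"; fi
```

Run it from the unprivileged account; pass a different service name (for example Ethernet) as the first argument if you are not on Wi-Fi.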