How to Get a Mac as Secure as Possible

Introduction

The Mac has been built from the ground up to provide excellent security. This guide will assist you in enabling these security features as well as help you with the setup and configuration process. You must be an administrator of your Mac to perform these tasks.

Security Overview

This guide will cover the following topics:

  • Using strong passwords
  • Gatekeeper
  • FileVault
  • Automatic updates
  • Setting up backups with Time Machine

Select Password

Wherever possible, you should pick a password that is impossible to guess and is also resistant to brute-force attacks.

Some devices or systems do not allow special characters or they may have their own requirements.

Password Dos and Don'ts

Dos
  • Passwords should be long, 8-12 characters or more.
  • Passwords should be something easy for you to remember, but hard for others to guess or look up.
  • Passwords should have lots of different character types: upper and lower case letters, numbers, and symbols.
  • Replacing letters with symbols is a simple way to achieve this: use @ for a, and ( for c, for example.
  • Passwords are personal; most services have a way to create a 'linked' account or share services with trusted friends and family.
  • Change passwords regularly, every 90 to 180 days; this helps keep your accounts from being compromised long-term.
  • If you must write down a password or make note of it, do so only in specially designed programs, or keep and hold the physical copies with the same care and respect you would a social security card or birth certificate. Remember: anyone with your password "is you".

Don'ts
  • Don't use short passwords; computers can guess them very easily.
  • Don't use a common word you can find in a dictionary.
  • Don't use information that can be looked up or guessed, such as a birthday, anniversary, or pet's name.
  • Don't use the same password for everything. If one password is compromised, every account that uses that password is compromised.
  • Don't share passwords. People with your password "are you" to a computer system or a service.
  • Don't keep the same password forever. Assume that, at some point, it will be guessed, seen, or otherwise compromised, and it must be changed.
  • Don't write down passwords in the open, or save them in non-encrypted files on your computer.

It’s important to change your login password from time to time to protect your privacy.

  1. Open the Apple menu, and select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Select Users & Groups.
    Users and Groups Preferences
  3. Select Change Password.
    Users and Groups Preferences with Change Password highlighted.
  4. Enter your current password in the Old Password field, then enter your new password in the New Password field, then enter it again in the Verify field.
    Change Password dialog with Old Password, New Password, and Verify highlighted.
    For help choosing a secure password, select the Key button next to the New Password field.
  5. If you want, you can enter a Password Hint to remind you in the future what you used as a password.
    The hint appears if you enter the wrong password three consecutive times, or if you click the question mark in the password field in the login window.
  6. Select Change Password.
    Change password dialog with Change Password highlighted.

This only applies to the newer MacBooks with the Touch Bar along the top. If you do not have a Touch Bar, it is okay to skip this step.

The Touch Bar, along the top of your MacBook Pro, not only provides a convenient way to access functions and menus in your favorite apps, but also provides an extra, convenient security option.

  1. Your Touch ID button is on the far right-hand side in the top corner of your laptop's keyboard.
    MacBook Pro
    MacBook Pro Keyboard with Touch ID key highlighted.
    MacBook Air
    MacBook Air with TouchID key highlighted.


  2. Open the Apple menu, and select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  3. Select Touch ID.
    Touch ID
  4. Select the big plus sign to add a new fingerprint.
    Touch ID Preferences with Add a fingerprint highlighted.
  5. Follow the instructions on the screen to add your fingerprint to Touch ID.
  6. Once your fingerprint is added, you can select to use your fingerprint to Unlock your Mac, for Apple Pay, and for iTunes & App Store purchases using the check boxes below.
    Touch ID Preferences with options highlighted.

Touch ID does not replace your password; rather, it is added to it. Do not forget your password. You will need it in other places where Touch ID won't help.

A Lock Screen will help ensure that only you can use your computer, keeping your data safe. You will need to set up the Lock Screen first, then set up when the Lock Screen is used.

Setting up Lock Screen

  1. Choose Apple menu > System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Choose Security & Privacy.
    Security and Privacy Preferences
  3. Unlock Security & Privacy Preferences by selecting the Lock in the bottom-left corner.
    Security and Privacy Preferences with Lock highlighted.
  4. Enter your Mac's password, and select Unlock.
    Unlock prompt with password and Unlock highlighted.
  5. On the General tab, place a check next to Require password and set the timer to something you are comfortable with; five minutes is the default. Place a check next to Disable automatic login.
    Security and Privacy preferences with Require password and Disable automatic login highlighted.

Set when Lock Screen is used

  1. Choose Apple menu > System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Choose Desktop & Screen Saver.
    Desktop and Screen Saver Preferences
  3. Select Screen Saver at the top. Pick a Screen Saver you like from the list on the left, and choose a time at the bottom. 20 minutes is the default.
    Desktop and Screen Saver Preferences with Screensaver Tab, screensaver selection, and Start after highlighted.

Hot Corners

Hot Corners lets you instantly activate your screen saver by moving your mouse cursor into a corner of the screen that you choose.

  1. To configure this feature, select Hot Corners... in the bottom-right.
    Desktop and Screen Saver Preferences with Hot Corners highlighted.
  2. Select Start Screen Saver for one of the 4 corners, and select OK to exit Hot Corners setup.
    Hot corners with Start Screen Saver and OK highlighted.

Some apps downloaded and installed from the Internet could adversely affect your Mac. Gatekeeper helps protect your Mac from such apps. When Gatekeeper is enabled, it will only allow trusted apps to be installed.

The most reliable place to get apps is from the Mac App Store as Apple reviews each app before it's accepted by the store. If there's ever a problem with an app, Apple can quickly remove it from the store.

For apps that are downloaded from places other than the store, developers can get a unique Developer ID from Apple to digitally sign their apps. This ID allows Gatekeeper to block apps created by malicious developers and verify that apps haven't been tampered with since they were signed. If the app has no Developer ID or it has been tampered with, Gatekeeper can block the app from being installed.

To set up Gatekeeper:

  1. Open the Apple Menu, and select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Select Security & Privacy.
    Security and Privacy Preferences
  3. Select the Lock icon in the bottom-left corner.
    Security and Privacy Preferences with Lock icon highlighted.
  4. Enter your Mac's password and select Unlock.
    Password prompt with password and Unlock highlighted.
  5. On the General tab, there are two options for Gatekeeper.
    Security and Privacy Preferences with Gatekeeper options highlighted.
    • App Store: Only apps that came from the Mac App Store can open.
    • App Store and identified developers: Only apps that came from the Mac App Store or from developers who sign their apps with a Developer ID can open. This is the recommended setting; it gives you the flexibility to install apps but helps keep you safe.

Exempt an App from Gatekeeper

  1. In Finder, Control-click or right-click the icon of the app.
  2. Select Open from the top of the contextual menu that appears.
    screenshot of Finder menu for an app with open highlighted
  3. Click Open in the dialog box. If prompted, enter an administrator name and password.
    screenshot of dialog for an app requesting permission to run

For the best security, we recommend keeping all apps and the operating system up to date.

macOS Operating System

  1. Open the Apple menu, and select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Select Software Update.
    Software Update Preferences
  3. Any updates for the macOS Operating System will be shown here. Make sure Automatically keep my Mac up to date is checked.
    Software Update Preferences with Automatically keep my Mac up to date.

Apps

  1. Select the Apple Menu, then App Store.
    macOS Mojave Apple Menu with App Store highlighted.
  2. Select the App Store menu, then Preferences.
    App Store Menu with Preferences highlighted.
  3. Make sure Automatic Updates is checked.
    App Store Preferences with Automatic Updates highlighted

MacBook, MacBook Pro, and MacBook Air must have the power adapter plugged in to automatically download updates.

A firewall can help keep other computers from connecting to your Mac when you don't want them to, such as when you're on the Internet or a network. However, it will still allow you to browse the web using Safari, for example.

  1. Open the Apple menu, then select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Select Security & Privacy.
    Security and Privacy Preferences
  3. Unlock Security & Privacy Preferences by selecting the Lock in the bottom-left corner.
    Security and Privacy Preferences with Lock highlighted.
  4. Enter your Mac's password, and select Unlock.
    Unlock prompt with password and Unlock highlighted.
  5. Select the Firewall tab at the top, then select Turn On Firewall.
    Security and Privacy Preferences with Firewall tab and Turn On Firewall highlighted.
  6. Select Firewall Options.
    Security and Privacy Preferences, Firewall tab, with Firewall Options highlighted.
  7. By default, the Firewall is configured to allow most signed apps (those from Apple and trusted parties), and block unsigned apps. This will allow you to use your computer normally, and give you good protection from most threats. Just make sure the only two options selected are "Automatically allow built-in software to receive incoming connections" and "Automatically allow downloaded signed software to receive incoming connections". Select OK when done.
    Firewall Options with Built-In software and Sign Software highlighted.

Keychain Access is an app for macOS that stores and manages your passwords for other programs, such as your web browser, Safari.

The idea is to allow you to avoid password reuse. You can use a different password for each website or place, and Keychain Access will store them, and automatically fill them in for you.

Your Keychain password cannot be recovered. If you forget it, you have to reset your keychain to empty and start again.

To open Keychain Access

  1. Select Finder from your Dock, then open the Go menu and select Utilities.
    Finder
    Finder menu with Go and Utilities highlighted.
  2. Select Keychain Access.
    Keychain Access
  3. From here, you can see and edit your saved passwords, and make secured notes that are only visible to you.
    Keychain Access

Safari, the default web browser for macOS, offers great security by default, but there are a few things that you can change to make it more secure while keeping it easy to use.

  1. Open Safari from your Dock, and select the Safari menu at top, then choose Preferences.
    Apple Safari.
    Safari menu with Preferences highlighted.
  2. Choose General at the top. Make sure Safari opens with is set to A new window, to prevent malicious pages from loading when you start your browser. Make sure the Homepage is a page you want and recognize. You may wish to change how often History items are removed. Also, if you regularly use your computer in public, it is a good idea to change Top Sites to something lower, so others looking over your shoulder can't see where you go.
    Safari Preferences General Tab with Opens With, Homepage, History, and Top Sites highlighted.
  3. Choose AutoFill at the top. If you do not want Safari to automatically fill in some of your data, remove the check mark here.
    Safari Preferences with Autofill tab and settings highlighted.
  4. Choose Passwords at the top. Sign in with your Mac's password and press Return.
    Safari Preferences password tab with Password entry highlighted.
  5. You can choose not to let Safari fill in your passwords. You can also edit saved passwords, and remove any that you do not recognize or that are for websites you don't use.
    Safari Preferences Passwords tab
  6. Choose Search at the top. Make sure the Search engine is one you recognize and trust. Verify quick website search doesn't remember any pages you don't want it to by clicking Manage Websites... on the right.
    Safari Preferences Search tab with Search Engine and Manage Websites highlighted.
  7. Click Security at the top. Make sure the check box for Fraudulent sites is selected.
    Safari Preferences Security tab with Fraudulent Sites highlighted
  8. Click Privacy at the top. Cookies are used to perform most logins, so it's not advisable to block all of them, but choosing to allow only from websites you visit is best. Click Manage Website Data... to review cookies currently on your computer, and remove ones you do not want or recognize. You can also set the 'Do not track' option here, which asks websites not to track you.
    Safari Preferences Privacy tab with Website Tracking and Manage Website Data highlighted.
  9. Click Websites at the top. From here, the different features of your browser are in the list on the left. Choose each, and you'll see a list of websites that can use that feature. Pay special attention to Camera, Microphone, and Location, and remove websites you do not recognize or do not want to give that private information to. Check Auto-Play and Notifications to make sure no odd sites are listed; these are common sources of annoyances and advertising. Look through any Plug-ins you have at the bottom.
    Safari Preferences Websites tab with Camera, Microphone, and Location highlighted.
  10. Click Extensions at the top. Look through the list of extensions here carefully, and make sure you recognize each. If you don't recognize the extension, remove it.
    Safari Preferences with Extensions tab highlighted.

With FileVault 2, your data is safe and secure — even if your Mac falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease.

To set up FileVault:

  1. Open the Apple menu, and select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Select Security & Privacy.
    Security and Privacy Preferences
  3. Unlock Security & Privacy Preferences by selecting the Lock in the bottom-left corner.
    Security and Privacy Preferences with Lock highlighted.
  4. Enter your Mac's password, and select Unlock.
    Unlock prompt with password and Unlock highlighted. 
  5. Select the FileVault tab, and select Turn On FileVault.
    Security and Privacy Preferences with FileVault Tab and Turn On FileVault highlighted.
  6. Choose how you want to be able to unlock your disk and reset your password in case you ever forget it. You can choose to use your iCloud account to unlock your disk and reset your password. If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe, other than on your encrypted startup disk.
    FileVault iCloud unlock password prompt with both options and Continue button highlighted.
    If you lose or forget both your account password and your FileVault recovery key, you won't be able to log in to your Mac or access the data on your startup disk.
  7. When FileVault setup is complete, your Mac restarts and asks you to log in with your account password. Your password unlocks your disk and allows your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.

Find My Mac isn't just handy for locating a missing computer; it can also be used to lock or erase a device in a worst-case scenario.

  1. Open the Apple menu and select System Preferences.
    macOS Mojave Apple Menu with System Preferences highlighted.
  2. Select iCloud.
    iCloud Preferences
  3. Scroll down, and make sure Find My Mac is checked.
    Find My Mac with checkmark highlighted

Use Find My Mac

  • Using the Find My iPhone app on another mobile device.
  • Using the Apple iCloud website: https://www.icloud.com/

Find My Mac will only work on a Mac if it is connected to a cellular network or wireless network. If the Mac does not have connectivity, Find My Mac will not be able to communicate with the device.

Data Backup

Now that we've covered updates and security, let's go over some best practices for backing up your data.

  • First and foremost, it is always wise to back up your data, and backups should be performed regularly. Even beyond the scope of malware or security, it is always prudent to have frequent backups because hard drives can fail, systems can crash, things can break, and "life can happen", so you're always better off safe than sorry.

  • Data backups, just like any type of backup, are a matter of redundancy. One backup solution is good, two or more is better.

  • Offsite backups are always a good idea, especially as a secondary backup. That way if an event happens such as a fire, flood or theft, you have the remote offsite backup to fall back on.

  • It is always prudent to set your backups to use a versioning scheme. That way if files are corrupted, infected or locked, you don't have to worry about having only one backup which may be the bad version.

  • If you are using a local backup such as an external hard drive, it is always a good idea to disconnect the drive when it is not in use. Some forms of malware can encrypt or corrupt all data on all connected drives, so a drive that is not connected will not be affected.

We have a separate guide to walk you through backing up the files on your Mac.

macOS is designed to help keep you safe. Remembering a few simple rules allows you to keep your digital life safe.

  • Secure, complicated passwords that you use only once per site or program.
  • Not sharing your passwords, or allowing others to see your password.
  • Using Keychain Access to keep a large list of passwords secure.
  • Making sure Gatekeeper is enabled and keeping you safe.
  • Using file encryption with FileVault.
  • Making a backup and making sure it's up-to-date.
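
The settings covered in this guide can also be checked from Terminal. The script below is an added example, not part of the original guide: on a Mac it runs the built-in tools spctl, fdesetup, socketfilterfw and defaults, and reports whether Gatekeeper, FileVault, the firewall and the automatic-login setting are in the state this guide recommends. The function names and the PASS/FAIL report format are illustrative, and the matched strings are the messages these tools typically print.

```shell
#!/bin/sh
# Added example: audit four settings from this guide.
# Each classify_* function takes the text a macOS tool printed and returns
# 0 when the setting matches the guide's recommendation, 1 otherwise.

# `spctl --status` prints "assessments enabled" when Gatekeeper is on.
classify_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `fdesetup status` prints "FileVault is On." once encryption is turned on.
classify_filevault() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `socketfilterfw --getglobalstate` ends its message with "(State = N)".
# 0 is off, 1 is on, 2 is on with all incoming connections blocked.
classify_firewall() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `defaults read ... autoLoginUser` prints a user name only when automatic
# login is configured; empty output means it is disabled.
classify_autologin() {
    [ -z "$1" ]
}

# check <label> <classifier> <tool output>: print one report line.
check() {
    if "$2" "$3"; then
        printf 'PASS  %s\n' "$1"
        return 0
    fi
    printf 'FAIL  %s\n' "$1"
    return 1
}

# audit_report <spctl> <fdesetup> <socketfilterfw> <defaults> outputs.
# Prints the report and returns the number of failed checks.
audit_report() {
    failures=0
    check "Gatekeeper enabled" classify_gatekeeper "$1" || failures=$((failures + 1))
    check "FileVault on" classify_filevault "$2" || failures=$((failures + 1))
    check "Firewall on" classify_firewall "$3" || failures=$((failures + 1))
    check "Automatic login disabled" classify_autologin "$4" || failures=$((failures + 1))
    return "$failures"
}

# Run the real tools only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    audit_report \
        "$(spctl --status 2>&1)" \
        "$(fdesetup status 2>&1)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)"
fi
```

The script's exit status is the number of failed checks, so 0 means all four settings match the guide.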