Hardening macOS: The Basics

Hardening macOS is easy. These are simple steps that anybody can follow, regardless of the user’s technical knowledge.

Whether you’ve had your Mac for a while, bought a new one, or bought a second-hand Mac, it’s good practice to follow some simple steps for hardening your instance of macOS.

These are simple steps, using just the features included within macOS, that anybody can follow regardless of the user’s technical knowledge.

NOTE: The screenshots below were taken on macOS 12.4 Monterey. If you’re already using the macOS Ventura beta (or reading this when macOS Ventura is already out), adjust for the redesigned “System Settings” app.

Basic steps for hardening macOS

1. Enable automatic software updates

This will ensure your system is always up to date and has the latest software patches installed.

To enable automatic software updates, go to System Preferences > Software Update and check Automatically keep my Mac up to date.

Next, click Advanced... and check all the options in the pop-up window.

2. Enable full disk encryption

Full disk encryption is pretty much self-explanatory. You want to encrypt your disk, so you prevent unauthorized access to your data.

To turn on full disk encryption on macOS:

1. Go to System Preferences > Security & Privacy > FileVault
2. Click on the lock on the bottom left side of the screen to authenticate (you need to authenticate to make changes, in this case, to turn on full disk encryption)
3. Click Turn On FileVault... and follow the procedure step by step

3. Enable password for waking up your Mac

To avoid unauthorized access to your Mac, you should set macOS to require you to log in every time you wake up your Mac.

“Waking up” here covers any time you’ve put your Mac to sleep by closing the lid, locking the screen, or activating the screensaver.

1. Go to System Preferences > Security & Privacy > General
2. Click on the lock on the bottom left side of the screen to authenticate
3. Check Require password ______ after sleep or screen saver begins.

NOTE: I would recommend setting it so that the password is required “immediately” or “5 seconds” after sleep or screensaver begins.

Now enable a screensaver:

1. Go to System Preferences > Desktop & Screen Saver > Screen Saver
2. Select one of the available screensavers and check Show screen saver after 20 minutes.

NOTE: I suggest setting the screen saver to show after 5 minutes. Also, if none of the available screen savers are satisfactory, you can install the gorgeous AppleTV aerial screen savers.

4. Disable unnecessary app permissions

Over time, you will install a lot of apps on your Mac. Depending on the app’s purpose, it will ask you for different permissions.

Sometimes, you’ll want to grant permissions forever; other times, you’ll want to grant some permission only for a limited time.

But most times, everybody forgets to double-check granted app permissions.

To check or revoke permissions:

1. Go to System Preferences > Security & Privacy > Privacy
2. Go through the list one by one (Contacts, Calendars, Reminders, Microphone, Camera, etc.)
3. Uncheck all unnecessary app permissions.

5. Enable password to change system-wide preferences

Another self-explanatory security measure you should enable. Requiring an admin password means unauthorized users won’t be able to change critical system-wide preferences.

1. Go to System Preferences > Security & Privacy
2. Click Advanced..., bottom right corner
3. Check Require an administrator password to access system-wide preferences

6. Disable guest users

1. Go to System Preferences > Users & Groups > Guest User
2. Uncheck everything

This is it. These are the absolute basic steps you need to take in order to harden macOS.
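The steps above can be double-checked from Terminal. The script below is an added example, not part of the original article: a read-only audit of steps 1, 2 and 6 (steps 3 to 5 are not covered, and step 6 only checks guest login). The helper names are the example's own, and it assumes the preference keys macOS 12 uses for these checkboxes.

```shell
#!/bin/sh
# Added example: read-only audit of steps 1, 2 and 6 on macOS.
# Helper names (filevault_state, read_pref, check, audit) are this example's own.

# Map the text printed by `fdesetup status` to on / off / unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Print a preference value, or nothing if the key has never been written.
read_pref() { defaults read "$1" "$2" 2>/dev/null; }

# check LABEL EXPECTED ACTUAL: print a verdict; return 1 unless it matches.
check() {
  if [ "$3" = "$2" ]; then echo "PASS  $1"; return 0; fi
  if [ -z "$3" ]; then echo "UNSET $1 (confirm in System Preferences)"; return 1; fi
  echo "FAIL  $1 (expected $2, found $3)"; return 1
}

# Run every check; the return status is the number of items needing attention.
audit() {
  n=0
  su=/Library/Preferences/com.apple.SoftwareUpdate
  # Step 1: the main checkbox plus the options behind "Advanced...".
  for key in AutomaticCheckEnabled AutomaticDownload \
             AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall; do
    check "Software Update: $key" 1 "$(read_pref "$su" "$key")" || n=$((n + 1))
  done
  check "App Store: AutoUpdate" 1 \
    "$(read_pref /Library/Preferences/com.apple.commerce AutoUpdate)" || n=$((n + 1))
  # Step 2: FileVault.
  check "FileVault" on "$(filevault_state "$(fdesetup status 2>/dev/null)")" || n=$((n + 1))
  # Step 6: guest login.
  check "Guest login (GuestEnabled)" 0 \
    "$(read_pref /Library/Preferences/com.apple.loginwindow GuestEnabled)" || n=$((n + 1))
  return "$n"
}

# Only query the live system when running on macOS.
if [ "$(uname -s)" = Darwin ]; then audit; fi
```

An UNSET result means the key has never been written, so the checkbox is still at its system default and should be confirmed in System Preferences.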

BONUS TIPS

1. Show all filename extensions

No matter if you use macOS, Linux or Windows, as long as you’re using a GUI desktop environment, you’ll open a file by double-clicking on that file.

You should enable filename extensions, so you’ll know what you’re double-clicking.

To enable filename extensions in macOS:

1. Click on the desktop (on your wallpaper)
2. Hold down the cmd key and press , to access Finder’s preferences
3. Check Show all filename extensions

NOTE: Some macOS apps come as .pkg files. Learn how to investigate a .pkg file before running the installer.

2. Stop Safari from auto-opening downloads

If you’re using Safari as your default web browser, you know it has the bad habit of opening files after downloading. This can be both annoying and a security risk.

To disable downloads auto-opening in Safari:

1. Open up Safari
2. Hold down the cmd key and press , to access Safari’s preferences
3. In General, click to uncheck Open safe files after downloading

3. Disable Wi-Fi and/or Bluetooth when you’re not using them.

4. Use some sort of app that cleans your Mac and scans for malware. CleanMyMac X is a good option.

This is it. For real now. These simple steps should be enough to get you started. If you’re looking for more security tips, enjoy browsing this section.