This guide is a collection of techniques for improving the security and privacy of Apple silicon Mac computers running a currently supported version of macOS. Using Macs with Intel CPUs leaves you open to security vulnerabilities on the hardware level that Apple can't patch. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure.

This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

If you're securing computers for an organization, use the official NIST guidelines for macOS.

A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture.

This guide is provided on an 'as is' basis without any warranties of any kind. Only you are responsible if you break anything or get in any sort of trouble by following this guide.

To suggest an improvement, send a pull request or open an issue.

• Basics
• Threat modeling
  • Identify assets
  • Identify adversaries
  • Identify capabilities
  • Identify mitigations
• Hardware
• Installing macOS
  • System activation
  • Apple ID
  • App Store
  • Virtualization
• First boot
• Admin and user accounts
  • Caveats
  • Setup
• Firmware
• FileVault
• Lockdown Mode
• Firewall
  • Application layer firewall
  • Third party firewalls
  • Kernel level packet filtering
• Services
• Siri Suggestions and Spotlight
• Homebrew
• DNS
  • DNS profiles
  • Hosts file
  • DNSCrypt
  • Dnsmasq
• Certificate authorities
• Privoxy
• Browser
  • Firefox
  • Chrome
  • Safari
  • Other browsers
  • Web browser privacy
• Tor
• VPN
• PGP/GPG
• Messengers
  • XMPP
  • Signal
  • iMessage
• Viruses and malware
  • Downloading Software
  • App Sandbox
  • Hardened Runtime
  • Antivirus
  • Gatekeeper
• System Integrity Protection
• Metadata and artifacts
• Passwords
• Backup
• Wi-Fi
• SSH
• Physical access
• System monitoring
  • OpenBSM audit
  • DTrace
  • Execution
  • Network
• Binary authorization
• Miscellaneous
• Related software
• Additional resources

Basics

General security best practices apply:

• Create a threat model

  • What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined APT orchestrating a campaign against you?
  • Recognize threats and how to reduce attack surface against them.

• Keep the system and software up to date

  • Patch the operating system and all installed software regularly.
  • macOS system updates can be completed in the settings and set to automatically install. You can also use the softwareupdate command-line utility - neither requires registering an Apple account.
  • Subscribe to announcement mailing lists like Apple security-announce.

• Encrypt sensitive data

  • In addition to FileVault volume encryption, consider using the built-in password manager to protect passwords and other sensitive data.

• Assure data availability

  • Create regular backups of your data and be ready to restore from a backup in case of compromise.
  • Encrypt locally before copying backups to unencrypted external media or the "cloud"; alternatively, enable end-to-end encryption if your cloud provider supports it.
  • Verify backups by accessing them regularly.

• Click carefully

  • Ultimately, the security of a system depends on the capabilities of its administrator.
  • Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc.

Threat modeling

The first and most important step for security and privacy is to create a threat model. You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model.

Identify assets

This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret.

Identify adversaries

Define whom you are defending against. Start by defining the motivation they might have to attack your assets. Financial gain is a big motivator for many attackers, for example.

Identify capabilities

In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally unsophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password.

Identify mitigations

Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. It's important to balance security and usability; every mitigation should counter some capability of your adversaries, otherwise you might be making your life inconvenient for little to no gain. If you can't think of any more capabilities your adversaries might have and you've implemented mitigations for them all, your work is done.

Here's an example of the type of table you should make for each asset you want to protect:

Adversary	Motivation	Capabilities	Mitigation
Roommate	See private chats or browsing history	Close proximity; can see screen or watch type in password	Use biometrics, use privacy screen, keep phone locked when not using it
Thief	Unlock phone and steal personal info and drain bank accounts, sell phone for money	Shoulder surf to see password, steal device when not looking while it's logged in	Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device
Criminal	Financial	Social engineering, readily-available malware, password reuse, exploiting vulnerabilities	Use sandboxing, enable security features in OS, keep OS and all software updated and turn on automatic updates
Corporation	User data marketing	Telemetry and behavioral data collection	Block network connections, reset unique identifiers, avoid adding payment data
Nation State/APT	Targeted surveillance	Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets	Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/canary tokens

Read more about threat modeling here.

Hardware

macOS is most secure running on Apple hardware with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't patch all vulnerabilities in versions that aren't the most recent one.

When you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase.

If you want to use a wireless keyboard, mouse, headphones or other accessory, the most secure option is Apple ones since they will automatically be updated by your system. They also support the latest Bluetooth features like BLE Privacy which randomizes your Bluetooth hardware address to prevent tracking. With third party accessories, this isn't a guarantee.

Installing macOS

There are several ways to install macOS. Choose your preferred method from the available options.

You should install the latest version of macOS that is compatible with your Mac. More recent versions have security patches and other improvements that older versions lack.

System activation

As part of Apple's theft prevention system, Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen or activation-locked Macs.

You can read about exactly how this process works here.

Apple ID

Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a lot of data to iCloud, Apple's cloud storage service. You can disable the syncing later if you want or enable end-to-end encryption for your iCloud data.

You can control the data associated with your Apple ID or completely delete it.

An Apple ID is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc.

App Store

The Mac App Store is a curated repository of software that is required to utilize the App Sandbox and Hardened Runtime, as well as offering automatic updates that integrate with your system.

The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple ID and Apple will be able to link your Apple ID to your downloaded apps.

Virtualization

You can easily run macOS natively in a virtual machine using UTM. It's free from their site but if you buy it from the App Store, you'll get automatic updates.

Follow their documentation to install a macOS VM with just a few clicks.

Another option is VMware Fusion, although it costs money. You can read their documentation to see how to install a macOS VM.

First boot

When macOS first starts, you'll be greeted by Setup Assistant.

When creating the first account, use a strong password without a hint.

If you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., John Appleseed's MacBook) and thus will appear on local networks and in various preference files.

Both should be verified and updated as needed in System Settings > About or with the following commands after installation:

sudo scutil --set ComputerName MacBook
sudo scutil --set LocalHostName MacBook

Admin and user accounts

The first user account is always an admin account. Admin accounts are members of the admin group and have access to sudo, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk.

Utilities like sudo have weaknesses that can be exploited by concurrently running programs.

It is considered a best practice by Apple to use a separate standard account for day-to-day work and use the admin account for installations and system configuration.

It is not strictly required to ever log into the admin account via the macOS login screen. When a Terminal command requires administrator privileges, the system will prompt for authentication and Terminal then continues using those privileges. To that end, Apple provides some recommendations for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account.

Caveats

• Only administrators can install applications in /Applications (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in ~/Applications instead (the directory can be created). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in /Applications – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in /Applications and require no additional authentication.
• sudo is not available in shells of the standard user, which requires using su or login to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces.
• System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console).
• There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the open utility.
• See additional discussion in issue 167.

Setup

Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account.

Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see issue 179):

sudo dscl . -delete /Groups/admin GroupMembership <username>
sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>

To find the GeneratedUID of an account:

dscl . -read /Users/<username> GeneratedUID

See also [this