Hardening macOS

Published Jan 31, 2022 by Ricard Bejarano

This guide is about security, not privacy.

Additionally, security measures that heavily compromise usability were not included.

This guide aims to produce above-average secure systems, without giving up features.

Last updated for macOS Monterey (12.3).

The easy stuff

Everyone can do these, no technical knowledge required.


  1. Install a fresh copy of macOS
    Why? It’s best to start clean, to avoid previous misconfiguration.
    How? Follow this Apple Support guide. This step cannot be undone.

  2. Perform the inital configuration, until you can freely use the system.

  3. Enable automatic software updates
    Why? So that your system has the latest software patches installed.
    How? Go to System Preferences > Software Update > Advanced, check all.

  4. Enable password-protected sleep
    Why? To avoid unauthorized third-party access.
    How? Go to System Preferences > Security & Privacy > General, check “Require password 5 seconds after sleep or screen saver begins”.

  5. Forbid unsigned software
    Why? To prevent potentially malicious software from running.
    How? Go to System Preferences > Security & Privacy > General, select “Allow apps downloaded from App Store and identified developers” at most.

  6. Disable guest user access
    Why? To avoid unauthorized third-party access.
    How? Go to System Preferences > Users & Groups > Guest User, uncheck all.

  7. Enable disk encryption
    Why? To prevent unauthorized third-party access to your data.
    How? Go to System Preferences > Security & Privacy > FileVault, if disabled, click “Turn On FileVault” and follow the procedure.

  8. Enable the inbound network firewall
    Why? To reduce the exposure to network-based attacks.
    How? Go to System Preferences > Security & Privacy > Firewall, if disabled, click “Turn On Firewall”.

  9. Disable network services
    Why? To reduce the exposure to network-based attacks.
    How? Go to System Preferences > Sharing, uncheck all.

  10. Disable unnecessary application access
    Why? To mitigate the potential impact of malicious software.
    How? Go to System Preferences > Security & Privacy > Privacy > Camera, uncheck all unnecessary access. Repeat these steps for Microphone, Input Monitoring, Full Disk Access and Screen Recording access as well.

  11. Prevent Safari from opening downloads automatically
    Why? So that you know what you’re double-clicking on.
    How? Go to Safari > Preferences > General, uncheck “Open safe files after downloading”.

  12. Show all filename extensions
    Why? So that you know what you’re double-clicking on.
    How? Go to Finder > Preferences > Advanced, check “Show all filename extensions”.

  13. Disable radios when unused
    Why? To reduce the exposure to wireless-based attacks.
    How? When unused, disable Wi-Fi and/or Bluetooth.

The advanced stuff

For the security enthusiast, who wants to go the extra mile.


  1. Use a password manager
    Why? To avoid reusing passwords and to facilitate two-factor authentication.
    How? Choose one that suits your needs. I like 1Password.

  2. Reconsider the risks of browser extensions
    Why? Browser extensions such as adblockers or grammar checkers require full read-write access to everything you do on the web. Yes, this includes your passwords. This is not malicious per se, but is the reward worth the risk?
    How? Go through your browser’s installed extensions and assess their value to you, and whether the risk trade-off is worth it or not.

  3. Run an outbound network firewall
    Why? For visibility and control about the traffic leaving your system.
    How? Install Little Snitch (paid) or LuLu (open-source).

  4. Block malicious domain names
    Why? To mitigate potential DNS poisoning.
    How? Install StevenBlack’s /etc/hosts file (or mine).

  5. Enable binary whitelisting
    Why? To completely prevent unauthorized software from running.
    How? Install and configure Google’s Santa.

The serious stuff

Security specialists surely know more about macOS security than me, so I won’t make any specific recommendations.

I will instead link to trusted authorities on the subject:

That’s it?

No.

Security is an ongoing task. You must actively look out for newly discovered vulnerabilities and educate yourself on how to protect your system from them.

Some generic (but useful) rules are:

Thanks for dropping by!

Did you find what you were looking for?
Let me know if you didn't.

Have a great day!