Hardening macOS

Update (Sat, 25 May 2019): added a workaround for the unpatched Gatekeeper bypass published by Filippo Cavallarin in this blog post.

Update (Mon, 8 Oct 2018): added advice on automatic updates, sharing and privacy settings, the guest user account, a common ssh-agent misconfiguration, and a “Further reading” section at the end.

Update (Tue, 2 Oct 2018): minor updates based on general feedback; thanks to everyone who contributed. Do not hesitate to contact me if you find anything else that should be changed.

Why?

There are bad guys out there who want to steal your data, your money, your identity, your time… They come from very different backgrounds: some are known as criminals, others as governments or ad companies. Your device is not secure, and never will be. I’m not going to lie to you: this guide is no silver bullet, and there’s no such thing as a completely secure system. That said, you can make it a lot harder for the bad guys to take what’s yours, and that is what this guide is for.

Warning: if your threat model includes a state-sponsored agency, you are better off without macOS; see OpenBSD.

Disclaimer: some of these steps may slightly degrade the user experience; security is always a trade-off against convenience. Some steps may require extra research; always follow trusted sources.

How?

Install a fresh copy of macOS

Note: this step is optional but highly recommended. It is best to start from a clean system so you are not carrying over old misconfigurations.

1. Boot into Recovery Mode (hold command + R during boot).
2. (Optional) Go to Utilities > Firmware Password Utility and consider setting a firmware password. It stops anyone from booting the machine from another disk or into Recovery Mode without the password, which matters if the machine is lost or stolen. It does not replace FileVault: the data on the disk is protected by encryption, not by the firmware password.
3. Format the boot drive and install macOS from scratch (Warning: this permanently deletes the contents of the boot drive).

First boot

1. Clear the NVRAM (hold option + command + P + R during boot). Skip this if you set a firmware password; the firmware password blocks the reset.
2. Create an administrator account with a strong password and no password hint. This account is for administration only.
3. Go to System Preferences > Users & Groups and create an unprivileged (Standard) user account for day-to-day use; Apple itself recommends this.
4. Go to System Preferences > Users & Groups > Guest User and uncheck Allow guests to log in to this computer.
5. Go to System Preferences > Software Update and consider enabling automatic updates. If you are not comfortable with that, at least open Advanced… and check Install system data files and security updates.
6. Go to System Preferences > Security & Privacy > General and set Require password after sleep or screen saver begins to immediately or 5 seconds.
7. Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store, or App Store and identified developers.
8. Go to System Preferences > Security & Privacy > Firewall and turn on the firewall.
9. Go to System Preferences > Security & Privacy > Firewall > Firewall Options… and check Block all incoming connections. This is fine because every Sharing service is turned off below; any service you deliberately start later has to be allowed explicitly.
10. Go to System Preferences > Security & Privacy > Privacy > Location and uncheck Enable Location Services.
11. Go to System Preferences > Security & Privacy > Privacy > Analytics and uncheck Share Mac Analytics.
12. Go to System Preferences > Sharing and anonymize the computer’s name. The name is visible to everyone on the same network, and the default one usually contains your real name.
13. Go to System Preferences > Sharing and turn off every service (turn one on only while using it and disable it afterwards).
14. Go to System Preferences > Network > Advanced > DNS, add two entries to DNS Servers for 1.1.1.1 and 1.0.0.1 and remove any other server. Note that plain DNS still travels unencrypted over the local network: this moves trust from your ISP to the resolver operator, it does not hide your lookups.
15. Go to System Preferences > Spotlight > Search Results and uncheck Spotlight Suggestions and Allow Spotlight Suggestions in Look up.
16. Go to System Preferences > General and uncheck Allow Handoff between this Mac and your iCloud devices.
17. Go to System Preferences > Bluetooth and turn off Bluetooth (turn it on only while using it and disable it afterwards).
18. Go to Finder > Preferences > Advanced and check Show all filename extensions, so an executable named document.pdf.app cannot pass for a PDF.
19. Disable the captive portal assistant (open captive portals in your browser instead).
20. Disable Crash Reporter.
21. Block malicious domain names using the /etc/hosts file (see StevenBlack/hosts).
22. Consider running an outbound firewall such as Little Snitch (proprietary, full-featured) or LuLu (open-source, very basic).
23. Consider binary whitelisting with google/santa, so that only binaries you have approved can execute.
24. Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: may take some time).
25. Secure FileVault when on sleep: have macOS destroy the FileVault key held in memory on standby and hibernate instead of keeping RAM powered, so that someone with physical access to a sleeping machine cannot recover the key from RAM.
26. If you plan on using ssh with ssh-agent, set a timeout on the keys you load into the agent, so they expire instead of remaining usable indefinitely by anything running as your user.
27. Edit /etc/auto_master as root and comment out the line beginning with /net. This is a workaround for an unpatched Gatekeeper bypass: the automounter would otherwise mount an attacker-controlled NFS share under /net, and Gatekeeper treats files on it as local and skips its checks.
28. Reboot and log back in as the unprivileged user.
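The steps above that have a command-line equivalent, collected into one POSIX sh script. This is an added example for this guide, not the author’s own script. It defaults to a dry run that only prints what it would execute; `--apply` (run with sudo) applies the system-wide settings, and `--apply-user` (run without sudo, on each account) applies the per-user ones. Assumed: the network service is named “Wi-Fi” and `NEW_NAME` is a placeholder for the anonymized computer name; the `defaults` keys are the ones behind the corresponding System Preferences panes on macOS 10.13/10.14, so check them against a current release before relying on them. FileVault (interactive), Location Services, Spotlight, Handoff and Bluetooth are left to System Preferences, and the ssh-agent timeout is not a system setting at all: OpenSSH’s `ssh-add -t <seconds>` gives each key you load a lifetime, so use that when loading keys.

```shell
#!/bin/sh
# first-boot-harden.sh: command-line equivalents of the "First boot" steps.
# Added example for this guide; not the guide author's script.
#
# Default is a dry run that prints what would be executed. To apply:
#   sudo sh first-boot-harden.sh --apply        # system-wide settings, as root
#   sh first-boot-harden.sh --apply-user        # per-user settings, on each account
# Assumptions: the network service is named "Wi-Fi" and NEW_NAME is a
# placeholder for the anonymized computer name. The defaults keys below are
# the ones behind the System Preferences panes on macOS 10.13/10.14.
set -eu

DRY_RUN=1
NEW_NAME="${NEW_NAME:-macbook}"        # assumed anonymous computer name
NET_SERVICE="${NET_SERVICE:-Wi-Fi}"    # assumed network service for DNS

# run: print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Gatekeeper-bypass workaround: comment out the /net automounter map in the
# given auto_master file. Takes a path so it can be tested on a copy.
# Returns 0 when a /net line was disabled, 1 when none was active.
disable_net_automount() {
  grep -q '^/net[[:space:]]' "$1" || return 1
  sed -i.bak 's|^/net[[:space:]]|#&|' "$1"   # -i.bak works on BSD and GNU sed
}

# Number of still-active /net map lines in a file (0 after the fix).
active_net_lines() {
  grep -c '^/net[[:space:]]' "$1" || true
}

# System-wide settings: run as root.
apply_system() {
  SU=/Library/Preferences/com.apple.SoftwareUpdate
  FW=/usr/libexec/ApplicationFirewall/socketfilterfw
  run spctl --master-enable                                   # Gatekeeper on
  run "$FW" --setglobalstate on                               # firewall on
  run "$FW" --setblockall on                                  # block all incoming
  run defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
  run defaults write "$SU" AutomaticCheckEnabled -bool true   # automatic updates
  run defaults write "$SU" ConfigDataInstall -bool true       # system data files
  run defaults write "$SU" CriticalUpdateInstall -bool true   # security updates
  run scutil --set ComputerName "$NEW_NAME"                   # name seen on the LAN
  run scutil --set LocalHostName "$NEW_NAME"
  run scutil --set HostName "$NEW_NAME"
  run networksetup -setdnsservers "$NET_SERVICE" 1.1.1.1 1.0.0.1
  run defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false
  run pmset -a destroyfvkeyonstandby 1                        # drop FileVault key on standby
  run pmset -a hibernatemode 25                               # hibernate instead of powering RAM
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would comment out the /net line in /etc/auto_master\n'
  elif disable_net_automount /etc/auto_master; then
    automount -vc                                             # reload the automounter maps
  else
    echo 'no active /net line in /etc/auto_master; nothing to do'
  fi
}

# Per-user settings: run without sudo on the admin and the day-to-day account.
apply_user() {
  run defaults write com.apple.screensaver askForPassword -int 1       # require password
  run defaults write com.apple.screensaver askForPasswordDelay -int 0  # immediately
  run defaults write NSGlobalDomain AppleShowAllExtensions -bool true  # show extensions
  run defaults write com.apple.CrashReporter DialogType none           # no crash dialogs
}

case "${1:-}" in
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo 'run with sudo to apply system-wide settings' >&2; exit 1; }
    DRY_RUN=0; apply_system ;;
  --apply-user)
    DRY_RUN=0; apply_user ;;
  *)
    apply_system; apply_user ;;   # dry run: show both sets of commands
esac
```

Run it once without arguments first and read the printed commands; the `/etc/auto_master` edit keeps a `.bak` copy next to the original, and a reboot (or the `automount -vc` the script issues) is needed before the `/net` map actually goes away.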

Second boot (user)

1. Go to System Preferences > Security & Privacy > Privacy > Contacts/Calendars/Reminders/Photos and remove any app that should not have access to those, if any.
2. Go to System Preferences > Security & Privacy > Privacy > Camera/Microphone and remove any app you do not want to have access to the camera or microphone, if any.
3. Go to System Preferences > Security & Privacy > Privacy > Full Disk Access and remove any app you do not want to have full-disk access, if any.
4. Go to System Preferences > Security & Privacy > Privacy > Advertising, check Limit Ad Tracking and click Reset Advertising Identifier.
5. Carefully assess and install a web browser. Regardless of your browser…

…block third-party cookies

…disable DNS prefetching and page preloading (otherwise the browser resolves, or even fetches, links you have not clicked)

…disable Flash support

…install an ad blocker

…enable Do Not Track (it is only a request, and many sites ignore it)

…opt out of telemetry

…consider using a privacy-respecting search engine in lieu of Google

…consider a whitelist approach to JavaScript execution (run scripts only on sites you have explicitly allowed)

Note: if using Safari, go to Safari > Preferences > Search and uncheck “Include Safari Suggestions”, and go to Safari > Preferences > General and uncheck “Open “safe” files after downloading”.

6. Consider tunneling your traffic through a VPN when connected to untrusted networks (see ThatOnePrivacyGuy’s VPN comparison or roll your own). A VPN moves trust from the network you are on to the VPN provider; it does not make you anonymous.
7. Consider using a privacy-respecting email service provider (see ThatOnePrivacyGuy’s email comparison or roll your own).
8. Consider setting up PGP/GPG encryption for email regardless of your provider; what is encrypted end-to-end cannot be read by the provider.

That’s it?

No.

Again, you do not have a “100% secure system”; you are just a lot harder to screw with than everyone else in the city.

Keep in mind that securing a system is not a one-time job: you must actively back up your data, patch your system, and keep an eye out for new vulnerabilities. Some general best practices are:

- Keep your system up to date, both macOS and installed software.
- Prevent unattended physical access to the device by anyone but yourself.
- Encrypt sensitive data at rest and in transit.
- Back up your data: multiple encrypted copies in different physical locations.
- Keep your guard up; you are your system’s last line of defense.

Further reading

If you are interested in macOS security you may enjoy:

macOS Security Overview, a detailed overview of macOS security by Apple

drduh’s macOS Security and Privacy Guide, like this guide with a lot more detail

I’ll try to keep this guide updated as new threats and macOS releases appear.