Secure Your Mac: A Privacy Checklist
macOS has a reputation for being secure out of the box. And compared to some alternatives, it is. But the default settings leave plenty of room for improvement — especially when it comes to privacy.
This guide walks you through hardening your Mac, from disk encryption to app permissions. Most steps take just a few minutes and don’t require any technical expertise.
FileVault: Encrypt Your Disk
If someone steals your Mac, they can remove the disk and read your files — unless the disk is encrypted. FileVault encrypts your entire startup volume with XTS-AES-128 encryption.
To enable FileVault:
- Open System Settings > Privacy & Security > FileVault
- Click Turn On FileVault
- Choose how to unlock your disk if you forget your password:
  - iCloud account — convenient but ties recovery to Apple
  - Recovery key — a random key you store yourself (more secure, more responsibility)
- Restart your Mac — encryption happens in the background
Important: If you choose the recovery key, write it down and store it somewhere safe (not on the Mac itself). If you lose both your password and the recovery key, your data is gone.
On modern Macs with Apple Silicon (M1 and later), the hardware encrypts data at rest automatically, even when FileVault is turned off. Enabling FileVault adds an extra layer by requiring authentication before the disk is accessible at boot.
Firmware Password / Startup Security
Apple Silicon Macs (M1 and later)
Startup security is managed through Startup Security Utility in Recovery Mode:
- Shut down your Mac
- Press and hold the power button until “Loading startup options” appears
- Click Options to enter Recovery
- Go to Utilities > Startup Security Utility
- Set Full Security — only allows booting from a trusted, signed operating system
Intel Macs
Set a firmware password to prevent booting from external drives:
- Boot into Recovery Mode (Cmd+R)
- Go to Utilities > Startup Security Utility (or Firmware Password Utility)
- Enable the firmware password
This prevents someone from bypassing your login by booting from a USB drive.
Firewall
macOS has a built-in application firewall — but it’s off by default.
To enable it:
- Open System Settings > Network > Firewall
- Toggle Firewall on
- Click Options to configure:
  - Block all incoming connections — strictest setting, may break some apps
  - Automatically allow built-in software — recommended
  - Enable stealth mode — your Mac won’t respond to ping requests or connection attempts on closed ports
For most users, enabling the firewall with stealth mode and allowing built-in software is the right balance.
Gatekeeper and App Security
Gatekeeper controls which apps can run on your Mac. It prevents unsigned or unnotarized software from launching.
Check your settings:
- Open System Settings > Privacy & Security
- Under Allow applications downloaded from, choose:
  - App Store — most restrictive, only allows App Store apps
  - App Store and identified developers — recommended; allows apps signed with an Apple Developer ID
If you need to run an app that isn’t signed, macOS will block it. You can allow it manually in Privacy & Security after the first blocked launch — but only do this for software you trust.
Lock Screen and Login
Require password immediately after sleep or screen saver: System Settings > Lock Screen > Require password after screen saver begins or display is turned off > set to Immediately
Set a short screen saver timeout: System Settings > Lock Screen > Turn display off > 5 minutes or less
Disable automatic login: System Settings > Users & Groups > Automatic login > Off
Show a message on the lock screen (optional): System Settings > Lock Screen > Show message when locked. Useful if you lose your Mac — add a phone number or email for the finder.
Privacy Permissions
macOS requires apps to request permission for sensitive resources. Review these regularly.
Go to System Settings > Privacy & Security and audit each category:
Location Services
- Disable for apps that don’t need your location
- Consider disabling System Services > Significant Locations — Apple uses this to “learn places significant to you”
- Disable Location-Based Apple Ads and Location-Based Suggestions
Camera and Microphone
- Only grant access to apps that genuinely need it (video calls, recording)
- Revoke access from apps you no longer use
Full Disk Access
- This gives apps access to all your files, including Mail, Messages, Safari data, and backups
- Keep this list as short as possible — only backup software, security tools, and terminal apps typically need it
Automation
- Controls which apps can control other apps (e.g., a script controlling Finder)
- Review and remove anything you don’t recognize
App Management
- Controls which apps can modify or delete other apps
- Be very selective here
Analytics and Improvements
Go to System Settings > Privacy & Security > Analytics & Improvements and disable:
- Share Mac Analytics — sends usage data to Apple
- Improve Siri & Dictation — sends voice recordings to Apple
- Share with App Developers — sends crash data to third-party developers
- Share iCloud Analytics — sends iCloud usage data to Apple
Safari Privacy
Safari is one of the more privacy-respecting browsers, but the defaults can be improved.
Open Safari > Settings:
Privacy Tab
- Prevent cross-site tracking — enabled by default, keep it on
- Hide IP address — set to from Trackers (or from Trackers and Websites for more privacy)
- Block all cookies — only if you’re willing to break some websites
General Tab
- Remove history items — set to After one month or shorter
- Remove download list items — set to When Safari quits
Search Tab
- Consider switching from Google to DuckDuckGo for less tracking
- Disable Include Safari Suggestions and Include Spotlight Suggestions — these send your keystrokes to Apple as you type
Extensions
- Remove extensions you don’t use — each one can access your browsing data
- Consider adding a content blocker to reduce tracking
Sharing and Network
Sharing Services
Go to System Settings > General > Sharing and disable everything you don’t actively use:
- Screen Sharing — off unless needed
- File Sharing — off unless needed
- Remote Login (SSH) — off unless needed
- Remote Management — off unless needed
- AirDrop — set to No One or Contacts Only (not Everyone)
Wi-Fi
- Remove networks you no longer use — your Mac broadcasts the names of networks it’s looking for, which can be used to track you
- Go to System Settings > Wi-Fi > Advanced and remove old networks
- Disable Ask to join networks if you prefer to connect manually
Bluetooth
- Turn Bluetooth off when not in use — reduces your attack surface
- At minimum, disable Bluetooth Sharing in Sharing settings
Siri
Siri sends voice data to Apple for processing. If you don’t use it:
- Open System Settings > Siri & Spotlight
- Disable Ask Siri
- Under Siri Suggestions & Privacy, disable suggestions for apps that don’t need it
Software Updates
Keep your system updated — security patches fix vulnerabilities that are actively exploited.
- Open System Settings > General > Software Update
- Click Automatic Updates and enable:
  - Check for updates
  - Download new updates when available
  - Install macOS updates
  - Install Security Responses and system files
Time Machine Backup
A secure Mac is worthless if you lose your data. Set up Time Machine:
- Connect an external drive
- Open System Settings > General > Time Machine
- Click Add Backup Disk and select your drive
- Encrypt your backup — check the encryption option when setting up the disk
Encrypted backups protect your data even if the backup drive is stolen.
Additional Hardening
DNS
Your ISP can see every domain you visit through DNS queries. Switch to a privacy-respecting DNS provider:
- Open System Settings > Network > Wi-Fi > Details > DNS
- Replace the default DNS servers with:
  - Quad9: 9.9.9.9 and 149.112.112.112 (blocks malware domains)
  - Cloudflare: 1.1.1.1 and 1.0.0.1 (fast, privacy-focused)
For even more privacy, enable DNS over HTTPS (DoH) — Safari supports this natively with compatible DNS providers.
Hosts File
Block known tracking and advertising domains at the system level by editing /etc/hosts. Tools like StevenBlack/hosts maintain curated blocklists.
Firmware and Recovery
- Enable Find My Mac (System Settings > Apple ID > Find My) — lets you locate, lock, or wipe your Mac remotely if stolen
- Set up an Activation Lock — tied to your Apple ID, prevents anyone from erasing and reactivating your Mac without your credentials
Quick Checklist
- FileVault enabled
- Firewall on with stealth mode
- Password required immediately after sleep
- Automatic login disabled
- Gatekeeper set to App Store and identified developers
- Location Services reviewed and restricted
- Camera and microphone permissions audited
- Analytics sharing disabled
- Safari cross-site tracking prevention on
- Sharing services disabled (AirDrop, Screen Sharing, etc.)
- Siri disabled or restricted
- Automatic updates enabled
- Time Machine backup with encryption
- DNS switched to a privacy-respecting provider
- Find My Mac enabled
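Several of the checklist items above expose their state on the command line, so they can be audited from Terminal instead of clicking through System Settings. The script below is an added example, not part of the original guide: it only reads settings, assumes the Wi-Fi network service is named "Wi-Fi", and the firewall output wording it matches is an assumption that may differ between macOS versions.

```shell
#!/bin/sh
# Added example: read-only audit of checklist items that have a CLI status.
# Each check_* function takes a command's output as $1, so the parsing can be
# exercised on constructed strings on any system.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw  # macOS firewall CLI
SERVICE="Wi-Fi"   # assumption: default name of the Wi-Fi network service

verdict() {  # verdict <text> <regex>: PASS if text matches, else FAIL
  if printf '%s\n' "$1" | grep -Eiq -- "$2"; then echo PASS; else echo FAIL; fi
}
check_filevault()  { verdict "$1" 'FileVault is On'; }
# Assumed wording: "(State = 0)" is off, 1 is on, 2 is block-all-incoming.
check_firewall()   { verdict "$1" 'State = [12]'; }
# Assumed wording: "Stealth mode enabled" or "... stealth mode is on".
check_stealth()    { verdict "$1" 'stealth mode.*(enabled|is on)'; }
check_gatekeeper() { verdict "$1" 'assessments enabled'; }
check_autologin()  {  # $1 = autoLoginUser value; empty means disabled
  if [ -z "$1" ]; then echo PASS; else echo FAIL; fi
}
check_dns() {  # PASS only if every configured server is one the guide lists
  [ -n "$1" ] || { echo FAIL; return; }
  for s in $1; do
    case "$s" in
      9.9.9.9|149.112.112.112|1.1.1.1|1.0.0.1) ;;
      *) echo FAIL; return ;;
    esac
  done
  echo PASS
}
row() { printf '%-32s %s\n' "$1" "$2"; }

audit() {
  row "FileVault enabled"        "$(check_filevault "$(fdesetup status 2>&1)")"
  row "Firewall on"              "$(check_firewall "$("$FW" --getglobalstate 2>&1)")"
  row "Stealth mode"             "$(check_stealth "$("$FW" --getstealthmode 2>&1)")"
  row "Gatekeeper enabled"       "$(check_gatekeeper "$(spctl --status 2>&1)")"
  row "Automatic login disabled" "$(check_autologin "$(defaults read \
      /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)")"
  row "DNS from the guide's list" "$(check_dns "$(networksetup \
      -getdnsservers "$SERVICE" 2>/dev/null)")"
}

# Run only on macOS; elsewhere this file just defines the functions.
if [ "$(uname)" = Darwin ]; then audit; fi
```

A FAIL on the DNS row means at least one configured server is outside the two providers listed in this guide, or that no manual servers are set and the network's defaults are in use.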
Further Reading
- Apple Platform Security Guide — Apple’s official documentation on macOS security architecture
- macOS Security Compliance Project — NIST security baselines for macOS
- Objective-See Tools — free, open-source macOS security tools (firewall, process monitor, ransomware protection)