15 Mac Settings To Make Your Mac More Secure

Here are some settings you may want to check out if you are concerned about security on your Mac. Not all of these are necessary, but you may want to consider them.

You can also watch this video at YouTube (but with ads).

Video Transcript: Hi, this is Gary with MacMost.com. Here is some settings on your Mac that you should check to make it more secure.
MacMost is brought to you thanks to a great group of more than 2000 supporters. Go to MacMost.com/Patreon. There you could read more about it. Join us and get exclusive content and course discounts.  
If you want to make sure your Mac is secure just take a few minutes to check these settings. Now I did a video like this a few years ago but a lot of things have changed, especially the transition from System Preferences to System Settings. So here I'm going to show you how to do it in macOS Sonoma and beyond. Some of these are important and others less so. So it is up to you to decide which ones that you set. But I would say the first one is not optional. You should have a password set for your Mac. I'm amazed that some users still don't do this. 
So, in System Settings if you go down to Login Password this is where you can set your password. You can see I've got it set here. But you shouldn't just set it. You should make sure it's a good password. As a general rule if the word appears in the dictionary, so it is just a regular word or it's a name, then it's Not a strong password. It should be a fairly random set of letters and numbers. You're going to type it a lot so I understand not wanting to make it 27 characters long, completely random with symbols. But it should be something that nobody can possibly guess. I recommend not setting any kind of password hint but, of course, make sure that you write this password down somewhere and store it in a safe place so in case you forget it you have a backup. 
Of course it is even more important for you to have a strong password for your Apple ID. There you shouldn't compromise and only have a completely random password because your Apple ID, unlike your Mac, can be accessed from anywhere in the world. So you should have a strong password and of course you should be using two-factor authentication that Apple provides. It's really hard to actually have an Apple ID that is setup without those right now, and that's good. 
Now that you have a good password set on your Mac the next thing to do is to go to the Lock Screen settings. Here is where you'll find Require Password After Screensaver Begins or Display is Turned Off. So if you've got this set to something long, like say one hour, that means somebody who gets access to your Mac less than an hour after you've used it can get on without needing the password. You should, at the very least, have it set down to five minutes maybe for a Mac that is in a secure location like your home where only people you trust could actually get access to it. But if the MacBook, something that could be in public, then you don't want to go any longer than 5 seconds. Five seconds is pretty handy for when you see your Mac has gone to sleep and you want to quickly hit the spacebar to wake it up again. Otherwise if you set it to Immediately then you'll always have to enter your password. So either have it set to immediately or five seconds for a MacBook and then don't go any longer than five minutes even if the Mac is in a secure location.
Now right here you also have another interesting security setting that you could use if you like. Show Message When Locked. So you can turn this On and then you can set this message. So you can set something that appears on the Locked Screen. So you could put contact information there, an email address or a phone number, because it is not always the case that if you lost your MacBook that it's been stolen and you'll never see it again. Sometimes somebody may find it and want to get it back to you. It'll be handy to have a message on the Lock Screen that tells them how. 
Next let's go into the Privacy & Security section here. Go all the way down to the bottom. Here you've got a security setting for Allow Applications Downloaded From. You can set this to either the App Store Only or App Store and Identified Developers. Now if you have it set to the second one that means you a download apps from the internet and as long as they're assigned with a certificate from Apple you can install them. Both of these are pretty good security options. But if you rarely download something from the internet then switch to App Store Only. You might as well provide that extra layer of security. Remember you could always go in here and switch this to the other one if you need to download a piece of software from a website. So it is not like you've locked yourself out completely from downloading other apps. But it does give you another step. A few seconds to have to pause and think about downloading an app from somewhere outside the App Store. 
Now right under here you're also going to see FileVault. So having FileVault on is a good idea. Now all the most recent Macs, the last Intel Macs that had a T2 Security Chip and all of the M1, M2, and M3 Macs they all have encrypted data on the drive already. So if you're worried about turning FileVault On and having it encrypt everything or slow things down, it's not going to do that at all. What FileVault will do is make sure that somebody can't access the data on your drive without logging into your Mac first. So taking your Mac and using it in something like Target Disk Mode won't allow them to get to your data. 
Now let's take a look at File Sharing. That's under General and then you want to go to Sharing. You can see here I've got File Sharing turned On. I've got my Mac on a private network in my own home. But my MacBook doesn't usually have this turned On. I rarely need to use old fashion File Sharing using AirDrop or iCloud to share files between my machines. But if I did need to turn it On I would just turn it On when I needed it. The problem is that if you have this turned On and you go to a public network, like say one at a conference center, school, work, or hotel, other people can see your Mac on the network. That's not a good idea from a security standpoint. There is no immediate threat because it follows these rules here of what people can access. But it is just a good idea to have it turned Off so people don't see you at all. 
Let's go next to Siri and Spotlight. So if you've got Listen For turned On then you've got the ability to allow Siri when locked. So if you're on the Lock Screen then you can do certain things with Siri. Now there is no real immediate threat to that. But I find it just to be a good idea from a security standpoint to not allow Siri when your Mac is locked. In the past there have definitely been some things that people have figured out can be done on a iPhone, iPad, or Mac using Siri when it is locked. So just have that turned Off. 
Now let's go to the network settings. Let's go into WiFi. So if you're in here you could see the networks that you've connected to in the past, known networks. If you look at these you'll notice Auto Joined either Checked or Not Checked. So what you want to do is if the network is one of your networks, it's something in your home, then that is fine. Have it Auto Joined. The same thing at work and school and places you regularly go. But if you connect to a network, say at a cafe or hotel or someplace like that, then it will be shown under Known Networks since you've entered in the password and you want it to remain there because you don't want to enter in the password each time. But, you do want to make sure that Auto Joined is turned Off. So in other words it won't automatically join the network. You'd have to go into your WiFi settings and select it instead. This prevents you from being on, maybe, a different network than the one that you think. Or having, say, your Mail app or some other app automatically start doing things on the internet even if you're someplace like a cafe where you didn't actually intend to log into the network.
For the next one I want to go to Safari. In Safari Settings you go to General and then there's a checkbox here for Open Safe Files After Downloading. Now, Safe Files really only apply to things like videos, pictures, stuff like that. So you download an image and it will go to the Downloads folder and open it up so you can view it. Now I find this a little annoying. A lot of times I just want to download the content and not necessarily switch apps to view it right now. But also in the distant past there were issues with malware getting onto your Mac this way. There's no current threat like that. There hasn't been for a long time. But I don't see the need to actually risk that by having this checked. So I leave it Off. It's really easy to just go to the Downloads folder or click on the Downloads button at the top right and open that content after you download it anyway. 
While we're herein Safari Settings also go to Websites. Then go to the Notification Section here. Here you're going to see a list of websites where you may have accidentally granted permission for it to show you Notifications. This is a common attack vector for scams and malware. You go to some random website that's a search result and it really quickly hits you with permission to send you notifications. Maybe you accidentally say okay. Now it will send you notifications. Not right then but sometime later and the notification looks like it's like a warning or that you have malware or that you need to call a tech support or something like that. When that happens people sometimes think they have malware installed but all it is is they have gone to a website, given it permission to send them notifications and now it is sending them a notification that is misleading. Right. So check in here every once in a while. Make sure that you only allowed notifications for websites where you really want it to. Also, what I like to do is uncheck Allow Websites To Ask Permission to Send Notifications. That way these websites can't actually trick you into allowing Notifications. Some of them will actually still ask you. But it is not the official ask for the browser. It's a step before that. So even if you accidentally say okay the next step, actually allowing notifications, won't show up because you have this unchecked. 
Let's get back to System Settings and look at a really important one. Under General there is Software Update. For best security, under Automatic Updates you should have all of these checked. This will automatically install System Updates. Now I know some people say, well I don't want to install System Updates until it has been a few days later or people tell me it is okay. But a lot of that dates back to the earlier days of macOS where there wasn't public beta testing. Now there is and tons of regular users test out macOS before it comes out. So installing it right away doesn't mean you're one of the first people to get this system update outside of Apple. Not at all. That's a thing of the past. By turning these on makes sure that you get security updates of all sorts of different levels right away. An important one is actually Install Application Updates from the App Store because security problems don't just happen with the system. They commonly happen with apps you have installed. Apps that may have parts running in the background even. So you want to make sure all your apps are up-to-date as well as macOS. 
Also here under General you've got your Settings for Time Machine. Now notice here I have a Time Machine drive and it says it is encrypted. If yours isn't encrypted that means somebody could steal your Time Machine Drive and actually have access to all your files. So your Mac is already encrypted and hopefully you have FileVault turned On like I showed before. But then your Time Machine backup is completely unencrypted. If you don't see it as encrypted then you seriously want to consider, at some point soon, restarting your Time Machine Backups. So in other words erasing the drive and starting from scratch with Encryption checked. 
Another thing you may want to consider if security is a primary concern for you is setting a Firmware Password on your Mac. This will prevent somebody from booting your Mac up using an external drive. So the instructions for doing so involve actually booting into macOS Recovery Mode which is hard to show here. But here is the page that Apple has that walks you through it. 
Now if you do lose or somebody steals your Mac you do want to be able to track it and take action remotely. You can only do that if in advance you turn on Find My Mac. So you do that by going to your Apple ID here at the top of Settings. Then go into iCloud. Then where it shows apps using iCloud click on Show More Apps. Here you'll Find My Mac. Now, you'll see it turned Off here because this is my second user account on my Mac. It is only turned On for one user account. So my main user account has this turned On and in addition to that there's a second option on newer Macs to actually have it send you the location even if the Mac is powered Off. So now you can use the Find My App on an iPhone, and iPad, or another Mac and you can locate your device which will show you on a map. But also you can do other things like, for instance, you can mark it as lost and erase it remotely protecting your data if you know it has been stolen. 
So there are a whole bunch of different suggestions for ways to make your Mac more secure. Hope you found this useful. Thanks for watching.

Comments: 14 Responses to “15 Mac Settings To Make Your Mac More Secure”

john120165

12 months ago

Another great video Gary. I opted to turn on file vault and the firmware password after viewing the content. Keep up the great work.

LorneS

To help prevent account changes if Mac is stolen and thief gets password, go to Settings, Content&Privacy, and set a pin to restrict changes to Allow Passcode Changes and Allow Account Changes. Do this on iOS too.

Jeff

ANOTHER terribly-useful video from Gary. Thank you, Gary.

lana

This was so direct and easy to follow. I am in my eighties, but your videos help me stay up to date. Thank You

Luc Prévost

Did you get a new mic? Your voice is richer! Great work like always.

Gary Rosenzweig

Luc: Same Mic for the last 2 years. Same audio processing for the last 4 months or so to?

Daniel

Good stuff, Gary. It may be worth pointing out that setting a firmware password is only needed (and possible) on Macs with Intel processors. Apparently, Apple silicon computers are automatically protected if you turn on FileVault.
D.

Justine

Hi Gary,

I tried to encrypt my Time Machine hard disk but can;t figure out how to get to the settings. I may have gotten rid of the back ups incorrectly. I moved all the back ups to the trash and erased that way but when I go to try to setup a new encrypted hd Time Machine just saves the file as though it's the same as it ever was plus I don't get the settings option for encryption. What am I doing wrong?
Thanks in advance (hope this is enough info for you!)

Justine: You do it when you create your Time Machine backup. It is an option at that point. If you have removed everything from the drive, just reformat it in Disk Utility and start fresh. Then note the option to encrypt when you set it as your Time Machine backup.

Disk utility for the win!

Sheldon

Thanks bunches

Nan

Many thanks, as there were a couple of things here I did not know about.

Jonathan

Is there any downside (e.g. performance, authentications, required additional actions or mouse clicks etc, issues issues with websites ) to engaging FileVault on a desktop Mac?

Jonathan: No on a modern Mac, no.