The Practical Guide To Mac Security: Part 11, Mac User Accounts

Hi, this is Gary with MacMost.com. This is Part 11 of my course The Practical Guide to Mac Security brought to you thanks to my great Patreon supporters. 

When it comes to Mac security one of the most important tools you have is User Accounts. Every individual that uses a computer should have their own User Account. So if you are sharing a Mac with your spouse or with other people in your home then you should each have your own User Account. This does several things. First it will separate what you've got, your documents, your preferences, and all sorts of other things like which email accounts the mail app accesses, which bookmarks you see in Safari. It separates those into two separate accounts. It's like having two computers in one. You log onto your User Account and all of your stuff is there. When you make changes you're making changes to your stuff. When somebody else logs on they log onto their User Account and they don't touch your stuff. They are just working with their stuff. You can go and setup User Accounts in System Preferences under Users & Groups. Then it will show you the current user and then other users. As you can see here I've got two User Accounts on this Mac. I've got one called MacMost which I use to make courses and tutorials. Another one that's my main User Account. But, if say, my spouse and I were using the same Mac we would each have a User Account and you would see my User Account as the current user and her's as another user. 

Having separate User Accounts means that if the other person makes a change that it won't effect your things. This is also true when it comes to security. If they were to go and try to log onto a website they would only see their passwords there in Safari. They wouldn't be able to accidentally log onto your account and perhaps do things in a less secure way than you would do it. So it separates all of your passwords as well. So that's why it is important to have separate User Accounts. 

So to create a new User Account or make any changes in here you've got to Unlock and then Authenticate. Now you could see the other User Accounts. To add one use the Plus button here and you could setup either Standard or Administrator User Accounts. The difference is that an Administrator can do things with other people's accounts. As an Administrator you can reset another User Account's passwords or you can add or remove accounts. A Standard account can still do most things that an Administrator can do. For instance, it can be used to install apps on the Mac. But it cannot then change the password or delete another account or create new ones. So in general you could have one Administrator and everybody else is Standard. But if they are all adults using the Mac then it's fine to have multiple Administrators as well. You would enter your full name here and then a short Account name. It's important to use a short name here. This is going to be the name of your Home folder. So a long name, say your first and last name is probably too long. So, for instance, I would do my full name here but I would just do Gary, perhaps, for the account name. Then a Password. This is the password that will be used for anybody to access this account. So if it's a weak password, like a word or a date or something like that, that means somebody could actually get in and have access to all of your passwords, have access to your email accounts, all of that. So you want to make sure it's relatively strong although you are going to end up typing it from time to time. Hopefully you have a Mac say with touch ID so you can use that most of the time instead of actually typing the password except when you reboot. But it is useful, to say, have an eight, nine, or ten letter password that is random and something after typing a few times you've basically memorized and can type very quickly.

Now when you create multiple users it's very useful to go into Login Options here and first turn Automatic Login off, so you have to login when you restart the computer. Display Login Window As Name and Password. So somebody trying to get into the Mac has to enter the name and password. Otherwise a list of users is a little less secure but it's not a big deal. Then you want to Show Fast User Switching and you can have icon, full name, or account name. It doesn't matter as long as you have this turned on. This is Fast User Switching up here. This is very important because by using Fast User Switching you can basically switch from one user to another without logging the first user out. So you could be using your Mac, say you're checking your email, you're composing something in Pages. You're working on a spreadsheet in Numbers. You've got a bunch of windows open and a bunch of webpages open and the other person could ask, mind if I check my email for a minute. So say sure. You get up. They use Fast User Switching to switch to their account. They can go in and check their email or whatever it is they need to do. Then you could switch back using Fast User Switching and all of your stuff is still there. You've never logged out so everything was hidden while they were logged in. But as soon as you switch back everything is just as you left it. So it's like having two computers but you're only seeing one on the screen at a time. It's very useful to have and it makes having multiple users much more powerful in a home that there's one Mac shared by many people.

Another tool you've got here is Guest User. Now unfortunately Guest User's only powerful when you are not using Fire Vault since Fire Vault is a very useful tool for security. But if you're not using Fire Vault you can turn Guest User on. What that does is it allows a guest, somebody who is not usually using this computer, could literally be a guest in your home or it can be somebody who has another Mac but they want to use yours for something just for a minute, they could basically login as a guest user and they don't need a password or anything for that because when you logon as a guest user it creates a brand new User Account from scratch. That's brand new with no data in it at all. It's not connected to the other user accounts. Then when they are done and they logout it erases that account. So it's a temporary account created just as long as they use it. They use it for twenty minutes and check their email. They can then logout and it erases it. So anything they may have done, anything they may have downloaded, it's gone. So it's a very secure way to allow guests to use your computer. Never allow a guest or somebody that isn't you to use your User Account.

Now what if you have Fire Vault turned on. Well, you can't use Guest User that way. In this case with a Guest User account they can only just access the web which maybe fine. But you could always very easily create a new account. So if somebody, say, a houseguest is coming over. They are going to stay for a few days. You want them to be able to access their things on your computer, create a new account for them. Make it a Standard account. Set it all up and then let them use their account while they are there. This is handy because it stays persistent.  As they Fast User Switch to other accounts you still have your stuff, based on their stuff, it's persistent. It stays there. Then when they are done you can use the Minus button down here to remove that account. So it's kind of like a Guest Account that will stick around between logins but you can do it using Fire Vault. So that's the way you should handle guests if you're using Fire Vault. 

Other than that follow the rule that Nobody except you should be using your User Account. It doesn't matter if you completely, totally trust that other person. It's not about trust. It's about having all of your stuff and your things separate from the other person. For instance, your iCloud or Apple ID. There's only one account you can be logged into at a time. So if you have two people in the house, they both have their own Apple ID with their own iCloud account, they could simply have a separate User Account on that Mac. Each User Account is logged into each iCloud account and maybe that links up with your own personal iPhones as well. You just use Fast User Switching to switch between the accounts. It's like you've got two Macs in your house instead of just one. Everything is separate. All the settings are separate. All the data is separate in those User Accounts. 

If you haven't done this and you have more than one person using one account right now I would suggest immediately setting up a separate account and getting to know how this works. How Fast User Switching works. Then work towards having that person having a separate Apple ID and a separate iCloud account and having everything on this Mac separated by person using the two separate User Accounts. 

Note, in case it's not clear, when you're logged into a Mac User Account the settings are all different including your Apple ID. So this account here is logged into this demo Apple ID here. But if I were to switch to another user account that user account would be using it's own Apple ID. So if you and your spouse share a Mac you would each have your own User Account. Each User Account would be logged into a separate Apple ID. You could still share things with each other. For instance, you could share purchases through Family Sharing. Even the amount of storage that you purchase from Apple can be shared although your files in iCloud Drive would be separate. They would be separate Apple ID's This would also apply, say Safari if you're logged into Facebook. One account you may be logged into Facebook using one Facebook account and then you could switch to the other user account, go to Safari and that would be a completely separate instance of Safari that would be using its own settings and its own information and you could be logged into your Facebook account there. So two people using the same Mac, as they switch between user accounts, they would find themselves logged into separate things in web browsers, in apps, and also with Apple ID.