Awesome
Device Recommendations
- A Mac with an Apple Silicon chip (M1 or newer) because of the secure ARM architecture. Newer chips have better security features, so it's best to stick with the most recent ones. Older devices (with T2 or T1 chips) are no longer recommended because they are vulnerable to checkm8 and the Passware Kit Forensic T2 Add-on, and they lack some hardware security features.
First steps
- Distrust all networks by disallowing all incoming connections in Firewall settings (stealth mode).
- Check for updates and enable automatic updates for OS and also App Store.
- If multiple people use your Mac, limit the number of users with administrator privileges and set up a user account for each person, so that one person can't modify the files needed by another.
- Enable FileVault
General Tips
- make sure you have Full Firmware Security and System Integrity Protection enabled
- enable Two-factor authentication for your Apple ID and use FIDO security keys for it
- enable Advanced Data Protection for iCloud
- Besides FileVault, (encrypted) disk images can be created for sensitive files (search for "Create secure image file" at the bottom).
- Install software only from the App Store, as there is a mandatory sandbox for all App Store apps. If that is not possible, at least avoid Electron-based programs, even in 2024. Avoid Homebrew as well, and remove unmaintained programs.
- Check if all forms of remote access are disabled in Sharing settings.
- Use only Safari as your browser, because it supports Private Relay, Passkeys and many privacy features such as Tracking & Fingerprint Prevention, Link Tracking Protection, Privacy Report, locked, isolated and ephemeral Private Browsing tabs, and more. Also enable cross-site tracking prevention and Advanced Tracking and Fingerprinting Protection.
- Password protect your screen saver and use a low time for locking and logout.
- Backup with Time Machine and make sure you have encryption turned on.
- Instead of using insecure, privacy-unfriendly adblocker browser extensions or programs, use the Reader mode in Safari.
- If possible, use iCloud Private Relay. Alternatives are Quad9 and Cloudflare; Quad9 provides an easy solution with Apple-signed profiles. AdGuard and NextDNS are also options, but some users report problems such as false-positive filtering and stability/performance issues. Only Private Relay supports ODoH!
- Avoid kernel extensions (Catalina and earlier), system extensions (Big Sur and later) and Rosetta. These add unnecessary attack surface. VM software like Parallels isn't perfect either.
- Open Terminal and enable "Secure Keyboard Entry" in the macOS menu bar to prevent other applications from reading keyboard input while you use the terminal.
- encrypt external media
- (MacBooks only) control accessory security
- With Activity Monitor you can find apps lacking the Sandbox and/or Code Injection Protection: just enable the "Sandbox" and "Restricted" columns. With the Terminal you can also check the Hardened Runtime.
- Thunderbolt 4 cables enforce DMA protection using Directed I/O (Intel VT-d) technology, which provides I/O virtualization (often referred to as an I/O Memory Management Unit or IOMMU).
- If Bluetooth accessories such as a keyboard or mouse are used, stick with official Apple ones: their firmware is updated automatically by macOS, and Apple's SoCs minimize attack surface by relegating security functions to dedicated hardware with limited functionality.
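As an added example (not part of the original list), a small read-only audit script that checks several of the settings above from the Terminal: firewall stealth mode, SIP, FileVault, Gatekeeper, and whether a given app has the Hardened Runtime and the App Sandbox entitlement. The parsing helpers take command output as text so they can be exercised with constructed samples; audit() runs the real macOS tools. The exact output strings matched (e.g. "Stealth mode enabled") are assumed from current macOS versions.

```shell
#!/bin/sh
# Added audit example (not from the original list). Helpers parse tool output passed as text;
# audit() runs the real macOS tools read-only. Matched strings are assumed from current macOS.

# has_marker "<text>" "<pattern>": succeeds if the pattern occurs (case-insensitive)
has_marker() { printf '%s\n' "$1" | grep -qi -- "$2"; }

sip_enabled()   { has_marker "$1" 'System Integrity Protection status: enabled'; } # csrutil status
filevault_on()  { has_marker "$1" 'FileVault is On'; }                             # fdesetup status
stealth_on()    { has_marker "$1" 'Stealth mode enabled'; }   # socketfilterfw --getstealthmode
gatekeeper_on() { has_marker "$1" 'assessments enabled'; }    # spctl --status

# hardened_runtime "<codesign -dv --verbose=2 output>": the flags line carries "(runtime)"
hardened_runtime() { printf '%s\n' "$1" | grep -q 'flags=.*(runtime)'; }

# sandboxed "<codesign -d --entitlements - output>": App Sandbox entitlement present and true.
# Accepts both the plist-style and the "[Key] ... [Bool] true" style that codesign prints:
# after the key line, a "true" within the next three lines counts as enabled.
sandboxed() {
  printf '%s\n' "$1" | awk '
    /com\.apple\.security\.app-sandbox/ { n = 3 }
    n > 0 && /true/ { found = 1 }
    { if (n > 0) n-- }
    END { exit found ? 0 : 1 }'
}

# audit <app bundle>: report the system settings above plus the app's runtime protections
audit() {
  app="$1"
  sip_enabled   "$(csrutil status 2>/dev/null)"  && echo "SIP: enabled"   || echo "SIP: DISABLED"
  filevault_on  "$(fdesetup status 2>/dev/null)" && echo "FileVault: on"  || echo "FileVault: OFF"
  stealth_on    "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode 2>/dev/null)" \
                && echo "Firewall stealth mode: on" || echo "Firewall stealth mode: OFF"
  gatekeeper_on "$(spctl --status 2>/dev/null)"   && echo "Gatekeeper: on" || echo "Gatekeeper: OFF"
  sig="$(codesign -dv --verbose=2 "$app" 2>&1)"
  hardened_runtime "$sig" && echo "$app: hardened runtime" || echo "$app: NO hardened runtime"
  ent="$(codesign -d --entitlements - "$app" 2>/dev/null)"
  sandboxed "$ent" && echo "$app: App Sandbox" || echo "$app: NOT sandboxed"
}

# Example: sh audit.sh /Applications/Safari.app
if [ "$#" -gt 0 ]; then audit "$1"; fi
```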
Advanced users/special use case
- enable Lockdown Mode
- Consider using a stricter umask such as 027 or 077 for both system processes and user apps.
Reading/Informational Material
- Security-announce - Product security notifications and announcements from Apple
- Apple Platform Security Overview - PDF
- Apple Security Research Blog & Security Bounty
- Apple Safety certifications
- macOS has Hardened Runtime for user space code. This is not required for App Store apps and not all apps enable this.
- M1 Macs have Kernel Integrity Protection (KIP) for kernel code
- M1 Macs use an improved implementation of ARM's Pointer Authentication Codes (PAC), ensuring backward and forward-edge protection
- Apple requires sandboxing only for applications distributed through the App Store.
- some resources about macOS/iOS system security
- CIS (Center for Internet Security, Inc) Security Benchmarks
- NIST Security Technical Implementation Guide
- About speculative execution vulnerabilities in ARM-based and Intel CPUs
- About System Integrity Protection (SIP) on your Mac
- About Gatekeeper (forerunner was Quarantine) - Safely open apps on your Mac
- Learn how Private Relay protects users’ privacy on the internet
- Getting started in macOS security / forensics
- Protecting against malware in macOS
- (since macOS 13) AMFI Launch Constraints - First Quick Look and Trust Cache
- Evolution of privacy & security in macOS
- Data Vault - Protecting app access to user data
- Why your macOS EDR solution shouldn’t be running under Rosetta 2
- PPL (Page Protection Layer) or: why iOS/iPadOS is much more secure than macOS
- "what is": Effaceable Storage, sepOS, BIMI support in Apple Mail, signed system volume (SSV)
- The Complete Guide to Understanding Apple Mac Security for Enterprise aka Apple at Work
- A Guide to macOS Threat Hunting and Incident Response
- macOS Security & Privilege Escalation
- Let's talk macOS Authorization
- How APFS mounts encrypted volumes, snapshots, cryptexes and more
- (macOS Sonoma+) implementations of exfat and msdos file systems provided by services running in user-space instead of by kernel extensions
- (Safari 17.x) GPU Process security, Privacy changes, blob partitioning
- (macOS 14.0+) Link Tracking Protection in Messages, Mail, and Safari
- Managed Device Attestation - a technical exploration
- Built-in macOS Security (TCC, File Quarantine, Gatekeeper, XProtect, MRT, XPR)
- JNUC 2023: Securing Apple Devices in an organization with MDM
- Apple's theft prevention system
- runtime protection in macOS Sequoia
- CVE-2023-42929: Why do we need the App Container Protection