Apple’s computer operating system, macOS, runs on its Macbook, iMac, and Mac mini computers. You probably store a lot of data on your Mac, so it’s critical that you take the time to set your security and privacy settings.
Apple is known for building strong security and privacy into its software. However, that doesn’t mean that you should simply accept the default macOS system preferences. There are changes you can make to increase the security and privacy of macOS.
For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.
This guide was last updated for macOS 10.14.3 on a Macbook Pro. The settings and steps may differ based on version of iOS and device.
Note: this page contains affiliate links.
macOS System Preferences
To open the macOS settings, simply open the System Preferences app (a gray gear icon). We’ll go through the settings it contains in order.
There’s a padlock icon in the bottom left corner of many System Preferences screens. You may not be able to change some options until you unlock that padlock by clicking it and entering your Mac password.
Security & Privacy
In System Preferences, click Security & Privacy.
Change Password: If you haven’t already, set a long, strong password (15+ characters, with a mix of uppercase, lowercase, numbers, and special characters). You’ll need to type this into your Mac from time to time, so make a password you can remember. You’ll need to enter this password to open any password manager you have on your Mac, so don’t rely on just grabbing it from your password manager (unless you plan to use a password manager on your phone). Once you create your password, I recommend saving it in a password manager, such as LastPass, in case you forget it.
Require password after sleep or screen saver begins: This makes your Mac require a password after it’s been idle for a certain amount of time. I recommend immediately or 5 seconds.
Show a message when the screen is locked: Click Set Lock Message to set the message that shows on the lock screen. If a Good Samaritan finds your Mac, this will tell them how to contact you. However, don’t give away too much personal info, because a nefarious person could use it against you. Definitely don’t put your home address. I recommend putting a phone number and/or email address.
Allow apps downloaded from: Apple monitors its App Store pretty closely, so it’s a safe source for apps. Getting apps from other sources is riskier. I recommend choosing App Store. If you try to run an app that you didn’t get from the App Store, macOS will tell you that it’s blocked. However, you can open this settings page and choose to allow the app, if you know it’s trustworthy.
Click the FileVault tab at the top of the Security & Privacy window.
FileVault is macOS’ way of encrypting your entire disk. It’s one of the best things you can do to secure your Mac, because it means that if someone steals your Mac, they won’t be able to see or copy your data off the disk.
If it’s not already on, click Turn on FileVault. You’ll be asked how you want to recover if you forget your password. I recommend choosing Create a recovery key and do not use my iCloud account. I would rather not give that key to Apple. I recommend saving the recovery key in a password manager, such as LastPass.
Click the Firewall tab at the top of the Security & Privacy window.
Go back to System Preferences, then click Firewall.
The firewall prevents “unauthorized applications, programs, and services from accepting incoming connections.” I recommend clicking Turn on Firewall.
Click Firewall Options. I recommend checking the bottom 3 boxes:
- Automatically allow built-in software to receive incoming connections
- Automatically allow downloaded signed software to receive incoming connections
- Enable stealth mode
If you discover that these settings are breaking something (preventing something from communicating with your Mac, which you want to allow), open these settings and adjust as necessary.
Click the Privacy tab at the top of the Security & Privacy window. On the left side of the screen you’ll see several categories. Click through each one, setting your privacy as desired.
Location Services: I only allow Location Services for Find My Mac, which allows you to remotely find and erase your Mac. To do this, check the box for Location Services, then uncheck all the boxes below that. At the bottom of the list, next to System Service, click Details. Uncheck all boxes except Find My Mac.
Camera: uncheck the box for any apps that shouldn’t have access to your camera.
Microphone: uncheck the box for any apps that shouldn’t have access to your microphone.
Full Disk Access: uncheck the box for any apps that shouldn’t have access to your full disk. It’s OK for backup software and security software (such as antimalware) to have access, but be wary of granting access to anything else.
Analytics: I generally like to share data that helps make software and services better, as long as my data is anonymized. You may choose to disable if you’d rather not send your data (even anonymized data) to Apple. Apple says,
Personal data is either not logged at all in the reports generated by your Mac, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple.
Advertising: I recommend checking the box for Limit Ad Tracking, to limit the data Apple collects and stores about you. Note that even by setting this, you’ll still see the same number of ads, but they’ll be less relevant (less targeted to your personal data).
Go back to System Preferences, then click Notifications.
What could a person learn about you if they could see messages, calendar reminders, and other notifications appear on your screen when you’re away from your Mac? I recommend adjusting your settings to not reveal such sensitive data.
For each app that has notifications that could reveal sensitive data, set Show notification preview to Unlocked, or uncheck the box for Show notifications on lock screen to not have that app show notifications on the lock screen. If you ever share the screen of your Mac, in person or online, consider unchecking the box for Show notification preview.
Go back to System Preferences, then click iCloud.
Next to iCloud Drive, click Options. You’ll see a list of apps and items that can be stored in iCloud Drive. Uncheck the boxes for any items that you don’t want to store data in iCloud Drive. I recommend keeping to a minimum the data you store in iCloud.
Back on the iCloud screen, uncheck the boxes for any apps that you don’t want to store data in iCloud. I recommend keeping to a minimum the data you store in iCloud.
Scroll down the list to Find My Mac. This allows you to find, lock, or wipe/erase your Mac remotely, if it becomes lost or stolen. I recommend checking the box.
Go back to System Preferences, then click Internet Accounts.
Click through each account and ensure that it’s syncing only the data you want synced.
Go back to System Preferences, then click Software Updates.
Check the box for Automatically keep my Mac up to date.
Click Advanced, then check all the boxes.
Go back to System Preferences, then click Bluetooth.
If you’re not using Bluetooth right now, click Turn Bluetooth Off. Bluetooth is easily compromised, so turn it on only when you need it.
Go back to System Preferences, then click Sharing.
In the list of services, uncheck the boxes for all the services you don’t truly need to share. For those you enable, click through and carefully set additional settings.
Users & Groups
Go back to System Preferences, then click Users & Groups.
Review and edit any users and groups, as necessary.
Go back to System Preferences, then click Parental Controls.
If children use your Mac, familiarize yourself with and use the parental controls.
Go back to System Preferences, then click Software Updates.
Siri gives you more privacy than other voice assistants, but if you don’t want to use it (as I don’t), you can uncheck the box for Enable Ask Siri.
Go back to System Preferences, then click Time Machine.
Check the box for Back Up Automatically. I recommend also backing up to an external disk. When you set it up, check the box for Encrypt Backup Disk. I recommend saving the password in a password manager, such as LastPass.
Back Up Your Mac
Back up regularly. I recommend backing up to an external drive and the cloud. Why an external drive? If you need to restore a lot of data, it’s much faster to restore from an external drive than download from the cloud. Why cloud backup? If your Mac is hit by fire, a flood, or other disaster, or it’s stolen, it’s likely that your external drive will suffer the same fate.
As I mentioned above, I recommend using macOS’ Time Machine to back up to an external drive.
There are many cloud backup providers. Choose one that lets you set your own private encryption key. I recommend IDrive, but you can also look at SpiderOak, BackBlaze, Mozy, Carbonite, Acronis, Sync, and Tresorit.
Using macOS Safely
Install all software updates (for macOS and apps) as soon as they’re available. You should set your device to do this automatically (see settings above), but also watch for any update prompts.
Be careful what access you grant to apps. When an app asks for access to your camera, microphone, contacts, location, etc., think carefully about whether it truly needs that access. You can always grant the access later if you change your mind.
Don’t use public Wi-Fi for anything sensitive, because you’re using an insecure, untrusted network. Instead, tether to your mobile device or hotspot and use its mobile/cellular data, or use a VPN (virtual private network) to protect your traffic when using public Wi-Fi.
Even though there’s much less malware for macOS than for Windows, I still recommend scanning your Mac at least every two weeks. You can choose to scan weekly (an on-demand scan), or even have your anti-malware software run constantly in the background (sometimes called real-time scanning), if you want. I like Malwarebytes for Mac and Bitdefender Virus Scanner (both free).
Apple’s iMessages system, which powers its Messages app, is end-to-end encrypted. That means iMessages can’t be read by third parties, making them much more private than standard SMS/text messages. Just remember that if you send messages to someone who’s not using an Apple device (if the messages are green rather than blue), those messages are outside of the iMessages system. Also, be aware that iMessages are stored in your iCloud backup, giving Apple the ability to access them. You can disable iCloud backup to prevent this (see settings above), but keep in mind that your messages sent to others could still be backed up into their iCloud accounts. If you’re concerned about the privacy of your messages, consider a secure, private messaging app such as Signal or Wire.
Regularly delete unnecessary apps from your Mac. This decreases your “attack surface”; it limits the ways your Mac could be compromised.
Encrypt and erase your Mac before you sell or donate it. Ensure that you have your main drive encrypted (see details on FileVault above). Then follow Apple’s document What to do before you sell, give away, or trade in your Mac.