macOS is often considered secure by default, and while Apple does build strong security into its operating system, relying on defaults alone isn't enough. In 15 years of Mac support, I've seen Macs compromised through phishing, outdated software, weak passwords, and inadequate physical security. Let me walk you through a comprehensive security setup.
Enable FileVault Encryption
FileVault encrypts your entire startup disk, protecting your data if your Mac is lost or stolen. Without FileVault, anyone with physical access can read your files by removing the drive. Enable it: System Settings > Privacy & Security > FileVault > Turn On. This takes 1-2 hours initially but runs invisibly afterward.
Strong Passwords and Touch ID
Your Mac's login password is your first line of defense. Use a strong password (12+ characters, mix of types) and enable Touch ID on supported Macs for convenience without sacrificing security. Go to System Settings > Touch ID & Passcode to configure.
Change Login Password Settings
In System Settings > Touch ID & Passcode, enable "Use your fingerprint for..." options that make sense. Also set "Require password" to "immediately" after sleep or screen saver—this prevents someone from accessing your Mac while you're away.
Gatekeeper: Control App Installation
Gatekeeper limits what apps can run on your Mac. The default setting (App Store and identified developers) is appropriate for most users. System Settings > Privacy & Security > Security > "Allow apps downloaded from" controls this. Don't change it to allow apps from anywhere—that's an unnecessary security risk.
Keep macOS Updated
Apple releases security updates regularly. Enable automatic updates: System Settings > Software Update > Automatic Updates > enable all options. This ensures critical security patches install without requiring your attention.
Firewall Configuration
macOS includes a firewall that blocks incoming connections. Enable it: System Settings > Network > Firewall. For most home users, the default configuration is fine. If you use file sharing or services, you may need to create exceptions for specific apps.
Find My Mac
Enable Find My Mac: System Settings > [Your Name] > Find My > Find My Mac. This allows you to locate, lock, or erase your Mac if it's lost or stolen. Combined with FileVault encryption, your data remains protected even if the physical device is compromised.
Privacy Settings Audit
Regularly review which apps have access to sensitive data: System Settings > Privacy & Security. Review each category:
- Location Services: Only enable for apps that genuinely need location
- Camera and Microphone: Only apps you trust should have access
- Contacts, Calendars, Photos: Review app permissions
- Automation: New in Ventura, controls which apps can control other apps
Malware and Adware Protection
macOS isn't immune to malware, though it's less targeted than Windows. Best practices:
- Never install software from sources you don't trust
- Be suspicious of "You have a virus" warnings in browsers—these are scams
- Don't install browser toolbars or "optimizer" apps from popups
- Macs don't need antivirus software if you follow safe practices
Safari Privacy
Safari has strong privacy features. Enable: Safari > Settings > Privacy. Enable "Prevent cross-site tracking" and "Hide IP address from trackers." Regularly clear your browsing data: Safari > Clear History. Consider using a content blocker extension for additional privacy.
Backup Security
Your backups should also be protected. Time Machine backups on an unencrypted drive are readable by anyone. For sensitive data, either use Time Machine with FileVault, or use encrypted disk images for particularly sensitive files.
VPN for Public Wi-Fi
When using public Wi-Fi (coffee shops, airports, hotels), use a VPN to encrypt your traffic. Your data passes through the local network and could be intercepted by anyone on that network. A VPN encrypts everything, preventing that interception. I recommend established VPN services like Mullvad, ProtonVPN, or NordVPN.
Secure Delete
When you delete a file normally, the data remains on disk until overwritten. For sensitive files, use Secure Empty Trash (deprecated in modern SSDs due to how they work) or FileVault encryption, which protects all data equally.
Physical Security
Physical access is often the weakest link:
- Set a firmware password to prevent booting from external drives (System Settings > Privacy & Security > Startup Security on business Macs)
- Use a privacy screen in public places
- Lock your Mac when stepping away (⌘Q or Ctrl-⌘Q in Ventura)
- Consider a cable lock for shared workspaces
