- Mac with an Apple silicon chip (M1 or newer), because of its secure ARM-based architecture. Newer chips have better security features, so it's best to stick with the most recent ones.
  - Older devices (with T1 or T2 chips) are no longer recommended: they are vulnerable to checkm8 and the Passware Kit Forensic T2 Add-on, and they lack some hardware security features.
- Distrust all networks by disallowing all incoming connections in Firewall settings (stealth mode).
- Check for updates and enable automatic updates for both the OS and the App Store.
- If multiple people use your Mac, limit the number of users with administrator privileges and set up a separate user account for each person, so that one person can't modify the files needed by another.
- Enable FileVault
- Make sure the firmware boot policy is set to Full Security and System Integrity Protection is enabled.
- Enable two-factor authentication for your Apple ID and use FIDO security keys for it.
- Enable Advanced Data Protection for iCloud.
- Besides FileVault, encrypted disk images can be created for sensitive files (search for "Create secure image file" at the bottom of the linked page).
- Install software only from the App Store, since every App Store app must run in a mandatory sandbox. If that is not possible, at least avoid Electron-based programs, even in 2024.
- Check if all forms of remote access are disabled in Sharing settings.
- Use only Safari as your browser: it supports Private Relay and passkeys, has many privacy features, and offers the best compatibility with the Apple ecosystem.
- Password-protect your screen saver and use a short delay before locking and logging out.
- Backup with Time Machine and make sure you have encryption turned on.
- Instead of using insecure, privacy-unfriendly adblocker browser extensions or programs, use the Reader mode in Safari.
- If possible, use iCloud Private Relay. Alternatives are Quad9 and Cloudflare; Quad9 provides an easy setup with Apple-signed profiles. AdGuard and NextDNS are also options, but some users report problems such as false-positive filtering and stability/performance issues. Only Private Relay supports ODoH!
- Avoid Kernel extensions (Catalina and earlier), System extensions (Big Sur and later) and Rosetta. These add unnecessary attack surface.
- Open Terminal and enable "Secure Keyboard Entry" from the macOS menu bar to prevent other applications from reading keyboard input while you use the terminal.
- Encrypt external media.
- (MacBooks only) Control accessory security.
- Enable Lockdown Mode.
- Consider using a stricter umask such as 027 or 077 for both system processes and user apps.
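A read-only audit of several items above, added here as an example and not part of the original checklist: each check runs the macOS tool only if it is present and classifies the tool's text output in a small function, so the classifiers can be exercised with constructed sample strings on any system. The expected output strings are the ones `fdesetup`, `csrutil`, `spctl`, `socketfilterfw`, `systemsetup` and `defaults` print; the labels and PASS/FAIL/SKIP format are my own.

```shell
#!/bin/sh
# Added example: read-only audit of several checklist items. Each classifier
# takes a tool's text output and returns 0 (pass) or 1 (fail), so it can be
# tested with constructed sample strings; run() only invokes the real macOS
# tool when it exists on this machine.

filevault_ok()    { printf '%s' "$1" | grep -q '^FileVault is On'; }        # fdesetup status
sip_ok()          { printf '%s' "$1" | grep -q 'status: enabled'; }         # csrutil status
gatekeeper_ok()   { printf '%s' "$1" | grep -q '^assessments enabled'; }    # spctl --status
stealth_ok()      { printf '%s' "$1" | grep -qi 'stealth mode enabled'; }   # socketfilterfw
remote_login_ok() { printf '%s' "$1" | grep -q 'Remote Login: Off'; }       # systemsetup
autoupdate_ok()   { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }  # defaults read
umask_ok()        { case "$1" in 027|0027|077|0077) return 0 ;; *) return 1 ;; esac; }

# run <label> <classifier> <command...>: PASS/FAIL from the classifier,
# SKIP when the command is unavailable (e.g. not running on macOS).
run() {
  label=$1; fn=$2; shift 2
  if out=$("$@" 2>/dev/null); then
    if "$fn" "$out"; then echo "PASS  $label"; else echo "FAIL  $label ($out)"; fi
  else
    echo "SKIP  $label (command unavailable or needs root)"
  fi
}

run "FileVault enabled"             filevault_ok    fdesetup status
run "SIP enabled"                   sip_ok          csrutil status
run "Gatekeeper enabled"            gatekeeper_ok   spctl --status
run "Firewall stealth mode"         stealth_ok      /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
run "Remote Login (SSH) off"        remote_login_ok systemsetup -getremotelogin
run "Automatic update checks"       autoupdate_ok   defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
run "umask 027 or 077 (this shell)" umask_ok        umask
# Remediation for the last item: "sudo launchctl config user umask 027" for user
# apps and "sudo launchctl config system umask 027" for system daemons, then reboot.
```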
- Security-announce - Product security notifications and announcements from Apple
- Apple Platform Security PDF
- Apple Security Research Blog & Security Bounty
- Apple Safety certifications
- macOS has Hardened Runtime for user-space code. It is not required for App Store apps, and not all apps enable it.
- M1 Macs have Kernel Integrity Protection (KIP) for kernel code.
- M1 Macs use an improved implementation of ARM's Pointer Authentication Codes (PAC), ensuring backward- and forward-edge protection.
- Apple requires sandboxing only for applications distributed through the App Store.
- Some resources about macOS/iOS system security:
- CIS (Center for Internet Security, Inc.) Security Benchmarks
- NIST Security Technical Implementation Guide
- About speculative execution vulnerabilities in ARM-based and Intel CPUs
- About System Integrity Protection (SIP) on your Mac
- About Gatekeeper (its forerunner was Quarantine) - Safely open apps on your Mac
- Tracking Prevention in WebKit (Safari browser)
- Learn how Private Relay protects users’ privacy on the internet
- Getting started in macOS security / forensics
- Protecting against malware in macOS
- (Ventura and newer) AMFI Launch Constraints - First Quick Look
- Evolution of privacy & security in macOS
- Data Vault - Protecting app access to user data
- Why your macOS EDR solution shouldn’t be running under Rosetta 2
- PPL (Page Protection Layer) or: why iOS/iPadOS is much more secure than macOS
- "what is": Effaceable Storage, sepOS, BIMI support in Apple Mail, signed system volume (SSV)
- The Complete Guide to Understanding Apple Mac Security for Enterprise aka Apple at Work
- A Guide to macOS Threat Hunting and Incident Response
- macOS Security & Privilege Escalation
- Let's talk macOS Authorization
- How APFS mounts encrypted volumes, snapshots, cryptexes and more
- (macOS Sonoma+) The exfat and msdos file systems are now implemented by services running in user space instead of by kernel extensions
- (Safari 17.x) GPU Process security, Privacy changes, blob partitioning
- (macOS 14.0+) Link Tracking Protection in Messages, Mail, and Safari
- Managed Device Attestation - a technical exploration
- Built-in macOS Security (TCC, File Quarantine, Gatekeeper, XProtect, MRT, XPR)
- JNUC 2023: Securing Apple devices in an organization with MDM