Secure your macOS system with this comprehensive hardening guide.
Ideal for users who value privacy, security, and performance.

• Mac with Apple Silicon Chip (M1 or newer) because of it's secure ARM architecture.
• Newer chips, starting with M2 have better security features like Secure Page Table Monitor (SPTM) & Trusted Execution Monitor (TXM).
• M4 adds the Secure Exclave. So it's best to stick with the most recent ones.
• Older devices (with T2 or T1 chips) are no longer recommended because they are vulnerable to checkm8, Passware Kit Forensic T2 Add-on, and lack some hardware security features.

• create/ use an iCloud.com email address for your Apple-ID at first start.
• Check for updates and enable automatic updates for all options.
• Keep a record of the settings you modify.

• Enable FileVault (Full Disk Encryption) and backup the recovery key. You can check for an recovery key and verify if your saved key is valid.
  • Beside FileVault, (encrypted) disk images can be created for sensitive files (search for "Create secure image file" at the bottom).
  • Also encrypt external media.
• Set Gatekeeper to "App Store and identified developers".
• Require a password immediately after sleep or screen saver begins.
• Enable Two-factor authentication for your Apple-ID and use FIDO security keys for it.
• Enable Advanced Data Protection for iCloud.
• Backup with Time Machine and make sure you have encryption turned on.
• Open Terminal and enable Secure keyboard entry at macOS menu bar to prevent other applications reading the keyboard input while using the terminal.
• Password protect your screen saver and use a low time for locking and logout.
• (Macbooks only) control accessory security.
• Make sure you have Full Firmware Security and System Integrity Protection enabled.

• Disable automatic login.
• Disable the Guest user account.
• • If multiple people use your Mac, limit the number of users with administrator privileges and set up a user account for each person, so that one person can’t modify the files needed by another.

• Turn on the Firewall, enable blocking all incoming connections for all network and activate stealth mode in firewall settings.
• Disable all forms of remote access sharing settings.
• Limit Location Services to essential apps only.
• (iCloud+ needed) Enable Private Relay.
  • Alternatives are: Quad9 and Cloudflare. Quad9 provides an easy solution with Apple signed profiles. AdGuard and NextDNS are also options, but some users report problems like false positive filtering and stability/performance issues.
  • Only Private Relay supports Oblivious DNS over HTTPS (ODoH)

• Safari settings:

  • Block cross-site tracking.
  • Clear history and website Data to get a fresh start, now with tracking protection.
  • Instead of using insecure, privacy-unfriendly (adblocker) browser extensions, use the Reader mode.
  • Hide IP address from trackers / and Websites (if PrivateRelay is activated)
  • Enable Advanced Tracking and Fingerprinting Protection

• Safari hardening:

  • Enable protection against fraudulent websites
  • Enable protection against non-encrypted HTTP sites

• Install only from the App Store as there is a mandatory sandbox for all App Store apps.
• If not possible, at least Electron-based programs should be avoided - even in 2024.
• Avoid using Homebrew and remove unmaintained programs.
• Avoid Kernel extensions (Catalina and earlier), System extensions (Big Sur and later) and Rosetta.
• Also VM software like Parallels aren't perfect in 2024 nor 2025.

• Regularly audit installed apps and permissions.
• Where PassKeys isn't supported, use strong, unique passwords and enable 2FA everywhere. This is easily manageable with internal Passwords program.
• Periodically review Privacy Settings.
• With Activity Monitor you can find Apps lacking the Sandbox and/ or Code injection Protection.
  • Just enable the "Sandbox" and "Restricted" columns.
• With the Terminal, you can also check the Hardened Runtime.
• Thunderbolt 4 cables enforce DMA protection using Directed I/O (Intel VT-d) technology that provides IO virtualization (often referred to as IO Memory Management Unit or IOMMU).
• If Bluetooth accessories like a keyboard or mouse are used, stay with official Apple ones as their firmware will automatically be updated by macOS, and Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.

• Enable Lockdown Mode.
• Consider using a stricter umask such as 027 or 077 for both system processes and user apps.

• Security-announce - Product security notifications and announcements from Apple
• Apple Platform Security Overview - PDF
• Apple Security Research Blog & Security Bounty
• Apple Safety certifications
• Safari provides many privacy features like Tracking & Fingerprint Prevention, Link Tracking Protection, Privacy Report, locked isolated and ephemeral Private Browsing tabs and more and is also the only browser which is secure against data extraction & decryption
• macOS has Hardened Runtime for user space code. This is not required for App Store apps, and not all apps enable this.
• M1 Macs have Kernel Integrity Protection (KIP) for kernel code
• M1 Macs use an improved implementation of ARM's Pointer Authentication Codes (PAC), ensuring backward and forward-edge protection
• Apple requires that all applications are sandboxed only from the App Store.
• Some resources about macOS/iOS system security
• CIS (Center for Internet Security, Inc.) Security Benchmarks
• NIST Security Technical Implementation Guide
• About speculative execution vulnerabilities in ARM-based and Intel CPUs
• About System Integrity Protection (SIP) on your Mac
• About Gatekeeper (forerunner was Quarantine) - Safely open apps on your Mac
• Learn how Private Relay protects users’ privacy on the internet
• Getting started in macOS security / forensics
• Protecting against malware in macOS
• (since macOS 13) AMFI Launch Constraints - First Quick Look and Trust Cache
• Evolution of privacy & security in macOS
• Data Vault - Protecting app access to user data
• Why your macOS EDR solution shouldn’t be running under Rosetta 2
• PPL (Page Protection Layer) or: why iOS/ iPadOS is much more secure than macOS
• "what is": Effaceable Storage, sepOS, BIMI support in Apple Mail, signed system volume (SSV)
• The Complete Guide to Understanding Apple Mac Security for Enterprise aka Apple at Work
• A Guide to macOS Threat Hunting and Incident Response
• macOS Security & Privilege Escalation
• Let's talk about macOS Authorization
• How APFS mounts encrypted volumes, snapshots, cryptexes, and more
• (since macOS 14.0) implementations of exFAT and MS-DOS file systems provided by services running in user space instead of by kernel extensions, Link Tracking Protection in Messages, Mail, and Safari
• (since Safari 17.x) GPU Process security, Privacy changes, blob partitioning
• Managed Device Attestation - a technical exploration
• Built-in macOS Security (TCC, File Quarantine, Gatekeeper, XProtect, MRT, XPR)
• JNUC 2023: Securing Apple Devices in an organization with MDM
• Apple's theft prevention system
• Runtime protection in macOS Sequoia
• CVE-2023-42929: Why do we need the App Container Protection
• SLAP & FLOP speculative execution attack
• (since Safari 18.4) Cookies Having Independent Partitioned State (CHIPS)

🔒 Stay Safe and Secure!