Best Security and Privacy Practices for MacBook Pro

Mac protection is critical but is sometimes ignored. These Mac security tips explain the Mac security settings you need, including the firewall and more. This guide provides a collection of guidelines to strengthen the security and privacy of a modern Apple MacBook running a recent version of macOS (formerly known as “OS X”). It is suited not only to inexperienced users interested in enhancing their privacy and protection on a Mac but also to power users wishing to follow company-standard security practices.

  • MacBook Pro (https://support.apple.com/kb/SP809?locale=en_US): The fifth-generation MacBook Pro was launched in November 2019. It has a 16-inch screen with smaller bezels and switches to a keyboard with a scissor mechanism. Its wider 16-inch 3072×1920 Retina touchscreen is mounted in a smaller bezel and is the largest MacBook screen since the 17-inch unibody MacBook Pro that was discontinued in 2012. Like its predecessor, the 16-inch MacBook Pro has four combination Thunderbolt 3 ports supporting USB-C 3.1 Gen 2 and Dual DisplayPort 1.4 signals, providing 6016×3384 output to run the Pro Display XDR at full resolution. It uses the same Coffee Lake CPUs as the 2019 15-inch configuration. Consumers can choose between AMD Radeon Pro 5300M or 5500M GPUs with up to 8 GB of GDDR6 memory, up to 64 GB of 2667 MHz DDR4 memory, and up to 8 TB of SSD capacity. It is available in two finishes: Silver and Space Gray. The new case has no Kensington lock slot, so alternate solutions are needed to physically protect the device.
  • The Apple T2 Security Chip, which is built into several recent Mac models, can keep your Mac safer. The Secure Enclave coprocessor in the Apple T2 chip provides the basis for Touch ID, secure boot and encrypted data. Touch ID gives you a simple way to unlock your Mac with your fingerprint, fill in Safari passwords and make transactions with Apple Pay. Secure boot helps make sure you are running trusted operating system software from Apple, while the Apple T2 chip automatically encrypts the data on your Mac. You can be assured that security has been engineered into your Mac’s architecture from the ground up.

MacBook Pro Security & Privacy settings

Let’s start with the simple Mac settings that you can review to make sure the protection is tight.

To familiarize yourself with the controls, visit the System Preferences > Security & Privacy panel. Here, you will find four tabs that control different security settings.

  • Open System Preferences from the Apple menu at the top left of your screen.
  • Click on Security & Privacy.
  • You will see the General, FileVault, Firewall and Privacy tabs.

To change any of these settings, you will need to click on the padlock at the bottom of the screen and type in your username and password.

MacBook Pro — Security Best Practices

A device is only as secure as its administrator can make it. There is no single technology, program, or methodology that guarantees flawless computer security; a modern operating system and desktop are very complicated, and many incremental changes are needed to significantly improve their security and privacy.

You can start by applying basic, standard security best practices:

Keep your system up to date by patching the operating system and third-party applications. macOS updates can be installed using the App Store application or the command-line softwareupdate tool; neither method requires Apple account registration. You can also download updates directly from Apple’s support website, and subscribe to alert mailing lists such as Apple Security Alert.

Build a threat model. What do you want to protect, and from whom? Is the adversary a three-letter agency (if so, you may want to start using OpenBSD instead), a nosy network eavesdropper, or a determined attacker inclined to orchestrate a campaign against you? Recognize the risks and how to reduce your exposure to them.

Ensure the integrity of your data. Make daily backups of your files and be ready to update and reinstall the operating system in case of failure. Also, encrypt backups locally before copying or transferring them to other media or the “internet.” Verify that backups work by checking them periodically, for example by opening some of the files or making a hash-based comparison.

Choose wisely. Ultimately, a system’s protection comes down to its owner. Take care when downloading new apps, and prefer free and open source applications (which macOS is not).

Admin and Default User Accounts

The first user account is often an admin account. Admin accounts are members of the admin group and have access to “sudo”, which allows them to take over other accounts, in particular root, and gives them effective control of the system. Any software executed by an admin will likely be able to gain the same access, making this a security risk. Utilities like “sudo” have vulnerabilities that can be exploited by concurrently running programs, and many panes in System Preferences are unlocked for admin accounts by default.

Apple and others consider it best practice to use a separate standard user account for day-to-day activities and to use the administrator account for installations, configuration and device setup. Logging into the admin account via the macOS login screen is not strictly necessary: when needed, the system prompts for authentication, and Terminal can do the rest. To this end, Apple offers suggestions for hiding the admin account and its home directory, which can be a neat way to avoid having a visible ‘ghost’ account. For further hardening, the admin account may also be removed from FileVault.

Account setup: Accounts can be created and managed in System Preferences. On established systems, it is usually easier to create a second admin account and then demote the first one, which avoids data migration. Newly configured systems can simply add a standard account.

Demoting an account can be done either from the new admin account in System Preferences (the other account must be logged out) or by executing these commands.

$ sudo dscl . -delete /Groups/admin GroupMembership <username>

$ sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>

To find the “GeneratedUID” of an account:

$ dscl . -read /Users/<username> GeneratedUID

You can visit this link (https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x/395738#395738) for more details.
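The demotion commands above remove the account from two separate attributes of the admin group, so it is worth confirming that neither still lists it. The following check is an added example, not part of the original guide; it assumes dscl prints an attribute as "Name: value value ...", and the account names and UUIDs in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): check that an account was
# removed from BOTH admin-group attributes the demotion commands touch.
# Assumption: dscl prints an attribute as "Name: value value ...".

# attr_contains OUTPUT VALUE: succeed if VALUE is one of the listed values.
# Whole-word comparison, so "admin" does not match "newadmin".
attr_contains() {
    printf '%s\n' "$1" | awk -v v="$2" '
        { for (i = 1; i <= NF; i++) if ($i == v) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# demotion_status USER UUID MEMBERSHIP MEMBERS
#   MEMBERSHIP: output of  dscl . -read /Groups/admin GroupMembership
#   MEMBERS:    output of  dscl . -read /Groups/admin GroupMembers
# Prints "standard", or "admin:" plus each attribute still listing the account.
demotion_status() {
    left=""
    if attr_contains "$3" "$1"; then left="$left GroupMembership"; fi
    if attr_contains "$4" "$2"; then left="$left GroupMembers"; fi
    if [ -z "$left" ]; then echo "standard"; else echo "admin:$left"; fi
}

# Constructed sample: the short name was deleted, the GeneratedUID was not.
SAMPLE_UUID="11111111-2222-3333-4444-555555555555"
SAMPLE_MEMBERSHIP="GroupMembership: root newadmin"
SAMPLE_MEMBERS="GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 $SAMPLE_UUID"

demotion_status olduser "$SAMPLE_UUID" "$SAMPLE_MEMBERSHIP" "$SAMPLE_MEMBERS"
```

On a Mac, pass the real output of the two `dscl . -read /Groups/admin ...` commands as the third and fourth arguments.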

Ensure passwords are long and complicated

Once you have set up user accounts on your Mac systems, the next move is to ensure that long, complicated passwords are used. Password security is more important than ever, and a lengthy, complicated password is the only way to achieve it for your system. The easiest approach is to combine a few sentences, or just construct a phrase you can quickly recall. Mix in letters, numbers, and special characters and you’ll significantly reduce the risk of unwanted access to the system.

Firewall Settings

The first step in securing any Mac is to enable the firewall, which blocks unwanted incoming network connections. You might assume the firewall is always enabled, but often it is not. Enabling it is wise and also very easy. macOS provides several types of firewall.

The application layer firewall is a built-in, simple firewall that only blocks incoming connections. It has no monitoring functionality, nor does it block outgoing connections. It can be configured in System Preferences on the Firewall tab of Security & Privacy.

Turn on the Firewall

To unlock the system settings, click the padlock icon at the bottom left (you’ll need to type in your login password when prompted).

Click the “Turn On Firewall” button.

Then click the Firewall Options button and tick the Allow Stealth Mode box in the dialog that appears. This last step means that your device will be completely invisible on public networks, for example on shared Wi-Fi in a cafe.

To make changes, click Firewall Options in the Firewall tab. Here you can see a list of applications and utilities that are allowed to accept inbound connections. If, say, you are trying to run an app and it shows an error telling you it was prevented from accepting an inbound connection, you can add it to the list by clicking the “+” sign.

Alternatively, you can turn on the firewall with the following commands.

Enable the firewall with logging and stealth mode:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

Firewall is enabled. (State = 1)

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

Turning on log mode

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Stealth mode enabled

Optional

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off

Disabled allow signed built-in applications automatically

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off

Disabled allow signed downloaded applications automatically

The last two commands prevent built-in software and code-signed downloaded applications from being whitelisted automatically.

Full disk encryption

FileVault offers full disk (technically, full volume) encryption in macOS. FileVault encryption protects data at rest, hindering (but not always preventing) those with physical access from accessing or exploiting the data on your Mac. The disk has to be unlocked before the computer can be used, which requires entering the long, complicated password that your users created earlier. FDE, combined with Mac MFA, makes it incredibly hard to break into the system, even if the hard drive is removed.

The performance penalty for FileVault is not significant, as most of the cryptographic operations are performed efficiently in hardware. Like all cryptosystems, FileVault’s protection depends heavily on the quality of the pseudo-random number generator.

Enable FileVault through System Preferences > Security & Privacy or with the command “sudo fdesetup enable” and reboot.

Optional: There’s no need to save the recovery key if you can remember the password. However, the encrypted data will be lost permanently if you have neither the password nor the recovery key.

Enforce hibernation and removal of FileVault keys from memory, rather than conventional sleep to memory, using these commands:

$ sudo pmset -a destroyfvkeyonstandby 1

$ sudo pmset -a hibernatemode 25

You should also change the standby and Power Nap settings if you choose to remove FileVault keys on standby. Otherwise, the computer may wake while in standby mode and then power off because the FileVault key is absent. Use these commands to change these settings:

$ sudo pmset -a powernap 0

$ sudo pmset -a standby 0

$ sudo pmset -a standbydelay 0

$ sudo pmset -a autopoweroff 0
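To confirm that all six power settings above are in effect, the output of `pmset -g` can be audited. The following is an added example, not part of the original guide; it assumes each setting is printed as a name and a value on one line, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit `pmset -g` output against the values set on this page.
# Assumption: each setting is printed as "<name> <value>" on its own line;
# names are compared case-insensitively. Sample outputs below are constructed.

EXPECTED="destroyfvkeyonstandby=1 hibernatemode=25 powernap=0 standby=0 standbydelay=0 autopoweroff=0"

# audit_pmset: read pmset output on stdin, print one line per deviation,
# and exit non-zero if any setting is missing or differs.
audit_pmset() (
    settings=$(tr '[:upper:]' '[:lower:]')
    status=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$settings" |
              awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; status=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got $got, want $want"; status=1
        fi
    done
    exit "$status"
)

SAMPLE_DEFAULT='Currently in use:
 standby              1
 powernap             1
 hibernatemode        3
 standbydelay         10800
 autopoweroff         1'

SAMPLE_HARDENED='Currently in use:
 standby              0
 powernap             0
 hibernatemode        25
 standbydelay         0
 autopoweroff         0
 DestroyFVKeyOnStandby 1'

# On a Mac: pmset -g | audit_pmset
printf '%s\n' "$SAMPLE_DEFAULT" | audit_pmset || echo "-> not hardened"
```

A setting that does not appear in the output at all is reported as MISSING rather than assumed to be correct.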

Viruses and malware

There’s an increasing amount of Mac malware in the wild. Macs aren’t immune to viruses and malware!

Your users and their devices are the route to your confidential information. It’s dangerous to assume that everything is in the cloud and that people don’t keep data on their Mac systems. Even if that were true – and we all know it isn’t – their devices hold confidential cloud passwords and keys for web applications and cloud infrastructure. Centralized user access control for Macs has always been a problem. Microsoft Active Directory® does not work perfectly for Macs. Similarly, Apple Open Directory is not as supportive of Windows systems. OpenLDAP works well for Debian, although it falls short with other systems. Yet management of computers is a security cornerstone, and the lack of it is a key concern for IT managers, who acknowledge that they struggle with these systems.

Some malware comes bundled with both legitimate software, such as the Java bundling Ask Toolbar, and with illegitimate software, such as pirated programs packaged with Mac.BackDoor.iWorm. Malwarebytes Anti-Viruses for Mac is a good application for getting rid of “garden-variety” viruses and other crapware. Although there are indeed more viruses targeting Macs these days, we’re still nowhere near the tidal wave that Windows users experience every day. The same goes for the malware attack that crippled the NHS: it targeted only Windows PCs. Because of this, and because OS X / macOS already has a strong but invisible anti-malware tool called XProtect, we assume that anti-malware software is not yet a mandatory requirement for a Mac.