macOS is based on BSD Unix and carries with it a long history of security. But, at heart, it’s a consumer operating system. The defaults are very trusting and open. Apple recognizes this and provides a very thorough document on securing macOS.
Here are the basic steps to securing macOS:
1. Set a firmware password. This is a password required to gain low-level hardware access. It’s set using the Firmware Password Utility on the Max macOS installation disc (in /Applications/Utilities on the installation disc).
2. Turn off Auto-login. In the Accounts preference pane select the option to disable automatic logins.
3. In the Security preference pane you should require a password when waking the computer and you should require a password to access sensitive preference panes. In addition, you should activate secure virtual memory.
4. Disable the guest account or severely limit it using Parental Controls. The main reason why you would leave it enabled is if you have theft recovery software installed. Thieves will use the guest account, giving the theft recovery software time to work.
5. You should set an inactivity timeout on the screen saver and make the value relatively low. You do that in the Desktop & Screen Saver preference pane.
6. Make certain the firewall is turned on (in the Security preference pane) and is set to either ‘Allow only essential services’ or ‘Set access for specific services and applications’.
7. Ensure you always install security updates from Apple as they are released. Don’t delay.
8. Install anti-virus software. This is less for the security of macOS then to ensure you don’t pass viruses on to other machines. ClamAV is the software bundled with macOS server and is freely available for macOS desktop. Install it and activate ClamAV Sentry to start on Login in the ClamAV preferences. Set the sentry to scan the downloads, desktop and public drop box directories. These are the primary locations for new files to be downloaded onto the computer.
9. Disable Java in the browser. There are very few Java applets in use and you can re-enable Java in the browser if you need it. Open Safari’s preferences and uncheck the “Enable Java” option.
These are the minimal steps to secure macOS. Personal files are still accessible by a technically savvy thief if the laptop is stolen. This can be resolved if the user activates File Vault or installs a full-disk encryption program like PGP Whole Disk encryption.