Device Recommendations

• Mac with Apple Silicon Chip (M1 or newer) because of secure ARM architecture. M1, M1 Pro, M1 Max, M1 Ultra are all the same. Just core and performance changes.

• older devices (T2 or T1 chips) are no longer recommend because vulnerability to checkm8, lacks some hardware security features and are vulnerable against Passware Kit Forensic T2 Add-on

First steps

• Clean NVRAM (nonvolatile random-access memory)/ PRAM (Parameter RAM) and SMC (system management controller) after purchase
• Clean install OS after purchase
• Distrust all networks by disallowing all incoming connections in Firewall settings (stealth mode).
• Check for updates and enable automatic updates.
• If multiple people use your Mac, limit the number of users with administrator privileges and set up a user account for each person, so that one person can’t modify the files needed by another
• Enable FileVault after installation for increased entropy and also to protect your firmware

General Tips

• enable Two-factor authentication for your Apple ID and use FIDO security keys for it
• enable Advanced Data Protection for iCloud
• beside FileVault, (encrypted) disk images can be created for sensitive files (search for "Create secure image file" at bottom)
• Install software only from the App Store as there is a mandatory sandbox for all App Store apps. If not possible, at least Electron based programs should be avoided.
• Check if all forms of remote access are disabled in Sharing settings.
• use only Safari as browser, because it supports PrivateRelay, PassKeys and offers the best collaboration in Apple cosmos with privacy by design
• Password protect your screen saver and use a low time for locking and logout.
• Backup with Time Machine and make sure you have encryption turned on.
• While DNS encryption isn't perfect both Quad9 and Cloudflare are recommend. Quad9 provide a easy solution with Apple signed profiles. AdGuard and NextDNS are another, but some users report problems like false positive filtering, stability/performance issues.
• Avoid Kernel extensions (Catalina and earlier), System extensions (Big Sur and later) and Rosetta. These add unnecessary attack surface.
• Consider using a more stricter umask such as 027 or 077 for both system processes and user apps.
• open Termimal and enable "Secure keyboard entry” at MacOS menu bar to prevent other applications reading the keyboard input while using the terminal
• encrypt external media

Reading/Informational Material

• Security-announce - Product security notifications and announcements from Apple
• Apple Platform Security PDF
• Apple Security Research Blog & Security Bounty
• macOS has Hardened Runtime for user space code. This is not required for App Store apps and not all apps enable this.
• M1 Macs have Kernel Integrity Protection (KIP) for kernel code
• M1 Macs use an improved implementation of ARM's Pointer Authentication Codes (PAC), ensuring backward and forward-edge protection
• Apple requires that all applications are sandboxed only from the App Store.
• some resources about macOS/iOS system security
• macOS IR (Incident Response) & Forensics resources
• CIS (Center for Internet Security, Inc) Security Benchmarks
• NIST Security Technical Implementation Guide
• About speculative execution vulnerabilities in ARM-based and Intel CPUs
• About System Integrity Protection (SIP) on your Mac
• About Gatekeeper (forerunner was Quarantine) - Safely open apps on your Mac
• Tracking Prevention in WebKit (Safari browser)
• Learn how Private Relay protects users’ privacy on the internet
• Getting started in macOS security / forensics
• Protecting against malware in macOS
• (Ventura and newer) AMFI Launch Constraints - First Quick Look
• Evolution of privacy & security in macOS
• Data Vault - Protecting app access to user data
• Why your macOS EDR solution shouldn’t be running under Rosetta 2
• PPL (Page Protection Layer) or: why iOS/ iPadOS is much more secure than macOS
• "what is": Effaceable Storage, sepOS, BIMI support in Apple Mail
• The Complete Guide to Understanding Apple Mac Security for Enterprise
• A Guide to macOS Threat Hunting and Incident Response
• MacOS Security & Privilege Escalation
• Let's talk macOS Authorization
• Harden your devices against mercenary spyware with Lockdown Mode
• How APFS mounts encrypted volumes, snapshots, cryptexes and more