Device Recommendations
- Mac with an Apple Silicon chip (M1 or newer), because of the secure ARM architecture. M1, M1 Pro, M1 Max and M1 Ultra are equivalent from a security standpoint; they differ only in core count and performance.
- Older devices (T2 or T1 chips) are no longer recommended: they are vulnerable to checkm8, lack some hardware security features, and are vulnerable to the Passware Kit Forensic T2 add-on.
First steps
- Reset NVRAM (nonvolatile random-access memory)/PRAM (parameter RAM) and the SMC (system management controller) after purchase.
- Do a clean install of the OS after purchase.
- Treat every network as untrusted: in Firewall settings, block all incoming connections and enable stealth mode.
- Check for updates and enable automatic updates.
- If multiple people use your Mac, limit the number of users with administrator privileges and set up a user account for each person, so that one person can’t modify the files needed by another.
- Enable FileVault after installation, for increased entropy and also to protect your firmware.
General Tips
- Enable two-factor authentication for your Apple ID and use FIDO security keys for it.
- Enable Advanced Data Protection for iCloud.
- Besides FileVault, (encrypted) disk images can be created for sensitive files (search for "Create secure image file" at the bottom).
- Install software only from the App Store, as all App Store apps run in a mandatory sandbox. If that is not possible, at least avoid Electron-based programs.
- Check if all forms of remote access are disabled in Sharing settings.
- Use only Safari as your browser: it supports Private Relay and passkeys and offers the best integration with the Apple ecosystem, with privacy by design.
- Password protect your screen saver and use a low time for locking and logout.
- Backup with Time Machine and make sure you have encryption turned on.
- While DNS encryption isn't perfect, both Quad9 and Cloudflare are recommended. Quad9 provides an easy solution with Apple-signed profiles. AdGuard and NextDNS are alternatives, but some users report problems such as false-positive filtering and stability/performance issues.
- Avoid Kernel extensions (Catalina and earlier), System extensions (Big Sur and later) and Rosetta. These add unnecessary attack surface.
- Consider using a stricter umask such as 027 or 077 for both system processes and user apps.
- Open Terminal and enable "Secure Keyboard Entry" in the macOS menu bar to prevent other applications from reading keyboard input while you use the terminal.
- Encrypt external media.
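To see concretely what the umask advice above changes, here is an added shell example (not part of this guide) that creates a file and a directory under the default mask 022 and under the stricter 027 and 077, in a throwaway temporary directory, and prints the resulting permission bits. It runs on macOS or Linux; the helper name and the temp-directory layout are this example's own.

```shell
#!/bin/sh
# Added example: shows how the umask shapes the permissions of newly created
# files (base mode 666) and directories (base mode 777).

# perm_with_umask MASK KIND
#   Prints the nine permission bits (e.g. rw-r-----) of a probe file
#   (KIND=file) or directory (KIND=dir) created under MASK.
perm_with_umask() {
    mask="$1"
    kind="$2"
    tmp=$(mktemp -d) || return 1
    # Set the mask in a subshell so it does not leak into the caller's shell.
    (
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
    )
    # On both macOS and Linux, `ls -ld` starts with the type character followed
    # by the nine permission bits, so columns 2-10 are portable.
    ls -ld "$tmp/probe" | cut -c2-10
    rm -rf "$tmp"
}

# Compare the default mask with the two stricter values recommended above.
for m in 022 027 077; do
    printf 'umask %s: file=%s dir=%s\n' "$m" \
        "$(perm_with_umask "$m" file)" "$(perm_with_umask "$m" dir)"
done
```

With 022 a new file is world-readable (rw-r--r--); 027 removes all access for "other" (rw-r-----) and 077 leaves only the owner (rw-------). To make the stricter mask the system default rather than a per-shell setting, Apple documents `sudo launchctl config user umask 027` for user apps and `sudo launchctl config system umask 027` for system processes; both take effect after a reboot, and some apps that expect world-readable files may need checking afterwards.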
Reading/Informational Material
- Security-announce - Product security notifications and announcements from Apple
- Apple Platform Security PDF
- Apple Security Research Blog & Security Bounty
- macOS has Hardened Runtime for user-space code. It is not required for App Store apps, and not all apps enable it.
- M1 Macs have Kernel Integrity Protection (KIP) for kernel code.
- M1 Macs use an improved implementation of ARM's Pointer Authentication Codes (PAC), providing both backward-edge and forward-edge protection.
- Apple requires sandboxing only for applications distributed through the App Store.
- Some resources about macOS/iOS system security
- macOS IR (Incident Response) & Forensics resources
- CIS (Center for Internet Security, Inc) Security Benchmarks
- NIST Security Technical Implementation Guide
- About speculative execution vulnerabilities in ARM-based and Intel CPUs
- About System Integrity Protection (SIP) on your Mac
- About Gatekeeper (forerunner was Quarantine) - Safely open apps on your Mac
- Tracking Prevention in WebKit (Safari browser)
- Learn how Private Relay protects users’ privacy on the internet
- Getting started in macOS security / forensics
- Protecting against malware in macOS
- (Ventura and newer) AMFI Launch Constraints - First Quick Look
- Evolution of privacy & security in macOS
- Data Vault - Protecting app access to user data
- Why your macOS EDR solution shouldn’t be running under Rosetta 2
- PPL (Page Protection Layer) or: why iOS/iPadOS is much more secure than macOS
- "what is": Effaceable Storage, sepOS, BIMI support in Apple Mail
- The Complete Guide to Understanding Apple Mac Security for Enterprise
- A Guide to macOS Threat Hunting and Incident Response
- MacOS Security & Privilege Escalation
- Let's talk macOS Authorization
- Harden your devices against mercenary spyware with Lockdown Mode
- How APFS mounts encrypted volumes, snapshots, cryptexes and more