The four Mac security options everyone should know
By Topher Kessler
As our lives increasingly go digital, security is a major concern not only for the various online services we use, but also for the devices on which we save our data. Chances are that if you’re reading this article, you own a Mac. And on your Mac, you’d like much of the work you do on it to be kept private.
While OS X is relatively secure by default, there are some additional steps you can take to ensure the data on your Mac is only accessible by you, even if your Mac is stolen. Take the following tips to heart to better protect your Mac and its data.
Enable the OS X firewall
The firewall in OS X is a network filter that allows you to control which programs and services can accept incoming connections. While classic firewalls do this on a per-port basis—regardless of which software is using the port—OS X’s firewall can work on a per-application or per-service basis, giving you more flexibility.
To set up your firewall, go to the Security & Privacy system preferences, click on the Firewall tab, and then unlock the preference pane, after which you will be able to click the Turn On Firewall button. This basic option is the best for most purposes, but you can also click the Firewall Options button to see the specific settings for each application as well as access some additional features such as stealth mode (which hides your computer from outside access attempts) and an option for blocking all connections.
The firewall is a good option to enable if you’re connected to a public Wi-Fi network, such as one at a cafe, library, or other hotspot. For home networks you can usually rely on your router’s firewall for protection, though enabling the OS X firewall for added security generally won’t cause additional problems.
Enable FileVault
FileVault is the full-disk encryption routine in OS X that will secure all files on the drive, including OS X system files, applications, caches and other temporary files, any of which may contain personal or sensitive information.
To enable FileVault, go to the FileVault tab of the Security & Privacy system preference, unlock the preference, and click Turn On FileVault. When you do this you’ll be asked to choose the user accounts that are authorized to unlock the disk (you can add other accounts later, if you like). Click Continue and your Mac will begin encrypting your drive. This may take a while to do, especially with large mechanical drives, where both encrypting and optimizing may take a number of hours to complete.
Full disk encryption is primarily useful for protecting a stolen Mac. When your drive is unlocked, files on it can be read. However, before it’s unlocked (i.e., your Mac is shut down), all data on the drive will be scrambled. This prevents data recovery by unauthorized third parties, who might try to access it using Target Disk mode on your Mac or by removing your Mac’s hard drive and attaching it to another computer.
Password management
If you use numerous online services regularly then you will (or should) have different credentials for each one. These may be difficult to remember. Often people store their credentials in a text, Word, or Pages file for easy access, but this is a highly insecure way to store passwords. In OS X you have a built-in alternative for managing passwords called the keychain.
Unlike other security options, the keychain is enabled by default to store your various passwords for online services, email accounts, sharing services, and many other authentication routines. Whenever you see a checkbox for saving your password, or a prompt in a drop-down menu when using Safari, OS X is offering to store that password in an encrypted file called the login keychain.
This keychain can be managed using the Keychain Access utility (/Applications/Utilities). In most cases, unless you’re troubleshooting your Mac, there’s little need to use this utility. Instead, simply use the option to save your passwords and OS X will automatically enter them where appropriate.
There are some third-party password tools such as 1Password that provide expanded password management. If Keychain Access and Safari’s ability to store passwords don’t provide you with the features you need, try 1Password or a similar utility.
Locking and locating
A final couple of options for protecting your Mac include securing your computer when you have to leave it unattended and enabling remote access to it—not only to interact with it from afar, but also to track and lock it down, if needed.
You set up the first of these options in the General tab of the Security & Privacy system preference. Just enable the Require Password option and choose Immediately or 5 seconds from the pop-up menu and you’ll be required to enter a password to use your Mac after it’s gone to sleep or the screen saver has started. The shorter the time interval you use in this feature, the better, especially for laptops. Just close the lid to lock the system.
To remotely access and track your Mac, open the iCloud system preference and switch on the Back to My Mac and Find My Mac iCloud services. With the first option checked you can access the sharing services you’ve enabled on your Mac. For example, with Screen Sharing turned on, your remote Mac will appear in the Finder sidebar, where you can click it and share its screen to view and interact with your remote Mac’s desktop.
For Find My Mac, if your system is ever stolen you can log in to iCloud.com or use the Find My iPhone app on an iOS device to locate your device, send it a command to lock it down unless a password is supplied, have it issue a sound (also a great option for locating a misplaced iOS device), or remotely wipe the device. See How to track a lost computer with Find My Mac for more details.
Overall, while Apple can do very little to prevent your computer from being stolen, OS X does its best to protect the data it holds and offers a chance that you can pinpoint its location. With these options enabled, you can be sure your Mac’s data is as safe as possible, with little to no inconvenience for you.
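To confirm from Terminal that the firewall, FileVault, and Require Password settings described above are actually in effect, a read-only check such as the following can be used. This is an added example, not part of the original article. The output strings it matches and the `com.apple.screensaver` preference keys are assumptions based on OS X-era tools and may differ between releases. The keychain and the iCloud services are not checked.

```shell
#!/bin/sh
# Added example: read-only audit of three settings from this article.
# Matched output strings are assumptions based on OS X-era tools.

# Classify `socketfilterfw --getglobalstate` output,
# e.g. "Firewall is enabled. (State = 1)".
firewall_state() {
  case "$1" in
    *"Firewall is enabled"*)  echo on ;;
    *"Firewall is disabled"*) echo off ;;
    *) echo unknown ;;
  esac
}

# Classify `fdesetup status` output, e.g. "FileVault is On."
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# $1 = askForPassword (1 means a password is required),
# $2 = askForPasswordDelay in seconds. The article recommends
# Immediately or 5 seconds, so anything longer is reported as "slow".
lock_state() {
  ask=$1; delay=${2:-0}
  [ "$ask" = "1" ] || { echo off; return; }
  delay=${delay%.*}   # defaults may print the delay as a float
  if [ "$delay" -le 5 ] 2>/dev/null; then echo on; else echo slow; fi
}

# Run the real tools and print one line per setting.
audit() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  dom=com.apple.screensaver
  echo "firewall:  $(firewall_state "$("$fw" --getglobalstate 2>/dev/null)")"
  echo "filevault: $(filevault_state "$(fdesetup status 2>/dev/null)")"
  echo "lock:      $(lock_state \
    "$(defaults read "$dom" askForPassword 2>/dev/null)" \
    "$(defaults read "$dom" askForPasswordDelay 2>/dev/null)")"
}

# Only query the system when actually running on a Mac.
if [ "$(uname)" = "Darwin" ]; then audit; fi
```

A result of `unknown` means the tool was missing or printed something the script does not recognize, so check that setting in System Preferences instead.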