Indeed, even Apple’s software chief Craig Federighi said (in the trial between Apple and Epic) that: “Today, we have a level of malware on the Mac that we don’t find acceptable.” While his motive was to point out that there is a benefit to forcing iPhone and iPad users to only install apps via the iOS App Store, the point is that even Apple staff admit there are Mac viruses. (Here’s What to do if you think your Mac has a virus.)
Macs are generally safer than PCs though. This is partly because the Mac operating system is Unix-based and therefore more difficult to exploit, it’s also because Apple has such tight control over the hardware and software, and Macs are safer due to of the various protections and security measures built in to the Mac and the Mac operating system that makes Macs more difficult to exploit.
But that doesn’t mean you should believe your Mac impenetrable. Macs have been targeted by hackers and viruses and over the years Apple has had to get serious about the measures included in macOS to keep its users safe.
In this article we will run through the various ways Apple keeps your Mac secure, and the things you can do to stay safe. For more advice about how to keep your Mac secure read our Mac security tips.
There are various ways that Apple protects your Mac from malware and viruses as you will see if you read on. There are of course other things you can do to supplement these measures, such as running an antivirus software or using a VPN to encrypt your traffic. We have separate advice about the best antivirus for Mac and best VPN. There is also an element of being cautious and not opening mysterious emails or clicking on questionable links–you might be sure you wouldn’t do that, but could you be so sure that your parents wouldn’t…
Luckily there are protections baked into a Mac that should mean that even the least tech savvy people are protected. We’ll outline them below.
On the software side, macOS includes its own antivirus software built in. XProtect detects and blocks any known malware. Apple monitors for new malware infections and updates XProtect regularly. XProtect will check for malware when an app is first launched and if it has been changed. If XProtect detects malware it will block the software and remove it.
In addition to the protection offered by XProtect is Gatekeeper. Gatekeeper is a feature of macOS that is designed to stop users from installing malware in the first place. Gatekeeper checks that any app you download from the internet has been verified by Apple and checked for malicious code. If the app is considered a risk Gatekeeper will stop you from installing it. For more advice about downloading and installing apps read: How to install apps on the Mac
Gatekeeper isn’t infallible, it has been bypassed in the past, and XProtect isn’t always right up to date, so malware has slipped through. But both offer a level of protection that should give you peace of mind.
Apple ensures that security updates are pushed out to Macs regularly – so it is important to keep your Mac software up to date. Apple makes this easy by making it possible for your Mac to update automatically, so you don’t even need to do anything. To set your Mac to check for updates and update software automatically follow these steps:
Open System Settings (System Preferences pre Ventura)
Click Software Update
Make sure that Automatic Update are On
This should mean that the software is downloaded to your Mac when issued by Apple.
You will still need to restart your Mac to install a normal software update update, however some security updates can be pushed to your Mac by Apple and installed as background updates without requiring you to restart.
To make sure you get background updates as soon as they are issued by Apple, make sure that Install Security Responses and System Files is selected in Ventura, or “Install system data files and security updates” in older OSs.
In Ventura this is found in System Settings > General > Software Update. Click the (i) beside Automatic Updates.
Pre Ventura this is found in System Preferences > Software Update > Advanced.
Rapid Security Responses take this a step further and will speed up the delivery of security fixes on iPhone, iPad, and Mac. Apple’s introducing the feature as an update to macOS Ventura 13.2 (and iOS 16.3). When you restart a Mac any Rapid Security Responses will be instantly applied. Approaching security updates in this way means Apple can issue them faster without them being part of a wider update.
If you want to be really confident about any app you install you would be wise to stick to apps on the Mac App Store. Every app in Apple’s Mac App Store has been reviewed by Apple, so you can be confident that it will not pose a risk to you. In fact Apple goes a step further by ensuring that apps are upfront about how they are using your data, so you can be sure that there is no risk that any of your information will be shared with anyone without your knowledge.
But even apps that you don’t install from the Mac App Store will be checked by Apple before you can install them – that’s the purpose of Gatekeeper, which we mentioned above. Gatekeeper checks that the developer is verified by Apple, as well as checking the file for malware and malicious code. There may be times when you want to open a Mac app from an unidentified developer, you should exercise caution if this is the case.
Another reason to choose App Store apps over others is that all apps that are sold via the Mac App Store have to work with sandboxing. The sandbox restricts the access apps have to a Mac’s resources and data.
Since macOS 10.15 Catalina launched in 2019 all Mac apps need to be notarised by Apple to launch, in addition it is now a requirement for all Mac apps to get your permission to access your files – whether they are on your Mac, in iCloud Drive or on an external volumes. The macOS will also ask for your permission before an app is able to access the camera or microphone, or log what you type, for example.
The above is designed to protect you from rogue apps, but the biggest threats can be from phishing emails, websites and services you might use online.
Apple’s web browser, Safari also offers various ways of protecting you online. Safari will warn you if a website is suspicious and will prevent it from opening. Every web page is loaded as a separate process in a separate tab – so if there is a problem it will be possible to close that tab without Safari itself crashing.
As well as protecting your security online Apple also protects your privacy. For example, Apple uses Intelligent Tracking Prevention to stop advertisers tracking users around the web. Users can see a Privacy Report including details of all the cross-site trackers Apple has stopped from profiling you.
This is a new layer of security in macOS Ventura that you can take advantage of if you face a cyber attack. You can use it to increase your Mac’s defences and apply strict limits so that the attack can’t exploit you. Read about how to turn on Lockdown Mode on your Mac or iPhone.
To turn it on go to System Settings > Privacy & Security, click Turn On next to the Lockdown Mode label, enter your administrator password, and click Turn On & Restart. When you believe the danger has passed, you can disable Lockdown Mode and restart again.
Apple also monitors your passwords, helping you change them to a more secure option, suggesting strong passwords, and you’ll even see an alert if Apple believes your password is involved in a data breach.
On that note, Apple also offers iCloud Keychain, a password management system that works across all your Apple devices so that you can log into software and services on any of your devices without having to remember individual passwords and log in details. The benefit of this is that you can have strong rather than memorable passwords (which Apple can generate on your behalf). All your passwords are locked away behind your main password, which is protected by two factor authentication (2FA) for added security.
Another way Apple helps to protect you is with Passkeys, which are replacing passwords as of macOS Ventura and iOS 16 as an easier and safer way to sign in. Passkeys are safer because there is no password that could be leaked and everything is end-to-end encrypted. A specific passkey is generated for any site or service, and then stored on your device and in your iCloud Keychain so you have access on your other Apple devices. You just use your Face ID or Touch ID to authenticate. This is new so it’s yet to be widely adopted, but it should make things safer in the future. Read: How to use the new Passkeys on your iPhone, iPad, and Mac.
Built-in hardware protections
“For software to be secure, it must rest on hardware that has security built in” says Apple. This emphasises the main benefit of Macs – the fact that Apple makes the software and the hardware and has control over every aspect of the machine. This is a reason why Macs are more secure than PCs.
Apple builds protection into the Mac hardware. This is particularly true of the Macs that have gained Apple’s M-series of chips. The M1 system on chip introduced in November 2020, and all other M-series chips since, have a built-in Secure Enclave that protects your login password and automatically encrypts your data. But even Intel-powered Macs with the T1 or T2 security chip are able to encrypt storage and offer secure boot, for example.
The Secure Enclave is dedicated to security functions and, because it’s separate silicon to the main chip, it minimises the attack surface so any malware can’t do as much damage. Within this separate silicon is the Boot ROM (so your Mac can boot securely) and AES hardware that encrypts files as they are written. Your face and fingerprint data from Face ID and Touch ID are also kept in this Secure Enclave.
iCloud Private Relay (almost a VPN)
iCloud Private Relay isn’t available to all, it’s part of an iCloud+ subscription, but it can protect your privacy when you browse the web in Safari. It arrived in iOS 15.
We cover iCloud Private Relay in detail in our iCloud Private Relay Q&A, but in summary, with Private Relay enabled, all of your browsing activity in Safari is routed through Apple’s proxy server and encrypted so your ISP can’t see your web browsing.
It’s a little like a VPN, but not quite. There are a lot of reasons why a VPN is a better option. Apple’s solution only works in Safari and it can’t hide the region you are connecting from (a key reason why people use VPNs).
If you would like to use a VPN on your Mac take a look at our best VPN round up that includes our top pick of Surfshark
A firewall can add an extra layer of security, protecting you when you are connected to the internet or an untrusted network. Luckily your Mac has one that you can turn on.
Here’s how to turn on the Firewall on a Mac
Open System Settings
Click on the slider to turn it on.
If you want to specify additional security settings click on Options.
Click the Firewall tab in the System Preferences > Security & Privacy pane.
Click the padlock icon at the bottom left to unlock system settings (you’ll need to type your login password when prompted).
Click the Turn On Firewall button.
Then click the Firewall Options button and, in the dialog box that appears, click the Enable Stealth Mode box. This last step means your computer will be largely invisible on public networks, such as shared Wi-Fi in a cafe.
In the Firewall tab, click Firewall Options to make changes. Here, you’ll see a list of apps and services which are able to receive inbound connections. To add one to the list, if, say you try to run an app and it displays an error telling you it has been prevented from accepting an inbound connection, click the ‘+’ beneath the list.
It’s important to note that macOS’s Firewall, while useful, offers only limited protection from malware. That’s because it shields you from inbound traffic only. Its job is to limit which apps and services can accept incoming connections. It doesn’t provide any control over outbound connections ie apps and services which initiate connections. So, for example, if you download a piece of malware, macOS’s Firewall won’t stop it connecting to the internet.
Some people choose to block outgoing network connections too so that certain apps can’t “phone home” without their knowledge. This also means accidentally installed malware is unable to leak your data without you being made aware.
However macOS offers no built-in way of blocking outgoing connections. Luckily third-party apps like Little Snitch (circa £30) and Hands Off (£38.95), or an outbound firewall found in anti-malware tools from the likes of Intego, Sophos and Norton, will do the job with aplomb.
Apple offers FileVault as a way to encrypt your data (and keep it safe if your Mac is taken or someone gains access to it).
If your Mac has an M-series chip this encryption goes a step further and uses specific hardware to protect your login details.
We explain How to encrypt your Mac with FileVault 2 in a separate article, but you’ll find the settings over in System Preferences > Security & Privacy pre-Ventura, or System Settings > Privacy & Security in Ventura.
Just remember that you will need to use your login password or a recovery key to gain access to your data, so there is a risk you will lose your data without one of these.
Find My & Activation Lock
Apple also has other technologies to assist you if your Mac is stolen, from Find My which enables you to track, and potentially locate your lost Mac, and wipe it so that your data can’t fall into the wrong hands. The Macs with the T2 chip and M1 Macs also offer Activation Lock, a feature of Find My, to remotely lock your Mac so that only you are able to use it.
The Touch ID fingerprint scanner available on some Macs also adds another layer of security. It can be used to unlock your Mac, to log onto software and services, and for Apple Pay.
Thus Apple protects your Mac if it is stolen, or if someone with malicious intent gains access to it. Apple also protects you from malicious software, and gives you a say over whether you data is accessible and control over how it is used.
If your Mac has an M-series chip, or the T2 security chip which is found in some Intel Macs, you can use Activation Lock so that if you lose your Mac, or it is stollen, only you can erase and reactivate it.