--- title: macOS Overview icon: material/apple-finder description: macOS is Apple's desktop operating system that works with their hardware to provide strong security. --- **macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings. Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/HT211814). ## Privacy Notes There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services. ### Activation Lock Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices. ### App Revocation Checks macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked. Apple's OCSP service uses HTTPS encryption, so only they are able to see which apps you open. They've [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally [promised](http://lapcatsoftware.com/articles/2024/8/3.html) to add a mechanism for people to opt-out of this online check, but this has not been added to macOS. While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running. ## Recommended Configuration Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account. However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time. If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen. ### iCloud When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This is called [Standard Data Protection](https://support.apple.com/en-us/102651) by Apple. Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple. If you want to be able to install apps from the App Store but don't want to enable iCloud, you can sign in to your Apple Account from the App Store instead of **System Settings**. ### System Settings There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app: #### Bluetooth - [ ] Uncheck **Bluetooth** (unless you are currently using it) #### Network Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon. Click on the "Details" button by your network name: - [x] Select **Rotating** under **Private Wi-Fi address** - [x] Check **Limit IP address tracking** ##### Firewall Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use. - [x] Check **Firewall** Click the **Options** button: - [x] Check **Block all incoming connections** If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it. #### General By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac". Click on **About** and type your desired device name into the **Name** field. ##### Software Updates You should automatically install all available updates to make sure your Mac has the latest security fixes. Click the small :material-information-outline: icon next to **Automatic Updates**: - [x] Check **Check for updates** - [x] Check **Download new updates when available** - [x] Check **Install macOS updates** - [x] Check **Install application updates from the App Store** - [x] Check **Install Security Responses and system files** #### Privacy & Security Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions. ##### Location Services You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option. - [ ] Uncheck **Location Services** ##### Analytics & Improvements Decide whether you want to share analytics data with Apple and developers. - [ ] Uncheck **Share Mac Analytics** - [ ] Uncheck **Improve Siri & Dictation** - [ ] Uncheck **Share with app developers** - [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud) ##### Apple Advertising Decide whether you want personalized ads based on your usage. - [ ] Uncheck **Personalized Ads** ##### FileVault On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling [FileVault](../encryption.md#filevault) additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on. On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled. - [x] Click **Turn On** ##### Lockdown Mode [Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers) and [WASM](https://developer.mozilla.org/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with. - [x] Click **Turn On** ### MAC Address Randomization macOS uses a randomized MAC address when performing Wi-Fi scans while disconnected from a network. You can set your MAC address to be randomized per network and rotate occasionally to prevent tracking between networks and on the same network over time. Go to **System Settings** → **Network** → **Wi-Fi** → **Details** and set **Private Wi-Fi address** to either **Fixed** if you want a fixed but unique address for the network you're connected to, or **Rotating** if you want it to change over time. Consider changing your hostname as well, which is another device identifier that's broadcast on the network you're connected to. You may wish to set your hostname to something generic like "MacBook Air", "Laptop", "John's MacBook Pro", or "iPhone" in **System Settings** → **General** → **Sharing**. Some [privacy scripts](https://github.com/sunknudsen/privacy-guides/tree/master/how-to-spoof-mac-address-and-hostname-automatically-at-boot-on-macos#guide) allow you to easily generate hostnames with random names. ## Security Protections macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security. ### Software Security
Warning
macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.Warning
Software downloaded from outside the official App Store is not required to be sandboxed. If your threat model prioritizes defending against [:material-bug-outline: Passive Attacks](../basics/common-threats.md#security-and-privacy){ .pg-orange }, then you may want to check if the software you download outside the App Store is sandboxed, which is up to the developer to *opt in*.Warning
Just because one of an app's processes is sandboxed doesn't mean they all are.