How to set up a Mac securely on OS X 10.11 Sierra (El Capitan)

We’ve recently upgraded our computer stock with a bunch of new (old) Mac Pros. These are the last computers which Apple built which can be upgraded (storage, memory, GPU, CPU in order of complexity). So I’ve updated our guide on deploying new Macs. I’ve often been asked about our special sauce for securing Macs and deploying them quickly so I’ve publishing this as a starting point for others.

Despite the title stating that this covers how to set up a Mac securely on OS X, it hasn’t really been possible to secure a Mac since the App Store came into being (OS X 10.6.6 I believe). OS X 10.5.8 may be the last really secure full version of OS X ever created. Coincidentally Apple joined Prism in 2012.

Still one can make a good effort to make one’s computer far less chatty. If you really want to be secure, don’t use the app store at all and download your OS X updates. If you want to be a little bit secure, you have to avoid iCloud completely. Just ask the beautiful Jennifer Lawrence how iCloud turned out for her (I had no idea she was so sexy until those pics showed up). 

One major step which helps is to turn off all Sharing services (System Preferences:Sharing) and to turn on your Firewall. Of course this means you can’t do any home networking or intranet networking in the office. On the other hand, neither can any hackers. So if one machine goes down, the issue remains isolated. For the number of times we have to move a large file, it’s usually big enough these days that the fastest way to move it would be sneakerware. Otherwise most of our networking takes place on the cloud and in the SAAS applications we use. Just get rid of networking unless you really need it.

More seriously, there are five steps:

1. Securing the Computer
2. Checking Hardware
3. Adding Text Expansion and Multiclipboard Utilities
4. Install Basic Apps for Writing and Thinking
5. Improve Aesthetics

Let’s start by:

Securing the Computer

1. don’t plug in to internet
2. chose a country (United Kingdom)
3. refuse to share any info with Apple or log in to iCloud (to make sure you don’t get sucked in early)
4. refuse location services
5. restart
6. still a German computer
   1. add a new language in Regions preferences
   2. some dialogues (restarting) still come in German after deleting German
7. add Little Snitch 3 (preferably from USB key so you don’t have to go online before doing so)
8. turn on and license Little Snitch
9. connect to the internet
10. keep saying no to everything
11. when you need the App store (Blackmagic Disk Speed Test for instance), turn off Little Snitch briefly and then turn it back on
    1. better would be to create a custom profile for the App Store but that’s hard work
12. Turn on System Preferences – Firewall (no incoming connections allowed). Advanced Prefences:
    1. Block all incoming connections
    2. turn off allow built-in software to receive incoming connections
    3. turn off Automatical allow downloaded signed software
13. Turn off (in System Preferences:Spotlight) indexing of your search queries, i.e. Spotlight Suggestions and Allow Spotlight Suggestions in Look Up (screenshot)
14. Follow MacRumors guide for Safari privacy including allowing cookies only from websites I visit and turn off location services and website tracking.
    1. turn off all Search suggestions and switch to DuckDuckGo if not Yandex. From DuckDuckGo, Google is always only a !g away
    2. Turn off autofill
15. System Preferences:Energy Saver: turn off “Wake For Ethernet network access”
    1. set computer sleep for half hour or one hour
    2. set display sleep for 15 minutes
16. Check System Preferences:iCloud to make sure you are not signed in
17. Add mail account in System Preferences:Internet Accounts
18. Turn off automatic updates in System Preferences:App Store.
19. Make sure that in System Preferences:Sharing that nothing is allowed.
20. Mare sure Siri is turned off.

Checking Hardware

1. Check your SSD:
   1. install Disk Sensei
   2. check health and hours
   3. benchmark
   4. enable trim with terminal command (El Capitan and higher): sudo trimforce enable
   5. do manual trim if benchmark giving poor results
2. Install Geekbench 4 and check your CPU.
3. Install and configure iStat Menus on programmer level computers.

Adding Text Expansion and Multiclipboard Utilities

1. add the following utilities:
   1. ClipMenu: install at bottom of this thread
      1. change preferences to:
         1. Inline 25
         2. 20 Per Folder
         3. 100 items
         4. Enabled on Startup
   2. Witch or alternatively change the keyboard shortcut for switching between application windows to option-tab
   3. Typinator: it’s great text expander. Add license. Note: one only needs to pay once and if one wants to renew updates after two years you can pay again. Every business needs text expansion. Shared team online text expansion would be great but I have to ask Ergonis to add it (outside of iCloud of course).
   4. Spectacle, default configuration is fine except when using some video editing or high end photo programs who might use some of the same shortcuts.
   5. optional: USB Overdrive or other click to scroll software
   6. LastPass for shared password management (we recommend offline edition of 1password for personal and banking password management).

Install Basic Apps for Writing and Thinking

1. MacDown for free Markdown. If you are on the app store, iaWriter even more preferable.
2. DaisyDisk for quick disk audits when your disk gets crowded
3. Mindnode Pro for mind mapping.
4. TextWrangler (or BBEdit if you have a license) for handling huge text documents or html or CSS
5. Acorn 5 for basic image editing and screenshot prep
6. I haven’t added SnapNDrag as one can do most screen capture with either built-in shortcuts or Acorn and we’re experimenting with other screen capture utilities. But if you do a lot of screen captures, SnapNDrag is really solid.

Aesthetics

1. System Preferences
   1. General
      1. show scroll bars always
      2. change recent items to 30
   2. Dock
      1. turn off Animate Opening Applications
      2. make much smaller
      3. change menus to dark: “Use dark menu bar and dock”
   3. Turn off Stocks in Extensions
   4. Remove Date and Time from Menu Bar if you’ve added iStat Menus.
2. Install BasicColor and calibrate with two week trial.
3. Turn off system notications from noisy apps so you can work (application by application). Ideally just choose None and turn off play sound.

Not included in Basic Install

Apps not added yet include CSSEdit, photoapps like Iridient Developer, CaptureOne or video editing software like FCPX or Davinci Resolve. Or programing environments like SublimeText or Eclipse.

I have also not included complex software such macro programs like KeyboardMaestro which not everybody might like. Or even LaunchBar which I can’t live without (many people get by with the dock and spotlight).

VPN options are also not covered. Ideally people would just be using the PPTP built into Mac OS X (Witopia for instance).

Alec Kinnear

Alec has been helping businesses succeed online since 2000. Alec is an SEM expert with a background in advertising, as a former Head of Television for Grey Moscow and Senior Television Producer for Bates, Saatchi and Saatchi Russia.