Using the Mac Security Preference Pane

Lock down all of the accounts on your Mac

The Security preference pane allows you to control the security level of the user accounts on your Mac. In addition, the Security preference pane is where you configure your Mac's firewall as well as turn data encryption on or off for your user account.

Here's how to use the Security & Privacy pane to keep your computer safe.

Instructions in this article apply to Mac OS X Mountain Lion (10.8) and later. Some options will differ depending on the model of Mac you're using.

How to Change Security Preferences on a Mac

The Security & Privacy panel has four areas, each of which controls a different aspect of Mac security. Follow these steps to access and modify each of them.

  1. Open System Preferences by selecting it from the Apple menu or clicking its icon in the Dock.

    The System Preferences command under the Apple menu
  2. Click Security & Privacy.

    The Security & Privacy heading in System Preferences
  3. Select the General tab to get started with configuring your Mac's security settings.

    The General tab in Security & Privacy
  4. Click the lock icon in the bottom left-hand corner of the Security preference pane.

    The lock icon
  5. Enter your administrator password when the prompt appears.

  6. The Require password option requires you (or anyone who attempts to use your Mac) to provide the password for the current account to exit sleep or an active screen saver. Click the box to turn the option on.

    Use the menu to select how long macOS waits after sleep or the screen saver begins before it asks for the password. Your choices are: immediately, five seconds, one minute, five minutes, 15 minutes, one hour, four hours, and eight hours.

    The Require Password setting in macOS
  7. The following items may or may not appear on your Mac:

    • Disable automatic login: This option requires users to authenticate their identity with their password anytime they log on.
    • Require a password to unlock each System Preferences pane: With this option selected, users must provide their account ID and password anytime they attempt to make a change to any secure system preference. Normally, the first authentication unlocks all secure system preferences.
  8. You may also have the option to show a message when the screen is locked by clicking the box next to that option. Click the Set Lock Message button to create a message.

    The "Set Lock Message" button
  9. Macs made in mid-2013 and later running at least macOS Sierra (10.12) also have an option to skip the password entirely when you wake up your computer. You can use an Apple Watch, provided it's on your wrist and unlocked. Click the box next to Use your Apple Watch to unlock apps and your Mac to turn this feature on.

    This feature is compatible with Apple Watch Series 1 and 2 for Macs running Sierra, and Series 3 and up for High Sierra (10.13) and later.

    The "Use your Apple Watch to unlock apps" option
  10. The final two options on the main screen of the General tab have to do with which apps you can download. The two options are App Store and App Store and identified developers. The first choice is more secure, as it only lets you install apps that Apple has certified to be compatible.

    App permissions settings
  11. Click the Advanced button to access more options.

    The settings under the Advanced button are the same in every tab of the Security & Privacy preferences.

    The Advanced button
  12. The first setting in the next window is Log out after xx minutes of inactivity. This option lets you select a set amount of idle time after which the currently logged-in account will automatically log out.

    The "log out after inactivity" setting
  13. You can also check the box next to Require an administrator password to access system-wide preferences to enforce that requirement. This setting is similar to the one that asks for credentials to access preference panes.

    The "Require an administrator password" option

How to Use FileVault Settings

The next tab controls FileVault. This feature uses a 128-bit (AES-128) encryption scheme to protect your user data from prying eyes. Encrypting your home folder makes it nearly impossible for anyone to access any user data on your Mac without your account name and password.

FileVault can be very handy for those with portable Macs who are concerned about loss or theft. When FileVault is enabled, your home folder becomes an encrypted disk image that only mounts for access after you log in. When you log off, shut down, or sleep, the home folder image is no longer available.

  1. Click the FileVault tab to access its settings.

    The FileVault tab
  2. FileVault may be on by default. If it isn't, click Turn on FileVault to start the encryption process.

    The "Turn On FileVault" button
  3. A window will appear that lets you customize how you access your hard drive. The two choices are:

    • Allow my iCloud account to unlock my disk: This option lets you use your Apple ID and password.
    • Create a recovery key and do not use my iCloud account: Choose this setting for more security. Your data will be behind an independent, unique key that isn't related to your Apple ID. It's a better option if you're worried about the security of your iCloud credentials.
    FileVault options in macOS Catalina
  4. Make your selection and click Continue.

  5. FileVault will begin encrypting your disk. If you chose to create a recovery key, it will appear in a window. Make a note of it, and then click Continue.

    Keep your recovery key someplace secure.

  6. FileVault will finish encrypting your disk.

    Depending on your computer model and the version of macOS you're using, FileVault may log you out during this process.

  7. You may see the following additional options on the FileVault tab:

    • Set Master Password: The master password is a fail-safe. It allows you to reset your user password in the event you forget your login information. However, if you forget both your user account password and the master password, you will not be able to access your user data.
    • Use secure erase: This option overwrites the data when you empty the trash. This ensures that the trashed data is not easily recoverable.
    • Use secure virtual memory: Selecting this option will force any RAM data written to your hard drive to be first encrypted.

How to Configure Your Mac's Firewall

Your Mac includes a personal firewall you can use to prevent network or Internet connections. It's based on a standard UNIX setup called ipfw. This is a good, though basic, packet-filtering firewall. To this basic firewall, Apple adds a socket-filtering system, also known as an application firewall.

Instead of needing to know which ports and protocols are necessary, you can just specify which applications have the right to make incoming or outgoing connections.

  1. Click the Firewall tab in the preference pane.

  2. If your firewall is off, click Turn on Firewall to activate it.

    In older versions of macOS and OS X, this option is called Start.

    The "Turn On Firewall" button
  3. Click Firewall Options to access more settings.

    In earlier versions, this button is called Advanced. It's only available if the firewall is on.

    The Firewall Options button
  4. Click the box next to Block all incoming connections to prevent any incoming connections to non-essential services. Essential services as defined by Apple are:

    • Configd: Allows DHCP and other network configuration services to occur.
    • mDNSResponder: Allows the Bonjour protocol to function.
    • raccoon: Allows IPSec (Internet Protocol Security) to function.

    If you choose to block all incoming connections, then most file, screen, and print sharing services will no longer function.

  5. Checking Automatically allow built-in software to receive incoming connections tells the firewall to accept requests from stock apps like Mail and Messages.

  6. The Automatically allow signed software to receive incoming connections option automatically adds securely signed software applications to the list of applications that are allowed to accept connections from an external network, including the internet.

  7. You can manually add applications to the firewall's application filter list using the plus (+) button. Likewise, you can remove applications from the list using the minus (-) button.

  8. The Enable stealth mode option prevents your Mac from responding to traffic queries from the network. This option makes your Mac appear to be non-existent.
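
To confirm from Terminal the states that the FileVault and Firewall tabs display, the following script classifies the output of macOS's `fdesetup status` and the `socketfilterfw` query flags. It is an added example, not part of the original article; the function names are hypothetical, and the loose pattern matching assumes the tools' wording varies between macOS releases.

```shell
#!/bin/bash
# Added example: check from Terminal the states shown on the FileVault and
# Firewall tabs. Function names are hypothetical; fdesetup and socketfilterfw
# are the macOS tools being queried.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# classify TEXT -> on | off | unknown
# Assumption: the tools' wording varies by macOS release, so match loosely
# and case-insensitively. "off" patterns go first so ambiguous text fails closed.
classify() {
  text=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$text" in
    *disabled*|*"is off"*) echo off ;;
    *enabled*|*"is on"*)   echo on ;;
    *)                     echo unknown ;;
  esac
}

# report LABEL WANT TEXT -> one result line; WANT is on, off, or any
report() {
  got=$(classify "$3")
  if [ "$got" = unknown ]; then
    echo "CHECK $1: unrecognised output"
  elif [ "$2" = any ] || [ "$got" = "$2" ]; then
    echo "PASS $1: $got"
  else
    echo "FAIL $1: $got (want $2)"
  fi
}

# audit: query the real tools on a Mac; elsewhere report that they are absent.
audit() {
  if [ ! -x "$FW" ] || ! command -v fdesetup >/dev/null 2>&1; then
    echo "SKIP: fdesetup/socketfilterfw not found (not macOS?)"
    return 0
  fi
  report "FileVault"          on  "$(fdesetup status 2>&1)"
  report "Firewall"           on  "$("$FW" --getglobalstate 2>&1)"
  report "Stealth mode"       on  "$("$FW" --getstealthmode 2>&1)"
  # Blocking all incoming connections also stops sharing services, so it is
  # reported without a required value.
  report "Block all incoming" any "$("$FW" --getblockall 2>&1)"
}

audit
```

A CHECK line means the tool printed wording the patterns do not recognise, so read that setting in the preference pane instead.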

How to Adjust Privacy Settings

You may have a fourth tab: Privacy. This section lets you decide which apps can collect and read information from different areas of your Mac. Here's how it works.

  1. Click the Privacy tab.

    The Privacy tab in Security & Privacy
  2. Generally, the left column contains a list of the types of data that an app might want to access. Some examples are your location, contacts, calendars, camera, and microphone. Select one to open its options.

  3. In the right pane, you'll see apps that have requested that information. Check the box next to an app's name to grant permission; uncheck it to revoke.

    The Permissions checkbox in Privacy
  4. When you've made all the changes in this preference pane that you want to make, click the lock to prevent further changes from being made without authorization.

    The lock icon