Synthwave Security

macOS Security Guide

This guide focuses on the built-in security and privacy protections that macOS offers. There won't be any third-party software recommendations.

Updates

You should always use the latest stable version of macOS. Turn on Automatic Updates in System Settings; after that you can leave your system to its own devices if you want to.

Make sure to set Background Security Improvements to Automatically Install as well. These are security updates that are applied in between regular software updates.

If you see Beta Updates in your update settings, do not enable them. Beta updates are unfinished and can contain severe bugs that aren't present in stable versions of operating systems. There's also extra telemetry that Apple collects on devices enrolled in the beta program.

macOS can also automatically update apps you installed from the App Store. Note that apps installed from outside the App Store won't be updated this way.

Hardware

The security of macOS is highly dependent on your hardware. Do not run macOS as a hackintosh or on hardware not officially supported by that version of macOS.

If you're running the latest version of macOS officially supported on your hardware, then Apple considers your hardware new enough to be secure. However, newer machines always have better security features.

As an example, Macs with the M5 chip or later support Memory Integrity Enforcement, a powerful hardware security feature that helps prevent memory safety vulnerabilities from being exploited.

Accessories

Your choice of accessories can have a big impact on your security and privacy, especially for wireless accessories that need security updates to patch vulnerabilities.

On macOS, first-party accessories such as the Magic Keyboard are automatically updated by the operating system without you having to do anything. Third-party accessories might require you to install a third-party app on your Mac to flash firmware, and those apps might not support the same seamless automatic updates, or they might harvest your data.

Wired accessories don't need firmware updates since they're only accessible to the device they're plugged into, but be warned that hardware keystroke loggers exist that someone can put between your keyboard and your computer to record your keystrokes surreptitiously. Wired accessories also give off RF signals of their own, which in some cases can be picked up and reconstructed to recover the original data.

Bluetooth accessories aren't all created equal: some support optional privacy and security features that others don't.

For example, Bluetooth devices have a static hardware address that can be used for tracking you inside of buildings. Apple devices support hardware address randomization that randomizes this address so these trackers can't identify you as the same person over time. While this is a standard Bluetooth feature, it's completely optional for OEMs to implement and it's hard to find info on whether they did or not.

Hardware Microphone Disconnect

MacBooks and iPads with MFi-compliant cases support a hardware disconnect for the microphone when the lid is closed. This ensures that even if the operating system is fully compromised, an attacker can't listen to the microphone when the lid is closed. Note that there is no hardware disconnect for the camera, since the camera is blocked when the lid is closed anyway.

Camera Indicator

Macs come with a camera indicator that lets you know when the camera is active. According to Apple:

The camera is engineered so that it can't activate without the camera indicator light also turning on. This is how you can tell if your camera is on.

Some Macs tie the onscreen indicator light to hardware, designed to prevent any untrusted software—even with root or kernel privileges in macOS—from engaging the camera without also visibly lighting the on-screen camera indicator light.

It's common to cover your laptop camera with a camera cover, but Apple warns against this. If you need to cover the camera, make sure it's no thicker than an average piece of paper and doesn't leave adhesive residue behind.

Gatekeeper

Gatekeeper stops apps downloaded from outside the App Store from running unless they're signed by an identified developer and notarized by Apple.

When a user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn't been altered.

You can bypass Gatekeeper in the Settings, but it's not recommended as Gatekeeper forms the first line of defense against malware on your Mac.

Hardened Runtime

The Hardened Runtime is a security feature that developers can optionally enable in their apps.

The Hardened Runtime blocks certain capabilities, such as JIT compilation, that exploits rely on, in order to protect you.

Apps must enable the Hardened Runtime in order to be notarized by Apple, so if an app from outside the App Store launches without Gatekeeper blocking it, you know the Hardened Runtime is enabled.

If you want to check if an app has it enabled, you can do so in the Terminal via the following command:

    codesign -dv <path to your app>

If you see flags=0x10000(runtime), that means the Hardened Runtime is enabled.

App developers can individually disable parts of the Hardened Runtime, even if it's enabled. These exceptions are granted as entitlements, so to check for them run codesign -d --entitlements - <path to your app> in Terminal and look for any keys beginning with com.apple.security.cs. (for example, com.apple.security.cs.allow-jit).

Any app that disables parts of the Hardened Runtime will be less secure than apps that don't.

App Sandbox

The App Sandbox is an optional security feature that app developers can enable for their app.

Even if you adopted secure coding practices while developing your app, it may still have vulnerabilities that threaten your users' security and privacy. App Sandbox - a requirement for distributing your app on the App Store - limits the scope for an attacker to abuse platform features via your app.
The operating system creates a container directory when launching your sandboxed app, to which the app has unrestricted read and write access. The sandboxed app doesn't have unrestricted access to the user's home folder.

Developers who want to publish their app on the App Store are required to enable the App Sandbox, so you can be sure any apps you download from there will be sandboxed.

If you want to check whether an app from outside the App Store is sandboxed, you can look in Activity Monitor (add the Sandbox column via View > Columns).

Otherwise, you can check in Terminal by running codesign -dvvv --entitlements - <path to your app> and looking for the following output:

    [Key] com.apple.security.app-sandbox
        [Value]
            [Bool] true
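The Gatekeeper, Hardened Runtime and App Sandbox checks above all come down to reading the reports that codesign and spctl print. The script below is an added example, not code from the Synthwave Security guide: it wraps those checks in small shell functions that parse the tool output (Hardened Runtime flag, com.apple.security.cs.* runtime exceptions, the app-sandbox entitlement, and the spctl verdict) so the results can be read at a glance, and it runs the parsers against constructed sample output so you can try it without a Mac. The function names, the SAMPLE_* strings, the /Applications/Example.app path and the TEAMIDPLACEHOLDER team ID are assumptions made for this example; the entitlement keys and command-line flags are real.

```shell
#!/bin/sh
# Added example, not from the Synthwave Security guide: parse the output of
# `codesign` and `spctl` to report an app's Hardened Runtime flag, its runtime
# exceptions, its App Sandbox entitlement and its Gatekeeper verdict.
# Function names and the SAMPLE_* strings are constructed for this example.

# Hardened Runtime: `codesign -dv` reports it as "(runtime)" inside the flags
# field, e.g. flags=0x10000(runtime). Reads codesign output on stdin, prints yes/no.
has_hardened_runtime() {
    if grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime' ; then echo yes; else echo no; fi
}

# Runtime exceptions are entitlements named com.apple.security.cs.* (for example
# allow-jit or disable-library-validation). Reads `codesign -d --entitlements -`
# output on stdin and lists each exception key once.
list_runtime_exceptions() {
    grep -o 'com\.apple\.security\.cs\.[a-z-]*' | sort -u
}

# App Sandbox: find the com.apple.security.app-sandbox key and the Boolean that
# follows it. Handles the "[Key] ... [Bool] true" form shown in the guide and the
# older XML plist form (<key>...</key> on one line, <true/> on the next).
is_sandboxed() {
    awk '
        $1 == "[Key]" && $2 == "com.apple.security.app-sandbox" { want = 1; next }
        index($0, "<key>com.apple.security.app-sandbox</key>")   { want = 1; next }
        want && $1 == "[Bool]" { if ($2 == "true") print "yes"; else print "no"; found = 1; exit }
        want && index($0, "<true/>")  { print "yes"; found = 1; exit }
        want && index($0, "<false/>") { print "no";  found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Gatekeeper: `spctl -a -t exec -vv <app>` prints "<path>: accepted" or
# "<path>: rejected" plus a "source=" line saying why (e.g. Notarized Developer ID).
gatekeeper_verdict() {
    awk -F': ' '
        /: (accepted|rejected)$/ { verdict = $NF }
        /^source=/               { source = substr($0, 8) }
        END { if (verdict == "") verdict = "unknown"; print verdict " (" source ")" }
    '
}

# Run the real tools against an app bundle (macOS only). codesign -dv and spctl
# write their reports to stderr, hence the 2>&1 redirections.
check_app() {
    app="$1"
    echo "hardened runtime:   $(codesign -dv "$app" 2>&1 | has_hardened_runtime)"
    echo "runtime exceptions: $(codesign -d --entitlements - "$app" 2>/dev/null | list_runtime_exceptions | tr '\n' ' ')"
    echo "app sandbox:        $(codesign -d --entitlements - "$app" 2>/dev/null | is_sandboxed)"
    echo "gatekeeper:         $(spctl -a -t exec -vv "$app" 2>&1 | gatekeeper_verdict)"
}

# Constructed sample output, shaped like the real tools' reports.
SAMPLE_CODESIGN_DV='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000'

SAMPLE_ENTITLEMENTS='[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true'

SAMPLE_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMIDPLACEHOLDER)'

if [ $# -gt 0 ]; then
    check_app "$1"          # usage: sh check_app.sh /Applications/Example.app
else
    printf '%s\n' "$SAMPLE_CODESIGN_DV"  | has_hardened_runtime
    printf '%s\n' "$SAMPLE_ENTITLEMENTS" | list_runtime_exceptions
    printf '%s\n' "$SAMPLE_ENTITLEMENTS" | is_sandboxed
    printf '%s\n' "$SAMPLE_SPCTL"        | gatekeeper_verdict
fi
```

Run it with no arguments to see the parsers work on the constructed samples (yes, two exception keys, yes, accepted), or pass an app bundle path on a Mac to run the real tools. An app that reports the Hardened Runtime flag but also lists exceptions such as allow-jit or disable-library-validation has, as the guide says, opted out of part of that protection, so the exceptions list is the line worth reading, not just the yes/no.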

Lockdown Mode

Lockdown Mode enhances the security of your Mac by disabling or restricting certain features that attackers exploit, such as Just-In-Time compilation in Safari or certain image types in the Messages app.

Lockdown Mode introduces extra friction where it didn't exist before, so you'll have to weigh whether you think the added annoyance is worth it for you.

Secure Keyboard Entry

In Terminal, you can enable Secure Keyboard Entry (in the Terminal menu) to prevent other apps on your computer or on the network from detecting and recording what you type in Terminal.