Securely configuring macOS Catalina 10.15

© 2019 Lawrence I. Charters, Vice President, Strait Macintosh User Group

Note: this is essentially the first draft at a Catalina secure configuration. Catalina has just come out, and over the next year, people (some evil, most good) will find things that need to be fixed, or tweaked, or nudged. What follows are the initial steps to creating a secure MacOS Catalina environment for the average user. Most of these steps apply to previous versions of macOS, too.

Note 2: a mixture of screenshots were done in both “light” mode and “dark” mode, both to give you a sense of how things look and for variety.

Install MacOS Catalina 10.5

Security professionals would encourage you to do a “Secure” install. Virtually everybody on the planet will do the “Real People” install. Installing Catalina was covered during the October 2019 meeting. Come back here when you are done.

Set your “main” account as a standard account

If you open up System Preferences > Users & Groups, and you have only one account, it is an Admin account. Under the account names on the left, “Admin” (Administrator) accounts say “Admin” under them; Standard accounts say “Standard.” All user accounts should be “Standard.”

“Why???”

An Admin account has the power to add and delete users, change preferences, and even delete everything on the computer. A Standard user account can only touch things they own, and cannot change global settings.

In 2019, Macs are mostly immune to malware (viruses, worms, and such) unless a user with Admin privileges accidentally or intentionally gives someone else Admin privileges. This is done most often through a PDF (Acrobat) file that contains malware, or a Flash application that contains malware, or in a couple of cases, commercial programs that are essentially malware (such as MacKeeper). If you are an Admin user, the mere act of accepting a file for download to your machine could end up deleting files, setting up and giving someone else administrative control of your computer, or encrypting all your content through ransomware.

In contrast, doing all your work as a Standard user limits the amount of damage. A Standard user, for example, can’t delete files belonging to someone else, can’t set up a new user on the machine, can’t install new applications, can’t change critical security preferences, etc. This may seem limiting, but if you set up your computer with an Admin account, but do all of your daily work from a Standard account, you still have full control over your computer — just in appropriately segmented roles.

By selecting the checkbox, you can promote a standard user to an admin user. You don't want to do that; all day-to-day work should be done from a standard user account.
By selecting the checkbox, you can promote a standard user to an admin user. You don’t want to do that; all day-to-day work should be done from a standard user account.
In this example, a computer has a number of Standard user accounts, and one Admin account. All day-to-day work is done in the Standard accounts; the Admin account is only used for special purposes, such as taking screen shots to demonstrate what things look like. In  very dim lettering at the bottom center of the page, a box is checked for "Allow user to administer this computer." This box is not present for a Standard user.
In this example, a computer has a number of Standard user accounts, and one Admin account. All day-to-day work is done in the Standard accounts; the Admin account is only used for special purposes, such as taking screenshots to demonstrate what things look like. In very dim lettering at the bottom center of the page, a box is checked for “Allow user to administer this computer.”

If your machine is currently set up with your account as the only user, you need to set up a new Admin account, and then “demote” your account to a Standard account. To do this:

  • Open System Preferences > Users & Groups
  • Click the Lock icon and enter your Admin password.
  • Click the + sign just above the Lock sign. This will allow you to add a new user.
  • Important! The Admin account name should not be “Admin” or “Administrator” or “Admiral” or any name or pun that readily identifies it as an Admin account. If your Standard account is your first name, the Admin account could be your last name. Or the name of your favorite color. Or anything except Admin, etc.
  • Pick a non-trivial password. Better yet, use a passphrase. While some agencies say a password should be a complex jumble of letters, numbers, and symbols, these passwords are also hard to remember, so people tend to cheat and simplify them. Good and bad passwords:
    • Bad: password
    • Bad: 12345
    • Bad: querty
    • Bad: asdfgh
    • Good, but you’ll forget it: ;yVy(,Y.-wd67Hm8\d0?QZI2N
    • Just as good, but easier to type and remember: I love blueberries on toast.
  • A password (or passphrase) should be a minimum of 15 characters. Spaces count as one character, so “I love blueberries on toast” is exceptionally good at 27 characters.
  • Once you have set up the new Admin account, log out of your computer, then log back in again under the new Admin account.
  • Open System Preferences > Users & Groups
  • Click on the Lock icon, and enter your Admin account password.
  • Click on the account name that you regularly use for your routine work, and uncheck the box that says “Allow user to administer this computer.”
  • That’s it. You’ve demoted your regular account.

A vitally important thing to remember: all security controls require an admin user name and password to change. And all security controls apply to all accounts on a machine, both admin users and standard users.

Login options

Under System Preferences > Users & Groups:

  • Click on Login Options in the left-hand column.
  • At the top on the right, set Automatic login to Off
  • For Display login window as: select Name and Password.
  • The options below that can be set anyway you wish, but I recommend leaving them as shown in this illustration:
Set login options to prohibit automatic login, and prompt for the user name and password.

Security & Privacy settings

Under System Preferences > Security & Privacy:

  • Click on the General tab, check to require a password if the computer goes to sleep or the screen saver begins. This prevents someone from using your machine if you wander away. Set the time to start as low as you find comfortable, from immediate to no more than a minute. Keep in mind that this is above and beyond the time it takes your machine to sleep.
  • Optionally, show a message when the screen is locked.
  • Disable automatic login. You should have done this earlier using the Users & Groups preference pane.
  • Make sure downloaded apps only come from the App Store.
Set your general preferences as shown. If you have an Apple Watch, you can also check the box for allowing your Apple Watch to unlock your Mac.
Set your general preferences as shown. If you have an Apple Watch, you can also check the box for allowing your Apple Watch to unlock your Mac.
  • Under the FileVault tab, decide if you want to use FileVault. FileVault is recommended for mobile computers, as it encrypts your drive. Even if someone stole the entire computer, they could not see any of your data. The downside: if you do have any kind of disk corruption, it makes recovery much harder.
FileVault preference
FileVault securely encrypts everything on your hard drive. It takes some time to set up, and you have to remember some security information as otherwise, it will secure your information from you, too.
  • Under the Firewall tab, make sure the firewall is turned on. There is no sane reason to ever turn it off. If some service technician or alleged genius guru suggests otherwise, find another technician or guru.
Make sure the Mac's firewall is turned on. There is no reason to turn it off. Ever.
Make sure the Mac’s firewall is turned on. There is no reason to turn it off. Ever.
  • The fourth tab, Privacy, is complicated, and requires an entire configuration document all by itself. It lists major macOS services on the left and then, application by application, allows you to specify which features, if any, that application should be allowed to use. For example, you probably don’t want Facebook to have access to your Contacts, Calendars, Camera, Microphone, etc. But it is probably a good idea for Weather to know where you are located.
The security tab Privacy settings are complex, and allow you to approve or deny applications access to basic macOS capabilities.
The security tab Privacy settings are complex, and allow you to approve or deny applications access to basic macOS capabilities.

Software Update settings

MacOS Catalina has separated operating system updates from application updates. Application updates are still handled by the App Store application in the Applications folder. If it is in your Finder Dock, you will see small, red numbers show up when one or more applications need to be updated. macOS updates now have their own System Preferences control pane, System Preferences > Software Update:

The Software Update System Preference controls how the Mac handles updates to macOS.
The Software Update System Preference controls how the Mac handles updates to macOS.

If it isn’t already checked, check the box labeled “Automatically keep my Mac up to date.”

Make sure "Automatically keep my Mac up to date" is checked.
Make sure “Automatically keep my Mac up to date” is checked.

“But wait,” you say. “My friend George says I should wait a few days to see if there are incompatibilities with new updates.”

This is a very bad idea, and you should tell George to stop giving out computer security advice. Far more machines have been trashed by not getting operating system updates than have ever had serious problems from operating system incompatibilities. Software companies (good ones, at least) are always going to keep their software compatible with the latest system updates. Their development teams have advance access to Apple’s operating system updates, and a feedback mechanism to alert Apple to problems with those updates.

Failure to install updates is the leading cause of computer compromises. Leave this box checked.

Sharing settings

The Sharing options are one of the most commonly misused features on the Mac. Many users think they need to turn on sharing to transfer files, print, use the Internet, or other options. In reality, these options should usually be turned off. The other problem has to do with network identify. None of these services are required to:

  • Log in to the computer
  • Use a printer
  • Use the Internet
  • Use a Bluetooth mouse or keyboard
The Sharing preference pane, under most circumstances, should have all services unchecked. Also, a custom name, not identifying the computer or the user, should be used for the computer name.
The Sharing preference pane, under most circumstances, should have all services unchecked. Also, a custom name, not identifying the computer or the user, should be used for the computer name.

Most of the other options are used for obscure purposes. Screen Sharing is mostly used by network system administrators, as is Remote Login, Remote Management, and Remote Apple Events. Media Sharing, Printer Sharing, Internet Sharing, Bluetooth Sharing, and Content Caching are even more obscure.

File Sharing, if needed to transfer files between two computers, should only be turned on for one of the computers, and immediately turned off when not needed.

One more important item: change the name under Computer Name, at the top. macOS gives your computer a name when the first user first logs into the machine. If Jane logs into a MacBook Pro, macOS will name the computer “Jane’s MacBook Pro.” This should be changed, as this name is broadcast over the local network. If you use the MacBook in a bookstore or coffee shop, for example, anyone on the network can see that a MacBook Pro is on the network, and that the user is probably named Jane. This is both a privacy issue and, potentially, a security issue.

Screen Saver settings

Your Mac’s screen saver options are an important security tool. If you get up from your computer, the screen saver can be set to blank and lock the screen, keeping children, coworkers, and others from seeing what is on your machine, and lock them out of using your machine.

These settings can be found under System Preferences > Desktop & Screen Saver > Screen Saver tab. On the left, you can find a list of possible screen saver options. Below that, you can set when you want the screen saver to turn on (how long the machine should be idle before starting the screen saver). On the right bottom, there is an option to Show with clock (which shows the current time along with whatever the screen saver is doing), and Hot Corners.

On the bottom left, select how much idle time should expire before the screen saver begins. On the right, select Hot Corners to pick a corner for starting the screen saver manually.
On the bottom left, select how much idle time should expire before the screen saver begins. On the right, select Hot Corners to pick a corner for starting the screen saver manually.

If you select Hot Corners, you are given the option to start the screen saver manually by moving the mouse into a corner of the screen. It is recommended that you select the bottom left corner to Start Screen Saver.

What this does: by moving the mouse into the bottom right corner, the Screen Saver will blank the screen and start displaying whatever you select as your Screen Saver format. It also will lock the screen, since you previously set the Security & Privacy Settings to “Require password after sleep or screen saver begins.”

Working on something confidential and someone comes up behind you? Start up the screen saver. Wander away from your machine? The screen saver will start automatically, after however many minutes you set, and lock the machine.

The bottom right corner of the screen has no common use (no trash can, no Notification Manager, no Apple Menu) and is recommended as the Hot Corner to manually start the Screen Saver.
The bottom right corner of the screen has no common use (no trash can, no Notification Manager, no Apple Menu) and is recommended as the Hot Corner to manually start the Screen Saver.

Extra non-security-related information: the Flurry screen saver uses up a lot of energy, and is not recommended if you are trying to save battery life on a MacBook. The Message screen saver uses the least amount of energy.

And no, on modern computers, Screen Savers do next to nothing to prevent “screen burn-in,” which was the original purpose. Modern LCD and LED screens are not inclined to burn-in.

Network settings

Normally, you use System Preferences > Network to choose how you connect to the Internet or the local network. But the Wi-Fi settings have some important security settings. You want to make sure you don’t accidentally connect to the wrong network, or connect to an unknown network by accident.

Checking all the options under Wi-Fi ensures that your computer only connects to known networks. The checkbox at the bottom allows you to see the current Wi-Fi status in the menu bar.
Checking all the options under Wi-Fi ensures that your computer only connects to known networks. The checkbox at the bottom allows you to see the current Wi-Fi status in the menu bar.

Time Machine settings

An essential part of securing your Mac is: backing it up. There are several options, one mostly free and others mostly not:

  • Time Machine. Time Machine has been built-in to every version of macOS since January 2008, when it was included with Mac OS X 10.5.
  • iCloud. iCloud can back up a lot (but not all) of your data, specifically Photos, Mail, Contacts, Calendars, Reminders, Safari bookmarks, Notes, iBooks, and documents created by Keynote, Numbers, Pages, and some other apps (such as 1Password) designed to work with iCloud.
  • Backblaze (and similar services). Designed to back things up across the Internet to remote, encrypted cloud-based servers, Backblaze (https://www.backblaze.com) will securely back up everything — everything — on your computer, for a monthly subscription charge. It has two limitations: 1) it is not free, and 2) if you have a lot of data and a slow Internet connection, it can take a long time to back stuff up.

Of these three options, everyone should use Time Machine, and many should probably use iCloud. Some — depending on how valuable your information might be — should also use Backblaze.

Time Machine is easy to use:

  • Get an external hard drive. Connect it to your Mac.
  • Format it (always format a new drive) with Disk Utility.
  • Go to System Preferences > Time Machine, select the new drive, and — that’s it.

Time Machine will take quite a while to back up your computer the very first time, but after that, you probably won’t notice. Every hour it will check your machine to see if there is anything new and, if there is, Time Machine will copy it to the Time Machine disk. It does this automatically; you don’t need to do anything. In fact, resist all temptation to mess with the settings.

 Make sure Time Machine has a disk to use for backup (look in the upper right next to Select Disk; in this case, the selected disk is called Manchester). Make sure that Back Up Automatically is checked. Optionally (but recommended), check the box for Show Time Machine in menu bar.
Make sure Time Machine has a disk to use for backup (look in the upper right next to Select Disk; in this case, the selected disk is called Manchester). Make sure that Back Up Automatically is checked. Optionally (but recommended), check the box for Show Time Machine in menu bar.

Optional settings

General Preferences

System Preferences > General covers a couple settings that are not really security-related, but may help you solve a mystery. At the very top are three thumbnail images named Light, Dark, and Auto. Clicking on Light will give Finder windows a “light” appearance, which is essentially the same thing macOS has been offering since 2001. Clicking Dark switches to the new Dark theme, which is a favorite among photographers, programmers and web designers. Clicking Auto will switch between Light and Dark depending on the time of day.

Farther down is a setting that allows you to set the default web browser. As installed, the default web browser is Apple Safari. But if you wanted to automatically use Google Chrome for websites, select Chrome from the drop-down menu (assuming Chrome is already installed).

Though it isn't readily obvious, the thumbnails at the top of the General preference pane are buttons that tell macOS that you want a Light theme, a Dark theme, or a theme that switches automatically with night and day. Farther down is a pop-up menu that allows you to select which of the installed web browsers you want to use by default, assuming you have more than one installed.
Though it isn’t readily obvious, the thumbnails at the top of the General preference pane are buttons that tell macOS that you want a Light theme, a Dark theme, or a theme that switches automatically with night and day. Farther down is a pop-up menu that allows you to select which of the installed web browsers you want to use by default, assuming you have more than one installed.

Finder Preferences

Changing Finder Preferences do not make the computer more secure but, rather, increase the awareness of the user to security issues. The least secure part of any computer is the user, so providing the user with all possible help is a good idea.

In the Finder, select Finder > Finder Preferences > General and (recommended) check the boxes for Hard disks; External disks; CDs, DVDs, and iPods; and Connected servers. Why? It will give you a visual indication that a device or volume is available and mounted.

In the Finder, select Finder > Finder Preferences > General and (recommended) check the boxes for Hard disks; External disks; CDs, DVDs, and iPods; and Connected servers. Why? It will give you a visual indication that a device or volume is available and mounted.
In the Finder, select Finder > Finder Preferences > General and (recommended) check the boxes for Hard disks; External disks; CDs, DVDs, and iPods; and Connected servers. Why? It will give you a visual indication that a device or volume is available and mounted.

For the Tags and Sidebar preferences, select whatever works for you.

Select Finder Preferences > Advanced and (recommended) check the boxes for the first four options:

  • Show all filename extensions, allowing you to tell the difference between auntjane.txt (text file about Aunt Jane), auntjane.jpg (a photo of Aunt Jane), and auntjane.pdf (an Acrobat file showing a facsimile of Aunt Jane’s immigration record from 1924).
  • Show warning before changing an extension (preventing you from accidentally telling your computer that the photo of Aunt Jane should be read as text by a word processor).
  • Show warning before removing from iCloud Drive (preventing you from accidentally deleting something from your iCloud Drive).
  • Show warning before emptying the Trash. This is non-obvious: if you are emptying the trash, why would you want to be warned? But if you think you have six items in the trash, and your Mac tells you it is emptying 126,771 items, it gives you the chance to panic and stop the action before wiping out your entire photo collection of tropical fungi or your multi-volume manuscript on the life of Millard Fillmore.
The first four options are recommended to increase the user's security awareness.
The first four options are recommended to increase the user’s security awareness.

Clock preferences

One of the most common mistakes people make on computers is setting the wrong time. Many computers are on 24 hours a day; when you aren’t using the computer, Time Machine does backups, Spotlight indexes things on the drive, and invisible programs (called “daemons” because computer nerds have a strange sense of humor) do housekeeping chores. Most of these tasks are tied to the clock and calendar, and if you’ve ever had a 5 p.m. alarm go off at 5 a.m., you have experienced the pain and anguish of a 12-hour clock.

Under System Preferences > Language & Region, you can change languages, or add additional languages. You can also set the time to a 24-hour clock. Most of the world uses a 24-hour clock, which unambiguously allows you to set an alarm for 5 and know that it is 5 a.m. and 17 and know it is 5 p.m. It also helps when looking at log files. If the computer’s log file says something happened at 12:59, is that AM or PM? A 24-hour clock makes this unambiguous; you can easily see in this sample log that 12:59:51 is 59 minutes and 51 seconds past noon, and 13:00:08 is 8 seconds past 1 p.m.

Nov 17 12:59:31 Imp bluetoothd[103]: notify name "com.apple.bluetooth.sensorTracking.stateChanged" has been registered 10080 times - this may be a leak
Nov 17 12:59:51 Imp bluetoothd[103]: notify name "com.apple.bluetooth.sensorTracking.stateChanged" has been registered 10100 times - this may be a leak
Nov 17 13:00:08 Imp bluetoothd[103]: notify name "com.apple.bluetooth.sensorTracking.stateChanged" has been registered 10120 times - this may be a leak
Nov 17 13:00:25 Imp bluetoothd[103]: notify name "com.apple.bluetooth.sensorTracking.stateChanged" has been registered 10140 times - this may be a leak
Setting your computer time to a 24-hour clock removes all ambiguity about when alarms go off, actions occur, and when things happen when you aren't watching.
Setting your computer time to a 24-hour clock removes all ambiguity about when alarms go off, actions occur, and when things happen when you aren’t watching.

Final thoughts

If this seems somewhat daunting, consider this: the Center for Internet Security guide for securing macOS 10.13 High Sierra is 196 pages.