This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") running a recent version of macOS (formerly known as "OS X").

dotkaio/security-mac

macOS Security & Privacy Guide

A comprehensive guide to hardening macOS for security-conscious users.


Overview

This guide provides actionable techniques for improving security and privacy on Apple silicon Macs running a currently supported version of macOS.

⚠️ Intel Macs are not recommended. They contain unpatchable hardware vulnerabilities (checkm8) that Apple cannot fix. Apple silicon Macs are the minimum requirement—newer chips always offer stronger security.

Who is this for?

  • Power users seeking enterprise-grade security
  • Privacy-conscious individuals looking to reduce their digital footprint
  • Developers and IT professionals hardening their daily drivers

For organizational deployments, refer to the NIST macOS Security Guidelines.

Important Disclaimers

  • Security is an ongoing process—no single configuration guarantees protection
  • This guide is provided as-is without warranties
  • You are responsible for any changes you make to your system

💡 Contributions welcome! Open an issue or submit a pull request.



Security Fundamentals

General security best practices apply:

Build a Threat Model

  • Define what you're protecting and from whom
  • Is your adversary a nation-state actor, a corporate competitor, or opportunistic attackers?
  • Understand Advanced Persistent Threats (APT) and where you fall on the threat spectrum

Stay Updated

  • Enable automatic updates in System Settings → General → Software Update
  • Or use the CLI: softwareupdate --install --all
  • Subscribe to Apple Security Announcements

Encrypt Everything

Backup Religiously

Practice Vigilance

  • Only install software from verified sources
  • Verify downloads when possible (checksums, signatures)
  • Be skeptical of unsolicited links and attachments

Threat Modeling

The foundation of any security strategy is understanding what you're protecting and who you're protecting it from. See OWASP Threat Modeling for methodology.

Step 1: Identify Assets

Catalog what matters most:

  • Devices (Mac, iPhone, iPad)
  • Data (passwords, financial info, private communications)
  • Online accounts and identities
  • Professional/intellectual property

Categorize by sensitivity: public, sensitive, or secret.

Step 2: Identify Adversaries

Who might target you? Consider their motivations:

  • Opportunistic criminals — Financial gain via ransomware, credential theft
  • Corporate actors — Data harvesting, behavioral tracking
  • Nation-state actors — Surveillance, espionage

Step 3: Assess Capabilities

Rank threats from unsophisticated to advanced:

| Adversary | Typical Capabilities |
|---|---|
| Common thief | Physical access, shoulder surfing |
| Script kiddie | Publicly available exploits, phishing |
| Organized crime | Custom malware, social engineering |
| Nation-state | Zero-days, supply chain attacks, passive surveillance |

Step 4: Define Mitigations

Match defenses to threats. Here's an example threat matrix:

| Adversary | Motivation | Capabilities | Mitigation |
|---|---|---|---|
| Roommate | Curiosity | Physical access, screen viewing | Biometrics, privacy screen, auto-lock |
| Thief | Financial | Device theft, shoulder surfing | FileVault, Find My, strong passcode |
| Criminal | Financial | Phishing, malware, credential stuffing | App Sandbox, Gatekeeper, 2FA, updates |
| Corporation | Data mining | Telemetry, tracking | Block trackers, limit permissions, use privacy tools |
| Nation-state | Surveillance | Traffic analysis, zero-days, supply chain | Lockdown Mode, hardware keys, Tor, E2EE |

📖 Further reading: Threat Model 101


Hardware

macOS security is strongest on genuine Apple hardware with Apple silicon.

Recommendations

  • Buy the newest Mac you can afford — Each generation brings security improvements
  • Avoid Hackintoshes — No Secure Enclave, no hardware root of trust
  • Skip older Intel Macs — Missing critical security features, limited update support

Purchase Privacy

Depending on your threat model:

  • Pay with cash in-store to avoid linking the purchase to your identity
  • Use a prepaid card if buying online

Accessories

For Bluetooth peripherals (keyboard, mouse, headphones):

  • Apple accessories receive automatic firmware updates
  • They support BLE Privacy (randomized Bluetooth addresses)
  • Third-party accessories may not offer these protections

Installing macOS

Always install the latest compatible macOS version. Older versions don't receive all security patches.

Activation

Apple silicon Macs require activation with Apple's servers during reinstallation. This verifies the device isn't stolen or activation-locked.

Technical details: LocalPolicy signing key creation and management

Apple ID

An Apple ID is optional but required for:

  • App Store access
  • iCloud services
  • iMessage, FaceTime, Apple Music

Privacy considerations:

App Store

The Mac App Store provides:

  • Curated software with review guidelines
  • Mandatory sandboxing and hardened runtime
  • Automatic updates integrated with the system

Trade-off: Apple can associate downloads with your Apple ID.

Virtualization

Run macOS in a VM for testing or isolation:

| Tool | Cost | Notes |
|---|---|---|
| UTM | Free (paid on App Store) | Easy setup, documentation |
| VMware Fusion | Paid | Enterprise-grade, documentation |

Initial Setup

During Setup Assistant, create your first account with a strong password (no hint!).

Hostname Privacy

Your real name becomes part of the computer's network identity (e.g., John Appleseed's MacBook). Check and change both the computer name and the local hostname in System Settings → General → About, or with the following commands after installation:

sudo scutil --set ComputerName MacBook
sudo scutil --set LocalHostName MacBook

User Accounts

The first user created is an admin account with sudo access, which poses security risks—any program you run can potentially gain system-wide control.

Best Practice: Separate Admin and Standard Accounts

Per Apple and NIST recommendations:

  • Use a standard account for daily work
  • Reserve the admin account for installations and system changes

💡 You can hide the admin account for a cleaner experience.

Considerations

| Feature | Standard Account | Admin Account |
|---|---|---|
| Install to /Applications | ❌ (prompts for admin) | ✅ |
| Install to ~/Applications | ✅ | ✅ |
| Use sudo | ❌ (must use su) | ✅ |
| App Store apps | ✅ | ✅ |
| System Preferences (full access) | ❌ | ✅ |

Setup Commands

To demote an existing account from admin to standard:

sudo dscl . -delete /Groups/admin GroupMembership <username>
sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>

Find the GeneratedUID:

dscl . -read /Users/<username> GeneratedUID

More details: SuperUser discussion


Firmware & Encryption

Firmware Security

Ensure firmware security is set to Full Security (the default) to prevent OS tampering:

System Settings → General → Startup Disk → Security Policy

FileVault

All Apple silicon Macs have encrypted storage by default. FileVault adds password protection to access that data.

Enable via: System Settings → Privacy & Security → FileVault

Your FileVault password also serves as a firmware password, preventing:

  • Booting from external drives
  • Accessing Recovery Mode
  • DFU revive attacks

⚠️ Recovery Key: Store it securely offline. Avoid iCloud recovery if you don't trust Apple with your decryption capability.


Lockdown Mode

Lockdown Mode is Apple's extreme protection feature that significantly reduces attack surface by disabling:

  • Most message attachment types
  • Link previews
  • Complex web technologies
  • Incoming FaceTime from unknown callers
  • Shared albums
  • USB accessories when locked
  • Configuration profiles

Ideal for: Journalists, activists, and high-risk individuals.

💡 You can whitelist trusted websites in Safari when Lockdown Mode is enabled.

Enable via: System Settings → Privacy & Security → Lockdown Mode


Firewall

Built-in Application Firewall

macOS includes a basic firewall that blocks incoming connections only.

Enable via: System Settings → Network → Firewall

Or via Terminal:

# Enable firewall with logging and stealth mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

# Prevent auto-whitelisting signed apps
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off

# Apply changes
sudo pkill -HUP socketfilterfw

Stealth mode prevents your Mac from responding to ICMP pings and port scans.

Third-Party Firewalls

For outgoing connection control, consider:

| App | Notes |
|---|---|
| LuLu | Free, open-source |
| Little Snitch | Feature-rich, paid |
| Radio Silence | Simple, lightweight |

⚠️ These require system extensions and can be bypassed by root-level malware.

Kernel-Level Filtering (pf)

For advanced users, macOS includes pf (packet filter). Example configuration:

# pf.rules
wifi = "en0"
ether = "en7"
set block-policy drop
set skip on lo0
scrub in all no-df
table <blocklist> persist
block in log
block in log quick from no-route to any
block log on $wifi from { <blocklist> } to any
block log on $wifi from any to { <blocklist> }
antispoof quick for { $wifi $ether }
pass out proto tcp from { $wifi $ether } to any keep state
pass out proto udp from { $wifi $ether } to any keep state
pass out proto icmp from $wifi to any keep state

Commands:

sudo pfctl -e -f pf.rules  # Enable
sudo pfctl -d              # Disable
sudo pfctl -t blocklist -T add 1.2.3.4  # Block IP

For a GUI, try Murus.


System Services

macOS services are managed by launchd. See launchd.info for details.

Viewing Services

  • Login Items: System Settings → General → Login Items
  • Extensions: System Settings → General → Extensions

Or from Terminal:

launchctl list                    # User agents
sudo launchctl list              # System daemons
launchctl list com.apple.Maps.mapspushd  # Specific service

Inspecting Services

defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist
man apsd  # Read about the binary

⚠️ System services are protected by SIP. Don't disable SIP to tinker with them—it's a critical security feature.

View Service Status

find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null

📖 More info: Apple Terminal scripting with launchd


Spotlight & Siri

Apple has moved toward on-device processing for Siri, but some data is still sent to Apple. Review Apple's Siri Privacy Policy to understand what's collected.

Disable Siri Suggestions: System Settings → Siri & Spotlight → Siri Suggestions & Privacy


Package Management

Homebrew simplifies software installation and updates.

Installation

xcode-select --install  # Install Command Line Tools first
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Security Notes

  • Homebrew uses TLS and verifies package integrity
  • Run brew upgrade regularly on trusted networks
  • Check packages before installing: brew info <package>

Disable Analytics

export HOMEBREW_NO_ANALYTICS=1
brew analytics off

Additional Hardening

export HOMEBREW_NO_INSECURE_REDIRECT=1
export HOMEBREW_CASK_OPTS=--require-sha

DNS Security

DNS Configuration Profiles

macOS supports encrypted DNS (DoH/DoT) via configuration profiles.

Create profiles: dns.notjakob.com

Popular providers:

Hosts File Blocking

Block domains at the system level:

sudo vi /etc/hosts

Add entries like:

0.0.0.0 ads.example.com
0.0.0.0 tracking.example.com
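Editing /etc/hosts by hand does not scale once you pull in a curated list, and re-running a naive `cat list >> /etc/hosts` piles up duplicates. The script below is an added example (not from the guide) that keeps the blocked entries inside a marked block, validates each hostname so a malformed list line cannot inject extra fields, and leaves everything you wrote by hand untouched; the marker text and the hosts-file argument are this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the guide: keep a marked, deduplicated block of
# "0.0.0.0 domain" entries in a hosts file so repeated runs never pile up
# duplicates and never touch the entries you wrote by hand.
set -eu

BEGIN_MARK='# BEGIN blocklist (managed)'
END_MARK='# END blocklist (managed)'

# Accept only well-formed hostnames: a bad blocklist line must not be able
# to smuggle an extra address or field into /etc/hosts.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Normalise a blocklist: strip comments, accept "domain" or "0.0.0.0 domain"
# lines, lower-case, keep only valid names, sort, dedupe.
normalise_blocklist() {
    awk '{ sub(/#.*/, ""); if (NF == 0) next; print tolower((NF >= 2) ? $2 : $1) }' "$1" |
    while IFS= read -r d; do
        valid_domain "$d" && printf '%s\n' "$d" || true
    done | sort -u
}

# apply_blocklist HOSTS_FILE BLOCKLIST_FILE
apply_blocklist() {
    hosts=$1 list=$2
    tmp=$(mktemp)
    # Copy everything outside the managed block verbatim.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$hosts" > "$tmp"
    {
        printf '%s\n' "$BEGIN_MARK"
        normalise_blocklist "$list" | sed 's/^/0.0.0.0 /'
        printf '%s\n' "$END_MARK"
    } >> "$tmp"
    # Overwrite in place (keeps the file's ownership and mode) and clean up.
    cat "$tmp" > "$hosts"
    rm -f "$tmp"
}

# count_blocked HOSTS_FILE: number of managed 0.0.0.0 entries.
count_blocked() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { inb = 1; next }
        $0 == e { inb = 0; next }
        inb && $1 == "0.0.0.0" { n++ }
        END { print n + 0 }
    ' "$1"
}

# Demo on constructed files (never touches the real /etc/hosts).
demo() {
    h=$(mktemp) l=$(mktemp)
    printf '127.0.0.1 localhost\n' > "$h"
    printf '%s\n' 'ads.example.com  # sample' '0.0.0.0 Tracking.Example.com' \
        'ads.example.com' 'bad host!' > "$l"
    apply_blocklist "$h" "$l"
    apply_blocklist "$h" "$l"   # second run must be a no-op
    cat "$h"
    rm -f "$h" "$l"
}

demo
```

On a real system run it as `sudo sh blocklist.sh` with `apply_blocklist /etc/hosts /path/to/list` in place of `demo`, then flush the resolver cache (`sudo dscacheutil -flushcache`).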

Curated blocklists:

DNSCrypt

Encrypt DNS traffic with dnscrypt-proxy:

brew install dnscrypt-proxy

Configure dnscrypt-proxy to listen on port 5355 (so dnsmasq can forward to it), then:

sudo brew services restart dnscrypt-proxy

Dnsmasq

Local DNS caching and filtering:

brew install dnsmasq
sudo brew services start dnsmasq
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

Certificate Authorities

macOS ships with 100+ root CA certificates from corporations and governments worldwide. Any of these can issue certificates for any domain.

Apple blocks untrustworthy CAs and enforces strict requirements.

Viewing Certificates

  • Keychain Access → System Roots
  • Or via CLI: security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

Distrusting a CA

In Keychain Access, double-click a certificate → Trust → set to Never Trust.

⚠️ Don't distrust Apple root certificates—it will break macOS functionality.

📖 More info: CA/Browser Forum


Web Proxy

Privoxy provides local web traffic filtering.

brew install privoxy
brew services start privoxy

Configure system proxy:

sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118
sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118

Example filter to block all traffic except specific domains:

{ +block{all} }
.

{ -block }
.apple.
.github.com

Web Browsers

The Web browser likely poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet.

An important property of modern browsers is the Same Origin Policy (SOP) which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised.

Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially careful when downloading new software.

Another important consideration about browser security is extensions. This is an issue affecting Firefox and Chrome alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers.

Mozilla Firefox, Google Chrome, Safari, and Tor Browser are all recommended browsers for their own unique and individual purposes.

Firefox

Mozilla Firefox is a popular open source browser. Firefox replaced major parts of its infrastructure and code base under the projects Quantum and Photon. Part of the Quantum project is to replace C++ code with Rust. Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox.

Firefox offers a similar security model to Chrome: it has a bug bounty program, although it is not as lucrative. Firefox follows a four-week release cycle similar to Chrome.

Firefox supports user-supplied configuration files. See drduh/config/firefox.user.js and arkenfox/user.js for recommended preferences and hardening measures. Also see NoScript, an extension which allows selective script blocking.

Firefox focuses on user privacy. It supports tracking protection in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Firefox in Strict tracking protection mode will randomize your fingerprint to foil basic tracking scripts. Firefox offers separate user profiles. You can separate your browsing inside a profile with Multi-Account Containers.

Firefox only supports Web Extensions through the WebExtensions API, which is very similar to Chrome's. Submitting Web Extensions to Firefox is free. Most Firefox Web Extensions are open source, although some are proprietary.

Chrome

Google Chrome is based on the open source Chromium project with certain proprietary components:

  • Automatic updates with GoogleSoftwareUpdateDaemon
  • Usage tracking and crash reporting, which can be disabled through Chrome's settings
  • Media Codec support for proprietary codecs
  • Chrome Web Store
  • PDF viewer
  • Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. Chrome downloaded from Google’s website doesn’t have the RLZ identifier. The source code to decode the strings is made open by Google.

Chrome offers account sync between multiple devices. Part of the sync data includes credentials to Web sites. The data is encrypted with the account password.

Chrome's Web Store for extensions requires a 5 USD lifetime fee in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage.

Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as node.js which uses Chrome's V8 Engine and the Electron framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite constant attacks, Chrome has retained an impressive security track record over the years. This is not a small feat.

Chrome offers separate profiles, robust sandboxing, frequent updates, and carries impressive credentials. In addition, Google offers a very lucrative bounty program for reporting vulnerabilities, along with its own Project Zero team. This means that a large number of highly talented and motivated people are constantly auditing and securing Chrome code.

Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, disable JavaScript in Chrome settings and allow it only for the origins you need. You should also disable the V8 optimizer for sites where you do use JavaScript to further reduce attack surface: Settings -> Privacy and security -> Security -> Manage V8 security -> Don't allow sites to use the V8 optimizer.

Read more about the benefits of disabling this here.

You can block trackers with uBlock Origin Lite.

Change the default search engine from Google to reduce additional tracking.

Disable DNS prefetching (see also DNS Prefetching and Its Privacy Implications (pdf)). Note that Chrome may attempt to resolve DNS using Google's 8.8.8.8 and 8.8.4.4 public nameservers.

Read Chromium Security and Chromium Privacy for more information. Read Google's privacy policy to understand how personal information is collected and used.

Safari

Safari is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both open source and proprietary components. Safari is based on the open source web engine WebKit, which is ubiquitous throughout the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's Blink engine is a fork of WebKit and both engines share a number of similarities.

Safari supports certain unique features that benefit user security and privacy. Content blockers enable the creation of content blocking rules without using JavaScript; this rule-based approach greatly improves memory use, security, and privacy. Safari 11 introduced Intelligent Tracking Prevention, which removes tracking data stored in Safari after a period of non-interaction by the user with the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari intentionally doesn't support certain features like WebUSB or the Battery API, for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that are destroyed when you close the tab. Safari also supports Profiles, which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with Lockdown Mode, which can be disabled per-site. Read more about tracking prevention in Safari.

Safari offers an invite-only bounty program for bug reporting to a select number of security researchers. The bounty program was announced during Apple's presentation at BlackHat 2016.

Web Extensions in Safari have an additional option to use native code in Safari's sandbox environment, in addition to the Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App Store. App Store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand, App Store submission comes at a steep cost: the yearly developer subscription is 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission). The high cost is prohibitive for the majority of open source developers. As a result, Safari has very few extensions to choose from. Keep the high cost in mind when installing extensions: it is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open.

Safari syncs user preferences and passwords with iCloud Keychain. In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security.

Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases and 1 major release per year), so newer features reach the stable channel more slowly. Security updates in Safari are handled independently of the stable release schedule and are installed through the App Store.

See also el1t/uBlock-Safari to disable hyperlink auditing beacons.

Other browsers

Many Chromium-derived browsers are not recommended due to being closed source, poorly maintained, or making dubious privacy claims.


Tor & Anonymity

Tor Browser provides anonymity through the Tor network.

Installation

  1. Download from torproject.org
  2. Verify the signature (important!)
  3. Mount the disk image and drag to Applications
# Verify code signature
spctl -a -vv ~/Applications/Tor\ Browser.app
# Look for: Developer ID Application: The Tor Project, Inc (MADPSAYN6T)

⚠️ Never configure other browsers to use Tor—use only Tor Browser.

Important Considerations

  • Tor provides anonymity, not privacy
  • Tor traffic is encrypted to exit nodes, but usage patterns can be identified
  • Use pluggable transports to obfuscate Tor traffic
  • For higher security, run Tor inside a VM

📖 Alternative: I2P (comparison with Tor)


VPN

Protocol Recommendations

| Protocol | Status |
|---|---|
| WireGuard | ✅ Modern, fast, audited |
| OpenVPN | ✅ Battle-tested, widely supported |
| PPTP | ❌ Broken, avoid |
| L2TP/IPSec | ⚠️ Acceptable if WireGuard unavailable |

Considerations

  • Research your provider's jurisdiction and logging policies
  • Use a kill switch to prevent traffic leakage on disconnect
  • Consider self-hosting for maximum control

📖 Technical details: macOS VPN Architecture


Encryption (PGP/GPG)

GPG enables end-to-end encryption for files and communications.

brew install gnupg

For hardware key storage, see drduh/YubiKey-Guide.

Download recommended configuration:

curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf

Secure Messaging

Recommended Messengers

| App | Protocol | Notes |
|---|---|---|
| Signal | Signal Protocol | Gold standard for E2EE, requires phone number |
| iMessage | Apple proprietary | Enable Contact Key Verification |
| XMPP + OMEMO | Open standard | Federated, requires OMEMO for E2EE |

iMessage Security

  • Enable Advanced Data Protection to prevent key backup to Apple
  • Verify contacts using Contact Key Verification
  • Remember: your messaging partners should do the same!

Malware Protection

Mac malware is increasingly common. Macs are not immune to viruses.

Where Malware Comes From

  • Bundled with pirated software
  • Fake updates and phishing
  • Supply chain attacks on legitimate software
  • Malicious browser extensions

📖 Stay informed: Objective-See Blog, Malwarebytes Blog

Safe Software Practices

| Source | Trust Level | Notes |
|---|---|---|
| Mac App Store | ✅ Highest | Reviewed, sandboxed |
| Notarized apps | ✅ High | Apple-scanned for malware |
| Developer websites (signed) | ⚠️ Medium | Verify signatures |
| Unsigned/pirated | ❌ Avoid | High malware risk |

Verifying App Security

Check App Sandbox:

codesign -dvvv --entitlements - /path/to/app.app | grep sandbox

Check Hardened Runtime:

codesign --display --verbose /path/to/app.app
# Look for: flags=0x10000(runtime)

Built-in Protection

| Feature | Description |
|---|---|
| XProtect | Automatic malware scanning and removal |
| Gatekeeper | Blocks unverified apps (right-click → Open to bypass) |
| Notarization | Apple scans apps before distribution |
| MRT | Malware Removal Tool runs automatically |

Third-Party Tools

⚠️ Third-party antivirus can introduce attack surface and privacy concerns due to privileged access.


System Integrity Protection

SIP prevents modification of protected system files and processes.

Verify SIP status:

csrutil status
# Should return: System Integrity Protection status: enabled.

⚠️ Never disable SIP unless absolutely necessary, and re-enable immediately after.


Metadata & Artifacts

macOS tracks metadata that can reveal your activities. Periodically clean these for privacy.

Download Metadata

View extended attributes on downloaded files:

xattr -l ~/Downloads/example.dmg
mdls ~/Downloads/example.dmg

Remove download metadata:

xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/example.dmg
xattr -d com.apple.quarantine ~/Downloads/example.dmg

Common Artifact Locations

| Location | Contains |
|---|---|
| ~/Library/Preferences/ | App preferences, recent files |
| /Library/Preferences/com.apple.Bluetooth.plist | Bluetooth device history |
| ~/Library/Application Support/Quick Look/ | Thumbnail cache |
| /var/spool/cups/ | Print job history |
| ~/Library/Saved Application State/ | App window states |

Clear Bluetooth History

sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache
sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices

Clear QuickLook Cache

qlmanage -r disablecache
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/*

Clear Print History

sudo rm -rfv /var/spool/cups/c0* /var/spool/cups/tmp/* /var/spool/cups/cache/job.cache*

Clear Finder Preferences

defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders
defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations
defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches

Clear Wi-Fi from NVRAM

sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network
sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks

⚠️ Clearing Document Revisions (/.DocumentRevisions-V100) may break some Apple apps.


Password Security

Generate Strong Passwords

# LC_ALL=C stops tr from aborting with "Illegal byte sequence" in a UTF-8 locale
LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -1

Or use Diceware for memorable passphrases.

Multi-Factor Authentication

| Type | Security Level |
|---|---|
| Hardware keys (WebAuthn) | ✅ Strongest |
| Authenticator apps (TOTP) | ✅ Strong |
| SMS codes | ⚠️ Weak (SIM swap vulnerable) |

Recommended: YubiKey — supports WebAuthn, TOTP, and GPG key storage.

See drduh/YubiKey-Guide for setup instructions.


Backup Strategy

The 3-2-1 Rule

Per CISA guidelines:

  • 3 copies of your data
  • 2 different storage types
  • 1 offsite copy

Time Machine

  1. Connect an external drive
  2. System Settings → General → Time Machine
  3. Always encrypt backups

Encrypted Archives with GPG

# Encrypt
tar zcvf - ~/Documents | gpg -c > backup-$(date +%F).tar.gz.gpg

# Decrypt
gpg -d backup-*.tar.gz.gpg | tar zxvf -

Encrypted Disk Images

# -fs is required so the image is formatted and can be mounted
hdiutil create ~/Desktop/secure.dmg -encryption -size 100M -fs APFS -volname "Secure"

Wi-Fi Security

Privacy Risks

Your Mac broadcasts remembered network names (SSIDs) when searching for networks, revealing location history.

Remove old networks: System Settings → Network → Wi-Fi → ⓘ on each network → Forget

MAC Address Spoofing

Randomize your MAC address on untrusted networks:

sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%')

Note: Resets to hardware MAC on reboot.
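The one-liner above hands ifconfig six raw random bytes, so about half of its results have the multicast bit of the first octet set, which is not a valid station address. The function below is an added example (not from the guide) that clears that bit, sets the locally-administered bit, and validates the result before applying it; it uses od instead of openssl so it also runs where openssl is absent.

```shell
#!/bin/sh
# Added example, not part of the guide: generate a random MAC that interfaces
# will actually accept. Bit 0 of the first octet must be 0 (unicast) and bit 1
# is set to 1 (locally administered) so the address cannot collide with a
# vendor-assigned OUI.
set -eu

random_mac() {
    # 6 random bytes as 12 hex characters from the kernel RNG.
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(( (0x$(printf '%s' "$hex" | cut -c1-2) & 0xfe) | 0x02 ))
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/\(..\)/:\1/g')
    printf '%02x%s\n' "$first" "$rest"
}

# validate_mac MAC: returns 0 for a well-formed, unicast, locally-administered
# address (lower-case, colon separated), 1 otherwise.
validate_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    b0=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    [ $(( b0 & 0x01 )) -eq 0 ] || return 1   # bit 0 set would mean multicast
    [ $(( b0 & 0x02 )) -ne 0 ] || return 1   # bit 1 clear would claim a real OUI
}

# apply_random_mac IFACE: set a fresh address the way the guide does (root
# required; as the guide notes, the hardware address returns on reboot).
apply_random_mac() {
    mac=$(random_mac)
    validate_mac "$mac" || return 1
    sudo ifconfig "$1" ether "$mac" && printf '%s now uses %s\n' "$1" "$mac"
}

# Print one candidate so the script does something useful when run directly.
random_mac
```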

Wi-Fi Encryption Standards

| Protocol | Status |
|---|---|
| WPA3 | ✅ Best |
| WPA2 | ✅ Acceptable |
| WPA | ⚠️ Legacy |
| WEP | ❌ Broken — never use |

SSH Hardening

Client Configuration

Use hardware-backed or password-protected keys. See drduh/config/ssh_config for recommended options.

Consider hashing hostnames in ~/.ssh/known_hosts:

ssh-keygen -H

SSH as SOCKS Proxy

ssh -NCD 3000 you@remote-host.tld

Then configure your browser to use localhost:3000 as a SOCKS5 proxy.

SSH Tunneling

Forward a remote proxy locally:

ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld
sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555

Enabling Remote Login (sshd)

By default, macOS does not enable sshd. To enable:

System Settings → General → Sharing → Remote Login

If enabling, configure strong authentication:

Check if sshd is running:

sudo lsof -Pni TCP:22

Physical Security

Keep your Mac physically secure. A skilled attacker with physical access could:

  • Install hardware keyloggers
  • Extract data from an unencrypted drive
  • Access Recovery Mode

Anti-Theft Tools

| Tool | Description |
|---|---|
| BusKill | Dead-man switch — locks/shuts down on USB disconnect |
| swiftGuard | Monitors USB events, blocks unauthorized devices |

Tamper Detection

  • Use nail polish on screws to detect physical tampering
  • Consider privacy screens in public spaces

System Monitoring

OpenBSM Audit

macOS includes OpenBSM for auditing process execution, network activity, and more:

sudo praudit -l /dev/auditpipe

See man audit, man praudit, and files in /etc/security/.

⚠️ Reboot required for audit configuration changes.

DTrace Tools

Note: Requires disabling SIP (not recommended).

| Tool | Purpose |
|---|---|
| iosnoop | Disk I/O |
| opensnoop | File opens |
| execsnoop | Process execution |
| errinfo | Failed syscalls |
| dtruss | All syscalls |

Process Monitoring

ps -ef                    # All processes
launchctl list            # User launch agents
sudo launchctl list       # System daemons
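Listing agents and daemons (here and under Viewing Services above) only helps if you can tell what is new. The script below is an added example (not from the guide) that diffs two saved `launchctl list` snapshots to surface labels that appeared since a baseline, flags jobs whose last exit status is non-zero, and points to where the matching plist would live; the snapshot contents are constructed, only the tab-separated PID/Status/Label layout is launchctl's.

```shell
#!/bin/sh
# Added example, not part of the guide: compare snapshots of `launchctl list`
# to spot new launch agents/daemons (a common persistence mechanism) and jobs
# that keep failing. The sample snapshots are constructed; only the
# "PID<TAB>Status<TAB>Label" column layout is launchctl's own.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

# labels_from_list FILE: the Label column, sorted, header line skipped.
labels_from_list() {
    awk -F'\t' 'NR > 1 && NF >= 3 { print $3 }' "$1" | sort -u
}

# new_labels BASELINE CURRENT: labels in CURRENT that were not in BASELINE.
new_labels() {
    b=$(mktemp); c=$(mktemp)
    labels_from_list "$1" > "$b"
    labels_from_list "$2" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# failed_jobs FILE: "label status" for jobs whose last exit status is not 0
# (an agent that keeps dying is worth a look either way).
failed_jobs() {
    awk -F'\t' 'NR > 1 && NF >= 3 && $2 != "0" { print $3, $2 }' "$1"
}

# plist_for_label LABEL: the standard macOS locations a job of that name
# would be loaded from, so a new label can be read with `defaults read`.
plist_for_label() {
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents \
             /Library/LaunchDaemons /System/Library/LaunchAgents \
             /System/Library/LaunchDaemons; do
        [ -f "$d/$1.plist" ] && printf '%s\n' "$d/$1.plist"
    done
    return 0
}

# Demo on constructed snapshots. On macOS you would instead run
#   launchctl list > ~/launchd-baseline.txt      (once, on a known-good system)
#   launchctl list > /tmp/launchd-now.txt && new_labels ~/launchd-baseline.txt /tmp/launchd-now.txt
demo() {
    base=$(mktemp); now=$(mktemp)
    printf 'PID\tStatus\tLabel\n' > "$base"
    printf '%s\t%s\t%s\n' 391 0 com.apple.Finder \
        - 0 com.apple.SafariHistoryServiceAgent \
        412 0 com.example.legit-agent >> "$base"
    cp "$base" "$now"
    # Constructed: an agent that appeared since the baseline and keeps dying.
    printf '%s\t%s\t%s\n' - 78 com.example.updater-helper >> "$now"
    echo "new since baseline:"; new_labels "$base" "$now"
    echo "failing jobs:";       failed_jobs "$now"
    rm -f "$base" "$now"
}

demo
```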

Network Monitoring

sudo lsof -Pni            # Open network connections
sudo netstat -atln        # Network structures

With Wireshark installed:

# DNS queries
tshark -Y "dns.flags.response == 1" -Tfields -e dns.qry.name -e dns.a

# HTTP traffic
tshark -Y "http.request or http.response" -Tfields -e http.request.full_uri

Binary Authorization with Santa

Google Santa provides binary allowlist/blocklist enforcement for macOS.

How It Works

Santa uses macOS's Endpoint Security framework to monitor and allow/block binary execution based on:

  • SHA-256 hash
  • Signing certificate
  • Team ID

Installation

# Download from GitHub Releases
hdiutil mount ~/Downloads/santa-*.dmg
sudo installer -pkg /Volumes/santa-*/santa-*.pkg -tgt /

Verify Installation

santactl status

Usage Examples

Block an application:

sudo santactl rule --block --path /Applications/SomeApp.app/

Allow by certificate:

santactl fileinfo /Applications/App.app/   # Get signing chain
sudo santactl rule --allow --certificate --sha256 <CERT_SHA256>

Lockdown mode (only allow explicitly approved binaries):

sudo defaults write /var/db/santa/config.plist ClientMode -int 2

⚠️ Santa cannot block scripts (Python, Bash) since interpreters are Apple-signed.


Additional Tweaks

Screen Lock

defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0

Show Hidden Files

defaults write com.apple.finder AppleShowAllFiles -bool true
chflags nohidden ~/Library

Show All Extensions

Prevent "malware.jpg.app" disguises:

defaults write NSGlobalDomain AppleShowAllExtensions -bool true

Disable iCloud Document Saving

defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

Secure Keyboard Entry (Terminal)

Enable in Terminal → Secure Keyboard Entry to prevent other apps from reading keystrokes.

Disable Crash Reporter Dialog

defaults write com.apple.CrashReporter DialogType none

Custom umask

Set restrictive default file permissions:

sudo launchctl config user umask 077

Disable Bonjour Advertisements

⚠️ Breaks AirPlay and AirPrint!

sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

Related Tools

| Tool | Description |
|---|---|
| Lynis | Security auditing and compliance testing |
| osquery | SQL-based system information queries |
| Zentral | Santa/osquery log aggregation server |

Resources

| Resource | Description |
|---|---|
| Apple Platform Security | Official security documentation |
| Apple Open Source | Darwin and open components |
| CIS Benchmarks | Security configuration standards |
| EFF Surveillance Self-Defense | Privacy and security guides |
| Objective-See Blog | macOS security research |
| drduh/YubiKey-Guide | Hardware key setup |

Contributing

Contributions welcome! Please see the guide for submitting improvements.

License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
