How to secure and lock down your Mac

There are numerous ways that a thief can get into your Mac, including booting your system to another hard drive to bypass the security of the built-in operating system and access any file on disk, or simply booting to the OS X Recovery partition and using the password reset tools to change the password of an account on the system. While keychain information and other secured documents will be safe from such approaches, other non-secured files will still be accessible.

If you are concerned about theft, there are several ways you can ensure your Mac or at least the data on it are secured.

FileVault

Click this button in the Security & Privacy system preferences to enable FileVault.

Perhaps the easiest way to ensure your Mac is secured is to enable Apple’s FileVault disk encryption routine. Encrypting your drive scrambles all information on it for anyone who does not have the password for unlocking the drive. As a result, if your computer is stolen and someone tries to remove the drive, or boot to another drive to bypass your OS X installation’s security, they will be met with a password prompt to access your hard drive. Even though they can format the drive and otherwise use your Mac’s hardware, they will not be able to access your data or programs.

You can enable FileVault by going to the FileVault tab of the Security & Privacy system preferences, and then clicking the button to Turn On FileVault (you may have to click the lock to authenticate first). When you do this, the system will take a few hours to complete encryption of your drive, after which it will be safe from anyone who does not have a password for it.

CoreStorage Encryption

Right-clicking a disk (including unencrypted disk images) in the OS X Finder offers options to encrypt it.

FileVault is great and convenient, but will only work for your system’s boot volume, and not for additional volumes you might use with your Mac. If you have external drives attached to your Mac, then consider using Apple’s CoreStorage encryption routines (the same ones used to set up FileVault) for these drives. To use this, the drives must use the GUID partitioning scheme and be formatted to Apple’s “Mac OS Extended” format, after which you can right-click them in the Finder and choose the option to encrypt the drive. After providing a password, the drive will be encrypted and then be secured from use on any system without the password.

Keep in mind that unlike FileVault, CoreStorage Encryption will have to be manually done on every drive you use with your Mac. Additionally, since it will only work with GUID drives formatted to Mac OS Extended (HFS+), it will not work with BootCamp partitions and other special partitions. For these, you will have to use the encryption routines in Windows and other operating systems you use.

Encrypted backups

Apple’s Time Machine feature in OS X is a great backup routine; however, being set-and-forget, it is easy to simply plug in a drive and have it be used to back up your Mac. Even if your Mac is set up with FileVault, unless the backup drive is also encrypted, data transferred to it will not be secured. Therefore, be sure your backups are also encrypted. When you initially set up Time Machine you can choose the option to encrypt the drive; if you did not, you should be able to encrypt the existing backups by right-clicking the drive and choosing the option to encrypt it, just as you would with CoreStorage Encryption on any external drive.

Firmware password

The firmware password utility should be in this menu.

FileVault and CoreStorage Encryption will secure your data, but will not prevent people from resetting hardware components like PRAM, or booting to alternative hard drives, which can be used to format your drive. To prevent this, you can set your Mac’s firmware password which in effect locks the hardware from alternate uses. To do this, reboot your system and then hold down the Command-R keys at the boot chimes to start up in Recovery Mode. Then choose “Firmware Password Utility” from the utilities menu and use it to set your desired password.

Firmware passwords on Macs made before 2010 can be reset by altering the system’s hardware (e.g., changing the installed RAM); however, those after 2010 will require bringing the system to an Apple Store and having it serviced.

Account and screensaver passwords

Your Mac’s data is only as secure as the passwords you set up for it. Therefore, be sure to use a complex password for your user account, and also be sure to set up the system’s screensaver password. To change your password, go to the Users & Groups system preferences and click on your account, where you should see a button for changing your account’s password. To ensure your Mac’s screensaver password is set, go to the Security & Privacy system preferences and check the option to require a password immediately after sleep or screensaver begins. You can also change the current user’s password in these system preferences.
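To confirm from Terminal that the FileVault, firmware password and screensaver password settings described above are actually in effect, the following read-only audit script is an added example, not part of the original article. It assumes the `fdesetup`, `firmwarepasswd` (shipped with later OS X releases, needs root) and `defaults` tools, and the `com.apple.screensaver` preference keys of the OS X releases this article covers; the function names are this example's own.

```shell
#!/bin/sh
# Added example: read-only audit of three settings from this article.
# Parsing lives in small functions so it can be checked against
# constructed sample output on any system.

# FileVault: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
classify_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Firmware password: `firmwarepasswd -check` prints "Password Enabled: Yes|No"
classify_firmware() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;   # not root, or tool missing
    esac
}

# Screen lock: $1 = askForPassword, $2 = askForPasswordDelay (seconds).
# Only an explicit zero delay counts as "immediately".
classify_screenlock() {
    [ "$1" = "1" ] || { echo off; return; }
    case "$2" in
        0|0.0) echo immediate ;;
        *)     echo delayed ;;
    esac
}

audit_mac() {
    fv=$(fdesetup status 2>/dev/null || true)
    fw=$(/usr/sbin/firmwarepasswd -check 2>/dev/null || true)   # needs root
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || true)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || true)
    echo "FileVault:         $(classify_filevault "$fv")"
    echo "Firmware password: $(classify_firmware "$fw")"
    echo "Screen lock:       $(classify_screenlock "$ask" "$delay")"
}

# Run the live audit only on a Mac; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    audit_mac
fi
```

Any line that reports `off`, `delayed` or `unknown` points to the matching section of this article; run the script with `sudo` so the firmware check can read its setting.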

iCloud remote access

Enable both this and the Find My Mac iCloud services, to provide you with remote options for accessing, locking, and wiping your Mac if it is stolen.

Another built-in way to keep your Mac secure is to use Apple’s iCloud remote access services, and especially “Find My Mac,” which will allow you to remotely wipe your system or lock it down with a PIN. With a standard iCloud account enabled, you can simply check the Find My Mac service in the iCloud system preferences, and then use the Find My Mac section at iCloud.com, or the Find My Mac app on an iOS device, to remotely lock or wipe your Mac if it is stolen. Granted, for this to work the Mac will need to be connected to the internet; however, the remote wipe feature will queue up and activate whenever the Mac next connects to the internet.

Enable Apple ID two-step authentication

Apple IDs can be used for accessing your iCloud account, and subsequently may be used to access details about your Mac and even your Mac itself. Therefore, be sure your Apple ID is secured by not only using a robust password for it (and perhaps regularly changing this password), but also setting up Apple’s two-step authentication routine.

In addition to your Apple ID, other online accounts you use may implement two-step authentication, so be sure to check with all services you use and implement these security features.

Third-party locks

The above features are perhaps the best for securing your Mac’s data; however, your Mac itself is a good $1000-$3000 investment, and losing it will mean a chunk of change out of your pocket for a new one, plus the inconvenience of going for a while without a system. Therefore, consider purchasing a locking device for your Mac. Unfortunately, Apple has begun phasing out the classic Kensington lock hole for standard computer locking devices in many of its devices; however, there are a number of third-party solutions (such as those from MacLocks and other vendors) where you can use your Mac’s existing screw layouts to bolt on a low-profile locking system and better secure your hardware from theft.
