Securing macOS for federal use requires implementing multiple layers of protection that go beyond default settings. This guide provides a comprehensive, step-by-step approach to hardening your government Mac following NIST guidelines, DISA STIGs, and federal best practices.
Understanding the Security Baseline
Federal Mac security is governed by several overlapping frameworks. Understanding these frameworks helps you implement appropriate controls and pass compliance audits.

NIST Special Publications
NIST SP 800-53 provides the control catalog used by most federal agencies. For macOS specifically, NIST publishes guidance on device management and security configuration. These documents establish the “why” behind security requirements.
DISA Security Technical Implementation Guides
DISA STIGs provide the specific “how”—detailed configuration settings for macOS. The macOS STIG includes hundreds of individual checks covering everything from password policies to audit logging. STIGs are available on DISA’s website and are updated with each macOS major version.
CIS Benchmarks
The Center for Internet Security publishes macOS benchmarks that complement STIGs. CIS benchmarks are often more prescriptive and easier to follow step-by-step. Many agencies use both STIGs and CIS benchmarks.
System Preferences Hardening
Begin security hardening in System Settings (called System Preferences on older macOS versions). These are the fundamental controls that protect the device.
Privacy and Security Settings
Navigate to System Settings > Privacy & Security. This section controls the most critical security features.
FileVault: Enable FileVault disk encryption. Click “Turn On FileVault” and follow the prompts. For government systems, use institutional recovery keys rather than iCloud recovery. Your IT department should provide the institutional key or manage it through MDM.
Encryption may take several hours depending on disk size. You can continue working during encryption, but keep your Mac plugged in until complete.
Firewall: Enable the built-in firewall. Click on “Firewall” and turn it on. For additional protection, enable “Block all incoming connections” unless specific applications require incoming access. Only add firewall exceptions for applications explicitly approved by IT.
Gatekeeper: Under “Allow applications downloaded from,” the most secure setting is “App Store.” If your work requires applications outside the App Store, “App Store and identified developers” is acceptable. Never disable Gatekeeper entirely.
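The three Privacy & Security controls above (and the SIP check described later under Advanced Terminal Security) can be verified from a script rather than by clicking through System Settings. The following is an added example, not part of the original guide: each parser takes the text a macOS tool prints and returns success or failure, so the logic can be exercised with sample output on any system, while the live checks run only on macOS. The matched strings are those that fdesetup status, socketfilterfw --getglobalstate, spctl --status and csrutil status print; note that spctl --status only reports whether Gatekeeper assessments are on, not whether the source is set to "App Store" or "App Store and identified developers".

```shell
#!/bin/sh
# Added example: baseline checks for FileVault, the application firewall,
# Gatekeeper and SIP. Parsers return 0 (compliant) or 1 (not compliant).

# fdesetup status -> "FileVault is On." / "FileVault is Off."
filevault_ok() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# socketfilterfw --getglobalstate -> "Firewall is enabled. (State = 1)"
#                                    or "Firewall is disabled. (State = 0)"
firewall_ok() {
  case "$1" in
    *"Firewall is enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# spctl --status -> "assessments enabled" / "assessments disabled"
gatekeeper_ok() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# csrutil status -> "System Integrity Protection status: enabled."
sip_ok() {
  case "$1" in
    *"status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run one named check against captured output, print PASS/FAIL, return its status.
report() {
  name=$1; fn=$2; output=$3
  if "$fn" "$output"; then
    printf 'PASS  %s\n' "$name"; return 0
  else
    printf 'FAIL  %s  (%s)\n' "$name" "$(printf '%s' "$output" | head -n 1)"; return 1
  fi
}

# Collect live output on macOS only; elsewhere the parsers remain available for tests.
run_baseline_checks() {
  [ "$(uname)" = "Darwin" ] || { echo "Not macOS; skipping live checks."; return 0; }
  failures=0
  report "FileVault enabled"  filevault_ok  "$(fdesetup status 2>&1)" || failures=$((failures + 1))
  report "Firewall enabled"   firewall_ok   "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" || failures=$((failures + 1))
  report "Gatekeeper enabled" gatekeeper_ok "$(spctl --status 2>&1)" || failures=$((failures + 1))
  report "SIP enabled"        sip_ok        "$(csrutil status 2>&1)" || failures=$((failures + 1))
  echo "$failures check(s) failed"
  return "$failures"
}

run_baseline_checks
```

Run it as a normal user; none of the four status commands need root. The exit code is the number of failed checks, which makes the script easy to wire into an MDM extension attribute or a cron job that feeds your compliance reporting.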
Lock Screen and Password Settings
Navigate to System Settings > Lock Screen. Configure automatic screen lock to activate after no more than 15 minutes of inactivity—many agencies require 5 minutes or less. Enable “Require password immediately after sleep or screen saver begins.”
Under System Settings > Touch ID & Password (or Login Password on older Macs), ensure password requirements meet your agency’s policy. Federal guidelines typically require:
- Minimum 15 characters
- Mix of uppercase, lowercase, numbers, and symbols
- Password expiration every 60-90 days
- Password history preventing reuse of last 24 passwords
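The lock-screen timers and the four password rules above can be checked and enforced from the command line. The script below is an added example, not from the guide. It assumes that the com.apple.screensaver keys idleTime, askForPassword and askForPasswordDelay hold the lock-screen settings, and that the pwpolicy predicate strings and parameter names follow the format documented in pwpolicy(8); confirm the applied policy afterwards with pwpolicy -u <user> -getaccountpolicies, and expect an MDM passcode profile to take precedence where one is installed.

```shell
#!/bin/sh
# Added example: evaluate the screen-lock timers and write a pwpolicy plist
# that enforces 15+ characters, all four character classes, 60-day expiry
# and a 24-entry history.

# Return 0 when the idle timer is on, no longer than MAX_IDLE seconds, and a
# password is required with no grace period; otherwise say why and return 1.
screen_lock_ok() {
  idle=$1; ask=$2; delay=$3; max_idle=$4
  [ "$idle" -gt 0 ] 2>/dev/null || { echo "screen saver idle timer is disabled"; return 1; }
  [ "$idle" -le "$max_idle" ] || { echo "idle timer ${idle}s exceeds limit ${max_idle}s"; return 1; }
  [ "$ask" = 1 ] || { echo "password is not required after screen saver"; return 1; }
  [ "$delay" = 0 ] || { echo "password grace period is ${delay}s, must be 0"; return 1; }
  return 0
}

# Read the live values on macOS (missing keys count as 0) against the stricter
# 5-minute limit mentioned in the guide.
check_live_screen_lock() {
  [ "$(uname)" = "Darwin" ] || { echo "Not macOS; skipping live check"; return 0; }
  idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)
  ask=$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
  delay=$(defaults -currentHost read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
  screen_lock_ok "$idle" "$ask" "$delay" 300
}

# Write the policy plist to $1. Apply it to one account with:
#   sudo pwpolicy -u "$USER" -setaccountpolicies /path/to/pwpolicy.plist
# The regexes use ICU syntax, as pwpolicy predicates do (assumed per pwpolicy(8)).
write_pwpolicy_plist() {
  out=$1
  cat > "$out" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '^.{15,}$'</string>
      <key>policyIdentifier</key>
      <string>Minimum 15 characters</string>
    </dict>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).*$'</string>
      <key>policyIdentifier</key>
      <string>Upper, lower, digit and symbol required</string>
    </dict>
    <dict>
      <key>policyContent</key>
      <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
      <key>policyIdentifier</key>
      <string>No reuse of the last 24 passwords</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributePasswordHistoryDepth</key>
        <integer>24</integer>
      </dict>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Expire every 60 days</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>60</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
  # plutil validates the XML on macOS; elsewhere just confirm the file was written.
  if command -v plutil >/dev/null 2>&1; then plutil -lint "$out"; else [ -s "$out" ]; fi
}

check_live_screen_lock
```

The screen-lock function is kept separate from the defaults reads so the same judgement can be reused with values pulled from an MDM report. The 60-day expiry is the lower bound of the 60-90 day range in the list; raise policyAttributeExpiresEveryNDays if your agency allows 90.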
Location Services
Disable Location Services unless required for specific applications. Go to System Settings > Privacy & Security > Location Services and turn it off globally, or disable for individual applications.
Analytics and Improvements
Disable all analytics sharing. Go to System Settings > Privacy & Security > Analytics & Improvements. Uncheck all options including “Share Mac Analytics,” “Share with App Developers,” and “Improve Siri & Dictation.”
User Account Configuration
Proper user account configuration limits damage from potential compromises and maintains audit trails.
Administrative Privileges
Follow the principle of least privilege. Standard users should not have administrative rights. Create a separate administrator account for tasks requiring elevated permissions, and use your standard account for daily work.
If you must have admin rights for your daily account, be extremely cautious about what you authorize. Never enter your password for unexpected prompts.
Guest Account
Disable the guest account. Go to System Settings > Users & Groups, click the info button next to “Guest User,” and turn off “Allow guests to log in to this computer.”
Login Window
Configure the login window to not show user names. Go to System Settings > Lock Screen > Login Window Shows. Select “Name and password” rather than user pictures or a list of users. This prevents attackers from knowing valid usernames.
Enable displaying a legal notice at login. This provides legal standing for monitoring and sets expectations for users.
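The guest, login-window and legal-notice settings from this section map to a handful of preference keys, so they can be applied and verified in one script. This is an added example, not from the guide. It assumes the keys SHOWFULLNAME, GuestEnabled and LoginwindowText in /Library/Preferences/com.apple.loginwindow, and the /Library/Security/PolicyBanner.txt file for the full-screen notice shown before login; the banner text is a constructed sample and should be replaced with your agency's approved wording.

```shell
#!/bin/sh
# Added example: apply and verify login-window hardening. Applying requires
# root; verifying does not.

PLIST=/Library/Preferences/com.apple.loginwindow
BANNER_FILE=/Library/Security/PolicyBanner.txt
# Constructed sample notice; use the text your agency's counsel has approved.
BANNER='This is a U.S. Government information system. Use is monitored and recorded. Unauthorized use is prohibited.'

# Return 0 when the login window asks for name and password (SHOWFULLNAME=1),
# the guest account is off (GuestEnabled=0) and a non-empty notice is set.
loginwindow_ok() {
  showfullname=$1; guestenabled=$2; notice=$3
  [ "$showfullname" = 1 ] || { echo "login window lists users instead of name and password"; return 1; }
  [ "$guestenabled" = 0 ] || { echo "guest account is enabled"; return 1; }
  [ -n "$notice" ] || { echo "no legal notice configured"; return 1; }
  return 0
}

# Read a boolean key as 1/0; an unset key counts as 0.
read_bool() { defaults read "$PLIST" "$1" 2>/dev/null || echo 0; }

# Run with sudo on macOS. Writes the login-window fields and the pre-login banner.
apply_loginwindow_settings() {
  defaults write "$PLIST" SHOWFULLNAME -bool true
  defaults write "$PLIST" GuestEnabled -bool false
  defaults write "$PLIST" LoginwindowText -string "$BANNER"
  printf '%s\n' "$BANNER" > "$BANNER_FILE"
}

verify_loginwindow_settings() {
  [ "$(uname)" = "Darwin" ] || { echo "Not macOS; skipping live check"; return 0; }
  loginwindow_ok "$(read_bool SHOWFULLNAME)" "$(read_bool GuestEnabled)" \
                 "$(defaults read "$PLIST" LoginwindowText 2>/dev/null)"
}

verify_loginwindow_settings
```

LoginwindowText appears on the login window itself; PolicyBanner.txt is shown as a separate screen that the user must acknowledge before the login window appears, which is the form most agencies require for consent-to-monitoring language.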
Network Security Configuration
Network configuration is critical for government systems that handle sensitive data.
WiFi Security
Only connect to authorized networks. Go to System Settings > Network > WiFi and remove any personal or unknown networks. Disable “Ask to join networks” to prevent accidental connections to unknown access points.
When connecting to government WiFi, verify the correct network name and security settings with IT before connecting.
Bluetooth
Disable Bluetooth if not needed for authorized peripherals. Go to System Settings > Bluetooth and turn it off. If Bluetooth is required, disable “Show Bluetooth in Control Center” to reduce accidental enabling.
Sharing Services
Disable all unnecessary sharing services. Go to System Settings > General > Sharing. Turn off Screen Sharing, File Sharing, Printer Sharing, Remote Login, Remote Management, and all other sharing options unless specifically required and approved.
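Whether the sharing services above are actually off can be confirmed from launchd's per-service overrides rather than from the Sharing pane. The script below is an added example, not from the guide. It assumes the service labels com.openssh.sshd (Remote Login), com.apple.screensharing (Screen Sharing) and com.apple.smbd (File Sharing), and the "label" => enabled / disabled line format printed by launchctl print-disabled system; a service that is absent from that output is treated as not explicitly enabled, which is an assumption you should confirm against your own output.

```shell
#!/bin/sh
# Added example: check that Remote Login, Screen Sharing and File Sharing are
# not enabled, from launchd overrides and from systemsetup.

SHARING_LABELS="com.openssh.sshd com.apple.screensharing com.apple.smbd"

# Given the text of `launchctl print-disabled system`, name every sharing
# service that is explicitly enabled and return 1; return 0 when none are.
sharing_disabled_ok() {
  overrides=$1; bad=0
  for label in $SHARING_LABELS; do
    if printf '%s\n' "$overrides" | grep -q "\"$label\" => enabled"; then
      echo "sharing service enabled: $label"; bad=1
    fi
  done
  return $bad
}

# `systemsetup -getremotelogin` prints "Remote Login: Off" when compliant.
remote_login_off() {
  case "$1" in
    *"Remote Login: Off"*) return 0 ;;
    *) return 1 ;;
  esac
}

check_live_sharing() {
  [ "$(uname)" = "Darwin" ] || { echo "Not macOS; skipping live check"; return 0; }
  rc=0
  sharing_disabled_ok "$(launchctl print-disabled system 2>/dev/null)" || rc=1
  remote_login_off "$(systemsetup -getremotelogin 2>/dev/null)" || rc=1   # needs sudo
  return $rc
}

# To switch a service off without the GUI:
#   sudo launchctl disable system/com.apple.screensharing
#   sudo systemsetup -setremotelogin off

check_live_sharing
```

Checking launchd overrides catches services that were enabled from the command line or by a script, which a glance at the Sharing pane after a reboot can miss. Remote Management (Apple Remote Desktop) is not covered by these labels; verify it separately in the Sharing pane or through your MDM inventory.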
DNS and Network Configuration
Use your agency’s DNS servers rather than public resolvers. Your network configuration should route through agency infrastructure for monitoring and protection.
Application Security
Control which applications can run and how they interact with system resources.
App Sandboxing Verification
Prefer sandboxed applications from the App Store. Sandboxed apps have limited system access, reducing potential damage from vulnerabilities. Check if an application is sandboxed by viewing its entry in Activity Monitor and looking at the “Sandbox” column.
Restricting Application Permissions
Review application permissions in System Settings > Privacy & Security. Audit which apps have access to:
- Camera and Microphone (remove access from non-essential apps)
- Full Disk Access (should be minimal)
- Accessibility (used for automation; review carefully)
- Screen Recording (should be minimal)
- Files and Folders (limit to necessary locations)
Remove permissions from any applications that don’t require them for their core function.
Browser Hardening
Configure your browser for security. For Safari:
- Enable “Prevent cross-site tracking”
- Enable “Hide IP address from trackers”
- Block all cookies if practical, or “Allow from websites I visit”
- Disable AutoFill for credit cards and contacts
- Enable fraudulent website warnings
For Chrome, disable sync with personal Google accounts and review extension permissions regularly.
Audit and Logging Configuration
Federal systems must maintain audit logs for security monitoring and incident investigation.
Enabling Audit Logs
macOS includes a powerful audit subsystem. To enable comprehensive auditing, you’ll need to modify the audit configuration. This is typically managed through MDM, but can be configured manually.
Open Terminal and check current audit settings with: sudo audit -s. Note that this command also reloads the policy from /etc/security/audit_control, whose flags line defines which event classes are recorded. The audit policy should be set to capture authentication events, privilege escalation, and file access to sensitive areas.
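The policy lives in the flags line of /etc/security/audit_control, so a script can confirm that the classes covering the events named above are present. The following is an added example, not from the guide. It assumes this mapping between the paragraph's wording and OpenBSM audit classes: lo (login and logout), aa (authentication and authorization), ad (administrative actions, which covers privilege escalation), fm and fd (file attribute changes and deletions), and -all (all failed events); the sample audit_control text is constructed. One caveat a practitioner should know: Apple deprecated the OpenBSM audit subsystem in macOS 11, and recent releases (macOS 14 and later) no longer start auditd by default, so confirm the daemon is running before trusting the flags.

```shell
#!/bin/sh
# Added example: verify the audit flags in /etc/security/audit_control.

REQUIRED_CLASSES="lo aa ad fm fd -all"

# Extract the flags: line from audit_control text and check every required
# class is listed. Returns 0 when all are present, 1 with a message otherwise.
audit_flags_ok() {
  control_text=$1; missing=""
  flags=$(printf '%s\n' "$control_text" | sed -n 's/^flags:[[:space:]]*//p' | head -n 1)
  [ -n "$flags" ] || { echo "no flags: line in audit_control"; return 1; }
  for cls in $REQUIRED_CLASSES; do
    case ",$flags," in
      *",$cls,"*) ;;
      *) missing="$missing $cls" ;;
    esac
  done
  [ -z "$missing" ] || { echo "audit flags missing:$missing (have: $flags)"; return 1; }
  return 0
}

# Constructed audit_control content, mirroring the stock file's layout.
SAMPLE_GOOD='#
# constructed sample audit_control
#
dir:/var/audit
flags:lo,aa,ad,fm,fd,-all
minfree:25
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:60d'

check_live_audit_control() {
  [ -r /etc/security/audit_control ] || { echo "audit_control not readable; skipping"; return 0; }
  audit_flags_ok "$(cat /etc/security/audit_control)"
}
# After editing the flags: line, reload the policy with: sudo audit -s

check_live_audit_control
```

The check is deliberately strict about each class being a separate comma-separated token, so a flags line such as lo,aa alone fails even though it records logins; that is the drift this check is meant to catch after an update or a manual edit.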
System Log Configuration
Ensure the unified logging system is capturing appropriate events. View current logs using Console.app or the log command in Terminal. Your IT department should have a log forwarding solution to send logs to a central SIEM for analysis.
Login Records
Verify login records are being maintained. The last command shows recent logins. These records support incident investigation and audit requirements.
Software Update Management
Keeping software current is essential for security. Unpatched vulnerabilities are a leading cause of security incidents.
macOS Updates
Go to System Settings > General > Software Update. Click on the info button for Automatic Updates. Your agency may manage updates centrally through MDM, which may override these settings.
If managing updates yourself, enable automatic security updates at minimum. Consider enabling all automatic updates unless your agency prohibits them.
CISA’s Binding Operational Directive 22-01 requires patching known exploited vulnerabilities within specific timeframes—often 14 days or less for critical issues. Monitor CISA’s Known Exploited Vulnerabilities catalog.
Application Updates
Keep all applications updated. App Store applications typically update automatically. For other applications, check for updates regularly or use your agency’s patch management system.
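The automatic-update switches behind System Settings > General > Software Update and the App Store are stored as preference keys, so the "security updates at minimum, all updates preferred" guidance above can be checked in a script. This is an added example, not from the guide. It assumes the keys AutomaticCheckEnabled, AutomaticDownload, CriticalUpdateInstall, ConfigDataInstall and AutomaticallyInstallMacOSUpdates in /Library/Preferences/com.apple.SoftwareUpdate and AutoUpdate in /Library/Preferences/com.apple.commerce; where an MDM profile manages updates, the managed value is what counts and these local reads may not reflect it.

```shell
#!/bin/sh
# Added example: audit automatic-update preferences at two levels.

SU=/Library/Preferences/com.apple.SoftwareUpdate
COMMERCE=/Library/Preferences/com.apple.commerce

# Minimum bar (security updates): arguments are the 1/0 values of
# AutomaticCheckEnabled, AutomaticDownload, CriticalUpdateInstall, ConfigDataInstall.
security_updates_ok() {
  check=$1; download=$2; critical=$3; configdata=$4; bad=0
  [ "$check" = 1 ]      || { echo "automatic update checks are off"; bad=1; }
  [ "$download" = 1 ]   || { echo "automatic download is off"; bad=1; }
  [ "$critical" = 1 ]   || { echo "security responses and system files are not auto-installed"; bad=1; }
  [ "$configdata" = 1 ] || { echo "XProtect and configuration data are not auto-installed"; bad=1; }
  return $bad
}

# Full bar: the four above plus macOS updates ($5) and App Store apps ($6).
all_updates_ok() {
  security_updates_ok "$1" "$2" "$3" "$4" || return 1
  [ "$5" = 1 ] || { echo "macOS updates are not auto-installed"; return 1; }
  [ "$6" = 1 ] || { echo "App Store updates are not automatic"; return 1; }
  return 0
}

# Read a preference as 1/0; an unset key counts as 0.
read_pref() { defaults read "$1" "$2" 2>/dev/null || echo 0; }

check_live_update_prefs() {
  [ "$(uname)" = "Darwin" ] || { echo "Not macOS; skipping live check"; return 0; }
  all_updates_ok \
    "$(read_pref "$SU" AutomaticCheckEnabled)" \
    "$(read_pref "$SU" AutomaticDownload)" \
    "$(read_pref "$SU" CriticalUpdateInstall)" \
    "$(read_pref "$SU" ConfigDataInstall)" \
    "$(read_pref "$SU" AutomaticallyInstallMacOSUpdates)" \
    "$(read_pref "$COMMERCE" AutoUpdate)"
  # Pending updates, relevant to the BOD 22-01 remediation clock: softwareupdate --list
}

check_live_update_prefs
```

Splitting the check into a minimum and a full tier mirrors the text: an agency that prohibits automatic macOS upgrades can still require the security tier to pass.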
Advanced Terminal Security
Some security configurations require Terminal commands. Execute these carefully.
System Integrity Protection
Verify SIP is enabled by running in Terminal: csrutil status. It should report “enabled.” Never disable SIP unless specifically instructed by IT for a particular task, and re-enable it immediately after.
Secure Empty Trash
While macOS no longer includes secure empty trash as a feature, FileVault encryption protects deleted data. Ensure FileVault is active rather than relying on secure deletion.
Firmware Password
On Intel Macs, set a firmware password to prevent unauthorized boot from external media. This is done from Recovery Mode: restart holding Command+R, then go to Utilities > Firmware Password Utility.
Apple Silicon Macs use Startup Security Utility for similar protections. Access it from Recovery Mode.
Physical Security
Technical controls are undermined by poor physical security.
Device Location
Never leave your government Mac unattended in public spaces. In the office, lock your screen (Control+Command+Q) when stepping away. Consider a laptop cable lock for added security in shared spaces.
Removable Media
Most agencies restrict removable media to prevent data exfiltration and malware introduction. If USB storage is disabled by policy, don’t attempt to work around it.
Screen Privacy
In public spaces, be aware of shoulder surfing. Consider a privacy screen filter that limits viewing angles. Position your screen away from windows and high-traffic areas.
Incident Response Preparation
Know what to do when something goes wrong.
Reporting Security Incidents
Document your agency’s security incident reporting procedures. Know how to contact your IT security team and Security Operations Center. Report suspicious activity immediately—early reporting limits damage.
Recognizing Compromise
Watch for signs of compromise: unexpected pop-ups, new applications you didn’t install, slow performance, unusual network activity, or changes to settings you didn’t make. Trust your instincts—if something seems wrong, report it.
Preservation of Evidence
If you suspect compromise, don’t attempt to fix it yourself. Disconnect from the network if instructed by IT, but don’t shut down or modify the system without guidance. Forensic evidence is easier to collect from a running system.
Compliance Verification
Regular verification ensures your Mac stays compliant with security requirements.
Self-Assessment
Periodically review your security settings against your agency’s checklist or the STIG. Many settings can drift over time, especially after system updates.
Automated Compliance Scanning
Your agency likely uses automated tools to scan for compliance. Remediate any findings promptly. Common scanning tools include SCAP scanners and MDM compliance reports.
Documentation
Maintain records of your security configurations, especially any deviations from standard settings. Document justifications for any exceptions and ensure they’re approved by appropriate authorities.
Security hardening is an ongoing process. Stay informed about new threats and updated guidance, and work with your IT security team to maintain a strong security posture. A well-secured Mac is a foundation for accomplishing your agency’s mission safely.