Apple macOS 14 (Sonoma) Security Checklist
Difficulty: Medium · 20 items · about 2 hours · by testuser · Published 1 month ago
This checklist summarizes essential security hardening steps for Apple macOS 14 (Sonoma) based on STIG guidance. It’s for system administrators and informed users who want to secure macOS devices in managed or personal environments. Use it to audit settings, enforce policies, and prepare devices for compliance reviews.
- Install macOS updates — Enable auto-updates and install all available macOS 14 patches and security updates.
- Enable FileVault disk encryption — Turn on full-disk encryption to protect data at rest using System Settings > Privacy & Security.
- Record FileVault recovery key — Save the recovery key to a secure location or institutional escrow before completing setup.
- Verify FileVault encryption status — Confirm encryption completed successfully in System Settings or via diskutil in Terminal.
- Set firmware (EFI) password — Configure an EFI password in Recovery mode to prevent unauthorized boot or disk access.
- Disable automatic login — Require users to enter credentials at login to prevent bypassing account-level controls.
- Require password after sleep/screensaver — Set immediate or short timeout for password requirement on wake to prevent unauthorized access.
- Enable macOS Firewall — Turn on the built-in firewall to block unsolicited incoming network connections.
- Enable Stealth Mode for firewall — Prevent your Mac from responding to probing or ping requests when connected to networks.
- Ensure System Integrity Protection (SIP) is enabled — Verify SIP is active to protect system files and processes from tampering.
- Enable Gatekeeper and restrict app sources — Allow apps from App Store or identified developers only to reduce untrusted software risk.
- Enable XProtect and malware removal updates — Keep built-in malware definitions and removal tools current via automatic updates.
- Disable unnecessary sharing services — Turn off File Sharing, Screen Sharing, Remote Login, and Remote Management if unused.
- Limit Bluetooth and AirDrop discoverability — Set AirDrop to Contacts Only and restrict Bluetooth visibility when not pairing.
- Configure encrypted Time Machine backups — Use an encrypted backup volume and verify backups run regularly and complete successfully.
- Set strong user account passwords and enable MFA where possible — Enforce long passphrases and enable two-factor authentication for Apple ID and accounts.
- Audit and remove unused user accounts — Delete or disable dormant accounts and review admin privileges regularly.
- Review privacy settings for location, camera, mic access — Restrict apps' access to sensitive sensors and data via Privacy & Security settings.
- Enable Find My Mac and Activation Lock — Turn on device tracking and activation lock to help recover or disable lost/stolen Macs.
- Maintain an offline recovery plan — Keep offline copies of installers, recovery keys, and backup verification records securely stored.
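Several of the items above (FileVault status, SIP, Gatekeeper, the firewall and its stealth mode, automatic login) can be verified from Terminal instead of clicking through System Settings. The script below is an added example, not part of the checklist or of any Apple tooling: it assumes macOS 14 with the standard tool paths (`fdesetup`, `csrutil`, `spctl`, `/usr/libexec/ApplicationFirewall/socketfilterfw`, `defaults`), runs only read-only commands, and reports each item as PASS, FAIL or UNKNOWN. The output strings it matches are the ones those tools print on macOS 14; any other output is reported as UNKNOWN rather than guessed. The parsing is kept in a separate `classify` function so it can be exercised with constructed sample output on any OS.

```shell
#!/bin/sh
# Added read-only audit helper (example code, not from the checklist page).
# Assumes macOS 14 and the standard tool paths below; run as an admin user.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# classify CHECK OUTPUT -> prints PASS, FAIL or UNKNOWN for one checklist item.
classify() {
  check=$1
  out=$2
  case $check in
    filevault)            # fdesetup status
      case $out in
        *"FileVault is On"*)  echo PASS ;;
        *"FileVault is Off"*) echo FAIL ;;
        *) echo UNKNOWN ;;
      esac ;;
    sip)                  # csrutil status
      case $out in
        *"status: disabled"*) echo FAIL ;;
        *"status: enabled"*)  echo PASS ;;
        *) echo UNKNOWN ;;
      esac ;;
    gatekeeper)           # spctl --status
      case $out in
        *"assessments disabled"*) echo FAIL ;;
        *"assessments enabled"*)  echo PASS ;;
        *) echo UNKNOWN ;;
      esac ;;
    firewall)             # socketfilterfw --getglobalstate; 1 = on, 2 = block all
      case $out in
        *"State = 0"*) echo FAIL ;;
        *"State = 1"*|*"State = 2"*) echo PASS ;;
        *) echo UNKNOWN ;;
      esac ;;
    stealth)              # socketfilterfw --getstealthmode
      case $out in
        *disabled*|*" off"*) echo FAIL ;;
        *enabled*|*" on"*)   echo PASS ;;
        *) echo UNKNOWN ;;
      esac ;;
    autologin)            # defaults read ... autoLoginUser
      # `defaults read` prints the auto-login user name, or an error ending in
      # "does not exist" when automatic login is off (the desired state).
      case $out in
        *"does not exist"*|"") echo PASS ;;
        *) echo FAIL ;;
      esac ;;
    *) echo UNKNOWN ;;
  esac
}

# run_check CHECK CMD... -> runs CMD if present (stderr merged, because
# `defaults read` reports a missing key on stderr) and prints "CHECK RESULT".
run_check() {
  check=$1
  shift
  if command -v "$1" >/dev/null 2>&1; then
    out=$("$@" 2>&1) || true
    printf '%-10s %s\n' "$check" "$(classify "$check" "$out")"
  else
    printf '%-10s %s\n' "$check" "UNKNOWN (missing: $1)"
  fi
}

# One line per checklist item covered by this script.
audit_all() {
  run_check filevault  fdesetup status
  run_check sip        csrutil status
  run_check gatekeeper spctl --status
  run_check firewall   "$FW" --getglobalstate
  run_check stealth    "$FW" --getstealthmode
  run_check autologin  defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser
}

# Only run the live audit on macOS; elsewhere only classify() is usable.
if [ "$(uname -s)" = Darwin ]; then
  audit_all
fi
```

Run it as `sh macos14-audit.sh` on the device being reviewed and keep the output with the compliance record; a FAIL line maps directly back to the checklist item named in the first column. Items the script does not cover (EFI password, sharing services, Time Machine encryption, account review) still need to be checked by hand or with an MDM report.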