The Architecture of macOS Security
macOS is built with multiple layers of security. Gatekeeper verifies app installations, FileVault encrypts the disk, and the firewall controls network access. These security features are either disabled by default or set to minimal levels, so developers should actively enable them.
This post covers how to manage FileVault, the firewall, Gatekeeper, and privacy settings from both CLI and GUI.
FileVault Disk Encryption
FileVault is macOS’s full-disk encryption (FDE) feature. When enabled, all data on the disk is encrypted with XTS-AES-128. Even if your Mac is lost or stolen, data cannot be accessed without the login password.
# Check FileVault status
sudo fdesetup status
# Example output:
# FileVault is Off. (or FileVault is On.)
# Enable FileVault
sudo fdesetup enable
# A recovery key will be displayed — store it securely!
# Example output:
# Recovery key: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
# List FileVault-enabled users
sudo fdesetup list
# Example output:
# username,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
# Check encryption progress (right after enabling)
diskutil apfs list | grep -A5 "FileVault"
# Apple Silicon Macs use hardware encryption and complete instantly
# Intel Macs encrypt in the background (takes several hours)
Important considerations when enabling FileVault:
- Store the recovery key: If you lose the recovery key, your data becomes permanently inaccessible
- iCloud recovery: There’s an option to store the recovery key in iCloud, but maintaining an offline backup is safer
- Performance impact: Apple Silicon Macs have a hardware encryption engine with zero performance impact. Intel Macs also show virtually no perceivable difference
Firewall Settings
The macOS firewall controls incoming network connections. It is disabled by default and must be turned on manually.
# Check firewall status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# Example output: Firewall is disabled. (State = 0)
# Enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
# Output: Firewall is enabled. (State = 1)
# Enable stealth mode (blocks ICMP ping responses)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
# Hides your Mac's presence on the network
# Add a specific app to the firewall rules and allow its incoming connections (--blockapp does the opposite)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Firefox.app
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/Firefox.app
# View all firewall settings
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
# Example output:
# ALF : Total of 5 app rules
# 1 : /usr/libexec/rapportd - Allow incoming connections
# 2 : /Applications/Firefox.app - Allow incoming connections
Local development servers (localhost:3000, etc.) are not blocked by the firewall. Per-app allow rules are only needed for external access.
# Firewall settings for development servers
# Allow Node.js through the firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
--add $(which node)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
--unblockapp $(which node)
# Enable auto-allow modes for signed software (no per-app prompt for trusted signers)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on      # built-in Apple software
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on   # downloaded, validly signed apps
Gatekeeper App Verification
Gatekeeper verifies code signatures and notarization when an app is installed or first launched. It controls whether apps downloaded from outside the App Store are allowed to run.
# Check Gatekeeper status
spctl --status
# Output: assessments enabled (active)
# Verify app code signature
spctl --assess --verbose /Applications/Visual\ Studio\ Code.app
# Example output:
# /Applications/Visual Studio Code.app: accepted
# source=Notarized Developer ID
# Add a specific app as a Gatekeeper exception
# When you need to run unsigned development tools
sudo spctl --add --label "DevTools" /path/to/unsigned-app.app
sudo spctl --enable --label "DevTools"
# Allow a blocked app to run (on first launch after download)
# In Finder, Ctrl+click the app → select "Open"
# Or via CLI:
sudo xattr -r -d com.apple.quarantine /Applications/SomeApp.app
Apps installed via Homebrew Cask have the quarantine attribute automatically removed.
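Stripping the quarantine attribute with xattr, as above, skips the Gatekeeper check entirely. The script below is an added example (not part of the original post) that does the defensive version of that step: it reads the quarantine attribute to show where a download came from, verifies the signature with codesign, asks Gatekeeper for a verdict with spctl, and only clears the flag when both checks pass, so an unsigned bundle keeps its quarantine flag and is left for the labelled spctl exception route shown above. The file name, function names and the sample attribute value in the test are my own; the attribute layout it parses (flags;hex timestamp;download agent;UUID) is what browsers write, and both exit-status conventions (codesign and spctl return non-zero on rejection) are real.

```shell
#!/bin/sh
# vet-download.sh: added example, not from the original post.
# Inspect a downloaded app bundle and clear com.apple.quarantine only
# when the signature is valid AND Gatekeeper accepts the bundle.

# Parse a com.apple.quarantine value of the form "FLAGS;HEXTIME;AGENT;UUID"
# and print one key=value line per field (timestamp is hex seconds since epoch).
quarantine_fields() {
  IFS=';' read -r q_flags q_time q_agent q_uuid <<EOF
$1
EOF
  printf 'flags=%s\n' "$q_flags"
  if [ -n "$q_time" ]; then
    printf 'downloaded_at=%s\n' "$((0x$q_time))"
  else
    printf 'downloaded_at=unknown\n'
  fi
  printf 'agent=%s\n' "${q_agent:-unknown}"
  printf 'uuid=%s\n' "${q_uuid:-none}"
}

# Return 0 if the bundle is signed, intact and accepted by Gatekeeper.
# Both tools report the verdict through their exit status; spctl prints its
# verbose text to stderr, so all output is silenced here.
gatekeeper_accepts() {
  if ! codesign --verify --deep --strict "$1" >/dev/null 2>&1; then
    echo "signature: invalid or missing"
    return 1
  fi
  if ! spctl --assess --type execute "$1" >/dev/null 2>&1; then
    echo "gatekeeper: rejected (not notarized, revoked, or unidentified developer)"
    return 1
  fi
  echo "gatekeeper: accepted"
  return 0
}

# vet_app PATH
# Returns 0 = quarantine cleared, 1 = quarantine kept, 2 = no quarantine flag.
vet_app() {
  app=$1
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null) || {
    echo "$app: no quarantine flag present"
    return 2
  }
  echo "$app: quarantined"
  quarantine_fields "$q" | sed 's/^/  /'
  if gatekeeper_accepts "$app"; then
    # Same removal the post shows, but only after the checks above passed
    xattr -r -d com.apple.quarantine "$app" && echo "$app: quarantine cleared"
    return 0
  fi
  echo "$app: quarantine kept; review the signer before adding a spctl exception"
  return 1
}

# Usage: sh vet-download.sh /Applications/SomeApp.app
if [ $# -gt 0 ]; then vet_app "$1"; fi
```

The exit codes are deliberate: a wrapper (for example a Homebrew post-install hook) can treat 1 as "stop and look at this" instead of silently running whatever was downloaded.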
SIP (System Integrity Protection)
SIP is a kernel-level security feature that protects macOS system files. It should generally never be disabled.
# Check SIP status
csrutil status
# Output: System Integrity Protection status: enabled.
# Directories protected by SIP
# /System, /usr (except /usr/local), /bin, /sbin
# Files in these directories cannot be modified even with root privileges
# If SIP needs to be disabled (not recommended)
# Boot into Recovery Mode (hold the power button)
# Open Terminal → csrutil disable
# After completing the task, re-enable with csrutil enable
Privacy Settings
macOS manages per-app access permissions for the camera, microphone, location, file system, and more. Developers should check which of these permissions their terminal and IDE have been granted.
# Check apps with full disk access permissions
# System Settings → Privacy & Security → Full Disk Access
# If Terminal/iTerm2 needs full disk access:
# System Settings → Privacy & Security → Full Disk Access → "+" → Add iTerm
# Check developer tools permissions
# System Settings → Privacy & Security → Developer Tools
# Listing Terminal or iTerm2 here relaxes Gatekeeper restrictions for software they launch
# TCC (Transparency, Consent, Control) database location
# Where app permission records are stored
ls ~/Library/Application\ Support/com.apple.TCC/
# Permission info is stored in the TCC.db file
# Reset permissions for a specific app
tccutil reset All com.googlecode.iterm2
# Resets all iTerm2 permissions (permission prompts will appear again)
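The TCC.db file mentioned above is an SQLite database, so the grants it records can be listed rather than clicked through one pane at a time. The script below is an added example, not from the original post: it queries the Full Disk Access and Accessibility grants and renders them readably, returning a count of allowed Full Disk Access clients that a periodic job can alert on. It assumes the macOS 11+ schema (an "access" table with service, client and auth_value columns, where auth_value 2 means allowed); the file, function and variable names are mine, and the rows in the test are constructed. Reading the system-wide database under /Library requires root and a terminal that itself has Full Disk Access (the step shown above).

```shell
#!/bin/sh
# tcc-audit.sh: added example, not from the original post.
# List Full Disk Access / Accessibility grants from the TCC databases.

# Assumed locations (user database holds user-level grants; the system one
# under /Library holds Full Disk Access and is root-only).
SYSTEM_TCC=${SYSTEM_TCC:-"/Library/Application Support/com.apple.TCC/TCC.db"}
USER_TCC=${USER_TCC:-"$HOME/Library/Application Support/com.apple.TCC/TCC.db"}

# Emit "service|client|auth_value" rows for the two services of interest.
tcc_query() {
  sqlite3 -separator '|' "$1" \
    "SELECT service, client, auth_value FROM access
     WHERE service IN ('kTCCServiceSystemPolicyAllFiles', 'kTCCServiceAccessibility')
     ORDER BY service, client;"
}

# Map the raw service name to the label shown in System Settings.
tcc_service_name() {
  case "$1" in
    kTCCServiceSystemPolicyAllFiles) echo "Full Disk Access" ;;
    kTCCServiceAccessibility)        echo "Accessibility" ;;
    *)                               echo "$1" ;;
  esac
}

# Map auth_value to a word (assumed macOS 11+ meanings).
tcc_auth_name() {
  case "$1" in
    0) echo "denied" ;;
    1) echo "unknown" ;;
    2) echo "allowed" ;;
    3) echo "limited" ;;
    *) echo "value=$1" ;;
  esac
}

# Read query rows on stdin, print one aligned line per grant.
tcc_summarize() {
  while IFS='|' read -r service client auth; do
    [ -n "$service" ] || continue
    printf '%-18s %-8s %s\n' "$(tcc_service_name "$service")" \
      "$(tcc_auth_name "$auth")" "$client"
  done
}

# Read query rows on stdin, print how many clients are allowed for SERVICE ($1).
tcc_count_allowed() {
  n=0
  while IFS='|' read -r service client auth; do
    if [ "$service" = "$1" ] && [ "$auth" = 2 ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Usage: sudo sh tcc-audit.sh --run   (from a terminal granted Full Disk Access)
tcc_audit() {
  for db in "$SYSTEM_TCC" "$USER_TCC"; do
    echo "== $db"
    rows=$(tcc_query "$db" 2>/dev/null) || { echo "   (not readable)"; continue; }
    printf '%s\n' "$rows" | tcc_summarize
    echo "   allowed Full Disk Access clients: $(printf '%s\n' "$rows" | tcc_count_allowed kTCCServiceSystemPolicyAllFiles)"
  done
}
if [ "${1:-}" = --run ]; then tcc_audit; fi
```

Run it after granting Full Disk Access to iTerm2 (as in the GUI step above) and again after `tccutil reset`, and the allowed count should move from 1 to 0 for that client; when run under sudo, set USER_TCC explicitly, since $HOME then points at root's home rather than yours.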
Login Security Settings
# Disable auto-login (security hardening): the key holds the username to log in as,
# so remove it rather than writing a boolean
sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
# Require a password immediately when the screen saver or screen lock starts
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0
# Set screen lock timeout after inactivity (5 minutes)
defaults -currentHost write com.apple.screensaver idleTime -int 300
# Check remote login (SSH) status
sudo systemsetup -getremotelogin
# Output: Remote Login: Off
# Enable SSH (only if needed)
sudo systemsetup -setremotelogin on
# Disable
sudo systemsetup -setremotelogin off
Security Audit Script
A script to check the current security settings of your Mac at a glance.
#!/bin/bash
# security-audit.sh — macOS security settings audit
echo "=== macOS Security Audit ==="
echo ""
# FileVault
echo -n "FileVault: "
fdesetup status | head -1
# Example output: FileVault is On.
# Firewall
echo -n "Firewall: "
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null | head -1
# Example output: Firewall is enabled. (State = 1)
# Gatekeeper
echo -n "Gatekeeper: "
spctl --status 2>/dev/null
# Example output: assessments enabled
# SIP
echo -n "SIP: "
csrutil status | head -1
# Example output: System Integrity Protection status: enabled.
# Remote Login
echo -n "SSH: "
sudo systemsetup -getremotelogin 2>/dev/null
# Example output: Remote Login: Off
# Automatic updates
echo -n "Auto Update: "
defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null
# Example output: 1 (enabled)
# Stealth mode
echo -n "Stealth Mode: "
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode 2>/dev/null | head -1
# Example output: Stealth mode enabled
echo ""
echo "=== Audit Complete ==="
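The script above prints each setting's raw output and leaves the reading to you. The variant below is an added example (not the post's own script) that grades the same checks PASS/FAIL against the expected output strings the post shows and exits with the number of failing checks, so it can run from cron or a CI job and alert when a setting drifts. Each check function takes the command output as text, which is what makes the logic testable on any machine; only run_audit calls the real macOS tools. The file and function names, and the SFW variable that lets the socketfilterfw path be overridden, are my own.

```shell
#!/bin/sh
# security-audit-strict.sh: added example, not from the original post.
# Same checks as the audit script above, graded PASS/FAIL; exit status is
# the number of failing checks (0 = fully hardened).

SFW=${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}

# Each *_ok function gets one line of command output and returns 0 when it
# matches the hardened state (strings as shown in the post).
fv_ok()         { case "$1" in "FileVault is On."*)      return 0 ;; esac; return 1; }
fw_ok()         { case "$1" in "Firewall is enabled."*)  return 0 ;; esac; return 1; }
stealth_ok()    { case "$1" in "Stealth mode enabled"*)  return 0 ;; esac; return 1; }
gk_ok()         { case "$1" in "assessments enabled"*)   return 0 ;; esac; return 1; }
sip_ok()        { case "$1" in *"status: enabled"*)      return 0 ;; esac; return 1; }
ssh_off_ok()    { case "$1" in "Remote Login: Off"*)     return 0 ;; esac; return 1; }
autoupdate_ok() { [ "$1" = 1 ]; }

FAILS=0
# report NAME TEXT CHECK: grade one setting and count failures.
# Empty TEXT usually means the tool is missing or needed sudo; that is a FAIL,
# not a silent pass.
report() {
  if "$3" "$2"; then
    printf '[PASS] %-12s %s\n' "$1" "$2"
  else
    printf '[FAIL] %-12s %s\n' "$1" "${2:-<no output>}"
    FAILS=$((FAILS + 1))
  fi
}

# Collect live output from the same commands the post's script runs.
run_audit() {
  FAILS=0
  report FileVault  "$(fdesetup status 2>/dev/null | head -n 1)" fv_ok
  report Firewall   "$("$SFW" --getglobalstate 2>/dev/null | head -n 1)" fw_ok
  report Stealth    "$("$SFW" --getstealthmode 2>/dev/null | head -n 1)" stealth_ok
  report Gatekeeper "$(spctl --status 2>/dev/null)" gk_ok
  report SIP        "$(csrutil status 2>/dev/null | head -n 1)" sip_ok
  report SSH        "$(sudo systemsetup -getremotelogin 2>/dev/null)" ssh_off_ok
  report AutoUpdate "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)" autoupdate_ok
  echo "$FAILS check(s) need attention"
  return "$FAILS"
}

# Usage: sh security-audit-strict.sh --run ; echo "exit=$?"
if [ "${1:-}" = --run ]; then run_audit; fi
```

Because the exit status carries the failure count, a scheduled job only has to test for non-zero; the per-line output tells you which setting moved. The SSH check still needs sudo, exactly as in the post's script, so run it from an interactive shell or a launchd job with the right privileges.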
Automatic Update Settings
Enable automatic updates to quickly apply security patches.
# Enable automatic update checks
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
# Enable automatic downloads
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
# Auto-install security updates
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
# Auto-install system data files
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
# Check current update settings
softwareupdate --schedule
# Output: Automatic check is on
Practical Tips
- FileVault is a must: Laptop users should always enable it. It’s the only data protection measure if your Mac is lost or stolen
- Firewall + Stealth Mode: Especially important on public Wi-Fi. Protects your Mac from network scanning at cafes, airports, etc.
- Keep Gatekeeper active: Don’t disable it. Instead, add individual exceptions only for specific apps you need
- Never disable SIP: Maintain it except in the extremely rare case where kernel extensions are required
- Regular security audits: Run the audit script above monthly to verify that settings haven’t been changed
- Recovery key management: Store the FileVault recovery key securely in a password manager (1Password, Bitwarden, etc.)
- SSH key management: Delete unused SSH keys and always set a passphrase on your keys