9 macOS Security Settings You Should Change Right Now
Apple does a reasonable job with default security settings. Better than most, actually. But "reasonable" and "optimal" are not the same thing, and there are several settings that ship in a state I would describe as convenient rather than secure.
I went through every security-relevant setting in macOS Sequoia and picked the nine that matter most. These are not obscure Terminal commands or enterprise policies. They are settings anyone can change in five minutes through System Settings.
1. Turn on FileVault
System Settings, then Privacy and Security, then FileVault.
If this is not on, your entire hard drive is unencrypted. That means if someone steals your laptop, they can pull the drive and read every file on it without knowing your password.
FileVault encrypts your entire disk. The performance impact on modern Macs with Apple Silicon is essentially zero because the chip handles encryption in hardware. There is no reason not to enable this.
It will take a while to encrypt on first enable. Let it run overnight. After that, it is invisible.
2. Set your lock screen timeout to something reasonable
System Settings, then Lock Screen.
I constantly see Macs set to never lock, or to lock only after 30 minutes. That is too long. If you walk away from your desk at a coffee shop, someone can sit down and have full access to your machine.
Set it to 5 minutes maximum. I use 2 minutes. Yes, it means typing your password more often. That is a very small price for not having your machine compromised because you went to the bathroom.
3. Review which apps have Full Disk Access
System Settings, then Privacy and Security, then Full Disk Access.
Full Disk Access is the most powerful permission an app can have. It lets an app read and write literally any file on your system, including your emails, messages, and credentials.
Go through this list carefully. Any app you do not use regularly should lose this permission. You can always re-grant it if needed.
4. Audit your camera and microphone permissions
System Settings, then Privacy and Security, then Camera. Then Microphone.
These are self-explanatory but people rarely check them. You might be surprised what has access. That video app you tried once three months ago? It probably still has camera permission.
Remove anything that does not actively need it. CoreLock's privacy audit does this automatically, but you can also just scroll through the list yourself.
5. Enable the Firewall
System Settings, then Network, then Firewall.
The macOS firewall is off by default. I genuinely do not understand why Apple ships it this way, but they do. Turn it on.
The built-in firewall blocks incoming connections that are not authorized. It will not interfere with normal browsing or app usage. It just prevents unsolicited inbound connections, which is exactly what you want.
6. Disable automatic login
System Settings, then Users and Groups, then look for Automatic Login.
If this is set to your account, anyone who opens your laptop goes straight to your desktop. No password, no Touch ID, nothing.
Set it to Off. This is especially important if you ever travel with your Mac.
7. Turn off AirDrop for everyone
Control Center, then AirDrop, or System Settings, then General, then AirDrop.
Set AirDrop to "Contacts Only" or "No One" instead of "Everyone." When set to Everyone, any nearby Apple device can attempt to send you files. This has been exploited in public places to send malicious files or offensive content.
8. Check your sharing settings
System Settings, then General, then Sharing.
Go through every toggle. Screen Sharing, File Sharing, Remote Login, Remote Management. If you are not actively using these, turn them off. Each one is a potential entry point for an attacker on your network.
Most people have never opened this panel and have no idea what is enabled. Remote Login being on means someone with your credentials can SSH into your machine. That is fine if you need it and know what you are doing. It is a liability if you do not.
9. Require password for software installations
System Settings, then Privacy and Security.
Under "Allow apps downloaded from," make sure this is set to "App Store and identified developers," not "Anywhere." On modern macOS versions, the Anywhere option is hidden by default, which is good. But if you previously enabled it, check that it is back to the safer default.
Also make sure Gatekeeper is active. It checks that apps are signed by a known developer before letting them run. This catches a significant percentage of malware because most malicious apps are not signed.
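If you want to confirm several of these settings in one pass, the following is an added example and not part of the original article: a read-only shell script that checks FileVault, the firewall, automatic login, Remote Login and Gatekeeper. The function names are this example's own, and the output strings it matches are assumptions about what the built-in tools print on recent macOS releases.

```shell
#!/bin/bash
# Added example: read-only check of settings 1, 5, 6, 8 and 9 from the list above.
# Assumption: the output strings matched here are what these tools print on
# recent macOS releases; anything unrecognised is reported as UNKNOWN.

# verdict OUTPUT GOOD BAD -> PASS if OUTPUT contains GOOD, FAIL if it contains BAD.
verdict() {
  case "$1" in
    *"$2"*) echo PASS ;;
    *"$3"*) echo FAIL ;;
    *)      echo UNKNOWN ;;
  esac
}

# classify CHECK OUTPUT -> verdict for one captured command output.
classify() {
  case "$1" in
    filevault)   verdict "$2" "FileVault is On" "FileVault is Off" ;;
    firewall)    verdict "$2" "Firewall is enabled" "Firewall is disabled" ;;
    gatekeeper)  verdict "$2" "assessments enabled" "assessments disabled" ;;
    remotelogin) verdict "$2" "Remote Login: Off" "Remote Login: On" ;;
    # 'defaults read' prints the account name only when automatic login is set.
    autologin)   if [ -z "$2" ]; then echo PASS; else echo FAIL; fi ;;
    *)           echo UNKNOWN ;;
  esac
}

# audit_mac: run the real commands and print one line per check.
audit_mac() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  plist=/Library/Preferences/com.apple.loginwindow
  printf '%-12s %s\n' filevault   "$(classify filevault   "$(fdesetup status 2>&1)")"
  printf '%-12s %s\n' firewall    "$(classify firewall    "$("$fw" --getglobalstate 2>&1)")"
  printf '%-12s %s\n' autologin   "$(classify autologin   "$(defaults read "$plist" autoLoginUser 2>/dev/null)")"
  printf '%-12s %s\n' remotelogin "$(classify remotelogin "$(systemsetup -getremotelogin 2>&1)")"
  printf '%-12s %s\n' gatekeeper  "$(classify gatekeeper  "$(spctl --status 2>&1)")"
}

# Only touch the system when actually running on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
  audit_mac
fi
```

The Remote Login check needs administrator rights, so it reports UNKNOWN unless the script is run with sudo. Permissions such as Full Disk Access, camera and microphone are still best reviewed in System Settings.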
One more thing
These settings help, but they are a baseline, not a guarantee. Settings do not monitor what happens after an app has been granted permission. They do not watch your network traffic. They do not notice when a process starts behaving differently.
That is where active monitoring comes in. CoreLock watches your system continuously and alerts you when something changes. Think of it as the security camera that supplements the locks you just installed.
Settings are the foundation. Monitoring is what catches the threats that get past the foundation.