
macOS security basics — FileVault · Firewall · Gatekeeper · XProtect

The four security features to enable right after unboxing a Mac. How disk encryption, firewall, app validation, and malware quarantine work — and how to set them up.

macOS has reasonable defaults, but a developer machine needs a few more switches flipped. FileVault (disk encryption), the application Firewall, Gatekeeper (code-signature and notarization checks on first launch), and XProtect (built-in malware scanning) are the four core features.

This guide finishes a security baseline in 30 minutes after the Mac initial setup is done. Mandatory for work laptops, personal laptops, and any machine holding source code.

TL;DR

  1. FileVault ON — protects data if the device is lost / stolen (most important)
  2. Firewall ON — block incoming connections + enable stealth mode
  3. Gatekeeper keep default — App Store + identified developers only
  4. XProtect is automatic — just keep auto-updates on
  5. Company laptops: (1)+(2) are mandatory, never disable (3)

Prerequisites

  • macOS 14+ (Sonoma or later)
  • Admin account
  • Apple ID signed in (only if you choose iCloud recovery for FileVault; not needed if you keep a recovery key instead)

1. FileVault — disk encryption (mandatory)

1.1 Why mandatory

  • No data leakage if lost / stolen: without your password (or the recovery key) the disk contents are unreadable
  • Don't assume it's on. Apple Silicon always encrypts the internal volume in hardware, but without FileVault the volume key isn't bound to your login password, so anyone who can boot the machine can read the data
  • Required by ~all corporate security policies

1.2 Enable

System Settings → Privacy & Security → FileVault → Turn On

Pick a recovery option:

  • Allow iCloud recovery (easy; lose access to your Apple ID = lose the data forever)
  • Generate a recovery key (24 characters in six groups of four; store it somewhere safe, e.g. 1Password)

Recommendation: generate a recovery key and store it in a password manager. Removes iCloud as a single point of failure.

On Apple Silicon the volume is already encrypted, so turning FileVault on is effectively instant. On Intel Macs encryption runs in the background after enabling: you can keep using the machine, but expect 1–2 hours of mild slowdown. Progress is shown on the same settings page.

1.3 Verify

fdesetup status
# FileVault is On.

Or:

diskutil apfs list | grep -iE 'filevault|encrypted'
# FileVault:                 Yes (Unlocked)

1.4 Caveats

  • Lose the recovery key and lose your Apple ID = data is gone forever. Back the key up in two places
  • FileVault only protects data at rest: once you're logged in, anything running as you (or anyone at your unlocked screen) reads the disk normally. That's why the auto-lock settings in §6 are not optional
  • Corporate laptops: your employer may escrow the recovery key via MDM; check IT policy
  • External SSDs can be encrypted too (diskutil apfs encryptVolume)
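Added example (not code from the original page): a small script that classifies fdesetup status output, including the two states the plain verify above doesn't show (encryption still running on an Intel Mac, deferred enablement), and sanity-checks the shape of the recovery key you stored before you ever need it. The fv_* helper names and the sample key are this example's own; fdesetup status and fdesetup validaterecovery are real macOS commands.

```sh
#!/bin/sh
# Added example, not code from the original page. fv_* helpers and SAMPLE_KEY
# are this example's own; `fdesetup status` / `fdesetup validaterecovery`
# are real macOS commands.

# fv_state: read `fdesetup status` output on stdin and print one word:
#   encrypting | deferred | on | off
# The "in progress" line only appears on Intel Macs; Apple Silicon flips straight to on.
fv_state() {
  status=$(cat)
  case "$status" in
    *"Encryption in progress"*) echo encrypting ;;   # disk still partly readable
    *"Deferred enablement"*)    echo deferred ;;     # turns on at next login
    *"FileVault is On"*)        echo on ;;
    *)                          echo off ;;
  esac
}

# fv_key_format_ok: exit 0 if $1 has the personal-recovery-key shape
# (six groups of four upper-case letters/digits), else 1. Catches a
# mistyped entry in your password manager before you depend on it.
fv_key_format_ok() {
  printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# fv_check_live: run the real check on a Mac; return non-zero unless fully on.
fv_check_live() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, live check skipped"; return 0; }
  state=$(fdesetup status | fv_state)
  echo "FileVault: $state"
  [ "$state" = on ]
}

# fv_validate_key_live: ask macOS whether the key you backed up really unlocks
# this disk. Interactive (prompts for the key), needs sudo; prints true/false.
fv_validate_key_live() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  sudo fdesetup validaterecovery
}

# Constructed sample key (not a real key from any machine) to exercise the check.
SAMPLE_KEY='ABCD-EF12-3456-789A-BCDE-F012'

fv_check_live
fv_key_format_ok "$SAMPLE_KEY" && echo "sample key has the right shape"
```

Run fv_validate_key_live once right after you paste the key into your password manager; a "false" there means your backup is worthless and you should rotate the key (fdesetup changerecovery -personal) before you forget.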

2. Firewall (mandatory)

2.1 Enable

System Settings → Network → Firewall → Turn On

Options:

  • Block all incoming connections — drops nearly everything except what macOS itself needs (no sharing services, no dev server reachable from the LAN)
  • Automatically allow built-in / downloaded signed software — signed apps may accept inbound connections (recommended default)
  • Enable stealth mode — don't answer ICMP ping or probes to closed ports (good on public Wi-Fi)

2.2 Recommended profile

  Environment                    Profile
  Home / trusted network         Firewall ON + auto-allow signed
  Office                         Firewall ON + auto-allow signed
  Café / airport / hotel Wi-Fi   + Stealth mode ON + Block all incoming if possible

2.3 Allow inbound for specific apps

When an app needs inbound (dev server, game host):

Firewall → Options → + → add the app → "Allow incoming connections"

Or accept the macOS prompt when the app first asks.

2.4 Verify

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# Firewall is enabled. (State = 1)
 
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
# Stealth mode enabled
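Added example (not the page's own code): the §2.2 profiles and the §2.3 per-app allow done from the terminal with socketfilterfw, plus a one-line state summary so you can see at a glance which profile a machine is in. Every socketfilterfw flag used is real; the profile names (home|public), the fw_* helper names and the sample answers in the comments are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page. The socketfilterfw flags are real;
# the profile names (home|public) and fw_* helpers are this example's own.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# _fw_flag: map one socketfilterfw "--get*" answer to on|off.
# "disabled" is checked first so an answer like "Block all DISABLED!" is not read
# as enabled; the block-all "on" answer is worded "...block all..." instead.
_fw_flag() {
  case "$1" in
    *[Dd][Ii][Ss][Aa][Bb][Ll][Ee][Dd]*)            echo off ;;
    *[Ee][Nn][Aa][Bb][Ll][Ee][Dd]*|*"block all"*)  echo on ;;
    *)                                            echo off ;;
  esac
}

# fw_summary GLOBAL STEALTH BLOCKALL -> "firewall=.. stealth=.. blockall=.."
fw_summary() {
  echo "firewall=$(_fw_flag "$1") stealth=$(_fw_flag "$2") blockall=$(_fw_flag "$3")"
}

# fw_status: one-line summary of the live state (needs sudo; no-op off macOS).
fw_status() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  fw_summary "$(sudo "$FW" --getglobalstate)" \
             "$(sudo "$FW" --getstealthmode)" \
             "$(sudo "$FW" --getblockall)"
}

# fw_apply home|public: the §2.2 profiles. Stealth is on everywhere (TL;DR);
# only the public profile turns on block-all.
fw_apply() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  case "$1" in
    home)   blockall=off ;;
    public) blockall=on ;;
    *) echo "usage: fw_apply home|public" >&2; return 2 ;;
  esac
  sudo "$FW" --setglobalstate on       >/dev/null
  sudo "$FW" --setstealthmode on       >/dev/null
  sudo "$FW" --setallowsigned on       >/dev/null   # built-in signed software
  sudo "$FW" --setallowsignedapp on    >/dev/null   # downloaded, signed software
  sudo "$FW" --setblockall "$blockall" >/dev/null
  fw_status
}

# fw_allow_app PATH: explicit inbound allow for one app (the §2.3 GUI step).
fw_allow_app() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  sudo "$FW" --add "$1" >/dev/null && sudo "$FW" --unblockapp "$1"
}

fw_status
```

Usage: source the file, then fw_apply public before joining hotel Wi-Fi and fw_apply home when you're back; fw_allow_app /Applications/MyDevTool.app when something legitimately needs inbound. Note that block-all overrides per-app allows, which is exactly why the public profile breaks LAN-facing dev servers.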

3. Gatekeeper — app validation

3.1 What it does

When macOS launches a quarantined app for the first time (anything a browser, Mail or AirDrop saved carries the com.apple.quarantine attribute):

  1. Verify the code signature (Apple Developer ID or App Store)
  2. Verify notarization (proof Apple's malware scan passed; the ticket is stapled into the app or looked up online)
  3. Run only if both succeed; otherwise block with a warning

Files that never had the quarantine attribute (fetched with curl, built locally) are not assessed at all, so Gatekeeper is a check on downloads, not a general allow-list.

3.2 Keep the default

System Settings → Privacy & Security → Security → "Allow applications downloaded from":

  • App Store — strictest
  • App Store and identified developers — default (recommended)
  • The "Anywhere" option disappeared from this menu back in macOS Sierra; it only reappears after the spctl bypass in §3.4, which you shouldn't run

3.3 One-off allow for unsigned apps (dev builds, etc.)

To run an unsigned (or unnotarized) app once:

# A. Override in the GUI
# macOS 14: in Finder, right-click the app → Open → click Open in the warning; it'll launch from then on
# macOS 15: the right-click override is gone. Launch once, get the block, then
#           System Settings → Privacy & Security → Open Anyway
 
# B. Strip the quarantine attribute (risky — only for software you built or fully trust)
# -r matters: the attribute is usually set on the files inside the bundle too, not just the top level
xattr -dr com.apple.quarantine /path/to/MyApp.app

3.4 Disabling Gatekeeper (DON'T)

# ❌ Don't run this
sudo spctl --master-disable

This turns off signature checks for every app and opens the door. Even as a developer, don't disable it — use §3.3 for ad-hoc cases.

3.5 Verify

spctl --status
# assessments enabled    ← good
 
# Check a specific app
spctl --assess --verbose /Applications/SomeApp.app
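Added example (not the page's own code): inspect a download the way Gatekeeper will, before double-clicking it. It decodes the quarantine attribute (who downloaded it and when), checks who signed the bundle and whether the signature is still intact, and condenses the spctl verdict to one line. xattr, codesign and spctl are the real macOS tools; quarantine_decode, gk_verdict, gk_inspect and the sample values in the comments are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page. xattr, codesign and spctl are the
# real macOS tools; quarantine_decode / gk_verdict / gk_inspect are this example's.

# quarantine_decode VALUE: a com.apple.quarantine value is "flags;hex-time;agent;uuid".
# Prints "flags=<hex> downloaded=<unix seconds> agent=<name>". The time field is
# hex seconds since the epoch; the agent is the app that wrote the attribute.
quarantine_decode() {
  printf '%s\n' "$1" | {
    IFS=';' read -r flags hextime agent _uuid
    [ -n "$hextime" ] || hextime=0
    echo "flags=${flags:-?} downloaded=$((0x$hextime)) agent=${agent:-unknown}"
  }
}

# gk_verdict TEXT: condense `spctl --assess -vv` output to "accepted (source)" or
# "rejected (source)". Only a "Notarized Developer ID" / "App Store" source means
# both checks in §3.1 passed.
gk_verdict() {
  verdict=rejected
  printf '%s\n' "$1" | grep -q ': accepted' && verdict=accepted
  source=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
  echo "$verdict (${source:-unknown})"
}

# gk_inspect APP.app: what Gatekeeper would decide, without launching anything.
gk_inspect() {
  app=$1
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
    quarantine_decode "$q"
  else
    echo "no quarantine attribute: Gatekeeper will not assess this app at launch"
  fi
  # Who signed it? No Authority line means unsigned or ad-hoc signed.
  codesign -dvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' \
    || echo "no signing authority (unsigned or ad-hoc signed)"
  # Is the signature still intact? Fails if the bundle was modified after signing.
  codesign --verify --deep --strict -vv "$app" 2>&1 | sed 's/^/codesign: /'
  # Gatekeeper's own decision.
  gk_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)"
}

gk_inspect "${1:-/Applications/Safari.app}"
```

A "rejected (no usable signature)" on something you were about to xattr -dr is the moment to stop: the §3.3 bypass is for your own builds, not for a download whose origin you can't verify.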

4. XProtect — malware quarantine

4.1 What it does

A background malware scanner built into macOS. No setup needed.

  • Signature-based: matches files against Apple's YARA rules for known malware families
  • Checks quarantined downloads and apps on first launch; XProtect Remediator also scans periodically in the background and removes known infections
  • Apple pushes definition updates silently (separate from system updates)

4.2 Confirm auto-updates

System Settings → General → Software Update → Automatic Updates:

  • Install Security Responses and system files — includes XProtect definitions, must be ON

4.3 Verify

# Installed XProtect rule-set version (an integer that goes up with each update, not a date)
defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info CFBundleShortVersionString
 
# Or
sudo /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist

A four-digit version number is normal. The date of the last definition install is in System Information → Installations (entries named XProtectPlistConfigData / XProtectPayloads); a gap of more than a few weeks means updates aren't arriving.
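Added example (not the page's own code): report the installed XProtect version together with the age of the last XProtect data install, pulled from the same install history System Information shows, and flag it when it is older than a threshold. defaults, system_profiler and date are real tools; the xp_* helpers, the 30-day threshold, the macOS 15 xprotect hint and the XP_SAMPLE text are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page. defaults, system_profiler and date
# are real tools; the xp_* helpers, the 30-day threshold and XP_SAMPLE are this
# example's own.
XP_INFO=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info

# xp_last_install_date: read `system_profiler SPInstallHistoryDataType` text on
# stdin, print the newest YYYY-MM-DD found under an XProtect* entry ("" if none).
xp_last_install_date() {
  awk '
    /^ *XProtect[A-Za-z]*:$/  { inside = 1; next }   # e.g. "XProtectPlistConfigData:"
    /^ *[A-Za-z][^:]*:$/      { inside = 0 }         # any other entry header
    inside && /Install Date:/ {
      if (match($0, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/))
        print substr($0, RSTART, RLENGTH)
      inside = 0
    }
  ' | sort | tail -n 1
}

# xp_days_since FROM [TODAY]: whole days between two YYYY-MM-DD dates.
# macOS date(1) and GNU date(1) parse dates differently, hence the branch.
xp_days_since() {
  today=${2:-$(date +%Y-%m-%d)}
  if [ "$(uname -s)" = Darwin ]; then
    a=$(date -j -f %Y-%m-%d "$1" +%s); b=$(date -j -f %Y-%m-%d "$today" +%s)
  else
    a=$(date -d "$1" +%s);             b=$(date -d "$today" +%s)
  fi
  echo $(( (b - a + 43200) / 86400 ))   # +12h rounds away DST / time-of-day jitter
}

# xp_report: version + age of the installed definitions; non-zero exit past 30 days.
xp_report() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  echo "XProtect bundle version: $(defaults read "$XP_INFO" CFBundleShortVersionString)"
  last=$(system_profiler SPInstallHistoryDataType | xp_last_install_date)
  [ -n "$last" ] || { echo "no XProtect entries in install history"; return 1; }
  age=$(xp_days_since "$last")
  echo "last XProtect data install: $last ($age days ago)"
  if [ "$age" -gt 30 ]; then
    echo "STALE: check Software Update → Automatic Updates → Security Responses"
    command -v xprotect >/dev/null 2>&1 && echo "macOS 15+: try 'sudo xprotect update'"
    return 1
  fi
}

# Constructed sample of the install-history layout (not from a real machine).
XP_SAMPLE='Install History:

    XProtectPlistConfigData:

      Version: 2190
      Source: Apple
      Install Date: 2024-06-12, 10:01

    Safari:

      Version: 17.5
      Source: Apple
      Install Date: 2024-07-01, 09:00

    XProtectPayloads:

      Version: 133
      Source: Apple
      Install Date: 2024-07-10, 03:12'

echo "sample: newest XProtect install $(printf '%s\n' "$XP_SAMPLE" | xp_last_install_date)"
xp_report
```

The non-zero exit from xp_report is deliberate so the check can sit in a cron job or a fleet script; 30 days is a generous threshold, Apple usually ships new rules more often than that.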

4.4 Optional supplemental AV

XProtect only catches known malware. Zero-days and sophisticated attacks slip through. Optional:

  • Malwarebytes — Mac, free tier
  • CrowdStrike / SentinelOne — enterprise EDR

For individual developers, XProtect + Malwarebytes is usually enough. Stacking antivirus tools tanks performance.


5. SIP (System Integrity Protection)

5.1 What it does

Prevents modifications to protected system locations even as root. macOS's own self-protection.

  • Protects /System, /usr, /bin, /sbin, /var and the preinstalled Apple apps (not /usr/local, /Applications or your home directory)
  • Blocks loading unsigned / unapproved kernel extensions
  • Blocks attaching a debugger to, or injecting code into, system processes

5.2 Check status

csrutil status
# System Integrity Protection status: enabled.

enabled is correct. Never disable — very dangerous.

Disabling is only possible from macOS Recovery, and it's effectively never needed by regular users.


6. Recommended extras — lock + auto-lock

6.1 Screen lock shortcut

System Settings → Lock Screen:

  • Turn display off when inactive: 5 minutes
  • Require password after screen saver begins or display is turned off: Immediately (this is the setting that actually locks; the display timeout alone doesn't)

Quick lock:

  • Ctrl + Cmd + Q — lock instantly

6.2 Disable auto-login

System Settings → Users & Groups:

  • Automatically log in as: Off (greyed out while FileVault is on, since FileVault disables automatic login anyway)

6.3 Hide notification content on the lock screen

System Settings → Notifications → Show previews → "When unlocked"

Don't show message content from the lock screen. Prevents work messages and SMS verification codes from leaking.


7. SSH key security

An SSH private key without a passphrase sits unencrypted on disk: FileVault protects it on a stolen laptop, but not from malware running as you or from a copied ~/.ssh. Hardening:

7.1 Use a passphrase

# Enter a passphrase when generating
ssh-keygen -t ed25519 -C "you@example.com"

An empty passphrase is convenient but means an instantly usable key if leaked — not recommended.

7.2 Use the macOS Keychain

~/.ssh/config:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

The passphrase is stored in the macOS Keychain → enter it once, then automatic.
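Added example (not the page's own code) covering 7.1 and 7.2 together: audit every private key in ~/.ssh for weak type or size, a missing passphrase, and loose file permissions, then load the keys into the agent with the Keychain option. The ssh-keygen, ssh-add and stat flags are real (ssh-add --apple-use-keychain needs macOS 12 or later); the ssh_* helper names and the grading thresholds are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page. ssh-keygen/ssh-add/stat flags are real
# (ssh-add --apple-use-keychain needs macOS 12+); the ssh_* helpers are this example's.

# ssh_key_grade LINE: grade one `ssh-keygen -l` line, "<bits> <fingerprint> <comment> (<TYPE>)".
# ed25519/ecdsa are fine, RSA needs >= 3072 bits, DSA is always weak.
ssh_key_grade() {
  bits=${1%% *}
  type=${1##*\(}; type=${type%\)}
  case "$type" in
    ED25519|ECDSA) echo ok ;;
    RSA)           [ "$bits" -ge 3072 ] && echo ok || echo weak ;;
    DSA)           echo weak ;;
    *)             echo review ;;
  esac
}

# ssh_key_has_passphrase FILE: 0 if the private key refuses an empty passphrase.
# `-y -P ''` tries to read the key with no passphrase; success means it is stored in the clear.
ssh_key_has_passphrase() {
  ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# ssh_audit: one line per private key in ~/.ssh (type grade, passphrase, file mode).
ssh_audit() {
  for key in "${HOME:-.}"/.ssh/id_*; do
    [ -f "$key" ] || continue
    case "$key" in *.pub) continue ;; esac
    mode=$(stat -f %Lp "$key" 2>/dev/null || stat -c %a "$key")   # BSD stat, then GNU
    # Prefer the .pub next to it; reading an encrypted private key would prompt.
    line=$(ssh-keygen -l -f "$key.pub" 2>/dev/null || ssh-keygen -l -f "$key" 2>/dev/null || true)
    grade=$(ssh_key_grade "$line")
    if ssh_key_has_passphrase "$key"; then pp=yes; else pp=NO; fi
    echo "$key  mode=$mode  type=$grade  passphrase=$pp"
    [ "$mode" = 600 ] || echo "  -> fix: chmod 600 $key"
  done
}

# ssh_load_keychain [KEY]: the §7.2 step from the CLI; prompts once, Keychain remembers.
ssh_load_keychain() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS, skipped"; return 0; }
  ssh-add --apple-use-keychain "${1:-$HOME/.ssh/id_ed25519}"
}

command -v ssh-keygen >/dev/null 2>&1 && ssh_audit
```

Any key reported with passphrase=NO can be fixed in place without regenerating: ssh-keygen -p -f ~/.ssh/id_ed25519 sets a passphrase on the existing key, after which ssh_load_keychain makes the Keychain supply it.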

7.3 1Password SSH agent (optional)

The most secure setup. SSH keys live in a 1Password vault and every auth requires Touch ID.

More: /multi-os/password-manager.


8. Verify — one-shot baseline check

echo "=== FileVault ==="
fdesetup status
 
echo "=== Firewall ==="
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
 
echo "=== Gatekeeper ==="
spctl --status
 
echo "=== SIP ==="
csrutil status
 
echo "=== Auto Login ==="
defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null && echo "AUTO LOGIN ON — disable it" || echo "auto login OFF"

Expected output:

FileVault is On.
Firewall is enabled. (State = 1)
Stealth mode enabled
assessments enabled
System Integrity Protection status: enabled.
auto login OFF

All six lines as above = safe baseline.


9. Troubleshooting

Password prompted twice on boot after enabling FileVault

  • Not the default: the pre-boot unlock normally passes you straight through to the desktop
  • A second prompt means pass-through is off (the loginwindow DisableFDEAutoLogin setting, usually pushed by MDM as deliberate hardening). If it's company policy, leave it; if not, that setting is the thing to check

App stops working because of the firewall

  • Likely an app that needs inbound (dev server, game host)
  • Firewall → Options → + to allow it explicitly
  • Or accept the prompt when it first asks

Gatekeeper blocks an app from a developer you trust

  • Usually the notarization ticket wasn't stapled into the app and the online lookup failed (offline, captive portal, or a temporary hiccup in Apple's service)
  • Retry with working network in 5-30 minutes; if it's still rejected, the signature may be revoked or the bundle modified, so assess it (§3.5) before using right-click → Open

XProtect definitions look stale

  • Confirm Software Update → Automatic Updates → "Install Security Responses and system files" is ON
  • Run Software Update manually; macOS 15 also ships a command-line xprotect tool whose check / update subcommands force a pull

Apple Silicon Mac needs a third-party kernel extension

  • Apple Silicon only loads third-party kexts after switching to Reduced Security and allowing user management of kernel extensions (macOS Recovery → Startup Security Utility); the kext itself still has to be signed and notarized
  • Avoid if possible. Most vendors now ship system extensions / DriverKit drivers instead, which need none of this

"This app is damaged and can't be opened"

  • That's Gatekeeper: a quarantined app whose signature doesn't verify (ad-hoc signed local build, bundle modified after signing, expired or revoked certificate). It is not an Intel/ARM mismatch, which produces a different error
  • If you built it yourself or fully trust the source: xattr -cr /path/to/App.app, then retry. Otherwise treat the download as suspect and assess it first (§3.5)

10. What's next



Changelog

  • 2026-05-16: First draft. FileVault + Firewall + Gatekeeper + XProtect + SIP + SSH security + one-shot verify script + six troubleshooting cases.
