Your Mac is pretty safe on your private home network, but what about when you're surfing the Web in coffee shops? Anyone with a computer and rudimentary hacking skills could target you, which is why it's important to make sure your Mac's built-in firewall is enabled and that stealth mode is turned on.
macOS's firewall feature blocks unwanted network traffic coming into your computer, and stealth mode makes your Mac essentially invisible to hackers snooping for computers to target. They aren't foolproof features, but they will keep most people from finding and attacking your Mac on public networks.
First, you need to make sure your Mac's firewall is enabled:
• Go to Apple menu > System Preferences.
• Choose Security & Privacy.
• Select the Firewall tab.
• If the firewall is active you’ll see a green dot and "Firewall: On." If not, click Turn Firewall On. You may have to click the padlock icon and authenticate with your Mac's password to change the setting.
Next, enable stealth mode:
• Click Firewall Options. It's below the button for turning the firewall on and off.
• Check Enable stealth mode.
• Click OK.
"Automatically allow built-in software to receive incoming connections" and "Automatically allow downloaded signed software to receive incoming connections" should already be checked. Those settings let the apps you already have communicate through the firewall without you having to take any extra steps. Leave those checked unless you know what you're doing and plan to manage app network access manually. You should leave "Block all incoming connections" unchecked too, unless all you're doing is surfing the Web.
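The same two settings can be checked from Terminal. The script below is an added example, not part of the original article: it queries Apple's `socketfilterfw` tool for the firewall and stealth mode states. The helper names (`classify`, `fw_query`, `audit`) are hypothetical, and the exact wording of the tool's output is an assumption, so matching is kept loose.

```bash
#!/bin/bash
# Added example: report whether the macOS firewall and stealth mode are on.
# FW_TOOL is Apple's application firewall CLI. The wording of its output is
# an assumption, so classify() only looks for enabled/on vs disabled/off.
FW_TOOL="${FW_TOOL:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# classify <text>: print "on", "off" or "unknown" for one line of tool output.
classify() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *disabled*|*" off"*) echo off ;;
    *enabled*|*" on"*)   echo on ;;
    *)                   echo unknown ;;   # empty or unrecognised output
  esac
}

# fw_query <flag>: run the firewall tool with one query flag.
fw_query() { "$FW_TOOL" "$1" 2>/dev/null; }

# audit: print each setting's state; return 0 only if both report "on".
audit() {
  rc=0
  for check in "firewall:--getglobalstate" "stealth mode:--getstealthmode"; do
    name=${check%%:*}
    flag=${check#*:}
    out=$(fw_query "$flag") || out=""
    state=$(classify "$out")
    printf '%-13s %s\n' "$name" "$state"
    # Anything other than a clear "on" counts as a failure, including
    # output the script could not interpret.
    [ "$state" = on ] || rc=1
  done
  return $rc
}

# Run the audit only where the tool exists (that is, on a Mac).
if [ -x "$FW_TOOL" ]; then
  audit || {
    echo "To turn both settings on:"
    echo "  sudo $FW_TOOL --setglobalstate on"
    echo "  sudo $FW_TOOL --setstealthmode on"
  }
fi
```

An "unknown" result means the output did not match either pattern; confirm the setting in the Firewall tab instead.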
If you’ve been using FileVault from the time you set up your Mac, that encryption is extremely strong, and erasing the drive deletes the passphrase-protected encryption key. That makes the contents effectively irretrievable, and no additional erasure is needed for an SSD or HDD. If you didn’t use FileVault, here are your options.
Unless you’re dealing with secrets that would lead to the overthrow of governments, using Disk Utility’s secure erase feature meets the mark. HDDs can also be physically destroyed with a drill equipped with a bit suitable for puncturing the metal casing. A hammer and chisel could work, too. If you have a dead HDD and if you think anyone with motivation might pay to have the data recovered, physical destruction is the only way to ensure data isn’t readable.
Data is written in an unpredictable fashion on SSDs to distribute the wear across all the memory cells in the solid-state device. As a result, a secure erase feature doesn’t work at all, as it may not overwrite all the data. Physical destruction is really the only course of action, which is an unfortunate waste of technology. And if you have a Mac in which the SSD isn’t removable, but part of the computer, that’s even worse.
Fortunately, the various kinds of RAM used by generations of Macs are all volatile memory: the contents disappear instantly or shortly after a device is powered down. So far, there’s no way to recover any traces of data from RAM chips.
Apple has today launched its new Data and Privacy website, allowing Apple users to download everything that Apple personally associates with their account, from Apple ID info, App Store activity and AppleCare history to data stored in iCloud like photos and documents. This is currently only available in the European Union, Iceland, Liechtenstein, Norway, and Switzerland to comply with GDPR, but will roll out worldwide in the coming months.
The new online tools allow customers to get a copy of all data associated with an Apple ID. You can request account details and sign-in records and data such as contacts, calendars, notes, bookmarks, reminders, photos and documents. Apple also stores info like app usage statistics for Apple Music and Game Center, a purchase history of items bought from the App Store and iTunes Store, AppleCare support history and marketing records.
Only data that is personally identifiable can be found here. This can all be downloaded with a few simple clicks on the privacy portal. To obtain a copy of your data:
1. Log in to privacy.apple.com.
2. Select the "Get started" link under the "Get a copy of your data" heading.
3. Tick the boxes of the categories of data you want to download (iCloud Photos, Mail and Drive are separated into a separate list as this data may be exceptionally large).
4. Press Continue.
5. Select your preferred maximum file size (Apple will split up the data into chunks, up to a maximum of 25 GB) and press Continue.
Your data request is now in progress. Data like iCloud Photos will take a long time to generate as there are potentially tens of gigabytes of files. It can take up to a week to prepare the downloads. Apple notifies you when the data is ready to download, and it is automatically deleted after 2 weeks.
Apple says it provides all data in standards-compatible formats. This means it can be used as a way to move all your data to a new cloud service, as well as transparently showing customers what data Apple keeps on them.
Whilst these features will roll out later in the year for other regions, all customers can request data corrections, deactivate or delete their account. You can do this by following the links on the main page.
Deactivation means that Apple will stop processing any data relating to your Apple ID. You will not be able to access any store purchases from iTunes, iBooks or the App Store. You will not be able to access any iCloud data, or use iCloud services like FaceTime or iMessage. You are literally cutting yourself off from the Apple connected world. Apple will verify all deactivation requests to prevent abuse. Apple doesn’t delete your info; it just stops anyone, including Apple, from accessing it whilst the account is deactivated. You can re-enable the account by logging back in to the privacy portal and choosing to reactivate it.
Permanent deletion takes this one step further, essentially asking Apple to remove all data they have stored on you - forever. This process is not reversible once initiated.
Mac users in higher security risk situations may wish to enable an optional firmware password on their machines, which offers an advanced level of protection. In short, a firmware password is a lower level layer of security that is set on the actual Mac logic board firmware, rather than at the software layer like FileVault encryption or the standard login password.
The result of setting a firmware password is that a Mac cannot be booted from an external boot volume, into single user mode, or into target disk mode, and its PRAM cannot be reset or safe mode entered, without first entering the firmware password. This effectively prevents a wide variety of methods that could potentially be used to compromise a Mac, and offers exceptional security for users who require such protection.
Like any other essential password, use something memorable but complex, and do not forget a firmware password after it has been set. A lost firmware password is unrecoverable on most modern Macs without a visit to an Apple Store for service and recovery.
Setting a firmware password is rather simple.
• Start up from macOS recovery mode by holding down Command (⌘)-R immediately after turning on your Mac. Release the keys when you see the Apple logo.
• When the utilities window appears, choose Utilities > Firmware Password Utility from the menu bar. On iMac Pro, choose Startup Security Utility instead.
• Click Turn On Firmware Password.
• Enter a firmware password in the fields provided, then click Set Password.
• Quit the utility, then choose Apple menu > Restart.
The firmware password prompt does not appear during a regular restart or boot of the Mac; it becomes mandatory only when the Mac is started by an alternate method. That includes booting from a macOS installer drive, an external boot volume, recovery mode, single user mode, verbose mode or target disk mode, resetting the PRAM, or any other alternative booting approach, each of which summons the rather plain-looking firmware password window. There are no password hints or additional details provided, only a simple lock logo and a text entry screen. An incorrectly entered firmware password does nothing and offers no indication of login failure except that the Mac won't boot as anticipated.
To reset a login password in OS X Mountain Lion or later, restart the Mac and hold down Command-R to boot into the Recovery HD partition. From the Utilities menu, choose Terminal to open it. In Terminal type:
and press Return.
In macOS Sierra and macOS High Sierra, a Reset Password assistant will launch. Choose the user account or admin account you want to reset the password for. Enter a new password, confirm the new password, set (if you like) a password hint and then click "Next" to set the new password for the account in question. Choose "Restart" and, when the Mac boots up, use the newly reset password to log in to the computer.
In OS X Mountain Lion, OS X Mavericks, OS X Yosemite and OS X El Capitan, a Reset Password window will appear that lists all the bootable volumes attached to your Mac. Select the volume that contains the account you want to reset and choose the user name that needs its password reset. Enter and verify a new password in the appropriate fields and, if you like, enter a password hint. Click Save and the new password is applied to the account.