Enabling Apple OSX Encryption & Firewall


Lately, several friends have purchased their first Apple laptops. One common question is “How should I secure it?” Since I have answered several email inquiries within the last month, I thought this topic was worth a blog entry.

The top two features that I recommend immediately enabling are disk encryption via Apple’s FileVault feature and a software firewall via Apple’s Firewall feature.

Here’s how to do this:

  1. System Preferences is the Equivalent of Control Panel:
    • In your dock bar, click the “System Preferences” application icon
      (Note: if you have hidden this icon, open Finder, click the Applications favorite, and scroll down to “System Preferences.app”)
    • Under the “Personal” row, click the “Security & Privacy” icon
  2. Turn on disk encryption:
    • Click the “FileVault” tab
    • Click the lock icon on the lower-left and enter your password, to unlock the GUI
    • Click the “Turn On FileVault…” button
    • Enable every user account
      (Note: a user who is not enabled cannot unlock the encrypted disk at startup; an enabled user will have to log in first and then hand the machine over, which is not convenient)
    • Once all accounts are enabled, click the Continue button
    • Your FileVault recovery key will be presented to you
    • Write down or print out your recovery key and keep it in a safe place, not on the laptop itself: if every enabled account’s password is forgotten, the recovery key is the only way to unlock the disk, and without it the data cannot be recovered
    • Click the Continue button
    • Select “Do not store the recovery key with Apple” and click the Continue button
    • Click Restart to complete the process and restart the computer
  3. Re-enter “Security & Privacy”
    • Click the “System Preferences” application icon
    • Under the “Personal” row, click the “Security & Privacy” icon
  4. Turn on the software firewall:
    • Click the “Firewall” tab
    • Click the “Turn On Firewall” button
    • Click the “Firewall Options” button
    • Check the “Enable stealth mode” checkbox (the Mac then ignores probe traffic such as ping and port scans instead of answering it)
    • Uncheck “Automatically Allow Signed Software…” (otherwise any code-signed application may accept incoming connections without you being asked)
    • Unless you are actively using sharing features, check the “Block all Incoming Connections” checkbox
    • Click the OK button
    • Click the unlocked icon on your lower-left to lock it

If you regularly use public hotspots, blocking all incoming connections, as described above, is the best practice. It does, however, prevent several features from working, so be aware that when you need one of them you will have to return to the Firewall tab and uncheck “Block all Incoming Connections” (and re-check it when you are done). The features blocked include Time Machine or Time Capsule backups over the network (a Time Machine disk attached by USB works fine), file sharing, remote assistance, incoming VoIP calls (making calls works fine), and sharing iTunes libraries with other family members.
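The following shell script, added here as an example and not part of the original post, checks from Terminal whether the settings above are actually in effect, which is handy after an OS update or when helping someone over email. fdesetup and socketfilterfw are the real macOS command-line tools behind the FileVault and Firewall panes; the sample outputs embedded in the script are constructed from the wording those tools print (the exact text is an assumption), and are used only when the tools are not present, so the script also runs on a non-Mac. The firewall queries may need sudo on some releases.

```shell
#!/bin/sh
# Added example (not from the original post): audit the FileVault and
# Application Firewall settings the post enables through System Preferences.
# fdesetup and socketfilterfw are real macOS tools; the SAMPLE_* strings are
# constructed from their wording (an assumption about the exact text) and are
# used only when the tools are missing, e.g. when run on Linux for testing.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample outputs describing a Mac with FileVault, the firewall and
# stealth mode on, but "block all" off and "allow signed" still on, i.e. two of
# the post's recommended settings have not been applied yet.
SAMPLE_FILEVAULT='FileVault is On.'
SAMPLE_GLOBAL='Firewall is enabled. (State = 1)'
SAMPLE_STEALTH='Stealth mode enabled'
SAMPLE_BLOCKALL='Block all DISABLED!'
SAMPLE_ALLOWSIGNED='Automatically allow signed built-in software ENABLED
Automatically allow downloaded signed software ENABLED'

# state_of OUTPUT -> prints "on" or "off" from the tool's wording.
# "disabled" does not contain "enabled" and "is Off" does not match "is on",
# so one case-insensitive pattern covers all five commands.
state_of() {
    if printf '%s\n' "$1" | grep -qi -e 'enabled' -e 'is on'; then
        echo on
    else
        echo off
    fi
}

# capture SAMPLE CMD [ARGS...] -> output of CMD if it exists, else SAMPLE.
capture() {
    sample=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>/dev/null
    else
        printf '%s\n' "$sample"
    fi
}

# check NAME WANT GOT -> prints one line and counts deviations in $bad.
check() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1 is $3"
    else
        echo "FIX  $1 is $3, want $2"
        bad=$((bad + 1))
    fi
}

# audit FILEVAULT GLOBAL STEALTH BLOCKALL ALLOWSIGNED
# Compares the five outputs with the post's recommendations; the return value
# is the number of settings that still differ (0 means fully configured).
audit() {
    bad=0
    check 'FileVault'             on  "$(state_of "$1")"
    check 'Firewall'              on  "$(state_of "$2")"
    check 'Stealth mode'          on  "$(state_of "$3")"
    check 'Block all incoming'    on  "$(state_of "$4")"
    check 'Allow signed software' off "$(state_of "$5")"
    return "$bad"
}

# Run the audit against the live system, or the constructed samples elsewhere.
run_audit() {
    audit "$(capture "$SAMPLE_FILEVAULT"   fdesetup status)" \
          "$(capture "$SAMPLE_GLOBAL"      "$SFW" --getglobalstate)" \
          "$(capture "$SAMPLE_STEALTH"     "$SFW" --getstealthmode)" \
          "$(capture "$SAMPLE_BLOCKALL"    "$SFW" --getblockall)" \
          "$(capture "$SAMPLE_ALLOWSIGNED" "$SFW" --getallowsigned)"
}

run_audit || echo "$? setting(s) differ from the recommended configuration"
```

On the constructed samples the script flags “Block all incoming” and “Allow signed software”, the two items most often left at their defaults; on a Mac the same lines tell you exactly which checkbox in the Firewall tab still needs a visit, and a zero exit status means everything in the post is in place.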