Mac Security Article #1 - Physical
Article ID = 81Article Title = Mac Security Article #1 - Physical
Article Author(s) = Graham Needham (BH)
Article Created On = 22nd May 2012
Article Last Updated = 15th March 2018
Article URL = https://www.macstrategy.com/article.php?81
Article Brief Description:
Physical security recommendations for your Mac computer
Physical Security
Regardless of many of the security measures you may put in place one of the most overlooked aspects is physical security. This article has the following sections: It is number one in a series of MacStrategy security articles.Physical Access
Someone can either sit at your computer when you are not there or your computer/laptop can easily be lost or stolen. Other than setting up specific secure access procedures such as those used for server environments (e.g. cages, locked rooms, logged physical access, security alarms) there are some basic things that anyone can do to help protect your computer and data:Password Protection And Disable Automatic Login (OS X 10.7 or later)
- Go to Apple Menu > System Preferences > Users & Groups
- If the padlock icon in the bottom left is locked click on it to unlock it (enter your administrator user name and password)
- Click "Login Options" in the bottom left
- Set the 'Automatic Login' pop-up menu to "Off"
- Set 'Display Login Window' as "Name and password"
- Untick "Show fast user switching menu as"
- Click the "Show All" button in the top left
- Click the "Security & Privacy" icon (> General tab)
- Tick "Require password" for sleep and screen saver (we recommend "immediately" or "after 5 seconds")
- (Optional) Tick "Show a message when the screen is locked" (if listed - later versions of macOS only), click "Set Lock Message…" and enter a suitable message e.g. "Reward offered for this lost/stolen computer - please contact Joe Bloggs: +1 555-5555 or joe_bloggs@icloud.com" (make sure the email address is accessible from a different computer/device to the one you are setting this message on).
- Tick "Disable automatic login" (if listed)
- Click the "Advanced" button in the bottom right
- Tick "Log out after xx minutes of inactivity" (where xx is your required inactivity timeframe)
- Tick "Require an administrator password to access locked/system-wide preferences"
- Tick "Automatically update safe downloads list" (if listed)
- Tick "Disable restarting Safari when screen is locked" (if listed)
- Tick "Disable remote control infrared receiver" (if listed)
- Click the "OK" button
- Click the "Show All" button in the top left
- Click the "Desktop And Screen Saver" icon
- Click the "Screen Saver" tab
- Select a screen saver on the left side of the window
- Set 'Start' Screen Saver after to anything other than "Never" (a maximum of 5 minutes is usually a good choice but the lower the better) NOTE: If you want to, you can click on the "Hot Corners" button and set one of the corners of the screen to "Start Screen Saver". This allows you to move the mouse pointer to the corner of the desktop specified to launch the screen saver immediately
- Click the padlock icon in the bottom left to lock it
Password Protection And Disable Automatic Login (Mac OS X 10.4, 10.5 And 10.6)
- Go to Apple Menu > System Preferences > Accounts
- If the padlock icon in the bottom left is locked click on it to unlock it (enter your administrator user name and password)
- Click "Login Options" in the bottom left
- Set the 'Automatic Login' pop-up menu to "Disabled"
- Set 'Display Login Window' as "Name and password"
- Untick "Enable Fast User Switching"
- Click the "Show All" button in the top left
- Click the "Security" icon
- Tick "Require password to wake this computer from sleep or screen saver"
- Tick "Disable automatic login"
- Tick "Require password to unlock each System Preference pane"
- Tick "Log out after xx minutes of inactivity" (where xx is your required inactivity timeframe)
- Tick "Use secure virtual memory"
- Click the "Show All" button in the top left
- Click the "Desktop And Screen Saver" icon
- Click the "Screen Saver" tab
- Select a screen saver on the left side of the window
- Set 'Start Screen Saver' to anything other than "Never" (5 minutes is usually a good choice) NOTE: If you want to, you can click on the "Hot Corners" button and set one of the corners of the screen to "Start Screen Saver". This allows you to move the mouse pointer to the corner of the desktop specified to launch the screen saver immediately
- Click the padlock icon in the bottom left to lock the Preferences
Set A Strong User Account Password (All Versions Of OS X)
- Go to Apple Menu > System Preferences > Accounts or Users & Groups
- If the padlock icon in the bottom left is locked click on it to unlock it (enter your administrator user name and password)
- Select your user account on the left side of the window
- Click the "Password" tab on the right
- Click the "Change Password" button in the top left
- Enter the details as required setting a strong password for "New password" (remember you can use the Password Assistant here by clicking on the key icon)
- Click the "Change Password" button
- Click the padlock icon in the bottom left to lock the Preferences
Set An Open Firmware Password (Modern Mac Computers Only)
Follow Apple's instructions to set an open firmware password.Multiple Users On One Computer
Create user accounts for each individual person. Most people will only need a "standard" account.- Go to Apple Menu > System Preferences > Accounts or Users & Groups
- If the padlock icon in the bottom left is locked click on it to unlock it (enter your administrator user name and password)
- Click the "+" button in the bottom left corner
- Select the required user type from the 'New Account' pop-up menu (usually "Standard")
- Enter the details as required setting a strong password for "New password" (remember you can use the Password Assistant here by clicking on the key icon)
- Click the "Create User" button
- Click the padlock icon in the bottom left to lock the Preferences
Child/Managed Accounts (Parental Controls)
- Go to Apple Menu > System Preferences > Accounts or Users & Groups
- If the padlock icon in the bottom left is locked click on it to unlock it (enter your administrator user name and password)
- Click the "+" button in the bottom left corner
- Select "Managed with Parental Controls" from the 'New Account' pop-up menu
- Enter the details as required setting a strong password for "New password" (remember you can use the Password Assistant here by clicking on the key icon)
- Click the "Create User" button
- Click the "Show All" button in the top left
- Click the "Parental Controls" icon
- Configure Parental Controls as required
- Click the padlock icon in the bottom left to lock the Preferences
Guests
If someone just wants to "jump on your computer to check their webmail" consider setting up a specific guest account for them to use (Mac OS X 10.5 or later):- Go to Apple Menu > System Preferences > Accounts or Users & Groups
- If the padlock icon in the bottom left is locked click on it to unlock it (enter your administrator user name and password)
- Select the "Guest Account" or "Guest User" account on the left side of the window
- Tick "Allow guests " tab on the right
- Configure Parental Controls if required by ticking "Enable parental controls" and clicking "Open Parental Controls"
- It is probably best to untick "Allow guests to connect to shared folders" if it is not required
- Click the padlock icon in the bottom left to lock the Preferences
Cameras
Most Macs have a built-in (iSight) camera. Although it is generally only on when a software application specifically requests access to it some people may want to switch it off. Although there are scripts for this to be honest the best way of disabling the camera is simply to tape something over it.Physical Removal Of Components
You can help protect the components inside your computer such as the hard disk/SSD with your data on it on some Apple computers. Although some Mac computers make it hard to get at the internal components if your data is sensitive you may still want to consider encrypting it.Mac computers that are easy to get into but you can enhance their protection
- Mac Pro (all models)
- Power Macintosh G5 (all models)
- Power Macintosh G4 (all models)
- Power Macintosh G3 (Blue & White)
Mac computers that are easy to get into:
- MacBook Pro (Unibody model only - 2009 to 2011)
- MacBook (all models)
- iMac (G5 models only)
- Cube
- PowerBook G3 (all models)
NOTE: Although the Xserve had easy access to some components one would assume that as it is a server you have physical access security procedures already in place for it.
Mac computers that are relatively hard to get into:
- MacBook Pro (all models prior to the Unibody model - prior to 2009)
- MacBook Pro (Retina Display model onwards - 2012 and later)
- MacBook (Retina Display model onwards - 2012 and later)
- MacBook Air
- Mac mini (especially 2014 model onwards)
- iMac (all models except G5 model)
- eMac
- iBook (all models)
- PowerBook G4 (all models)
Mac computers that are hard to get into and have special internal components:
- MacBook Pro (2016 Thunderbolt 3 model onwards) - internal storage is soldered to the motherboard
Physical Removal Of Computer
NOTE: Although these recommendations will help against physical removal of your computer if your data is sensitive you may still want to consider encrypting it.Macs And Kensington Lock Slots
The following Mac computers have a Kensington lock slot:- iMac (all models)
- MacBook Pro (all models)
- MacBook (all models)
- Mac mini (white models only)
- Power Macintosh G4 (all models)
- Power Macintosh G3 (Blue & White)
- Cube
- eMac
- iBook (all models)
- PowerBook G4 (all models)
- PowerBook G3 (all models)
- Mac Pro (Silver)
- Power Macintosh G5 (all models)
- Mac Pro (Black) - however, there is an optional security lock adapter from Apple
- MacBook Pro (Retina Display model onwards - 2012 and later)
- MacBook (Retina Display model onwards - 2012 and later)
- MacBook Air (all models)
- Mac mini (Aluminium/silver models)
NOTE: Although the Xserve does not have a Kensington lock slot one would assume that as it is a server you have physical access security procedures already in place for it.
Locks And Cables
- Kensington (UK)
- MicroSaver DS Laptop Lock (flat key) [UK - K64591EU]
- MicroSaver Lock [UK - 64020]
- MicroSaver Dual Lock [UK - 64025]
- Combination Ultra Lock [UK - K64675EU]
- Kensington (USA)
- MicroSaver DS Laptop Lock (flat key) [USA - K64590US]
- MicroSaver Lock [USA - K64068F]
- MicroSaver Dual Lock [USA - K64025F]
- Combination Ultra Lock [USA - K64675US]
- Combination Lock [USA - K64673US]
- Tryten (USA)
- MacBook Pro Combination Lock
- MacBook Lock Pro
- MacBook Lock Pro - Master Keyed
- iMac Lock Pro
- iMac Lock T1
- iMac Lock T3
- iMac Lock T5
- Kensington (worldwide)
- MacLocks (USA)
- Mac Pro (Black) lock and security case bundle
- MacBook Pro (Retina Display) lock and security case bundle
- MacBook Air 11" lock and security case bundle
- MacBook Air 13" lock and security case bundle
- Applelocks (USA)
Computer Cages And Specialist Locks
- UK - PC Safe Mac Pro (silver) cage
- Worldwide - Identified Media Mac Pro (black) 'Switchd' lock
- Worldwide - Sonnet MacCuff mini Mac mini (aluminium) cage
- Worldwide - Sonnet MacCuff Pro Power Macintosh G5 / Mac Pro locking bracket
- Worldwide - Applelocks New Mac Mini Lock Mac mini (aluminium) cage
- USA - Tryten Security Mount Mac mini (aluminium) cage
Additional Solutions
- iAlertU software motion sensor alarm for modern Mac laptops
- SecuriKey an ignition key for your computer
If this information helped you or saved you time and/or money why not donate a little to us via PayPal?
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
If this information helped you or saved you time and/or money why not donate a little to us via PayPal?
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
Go to this
web page
to donate to us.
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
Go to this
web page
to donate to us.