Securing OSX
By default OSX is configured for ease of use, not for use in protected corporate environments. Since I use my Mac with highly sensitive corporate documents, I figured I could outline the steps I have taken to secure my machine…
Step 1: Do Not Use FileVault
FileVault is an OSX-specific feature that encrypts the entire home folder of a user. This means everything is well encrypted and cannot be accessed if the laptop is stolen. Unfortunately FileVault has issues with a large amount of software, including Finder (for example, folder view settings cannot be saved for your home folder) and Adobe Software Update. Adobe Software Update, for example, does not work at all when run on an account that has FileVault enabled. So unfortunately I recommend not using FileVault since it causes all kinds of issues.
Step 2: Set Up a Password
If you have not yet done so, please set a high-quality password for your account. Minimum 8 characters, including both numeric and non-numeric characters. To change your password, click on (Apple) – “System Preferences…” – “Accounts” – “Change password…”.
Step 3: Set the Proper Security Options
The first thing to do is to disable auto login. Click on (Apple) – “System Preferences…” – “Security” and set “Require password to wake this computer from sleep or screen saver” to Enabled, and also set “Disable automatic login” to Enabled. You might want to set “Log out after” to 60 minutes or so if you regularly forget to lock your workstation.

Step 4: Enable Fast User Switching
When you go for lunch or a meeting you often want to lock your machine quickly. In Windows you can do this by pressing (Windows Key) + “L” and it will lock the screen for you. In OSX, you have to enable Fast User Switching for this feature. Click on (Apple) – “System Preferences…” – “Accounts” – “Login Options” and enable “Enable fast user switching”. Set it to view as “Icon” if you want to save menu bar space. Also verify that “Automatic login” is set to “Disabled”.

Now, to quickly lock your Mac you just click on the user symbol to the top right and choose “Login Window…” to lock it just like you would by pressing (Windows key) + “L” on a PC.

Step 5: Encrypt your files
Did you know that if someone steals your Mac, they can just connect it with a Firewire cable and boot it up while holding the “T” key to make it appear as a giant external hard drive to another computer? Did you also know that all emails, calendar entries and contact information are stored unencrypted? This means that if someone steals your computer, it will take them less than a minute to access all your sensitive data using Firewire.
Since FileVault has many issues with software applications, you have to set up custom encryption instead. This is easier than it sounds. Do as follows:
5.1. Create an encrypted disk image
Start a Finder window and navigate to “Applications / Utilities” and start Disk Utility. Choose the menu “File” – “New” – “Blank Disk Image…”. Set “Save As” to “Encrypted.dmg” in your home folder, and set “Volume Name” to “Encrypted”. Give it a decent “Volume Size” (I have mine set to 30 GB), and set “Encryption” to “128-bit AES encryption”. Set it to 256-bit if you are paranoid. Leave the other settings at default and click on “Create”. It will now create and format the new disk image.
5.2. Set the disk image to auto mount
Click on (Apple) – “System Preferences” – “Accounts” – <Your Account> – “Login Items”. Now just drag with your mouse “Encrypted.dmg” from your home folder to the list of items that automatically start when you log in. Make sure it’s at the top of the list.
5.3. Move folders to the encrypted disk image
Close all applications and open two Finder windows. Create two folders called “Documents” and “Library” in the encrypted disk image. Now drag-while-holding-the-Command-key-to-move the folder “Microsoft User Data” from “<your home folder>/Documents/Microsoft User Data” to “<encrypted image>/Documents/Microsoft User Data”. Repeat to move the folder “<your home folder>/Library/Caches” to “<encrypted image>/Library/Caches” and “<your home folder>/Library/Mail” to “<encrypted image>/Library/Mail”.
5.4. Create a Work folder on the encrypted disk image
Make a new folder under “<encrypted disk image>/Documents/Work” and move all your working documents to this folder, again using drag-while-holding-the-Command-key-to-move.
5.5. Create Symbolic Links
Now that we have moved some folders around, we need to create symbolic links so the various applications will find our new folders. Do as follows. Start a Finder window and navigate to “Applications / Utilities” and start Terminal. Terminal opens in your home folder, which the relative paths below assume. Type the following, using plain straight quotes exactly as shown:
- ln -s "/Volumes/Encrypted/Documents/Microsoft User Data" "Documents/Microsoft User Data"
- ln -s "/Volumes/Encrypted/Documents/Work" "Documents/Work"
- ln -s "/Volumes/Encrypted/Library/Caches" "Library/Caches"
- ln -s "/Volumes/Encrypted/Library/Mail" "Library/Mail"
You should now have created symbolic links to the new folders on your encrypted disk image. This means that as soon as any application needs a file from these folders, it will grab it from the encrypted disk image instead of your home folder. So if someone steals your laptop they will only find a large chunk of encrypted data and some symbolic links!
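A way to check that steps 5.3 to 5.5 took effect, as an added example that is not part of the original post: the hypothetical check_links function below audits the four folders and flags any that is still a real folder in the home directory (data written unencrypted), points somewhere else, or dangles because the disk image is not mounted. It assumes the /Volumes/Encrypted mount point used above.

```shell
#!/bin/sh
# Added example: audit the symbolic links created in step 5.5.
# check_links HOME_DIR VOLUME_DIR
#   Prints one status line per folder and returns the number of folders
#   that are NOT safely redirected to the encrypted volume.
check_links() {
    home_dir=$1
    volume=$2
    problems=0
    # The four folders moved in steps 5.3 and 5.4.
    for rel in "Documents/Microsoft User Data" "Documents/Work" \
               "Library/Caches" "Library/Mail"; do
        path="$home_dir/$rel"
        if [ ! -L "$path" ]; then
            if [ -e "$path" ]; then
                # A real folder here means data is written unencrypted.
                echo "PLAINTEXT  $rel (real folder, not a link)"
            else
                echo "MISSING    $rel"
            fi
            problems=$((problems + 1))
        elif [ "$(readlink "$path")" != "$volume/$rel" ]; then
            echo "WRONG      $rel -> $(readlink "$path")"
            problems=$((problems + 1))
        elif [ ! -d "$path" ]; then
            # Link is right but its target is absent: image not mounted.
            echo "DANGLING   $rel (is the disk image mounted?)"
            problems=$((problems + 1))
        else
            echo "OK         $rel"
        fi
    done
    return "$problems"
}

# Stand-alone use: pass --run to audit the current user's home folder.
if [ "${1:-}" = "--run" ]; then
    check_links "$HOME" "/Volumes/Encrypted"
fi
```

A PLAINTEXT result usually means an application recreated the folder while the image was unmounted; move its contents back onto the encrypted volume and recreate the link.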

