27 Mac Security Settings for Regulated Businesses

Checklist, Compliance, encryption, mac, smb security

In January 2026, the RansomHub ransomware group attacked Luxshare, one of Apple’s major manufacturing partners, stealing 3D CAD files, engineering documents, and personal information. We can’t know for sure if this was a problem with Mac security settings specifically, but it reflects a growing trend: criminals are paying attention to Apple’s ecosystem.

Mac malware incidents climbed 73% in the past year alone, according to the Moonlock 2025 macOS Threat Report, and that matches what we see at Adelia Risk. The “Macs don’t get viruses” era is over.

How to Secure Your Mac for Business Use

Most Mac security settings take minutes to configure, and they’re free. But many of them are off by default. Unlike Windows, macOS ships with its application firewall disabled. If you’re running Macs in a healthcare practice, financial advisory firm, or any other regulated business, you’re likely missing basic protections that auditors and insurers expect.

This guide walks through the Mac security settings that matter most for small businesses. You’ll learn what to turn on first, which sharing services to disable, and how to document your configuration for compliance purposes. We’ve also created a free Mac Security Settings Checklist you can download and work through with your team.


Priority Mac Security Settings: Your First-Hour Actions

Before you get into the details, here are the six settings that matter most. If you only do these, you’ll be ahead of most small businesses.

Enable FileVault encryption (System Settings > Privacy & Security > FileVault). This encrypts the entire startup disk. If a laptop is stolen, the thief can’t read your files without a user’s password or the recovery key.

Turn on the firewall (System Settings > Network > Firewall). Yes, it’s really off by default. It blocks unsolicited incoming connections to apps and services you haven’t allowed. It does not filter outbound traffic (see the note on third-party firewalls below).

Enable Stealth Mode (Firewall > Options > Enable stealth mode). Your Mac then ignores pings and probes to closed ports, so it doesn’t show up as readily in network scans. It does not hide services you have deliberately turned on, which is why the sharing-services section below matters.

Require password immediately after sleep (System Settings > Lock Screen). Set it to “Immediately” so walking away from your desk doesn’t mean walking away from your data.

Verify Gatekeeper is on (run spctl --status in Terminal). It should print “assessments enabled.” Gatekeeper checks that apps are signed by an identified developer and notarized by Apple before they run. If it reports disabled, re-enable it under Privacy & Security.

Enable automatic updates (System Settings > General > Software Update > Automatic Updates). Turn on every option in that sheet, including Security Responses and system files. Apple regularly ships patches for vulnerabilities that are already being exploited.


CHECKLIST EXTRACT

Urgent: Do These First

Enable FileVault encryption: Go to System Settings > Privacy & Security > FileVault > Turn On. Choose a recovery method (iCloud account or save a recovery key offline).

Enable the firewall: Go to System Settings > Network > Firewall > Turn On. Unlike Windows, the macOS firewall is OFF by default.

Enable Stealth Mode: In System Settings > Network > Firewall > Options, enable “Enable stealth mode.”

Get our complete Mac Security Settings Checklist with all 27 items, step-by-step instructions for each setting, and a section for documenting your configuration for auditors. Use this Mac security checklist to track your progress and ensure nothing gets missed.

The Firewall Problem Nobody Talks About

We see this constantly during security assessments: business owners assume their Macs are protected because Apple has a good security reputation. Then we check, and the firewall is off. These Mac security settings get overlooked because people assume everything is configured correctly out of the box. It isn’t.

Enabling the firewall takes about 30 seconds. Go to System Settings > Network > Firewall and turn it on. Then click Options and enable Stealth Mode, which prevents your Mac from responding when someone scans your network for vulnerable devices.

Apple made a design decision years ago to ship macOS with the firewall disabled. The reasoning was that most home users are behind a router’s firewall anyway. But in a business context, especially with employees working from coffee shops and home networks, that assumption falls apart.

While you’re in the firewall settings, enable logging too. Open Terminal and run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on, then confirm with sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode. Blocked-connection records are what an investigator will ask for after an incident.

What About Third-Party Firewalls?

The built-in firewall handles incoming connections. If you want to monitor outgoing connections too (which app is “phoning home”?), consider LuLu from Objective-See. It’s free, open-source, and trusted in the Mac security community.

Sharing Services Are Attack Surfaces

Every Mac has a list of sharing services in System Settings > General > Sharing. Most of them are off by default, but we regularly find offices where someone enabled File Sharing or Screen Sharing during setup, then forgot about it.

Each enabled service is a door into your Mac. Remote Login (SSH) lets anyone with valid credentials run commands remotely, and exposes your account passwords to guessing from the network. Screen Sharing gives full visual control of the desktop. File Sharing exposes your documents to anyone on the network who can authenticate, or to everyone if guest access is left on.

Just disable anything you’re not actively using.

Remote Login (SSH): Off unless IT specifically needs it

Screen Sharing: Off unless you use remote support

Remote Management: Off unless you have Apple Remote Desktop

File Sharing: Off unless you need network file access

Bluetooth Sharing: Off (it’s in the same Sharing list)

Internet Sharing: Off

Remote Apple Events (labelled Remote Application Scripting in System Settings): Off

One client we worked with had Screen Sharing enabled on every Mac in their office because their previous IT company set it up that way. Nobody was using it. It had been sitting there for three years, waiting for someone to discover it.

FileVault Is Not Optional for Regulated Businesses

If you handle client health records, financial data, or any sensitive information, FileVault encryption isn’t a nice-to-have. It’s a compliance requirement.

HIPAA’s Security Rule treats encryption as an “addressable” specification, which in practice means you encrypt or document why an equivalent control is in place. It also matters after the fact: a lost unencrypted laptop holding PHI is a reportable breach, while a lost FileVault-encrypted one generally is not. FileVault uses XTS-AES-128 encryption with a 256-bit key, which satisfies every framework we work with. SOC 2 auditors expect full-disk encryption on all endpoints, and cyber insurance applications specifically ask whether endpoints are encrypted.

Macs with Apple silicon (M1 through M4) always encrypt the data volume with a hardware-bound key, so the raw flash is never readable on its own. What FileVault adds is the user’s password as a second ingredient for that key. Without FileVault the volume unlocks automatically at boot, and anyone who can get past or around the login screen can reach the data. With FileVault on, the disk stays locked until a valid user password is entered at startup.

To enable FileVault, go to System Settings > Privacy & Security > FileVault and click Turn On. You’ll choose a recovery method: your iCloud account or a recovery key you store offline. For business machines, the recovery key belongs somewhere the company controls (a password manager or MDM escrow), not only in an employee’s personal iCloud account; an auditor will ask who can recover a departed employee’s laptop. Encryption runs in the background while you work.

The iCloud Compliance Problem

Something that catches businesses off guard: iCloud storage doesn’t meet the compliance requirements for most regulated industries. Apple will not sign a Business Associate Agreement for HIPAA, and similar issues exist for SOC 2, financial services regulations, and other frameworks that require specific vendor commitments.

If you’re storing client data in iCloud Drive, whether that’s patient records, financial documents, or legal files, you likely have a compliance gap. Use a cloud service that will sign the appropriate agreements for your industry and provides the audit trails your compliance framework requires.

The Settings Auditors Actually Check

When we conduct security assessments for clients preparing for SOC 2 or HIPAA audits, here’s what we’re looking for on their Macs:

Encryption: Is FileVault enabled? Can you prove it? (Take a screenshot or run fdesetup status in Terminal.)

Screen lock: Is there a password required after sleep, and how quickly? “Immediately” or “5 minutes” is acceptable. “Never” is a finding.

Automatic updates: Is every option under Automatic Updates enabled? Auditors want to see that security patches install without waiting for a person.

Firewall: Is it on? Is logging enabled for the investigation capability?

Sharing services: Are unnecessary services disabled?

MDM enrollment: For businesses with more than a handful of Macs, auditors expect some form of centralized management.

We’ve seen assessments fail over something as simple as the screen lock timeout being set to 30 minutes. Document your settings, take screenshots, and keep them with your compliance records.
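Here is a shell script that collects exactly those items and appends them to a dated evidence file, as an added example for this article (it is not Apple tooling and not the Adelia Risk scanner mentioned later). It assumes macOS 13 or later, an admin account, and the command-output wording of recent macOS releases; the sysadminctl screen-lock wording in particular is an assumption, so compare it against your own Mac once. Grading is kept separate from collection so the PASS/FAIL logic can be checked against saved output on any machine.

```sh
#!/bin/sh
# mac_settings_evidence.sh: collect the settings auditors ask about, grade each one
# PASS/FAIL, and append the raw output to a dated evidence file for the compliance binder.
# Assumes macOS 13 or later and an admin user (a few checks use sudo). Output wording is
# that of recent macOS releases; the sysadminctl screen-lock wording is an assumption.

# Grading is separate from collection: each grade_* function takes the text a command
# printed and echoes PASS or FAIL, so the logic can be exercised on saved output anywhere.

grade_filevault() {            # fdesetup status -> "FileVault is On." / "FileVault is Off."
  case "$1" in *"FileVault is On"*) echo PASS ;; *) echo FAIL ;; esac
}

grade_enabled() {              # socketfilterfw, spctl and csrutil say "... enabled" or "... is on";
  case "$1" in *enabled*|*" is on"*) echo PASS ;; *) echo FAIL ;; esac   # "disabled"/"is off" fall through
}

grade_screenlock() {           # sysadminctl -screenLock status (assumed wording):
  case "$1" in                 # "... is immediate" | "... delay is N seconds" | "... is off"
    *immediate*) echo PASS ;;
    *off*)       echo FAIL ;;
    *) secs=$(printf '%s' "$1" | tr -dc '0-9')
       if [ -n "$secs" ] && [ "$secs" -le 300 ]; then echo PASS; else echo FAIL; fi ;;
  esac
}

grade_bool_pref() {            # defaults read ... -> "1" when the checkbox is on, "0" or nothing otherwise
  if [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; then echo PASS; else echo FAIL; fi
}

grade_service_off() {          # systemsetup -getremotelogin -> "Remote Login: Off"
  case "$1" in *": Off"*) echo PASS ;; *) echo FAIL ;; esac
}

record() {                     # record LABEL GRADE RAW -> one line on screen and in the evidence file
  printf '%-36s %s   [%s]\n' "$1" "$2" "$(printf '%s' "$3" | tr '\n' ' ')" | tee -a "$OUT"
}

collect() {
  OUT="$HOME/Desktop/mac-security-evidence-$(hostname -s)-$(date +%Y%m%d).txt"
  echo "Host: $(hostname)  macOS $(sw_vers -productVersion)  Collected: $(date)" >> "$OUT"
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  o=$(fdesetup status);                       record "FileVault"            "$(grade_filevault "$o")"   "$o"
  o=$(sudo "$fw" --getglobalstate);           record "Firewall"             "$(grade_enabled "$o")"     "$o"
  o=$(sudo "$fw" --getstealthmode);           record "Stealth mode"         "$(grade_enabled "$o")"     "$o"
  o=$(sudo "$fw" --getloggingmode);           record "Firewall logging"     "$(grade_enabled "$o")"     "$o"
  o=$(spctl --status 2>&1);                   record "Gatekeeper"           "$(grade_enabled "$o")"     "$o"
  o=$(csrutil status);                        record "SIP"                  "$(grade_enabled "$o")"     "$o"
  o=$(sysadminctl -screenLock status 2>&1);   record "Screen lock"          "$(grade_screenlock "$o")"  "$o"
  for key in AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates \
             ConfigDataInstall CriticalUpdateInstall; do
    o=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate "$key" 2>/dev/null)
    record "Update: $key" "$(grade_bool_pref "$o")" "${o:-unset}"
  done
  o=$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null)
  record "Update: App Store apps" "$(grade_bool_pref "$o")" "${o:-unset}"
  o=$(sudo systemsetup -getremotelogin);      record "Remote Login (SSH)"   "$(grade_service_off "$o")" "$o"
  for svc in com.apple.screensharing com.apple.smbd com.apple.AEServer; do   # Screen Sharing, File Sharing, Remote Apple Events
    if launchctl print "system/$svc" >/dev/null 2>&1; then g=FAIL; o=loaded; else g=PASS; o="not loaded"; fi
    record "Service $svc" "$g" "$o"
  done
  echo "Evidence written to $OUT"
}

# Only collect on a Mac; elsewhere the grade_* functions can still be exercised on saved output.
if [ "$(uname)" = Darwin ]; then collect; fi
```

Run it once per Mac per quarter and keep the file with the screenshots; a FAIL on any line is the same finding an auditor would write up, caught before they do.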

Network Hardening for Mobile Workers

Two settings matter especially for laptops that travel: Wake for Network Access and Power Nap.

Wake for Network Access allows your Mac to be woken remotely over the network. That’s useful for IT management, but it also means anyone on the same network segment can wake the device. Unless you have a specific IT reason to leave it on, disable it in System Settings > Battery > Options.

Power Nap is trickier. With Power Nap enabled, a sleeping Mac still wakes periodically to check email, download updates, and sync data. FileVault does not protect you during those wake-ups: the volume was unlocked at boot and its key is still in memory, so your “sleeping” Mac is quite awake from a security perspective.

For laptops that leave the office, disable Power Nap in System Settings > Battery. Your Mac will be a bit less convenient, but it will stop joining networks while the lid is closed. Note that turning off Power Nap does not by itself remove the FileVault key from memory; if you want that, the pmset option destroyfvkeyonstandby does it, at the cost of re-entering your password whenever the Mac wakes from standby.
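The sections above each describe a few clicks in System Settings. For repeatability, and for documenting exactly what was changed, here is the same work as a shell script, added for this article and not an Apple or Adelia Risk tool. It assumes macOS 13 or later and an admin account. The defaults, pmset, socketfilterfw, systemsetup and launchctl invocations are documented ones; the sysadminctl screen-lock line follows that command’s usage text and is the one invocation to confirm on your own macOS version first. Without arguments it only prints what it would do; FileVault is deliberately left to the GUI so the recovery key gets chosen and stored on purpose.

```sh
#!/bin/sh
# harden_mac.sh: apply the settings from this article (first-hour items, firewall logging,
# sharing services, laptop power options) from the command line. Added example written for
# this article, not an Apple or Adelia Risk tool. Assumes macOS 13 or later and an admin
# account. Without arguments it only prints the commands; with --apply it runs them via sudo.
# FileVault is left to the GUI (Privacy & Security > FileVault) so you choose and store the
# recovery key deliberately. The sysadminctl screen-lock invocation follows its usage text
# and is the one line here not tied to a documented defaults/pmset key: confirm it first.

APPLY=0
if [ "${1:-}" = "--apply" ]; then APPLY=1; fi
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# run CMD...: print the privileged command; execute it only in --apply mode
run() {
  printf 'sudo %s\n' "$*"
  if [ "$APPLY" -eq 1 ]; then sudo "$@" || echo "  failed: $*" >&2; fi
}

firewall() {                    # first-hour items 2 and 3, plus logging for investigations
  run "$FW" --setglobalstate on
  run "$FW" --setstealthmode on
  run "$FW" --setloggingmode on
}

updates() {                     # every Automatic Updates checkbox, plus App Store app updates
  for key in AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates \
             ConfigDataInstall CriticalUpdateInstall; do
    run defaults write /Library/Preferences/com.apple.SoftwareUpdate "$key" -bool true
  done
  run defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool true
}

sharing_off() {                 # Sharing list: off unless a documented business need says otherwise
  run systemsetup -f -setremotelogin off                  # Remote Login (SSH); -f skips the prompt
  for svc in com.apple.screensharing com.apple.smbd com.apple.AEServer; do
    run launchctl disable "system/$svc"                   # Screen Sharing, File Sharing (SMB), Remote Apple Events
    run launchctl bootout "system/$svc"                   # stop it now if it happens to be running
  done
}

laptop_power() {                # the two settings for Macs that leave the office
  run pmset -a womp 0 powernap 0                          # Wake for network access off, Power Nap off
  run pmset -a destroyfvkeyonstandby 1 hibernatemode 25   # purge the FileVault key on standby (slower wake)
}

screen_lock() {                 # runs as the logged-in user, not via sudo; prompts for that user's password
  printf 'sysadminctl -screenLock immediate -password -\n'
  if [ "$APPLY" -eq 1 ]; then sysadminctl -screenLock immediate -password -; fi
}

main() {
  firewall; updates; sharing_off; laptop_power; screen_lock
  if [ "$APPLY" -ne 1 ]; then
    echo "Preview only. Re-run with --apply to make these changes, then verify with fdesetup, spctl and csrutil."
  fi
}
if [ "$(uname)" = Darwin ]; then main "$@"; fi
```

Keep the preview output with your change records: it is a precise statement of what was configured and when, which is what an auditor means by “documented configuration.”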

How Mac Malware Survives Even If You Reboot

Almost every piece of Mac malware discovered in recent years uses the same mechanism to survive reboots: Launch Agents and Launch Daemons. These are small property-list files that tell launchd, the process that starts everything else on macOS, to run a program at startup or at login, and, if asked, to restart it whenever it dies.

Legitimate software uses them too. Your VPN probably has a Launch Agent. So does Dropbox. The problem is malware hiding among the legitimate items.

You can audit these locations manually:

  • ~/Library/LaunchAgents/ (runs as you, when you log in)
  • /Library/LaunchAgents/ (runs at login for every user on the Mac)
  • /Library/LaunchDaemons/ (runs as root at boot, before anyone logs in)

Look for unfamiliar entries, especially anything that appeared recently, anything whose program lives in a temp folder or a hidden directory, and anything that launches a shell or scripting interpreter with a long command line. If you’re not sure what something is, search for its label online before removing it. The Login Items list under System Settings > General is a second place persistence can hide, so review it at the same time.
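A small script that does this review, added here as an example (not part of the original article, and not one of the Objective-See tools mentioned next): it lists every plist in the three locations, newest first, extracts the command each one launches, and marks it TRUSTED or REVIEW. The trusted-path list and the interpreter list are this example’s own assumptions, not an Apple allowlist, and REVIEW means “look it up,” not “delete.” It assumes XML plists; on a Mac it converts binary ones with plutil first.

```sh
#!/bin/sh
# launchd_audit.sh: list the Launch Agents and Launch Daemons in the three locations above,
# newest first, with the command each one runs and a TRUSTED/REVIEW verdict. Added example,
# not part of the original article or of Objective-See's tools. Assumes XML plists (on a Mac,
# binary plists are converted with plutil first). The trusted-prefix list is this example's own
# assumption, not an Apple allowlist; REVIEW means "look it up", not "delete".

DIRS="${DIRS:-$HOME/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons}"
RECENT_DAYS="${RECENT_DAYS:-30}"

# program_args FILE: the command line a plist launches, space-joined: the Program value,
# or every string inside the ProgramArguments array.
program_args() {
  f="$1"; tmp=""
  if command -v plutil >/dev/null 2>&1; then                   # macOS: normalise to XML first
    tmp=$(mktemp) && plutil -convert xml1 -o "$tmp" "$f" 2>/dev/null && f="$tmp"
  fi
  awk '/<key>Program<\/key>/          { want = 1; next }
       /<key>ProgramArguments<\/key>/ { want = 2; next }
       want && /<string>/ { s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
                            printf "%s%s", (n++ ? " " : ""), s; if (want == 1) exit }
       want == 2 && /<\/array>/ { exit }
       END { print "" }' "$f"
  if [ -n "$tmp" ]; then rm -f "$tmp"; fi
}

# classify CMDLINE: TRUSTED when the executable sits in an Apple or /Applications path,
# REVIEW otherwise. Interpreters are always REVIEW: "/bin/sh -c 'curl ... | sh'" has a
# trusted executable but carries its payload in the arguments, which is how loaders hide.
classify() {
  exe=${1%% *}
  case "$exe" in
    /bin/sh|/bin/bash|/bin/zsh|/usr/bin/env|/usr/bin/osascript|/usr/bin/python3|/usr/bin/perl|/usr/bin/curl)
      echo "REVIEW (interpreter)" ;;
    /System/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|/Applications/*|/Library/Apple/*)
      echo TRUSTED ;;
    *)
      echo REVIEW ;;
  esac
}

# audit: walk the persistence directories, newest plist first, flagging recent additions
audit() {
  for d in $DIRS; do
    [ -d "$d" ] || continue
    ls -t "$d"/*.plist 2>/dev/null | while IFS= read -r f; do
      age="older"
      if [ -n "$(find "$f" -mtime -"$RECENT_DAYS" 2>/dev/null)" ]; then age="NEW<${RECENT_DAYS}d"; fi
      cmd=$(program_args "$f")
      printf '%-21s %-8s %s\n    %s\n' "$(classify "$cmd")" "$age" "$f" "$cmd"
    done
  done
}
audit
```

Anything marked NEW that nobody remembers installing deserves a look first; anything marked REVIEW (interpreter) deserves a look at the full command line, because a legitimate path like /bin/sh tells you nothing about what it is being asked to run.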

For ongoing protection, install KnockKnock from Objective-See. It scans all persistence locations and shows you what’s set to run at startup. BlockBlock, from the same developer, alerts you in real-time when new items are added.

Mac Security Settings for Multiple Macs

The biggest mistake we see in mixed Windows and Mac environments is this: the Macs are completely unmanaged.

Most businesses with outsourced IT have their Windows machines locked down with an RMM tool (Remote Monitoring and Management). The IT company pushes updates, enforces policies, and monitors for issues. But when you look at the Macs in the same office, they’re often running on their own with no central management at all.

RMM tools designed for Windows don’t manage Macs well. They can usually push a software update or run a script, but without Apple’s MDM protocol they can’t install configuration profiles, enforce FileVault with an escrowed recovery key, lock down sharing services, or prove that a setting has stayed enabled. Companies don’t realize this until they start digging into the settings on their Macs and find that everything is wide open.

If you’re managing more than two or three Macs, you need a Mac-specific solution. Mobile Device Management (MDM) built for Apple devices lets you push security policies to all your Macs, force settings to remain enabled, and verify compliance from a central dashboard. MDM makes macOS hardening consistent across your entire fleet.

Options for small businesses (pricing as of early 2026):

  • Apple Business Essentials: $2.99-$12.99/user/month, native Apple integration
  • Jamf Now: Starting around $4/device/month, entry-level but limited features
  • Mosyle: Lower cost tier, simple setup
  • Kandji: Starting around $10/Mac/month, 200+ pre-built automations

The investment pays off in time saved and compliance confidence. When an auditor asks “how do you ensure all Macs have encryption enabled?”, you can pull up a dashboard instead of walking desk to desk. And if your IT company says their RMM tool “handles” your Macs, ask them to show you exactly which security settings are being enforced. You might not like what you find.

Cyber Insurance Expectations Are Rising

Cyber insurance applications have gotten specific about endpoint security. According to an Allcovered industry survey, about 80% of insurers now require multi-factor authentication on all systems, and 65% expect endpoint detection and response (EDR) tools on all devices.

The built-in Mac protections (Gatekeeper, XProtect, the firewall) provide a baseline. But they weren’t designed for sophisticated targeted attacks or enterprise compliance requirements. If your insurance application asks about EDR, the answer should probably include something beyond the defaults.

EDR options for Macs include Jamf Protect, SentinelOne, CrowdStrike, and Huntress. The choice depends on your budget and whether you want managed detection (someone watching the alerts) or just the software.

In a Sophos survey of 5,000 cybersecurity executives, only 1% said they were fully compensated on cyber insurance claims, with the average payout covering just 63% of costs. Misrepresentation about security controls is a leading cause of denied or reduced claims. When you fill out that application, make sure you can back up your answers.

Do Today, This Week, This Month

Do Today

Enable FileVault (takes 30 seconds to start, runs in the background)

Turn on the firewall and Stealth Mode

Set the screen lock to require a password immediately

Check that automatic updates are enabled

Do This Week

Review and disable unnecessary sharing services

Disable Wake for Network Access and Power Nap on laptops

Run spctl --status and csrutil status to verify Gatekeeper and SIP

Install KnockKnock and scan for persistence items

Do This Month

Document all security settings for compliance records

Evaluate MDM solutions if managing 5+ Macs

Review Full Disk Access permissions for unexpected apps

Check if your cloud storage meets compliance requirements

When to Get Professional Help

The settings in this guide are things any Mac user can configure. But some situations call for professional support:

You’re preparing for SOC 2 or HIPAA certification. An auditor will want to see documented policies, not just configured settings. You’ll need someone who understands both the technical configuration and the compliance documentation.

You manage 20+ Macs. MDM deployment and policy design benefit from experience. Getting it right the first time saves headaches.

You’ve had a security incident. Post-incident hardening should be thorough, and it helps to have someone who knows what to look for.

You’re unsure whether your current setup meets insurance requirements. Before signing that application, it’s worth having someone verify your answers.

At Adelia Risk, we help small and mid-sized regulated businesses configure and document their security settings. As part of our Virtual CISO service, we automatically scan your Mac computers for these settings and give you and your IT team a specific, actionable report on how to fix each computer.

Download the Complete Checklist

We’ve packaged everything in this article into a printable Mac Security Settings Checklist. It includes all 27 configuration items, organized by priority, with step-by-step instructions and space to document your settings for auditors.

Get the Mac Security Settings Checklist and work through it with your team. Keep a copy with your compliance documentation.

Bookmark this and revisit quarterly. Apple releases major security updates with each macOS version, and your settings may need adjustment. Or, better yet, work with us to make sure your Macs are secure.


Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
