Your Mac is leaking data right now. Location services, analytics sharing, Spotlight suggestions, Siri, and dozens of background services are sending information to Apple and third parties. This checklist walks you through every privacy and security setting in macOS, organized by priority. Start with the highest-impact changes and work your way down. Total time: about 45 minutes to complete the entire checklist. You will end up with a significantly more private machine without sacrificing daily usability.
Category one: System Preferences essentials. Open System Settings (or System Preferences on older macOS versions). Navigate to Privacy and Security. Start with Location Services. Turn off Location Services entirely if you do not need it. If you do need it for specific apps (Weather, Maps), disable it for everything else. Review each app listed and remove permissions you do not actively use.
Analytics and Improvements: disable "Share Mac Analytics", "Improve Siri and Dictation", "Share with App Developers", and "Share iCloud Analytics." These send usage data to Apple and third-party developers. There is no user benefit to keeping them enabled.
Siri: if you do not use Siri, disable it completely. If you do use it, disable "Listen for Hey Siri" and disable Siri Suggestions in individual apps. Siri sends voice data to Apple servers for processing.
Spotlight: go to Siri and Spotlight settings. Disable "Spotlight Suggestions" and "Allow Spotlight Suggestions in Look Up." When these are enabled, every Spotlight search is sent to Apple servers along with your location. Local file search still works perfectly without these options.
Category two: FileVault and firmware security. Enable FileVault disk encryption if it is not already on. This encrypts your entire startup disk. Without it, anyone with physical access to your Mac can read your files by booting into recovery mode. Go to Privacy and Security, then FileVault, and turn it on. Save your recovery key somewhere secure (not on the Mac itself). Write it down physically or store it in a password manager on a different device.
Set a firmware password (on Intel Macs) or ensure your Apple Silicon Mac has a strong login password. This prevents someone from booting your Mac from an external drive.
Category three: Firewall and network privacy. Enable the built-in firewall: Privacy and Security, then Firewall. Turn it on and click Options. Enable "Block all incoming connections" if you do not run any server software. Enable Stealth Mode, which prevents your Mac from responding to ping requests and port scans.
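To confirm the FileVault and firewall settings above from Terminal rather than by clicking through System Settings, here is an added example (not part of the original checklist). It assumes the output wording of `fdesetup status` and `socketfilterfw` on recent macOS releases, and reports UNKNOWN when the output matches neither pattern.

```sh
#!/bin/sh
# Added example: read-only check of FileVault and firewall state.
# The patterns are assumptions about what these tools print on recent macOS.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# check NAME OUTPUT GOOD_REGEX BAD_REGEX: print PASS, FAIL or UNKNOWN plus NAME.
check() {
  if printf '%s\n' "$2" | grep -Eiq "$3"; then echo "PASS $1"
  elif printf '%s\n' "$2" | grep -Eiq "$4"; then echo "FAIL $1"
  else echo "UNKNOWN $1"; fi
}

check_filevault() { check "FileVault" "$1" 'FileVault is On' 'FileVault is Off'; }
check_firewall()  { check "Firewall" "$1" 'State = [12]' 'State = 0'; }
check_stealth()   { check "Stealth mode" "$1" 'stealth mode (is on|enabled)' 'stealth mode (is off|disabled)'; }

# audit: run the real tools (macOS only) and classify what they print.
audit() {
  check_filevault "$(fdesetup status 2>&1)"
  check_firewall  "$("$FW" --getglobalstate 2>&1)"
  check_stealth   "$("$FW" --getstealthmode 2>&1)"
}

if [ "$(uname)" = "Darwin" ]; then
  audit
else
  # Constructed sample output, for trying the classifier off-Mac.
  check_filevault "FileVault is Off."
  check_firewall  "Firewall is enabled. (State = 1)"
  check_stealth   "Stealth mode disabled"
fi
```

An UNKNOWN result means the tool printed something else (for example while encryption is still in progress), so read the raw output before treating the setting as correct.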
DNS settings: change your DNS servers from your ISP's default to a privacy-respecting DNS provider. Go to Network settings, select your active connection, click Details, then DNS. Remove existing entries and add a provider that does not log queries. Consider running DNS over HTTPS (DoH) for encrypted DNS queries.
Disable AirDrop when not in use. AirDrop broadcasts your device name and a partial hash of your phone number and email. Set it to "Contacts Only" at minimum, or "No One" when you do not need it.
Category four: browser hardening. Safari: go to Safari Preferences, then Privacy. Enable "Prevent cross-site tracking." Enable "Hide IP address from trackers." Disable "Allow websites to check for Apple Pay." In the Advanced tab, unchecking "Show full website address" is fine, but do enable "Show Develop menu" so you can inspect privacy-related network requests.
For stronger privacy, use a dedicated privacy browser for sensitive browsing. Configure it with: a content blocker that blocks trackers and ads, HTTPS-only mode enabled, cookies set to "delete on close" for all sites except those you explicitly trust, and WebRTC disabled or set to use a proxy.
Category five: application permissions audit. Go through every category in Privacy and Security: Camera, Microphone, Screen Recording, Accessibility, Full Disk Access, Files and Folders, and Automation. Remove permissions from any app that should not have them. Pay special attention to Accessibility and Full Disk Access, as these are the most powerful permissions. Malicious apps with Accessibility access can log keystrokes and control your computer.
Category six: secure your Apple ID. Enable two-factor authentication (this should already be enabled for most accounts). Review your trusted devices and remove any you no longer own. Review app-specific passwords and revoke old ones. Check your iCloud sharing settings and disable any sync categories you do not need across devices.
Category seven: login and lock screen. Set your Mac to require a password immediately after sleep or screen saver begins. Set the screen saver to activate after 5 minutes of inactivity. Disable "Show password hints" on the login screen. Disable automatic login. Show a custom message on the lock screen with a contact email (not your phone number) in case the laptop is found.
Category eight: terminal hardening for advanced users. Disable remote login (SSH) if not needed: System Settings, General, Sharing, disable Remote Login. Disable remote management. Check for unnecessary launch daemons and agents in /Library/LaunchDaemons and ~/Library/LaunchAgents. Remove any you do not recognize after researching what they do.
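To make the launch daemon and agent review concrete, the following added example (not part of the original checklist) prints each plist's label and the program it starts, and marks items whose program no longer exists on disk. The helper names and the `write_sample` fixture are hypothetical, and the parser only reads the first string after the Label and Program/ProgramArguments keys.

```sh
#!/bin/sh
# Added example: list each launch item with its label and program for research.

# to_xml FILE: emit the plist as XML (binary plists need plutil, present on macOS).
to_xml() {
  if command -v plutil >/dev/null 2>&1; then plutil -convert xml1 -o - "$1"
  else cat "$1"; fi
}

# describe_item FILE: print "label|program|present-or-missing".
describe_item() {
  fields=$(to_xml "$1" | awk -F'[<>]' '
    $2 == "key"    { k = $3 }
    $2 == "string" {
      if (k == "Label" && label == "") label = $3
      if ((k == "Program" || k == "ProgramArguments") && prog == "") prog = $3
    }
    END { printf "%s|%s\n", (label == "" ? "?" : label), (prog == "" ? "?" : prog) }')
  prog=${fields#*|}
  if [ -e "$prog" ]; then state=present; else state=missing; fi
  printf '%s|%s\n' "$fields" "$state"
}

# inventory DIR...: one line per plist, as file|label|program|state.
inventory() {
  for dir in "$@"; do
    for f in "$dir"/*.plist; do
      [ -e "$f" ] || continue
      printf '%s|%s\n' "$f" "$(describe_item "$f")"
    done
  done
}

# write_sample FILE LABEL PROGRAM: constructed plist for trying the script off-Mac.
write_sample() {
  printf '<plist version="1.0">\n<dict>\n\t<key>Label</key>\n\t<string>%s</string>\n' "$2" > "$1"
  printf '\t<key>ProgramArguments</key>\n\t<array>\n\t\t<string>%s</string>\n' "$3" >> "$1"
  printf '\t\t<string>--daemon</string>\n\t</array>\n</dict>\n</plist>\n' >> "$1"
}

if [ "$(uname)" = "Darwin" ]; then
  inventory /Library/LaunchDaemons "$HOME/Library/LaunchAgents"
fi
```

A `missing` state usually points to a leftover from an uninstalled app; a `present` item still needs the research step before you decide to keep or remove it.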
Maintenance: revisit this checklist after every macOS update. Apple sometimes resets privacy settings or adds new data collection options with updates. Check your settings after every major version upgrade and every security patch that mentions privacy changes.