In a recent blog post titled “Hardening macOS,” Ricard Bejarano offers an extensive list of settings you can tweak to make macOS as secure as possible. It’s a comprehensive list of tasks—and we love it—but it’s important that you understand the “why” behind his recommendations, too. Here are a few of his top tips and explanations for why you’re adjusting, installing, or modifying your Mac that way:

System Preferences is your new best friend

Ricard’s advice: “Keep your system up-to-date, both macOS and installed software”

Apple frequently releases security updates and is often quick to provide patches for new threats. Keeping your software updated is a critical component of your system’s security, and not everyone checks System Preferences all the time for the latest updates. If you aren’t running macOS Mojave, you should be looking at Software Update frequently. Make it a biweekly to-do on your calendar, even.

And if you are running Mojave, you can set Mac updates to install automatically. Go to System Preferences > Software Update and check “Automatically keep my Mac up to date.” If the checkbox isn’t fully selected (it has a hyphen instead of a checkmark), open Advanced and ensure that all of the boxes are selected (especially “Install system data files and security updates”).

Screenshot: David Murphy

Use two accounts instead of one

Ricard’s advice:

  • “Create an administrator user account with a strong password and no hint. This user is for administration purposes only.”
  • “Go to System Preferences > Users & Groups and create an unprivileged user account for day-to-day use, it is considered best practice by Apple itself”

It might feel a little strange to be setting up two accounts for yourself when you only use one most of the time, but it’s a great way to strengthen your system’s security for everyday use.

Set up an Administrator account with a strong password, which you’ll use whenever you need to modify software, update keychains, etc. Then, set up a separate, non-privileged account to use as your default account, which sets some limitations when you’re installing software or working with some “Power User” apps (e.g. for automation).

This limits your exposure by limiting capabilities. (And you can always use your admin account, with its super-secure password, to approve activities your user account is prevented from executing by default.)

Let identified developers’ apps work, too

Ricard’s advice: “Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store or App Store and identified developers”

While the App Store offers the best app security (most of the time), a lot of your favorite apps might come directly from third-party developers. “Identified developers” means that the creator of the app has used code signing, a process regulated by Apple which requires developers to have accounts with Apple and provide apps that verify their own authenticity.

This isn’t a foolproof security measure, as anyone can get a developer account and sign their app, but Apple can revoke a developer’s certificate if it detects malware activity or other impropriety in their apps. If you only want to run apps that Apple has inspected and approved itself, choose “App Store” only—but we, and Ricard, think it’s fine to expand to “identified developers” as well.

Protecting your privacy

Ricard’s advice: “Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: may take some time)”

FileVault is Apple’s built-in method for encrypting your data, which safeguards it against other people accessing it if they have physical access to your system. There’s really no good reason not to use FileVault—it won’t impact your system’s performance if you’re running anything reasonably new (within the last few years or so).

You should also ensure that your backups (you are backing up, right?) are encrypted and password-protected, whether you’re making a Time Machine backup or sending your data off to a cloud service. Fortunately, most of the popular backup services automatically encrypt the data you send their way—make sure you pick a strong password (and use two-factor authentication, if possible).
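As an added example (not from the article or from Ricard’s post), here is a small POSIX shell audit that checks the four settings covered above: automatic updates, the unprivileged day-to-day account, Gatekeeper’s “identified developers” setting, and FileVault. It assumes the output formats of spctl, fdesetup, defaults and id on Mojave-era macOS; each check function takes that tool’s output as an argument, so the logic can also be exercised with constructed strings on any POSIX shell, while the real commands run only on macOS.

```shell
#!/bin/sh
# Added example: evaluate the macOS settings the article recommends.
# The check_* functions take a tool's output text (assumed formats noted
# per function); collect_and_audit runs the real tools only on Darwin.

# `spctl --status` prints "assessments enabled" when Gatekeeper is on,
# i.e. "Allow apps downloaded from" is not set to Anywhere.
check_gatekeeper() {
  case "$1" in
    *"assessments enabled"*) echo "PASS: Gatekeeper on" ;;
    *)                       echo "FAIL: Gatekeeper off" ;;
  esac
}

# `fdesetup status` prints "FileVault is On." when the disk is encrypted.
check_filevault() {
  case "$1" in
    "FileVault is On"*) echo "PASS: FileVault on" ;;
    *)                  echo "FAIL: FileVault off" ;;
  esac
}

# $1 = AutomaticCheckEnabled, $2 = CriticalUpdateInstall, both read from
# /Library/Preferences/com.apple.SoftwareUpdate ("1" = box checked).
check_updates() {
  if [ "$1" = "1" ] && [ "$2" = "1" ]; then
    echo "PASS: automatic checks and security updates on"
  else
    echo "FAIL: automatic security updates off"
  fi
}

# $1 = group list from `id -Gn`; the day-to-day account should not be
# a member of the admin group.
check_unprivileged() {
  case " $1 " in
    *" admin "*) echo "FAIL: current user is an administrator" ;;
    *)           echo "PASS: current user is unprivileged" ;;
  esac
}

collect_and_audit() {
  [ "$(uname -s)" = "Darwin" ] || { echo "SKIP: not macOS"; return 0; }
  check_gatekeeper "$(spctl --status 2>&1)"
  check_filevault "$(fdesetup status 2>&1)"
  check_updates \
    "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)" \
    "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall 2>/dev/null)"
  check_unprivileged "$(id -Gn)"
}

collect_and_audit
```

Run it from the day-to-day account; a FAIL on the last line means you are browsing and installing as an administrator, which is exactly the exposure the two-account setup is meant to remove.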