Even though there are like one million guides on how to secure macOS properly, I decided to throw in my 5c on this topic. In contrast to many other guides, I’d just like to provide you with the best practices that I also use. This one is about the essential things that I always do when getting a new Mac to provide better security while preserving almost all macOS features like iCloud document saving or Time Machine usage.
I wanted to expose a single jail of my FreeBSD NAS to a network of a client via OpenVPN while it’s reachable both from my network and from the client’s network. It should send all of its traffic through that VPN tunnel so that it appears like it is just another computer on that foreign network.
Luckily, FreeBSD offers a great way to solve this by creating a separate routing table apart from my main routing table that is used when starting OpenVPN (so that it can populate its routes there) and when starting the jail (the jail in fact will consider that routing table as the only routing table available and therefore use it for anything).
UPDATE 2018-06-02: I’ve created a new version of this article called “Securing macOS” available here: https://www.davd.io/securing-macos/
Besides the pre-configured profiles, OS X’s sandbox wrapper command sandbox-exec provides a flexible configuration syntax that allows one to create a customized sandbox that either blacklists or whitelists specific abilities of the application executed within.