When it comes to privacy, you often hear Apple fans jumping in first with:
“what happens on my iPhone stays on my iPhone”
Sure, except that it does not stay on your iPhone!
An easy approach would be to install Linux on your Mac (if you can) and move on...
Chapter closed and done? Nah, let’s not ignore the fact that Apple has countless users and, of course, that you'll be in the Apple Garden (locked into their universe). Still, you can put together a pretty good setup.
Stay Private, create yourself!
To do so, follow the Identity Preservation Page
After you've booted up your Mac, go to privacy.sexy (fully open-source) and configure the Mac in the way that fits you best. I recommend enabling every option, as it takes your Mac close to where it should have been in the first place.
Settings → Security & Privacy → FileVault → Encrypt your hard disk
Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory
sudo pmset -a destroyfvkeyonstandby 1
sudo pmset -a hibernatemode 25
If you choose to evict FileVault keys on standby, you should also change your standby and Power Nap settings. Otherwise, your machine may wake while in standby and then power off because the FileVault key is no longer in memory.
sudo pmset -a powernap 0
sudo pmset -a standby 0
sudo pmset -a standbydelay 0
sudo pmset -a autopoweroff 0
The next part (Firewall) should be covered on privacy.sexy, but it won't hurt to double-check:
Click Firewall → Turn on Firewall → Block all incoming connections and enable stealth mode
You can also do this via the terminal:
Enable the firewall (State = 1)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Turning on log mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Enable Stealth mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
To prevent built-in software as well as code-signed, downloaded software from being whitelisted automatically:
Disable automatically allowing signed built-in applications
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
Disable automatically allowing signed downloaded applications
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
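Once the pmset and firewall commands above have been run, it is worth verifying that they actually took effect, since a typo or a later system update can silently undo them. The script below is an added example, not part of the original post: it audits both the power settings from the hibernation section and the firewall's global state against the values the post sets. The expected values are the post's own; the two parsing functions read command output from stdin so they can be exercised against the constructed `pmset -g` samples at the bottom on any system, while `audit_live` runs the real tools on a Mac. The exact layout of `pmset -g` output (one ` key   value` pair per line) is an assumption about the tool's formatting.

```shell
#!/bin/sh
# Added example (not from the original post): audit the pmset and firewall
# settings recommended above. The expected values are exactly the ones the
# post sets; the parsing functions take command output on stdin so they can
# be run against the constructed sample text at the bottom on any system.

# Power settings the post applies with `sudo pmset -a <key> <value>`.
PMSET_EXPECTED="destroyfvkeyonstandby=1 hibernatemode=25 powernap=0 standby=0 standbydelay=0 autopoweroff=0"

# check_pmset: read `pmset -g` output on stdin and report every key whose
# value differs from PMSET_EXPECTED. Returns 0 when all match, 1 otherwise.
check_pmset() {
  pmset_out=$(cat)
  pmset_rc=0
  for kv in $PMSET_EXPECTED; do
    key=${kv%=*}
    want=${kv#*=}
    # assumption: pmset -g prints one " key   value" pair per line
    got=$(printf '%s\n' "$pmset_out" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      echo "pmset: $key is '${got:-unset}', expected $want"
      pmset_rc=1
    fi
  done
  return $pmset_rc
}

# firewall_state: read `socketfilterfw --getglobalstate` output on stdin and
# print the numeric state, e.g. "Firewall is enabled. (State = 1)" -> 1.
firewall_state() {
  sed -n 's/.*(State = \([0-9]*\)).*/\1/p'
}

# audit_live: run the real tools (macOS only; reading needs no root).
audit_live() {
  rc=0
  pmset -g | check_pmset || rc=1
  state=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | firewall_state)
  if [ "$state" != "1" ]; then
    echo "firewall: global state is '${state:-unknown}', expected 1"
    rc=1
  fi
  return $rc
}

# Constructed sample, shaped like `pmset -g` on a machine that still has the
# defaults the post changes.
PMSET_SAMPLE_BEFORE='System-wide power settings:
Currently in use:
 standby              1
 womp                 1
 hibernatemode        3
 powernap             1
 destroyfvkeyonstandby 0
 standbydelay         10800
 autopoweroff         1'

# The same machine after running the post's pmset commands (constructed).
PMSET_SAMPLE_AFTER='System-wide power settings:
Currently in use:
 standby              0
 womp                 1
 hibernatemode        25
 powernap             0
 destroyfvkeyonstandby 1
 standbydelay         0
 autopoweroff         0'
```

On a Mac, source the file and call `audit_live`; a non-zero exit means at least one setting has drifted from what the post recommends, and the offending key is printed.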
Click Privacy and go through every item, choosing the options that fit you best. Switch off all location services, Camera and Microphone, Bluetooth and Speech recognition. Under Apple Advertising, turn off Personalised Ads. Under Analytics & Improvements, make sure everything is off!
Jump over to your terminal again:
sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'
This adds ocsp.apple.com to your hosts file, pointing it at localhost, and so blocks that telemetry to Apple.
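The one-liner above appends blindly, so every time you run it you get another identical line in /etc/hosts. The script below is an added example, not from the original post: it adds the same kind of entry only if the domain is not already mapped, and it covers the three domains the post asks you to block (ocsp.apple.com here, plus token.safebrowsing.apple and safebrowsing.googleapis.com from the Safari section). The file path is a parameter so it can be tried on a scratch file before touching the real, root-owned /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the original post): add blocking entries to a hosts
# file without duplicating them. The post's `echo ... >> /etc/hosts` appends
# unconditionally; this version checks for an existing mapping first.

# Domains the post blocks by pointing them at localhost.
BLOCKED_DOMAINS="ocsp.apple.com token.safebrowsing.apple safebrowsing.googleapis.com"

# add_hosts_entry FILE DOMAIN: append "127.0.0.1 DOMAIN" to FILE unless an
# active (non-comment) line in FILE already maps DOMAIN.
# Returns 0 if a line was added, 1 if it was already present.
add_hosts_entry() {
  file=$1
  domain=$2
  # a non-comment line whose second field is exactly the domain
  if awk -v d="$domain" '$1 !~ /^#/ && $2 == d { found=1 } END { exit !found }' "$file"; then
    return 1
  fi
  printf '127.0.0.1 %s\n' "$domain" >> "$file"
}

# hosts_entry_count FILE DOMAIN: number of active lines that map DOMAIN
# (useful to confirm nothing got duplicated).
hosts_entry_count() {
  awk -v d="$2" '$1 !~ /^#/ && $2 == d { n++ } END { print n+0 }' "$1"
}

# block_domains FILE: apply every BLOCKED_DOMAINS entry to FILE and report
# what changed. Safe to run repeatedly.
block_domains() {
  for d in $BLOCKED_DOMAINS; do
    if add_hosts_entry "$1" "$d"; then
      echo "added $d"
    else
      echo "already present: $d"
    fi
  done
}
```

On a Mac the hosts file belongs to root, so source the script and run `block_domains /etc/hosts` under `sudo sh -c`. Running it a second time reports every domain as already present and leaves the file unchanged, which is the property the original one-liner lacks.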
Enable Firmware password
Randomizing your MAC address is not automatically possible on macOS. You can, however, do this manually after each reboot.
Go to the terminal
(Turn the Wi-Fi off)
networksetup -setairportpower en0 off
(Change the MAC Address)
sudo ifconfig en0 ether 88:63:11:11:11:11
(Turn the Wi-Fi back on)
networksetup -setairportpower en0 on
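The three commands above set a fixed address, so the result is the same after every reboot rather than random. The script below is an added example, not from the original post: it wraps the post's own networksetup/ifconfig steps around a freshly generated address. The generator sets the locally administered bit of the first octet and clears the multicast bit, which is how IEEE 802 marks an address as unicast and not belonging to a vendor's assigned range; the validator checks exactly those two bits. The interface name en0 is taken from the post; everything else is added here.

```shell
#!/bin/sh
# Added example (not from the original post): generate a random MAC address
# for the post's manual rotation steps, so the value really changes each time.
# First-octet bits, per IEEE 802 addressing:
#   bit 0 (multicast)           must be 0 for a unicast address
#   bit 1 (locally administered) set to 1 so it cannot collide with a vendor OUI

# random_mac: print a random locally administered unicast MAC (xx:xx:xx:xx:xx:xx).
random_mac() {
  # six random bytes from /dev/urandom as decimal numbers, into $1..$6
  set -- $(od -An -N6 -tu1 /dev/urandom)
  first=$(( ($1 & 0xFC) | 0x02 ))   # clear multicast bit, set local bit
  printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# is_local_unicast_mac MAC: return 0 if MAC is well-formed, locally
# administered and unicast; 1 otherwise.
is_local_unicast_mac() {
  mac=$1
  printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  first=$(( 0x${mac%%:*} ))
  [ $(( first & 0x01 )) -eq 0 ] && [ $(( first & 0x02 )) -ne 0 ]
}

# rotate_mac [IFACE]: the post's three steps with a fresh random address.
# macOS only; ifconfig needs sudo. Defaults to en0 as in the post.
rotate_mac() {
  iface=${1:-en0}
  new=$(random_mac)
  networksetup -setairportpower "$iface" off
  sudo ifconfig "$iface" ether "$new"
  networksetup -setairportpower "$iface" on
  echo "$iface now uses $new"
}
```

Note that the fixed address in the post, 88:63:11:11:11:11, does not have the locally administered bit set (0x88 is 1000 1000 in binary), so `is_local_unicast_mac` rejects it; addresses produced by `random_mac` always pass.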
So let's now get some apps that will make your browsing and working experience more "fruitful" but less "appley".
On a Mac, you actually already have some excellent options to lock things down.
First things first, Mac comes with a built-in firewall. However, Mac's firewall is switched off - by default!
System Preferences → Security & Privacy → Firewall and turn it ON
→ Firewall Options
Check 'Block all incoming connections'
Lulu is an open-source firewall that can even block Apple trackers, and it's 100% open-source (did I say that already? :-)). Once you enable Lulu, you get pop-up notifications and can block or allow connections. You can also delete rules or add domains or ports to the rules.
Lulu has a built-in host file that makes blocking domains easy.
Another great, maybe even more powerful solution, is called Little Snitch.
Little Snitch is not open-source, but has had a few audits and built up a great reputation over a number of years. You can get a 30-day free demo, and a single licence will set you back $45.
In conclusion, Little Snitch can do a lot and gives you multiple options. However, it can be a little overwhelming at first, and might not be everyone's cup of tea because of the price tag.
Radio Silence is another simple, powerful, and hassle-free option. In fact, it is absolutely beginner-friendly and protects your privacy. You won't have any pop-ups; you set it all up in the settings and forget about it. It is dead simple to allow or deny an app going online. The app gives you a 24-hour trial and costs $9 as a one-off charge thereafter.
Between the three options, pick the one that feels best for you; perhaps take the time and try all three. However, the only free and fully open-source solution, Lulu, would be my personal pick, and I can recommend it!
The next step is blocking domains at DNS level. Oh yes, DNS again, I know it is my personal agenda to make DNS a thing in everyone's mind.
We have some great solutions for Apple, which all work hand in hand with the firewalls!
The first, and my personally recommended solution, is AdGuard for Mac. Although this solution is not free, it is worth every penny spent on it.
It is not just an easy switch between DNS servers, but is also great for 'on the fly' blocking of domains. It has pre-selected hosts files, and it lets you add more by just adding the URL of a hosts file, for example, the always excellent StevenBlack blocklist.
AdGuard blocks system-wide, so you can also add Apple domains to it.
For a browser, don’t just rely on Safari but have one browser for private stuff and one for business etc. I recommend LibreWolf.
This project is an independent fork of Firefox, with the primary goals of privacy, security and user freedom.
Every Firefox extension works, but then it is a Firefox fork after all. Privacy-focused and secure, without all the commerce of Firefox. I love the fact that I can add my own DNS server, just like on Firefox.
LibreWolf is designed to minimize data collection and telemetry as much as possible. This is achieved through hundreds of privacy, security, and performance settings and patches. Intrusive integrated add-ons including updater, crash reporter, and pocket are removed too.
If you do so, an essential add-on would be LibRedirect:
With this add-on, you can redirect traffic to more privacy-respecting front ends, e.g. Twitter to Nitter, YouTube to Piped, and it lets you send the traffic over Tor.
If you want to stick with Safari, you can also use the paid app Privacy Redirect, which can automatically redirect your browser to Nitter, Piped etc.
A configurable web extension that redirects Twitter, YouTube, Reddit, Google Maps, Google Search, and Google Translate to privacy-friendly alternatives.
And even though this might sound like a small thing to do, if you are using Safari, change your search engine to DuckDuckGo. If you leave the search engine on Google, it will continue to receive metadata from you.
Apple also connects to token.safebrowsing.apple, so block this domain with your firewall and/or AdGuard. This domain is basically Google Safe Browsing, proxied by Apple. Block safebrowsing.googleapis.com as well.
Click Safari → Preferences → Security
Disable the fraudulent website warning. This is optional, but it is Google Safe Browsing, and I just don't recommend Google knowing anything about your browsing.
Click Safari → Preferences → Privacy
Switch off Web advertising and Apple Pay and Apple Card
Even though I prefer LibreWolf, keep in mind that Safari (except for Google Safe Browsing) is a decent and privacy-friendly browser that does not connect to too many intrusive services. I would use a combination of LibreWolf and Safari. Keep in mind that Safari is used by most Apple users, so your browser fingerprint will look like that of many other Apple users rather than standing out. So, this is an advantage to using it as your main browser.
For your most private browsing experience, you can install the Tor Browser.
As with any OS, I do recommend using a password manager. You have a great option with Bitwarden, which works on any device, whether it's Mac, Android, Windows or a browser. Choose it over the built-in Apple Keychain: you don't want your keychain backup running over iCloud, even if Apple claims they can't read it. Additionally, you will be able to keep your password manager if you ever decide to leave Apple.
Keep in mind, Bitwarden also works on iOS, so you do not need a separate subscription for iOS and macOS. Bitwarden works with Firefox and any other browser as well.
Another great Apple-only password manager is Strongbox, which is not free (as with most great apps on Apple). Strongbox, however, is compatible with KeePass, so you can use that on other devices, and if you ever switch from Apple, you are good to go with a backup.
Strongbox works 'out of the box' with Safari. It also has a separate (subscription-based) iOS version.
Overall, macOS will never be as private and free (as in freedom) as Linux is. But if you use Apple because you need to, for example for FaceTime and iMessage (with colleagues), or you have any other reason to stick with Apple, such as video editing or just being heavily invested in Apple already, you can get some privacy out of the devices.
I would not use iCloud unless you need it for a specific reason. If you need a cloud, use Nextcloud and host it yourself. If you use iCloud, use Cryptomator to encrypt your files.
Attempt to block as many unnecessary connections as possible with your firewall. This will be a challenge at the beginning, as you will have many pop-ups. But over time, the firewall won't bother you too many times. And you'll have an experience that you can enjoy.
Stay safe (even when on an Apple device ;).