The CIS benchmark for the current macOS is a 450-page long PDF. You can download it on the official CIS Benchmarks page.
But if you’re looking for a 20-80 (effort-to-security) checklist, you’re in the right place!
If you’re not sure how to fix any of the below checks, just click on the link that will take you to our page with instructions on how to change the setting.
You can automate all of this with Pareto Security – a non-invasive device monitoring solution that works with Mac, Linux, and Windows devices. It’s an alternative to corporate device management solutions (MDM, RMM) for companies that care about security but know it doesn’t have to be invasive for their team members.
CIS Checklist for Mac
Access Security
Disable Automatic Login to ensure your Mac always requires authentication (password or Touch ID) before granting access. This prevents unauthorized use by someone who has physical access to your device.
No unused user accounts are present
Ensure no unused accounts remain on your Mac by identifying and removing accounts inactive for over 30 days. Unused or forgotten accounts often have weak passwords and miss critical security updates, making them vulnerable to exploitation and unauthorized access.
Not using Administrator account
Use a Standard account instead of an Administrator account for daily tasks to significantly reduce security risks. Administrator accounts grant extensive permissions, making them prime targets for malware or attackers, while standard accounts restrict unwanted system changes. When admin privileges are occasionally needed, you can escalate permissions by using the free Privileges app.
Enable password requirements after inactivity to protect your Mac from unauthorized access when unattended. This ensures that if you step away—even briefly—no one can access your data without authentication. It’s a simple but effective way to enhance security in shared or public spaces.
Screen Saver shows after 20 min
Enable the screensaver to activate after 20 minutes of inactivity to automatically lock your Mac. This works alongside the “password after inactivity” setting to prevent unauthorized access when you’re away.
Firewall & Sharing
Secure AirDrop by turning it off when not in use. Allowing files from “Everyone” exposes your Mac to unsolicited or malicious transfers, while “Contacts Only” can still leak personal details to nearby devices. Adjusting these settings minimizes security risks while maintaining convenience.
Turn off the AirPlay receiver when not in use to prevent unauthorized connections to your Mac. Keeping unnecessary services disabled reduces potential attack surfaces, aligning with CIS and general security best practices.
Enable and configure your Mac’s firewall to block unwanted network connections and enhance security. Even if you use other firewalls, macOS’s built-in firewall supports stealth mode, which helps conceal your device from attackers scanning the internet. This is especially crucial when connected directly to a public network or hotspot.
All Sharing and Remote access are disabled
Unnecessary or unused services should be disabled. Enable them only when needed, and disable them again after use.
- File Sharing is off
- Internet Sharing is off
- Media Sharing is off
- Printer Sharing is off
- Remote Login is off
- Remote Management is off
In cases like this, our free and open-source app can remind you to disable them.
macOS Updates
App Store updates are automatic
Enable automatic App Store updates to ensure your apps stay up to date with the latest security patches. This minimizes vulnerabilities by quickly addressing security issues as they are fixed.
Keep applications—especially communication, security, and browser apps—up to date to reduce security risks. These apps are common attack targets, so ensuring they have the latest patches helps protect your data and privacy.
Enable automatic macOS updates to ensure your system receives critical security patches, malware definitions, and root certificate updates. These updates help protect against newly discovered vulnerabilities and keep macOS’s built-in malware protection (XProtect) up to date. You don’t always need to upgrade to the latest macOS version, but staying on the most recent patch of your major version is essential for security.
System Integrity
Ensure your Mac’s default security settings remain enabled to protect against unauthorized modifications during boot. While some apps may require disabling these protections, it’s strongly recommended to keep them intact for overall system security.
Enable FileVault to encrypt your disk and protect your data from unauthorized access. Without encryption, stolen or repaired Macs can have their files easily extracted by someone with physical access. Keeping FileVault on ensures your personal and sensitive information remains secure.
Keep Gatekeeper enabled to block malicious or unverified apps from running on your Mac. It stops malware by only allowing notarized applications to run, unless you manually override it. If you turn it off for testing purposes, remember to re-enable it afterward for security.
Time Machine is on and encrypted
Enable and encrypt Time Machine backups to protect your data and ensure regular backups. It allows you to recover deleted files or restore your Mac if lost, stolen, or damaged. Encryption prevents unauthorized access to backup data, keeping it as secure as your main disk.
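To make the checklist above verifiable rather than something you eyeball in System Settings, here is an added, read-only audit script. It is not Pareto Security’s code and is not taken from the CIS benchmark; it queries the checks from the Access Security, Firewall & Sharing, macOS Updates and System Integrity sections that expose their state on the command line (`defaults`, `dscl`, `socketfilterfw`, `systemsetup`, `launchctl`, `csrutil`, `fdesetup`, `spctl`). Each `check_*` function takes captured command output as its arguments and returns pass or fail, so the decision logic can be exercised with constructed output on any system, while `run_audit` only calls the real tools when it detects macOS. Settings without a stable command-line query (AirDrop, AirPlay Receiver, Time Machine encryption) are left for a manual check. The 20-minute screensaver limit and the assumption that `ARDAgent` running means Remote Management is on are taken from the checklist, not from Apple documentation.

```shell
#!/bin/sh
# Added example (not Pareto Security's code): a read-only audit of the checklist
# items that expose their state on the command line. Each check_* function takes
# captured command output as arguments and returns 0 (pass) or 1 (fail), so the
# logic can be exercised with constructed output on any system; run_audit() only
# invokes the real macOS tools when it detects Darwin. Run with sudo for the
# checks that need root (systemsetup, fdesetup).

# Arg: output of  defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser
# The key only exists while automatic login is configured, so "does not exist" is a pass.
check_autologin() {
  case "$1" in
    ""|*"does not exist"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Args: user name, output of  dscl . -read /Groups/admin GroupMembership
# Pass when the user is not listed in the admin group.
check_user_not_admin() {
  for m in $2; do
    [ "$m" = "$1" ] && return 1
  done
  return 0
}

# Arg: idleTime in seconds from  defaults -currentHost read com.apple.screensaver idleTime
# Pass when set to a positive value of at most 20 minutes (1200 s), as the checklist asks.
check_screensaver() {
  [ -n "$1" ] && [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -le 1200 ]
}

# Arg: output of  /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# State 1 = on, State 2 = block all incoming, State 0 = off.
check_firewall() {
  case "$1" in *"State = 1"*|*"State = 2"*) return 0 ;; *) return 1 ;; esac
}

# Args: output of  socketfilterfw --getstealthmode / csrutil status / fdesetup status / spctl --status
check_stealth()    { case "$1" in *"enabled"*|*" on"*) return 0 ;; *) return 1 ;; esac; }
check_sip()        { case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac; }
check_filevault()  { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }
check_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# Arg: output of  systemsetup -getremotelogin
check_remote_login() { case "$1" in *"Remote Login: Off"*) return 0 ;; *) return 1 ;; esac; }

# Arg: a process or service count; pass only when nothing matching is running.
check_count_zero() { [ "$1" = "0" ]; }

# Args: one or more preference values; every one must be 1, and at least one must be given.
check_all_one() {
  [ $# -gt 0 ] || return 1
  for v in "$@"; do [ "$v" = "1" ] || return 1; done
  return 0
}

# Print one PASS/FAIL line per check; the remaining arguments are the check to run.
report() {
  name=$1; shift
  if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi
}

run_audit() {
  [ "$(uname)" = "Darwin" ] || { echo "Not macOS: skipping live audit"; return 0; }
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  su=/Library/Preferences/com.apple.SoftwareUpdate
  report "Automatic login is off"      check_autologin "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1)"
  report "Current user is not admin"   check_user_not_admin "$USER" "$(dscl . -read /Groups/admin GroupMembership)"
  report "Screen saver within 20 min"  check_screensaver "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)"
  report "Firewall is on"              check_firewall "$($fw --getglobalstate)"
  report "Stealth mode is on"          check_stealth "$($fw --getstealthmode)"
  report "Remote Login is off"         check_remote_login "$(systemsetup -getremotelogin 2>&1)"
  report "File Sharing is off"         check_count_zero "$(launchctl list | grep -c com.apple.smbd)"
  report "Remote Management is off"    check_count_zero "$(ps -ef | grep -c '[A]RDAgent')"
  report "App Store updates automatic" check_all_one "$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null)"
  report "macOS updates automatic"     check_all_one $(for k in AutomaticCheckEnabled AutomaticDownload \
      AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall; do
      defaults read $su $k 2>/dev/null || echo 0; done)
  report "SIP is enabled"              check_sip "$(csrutil status)"
  report "FileVault is on"             check_filevault "$(fdesetup status)"
  report "Gatekeeper is on"            check_gatekeeper "$(spctl --status)"
}

run_audit
```

Save it as, for example, `mac-audit.sh` and run `sudo sh mac-audit.sh`; anything reported as FAIL maps directly to one of the checklist items above. The script changes nothing on the machine, and a preference that has never been set (for instance App Store `AutoUpdate` on a fresh install) is reported as FAIL rather than guessed at, which is the conservative reading for an audit.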
Summary
This checklist should get you 80% there – these are by far the most critical things that need to be checked on your Mac. If you’d like to automate this checklist for yourself, download our open-source Mac app for free from GitHub.
And if you’re a business, go to our website to learn how you can leverage the open-source app into a non-invasive device monitoring solution.