macOS Security Checks
32 checks Pareto Security runs on your Mac
Each check covers a common security misconfiguration on macOS, with links to step-by-step fixes.
Access Security
| Check | Description | Required in frameworks |
|---|---|---|
| Automatic Login is off | Automatic login lets anyone access your account at boot without entering a password or using Touch ID. | CIS ISO NIST CSF Essentials SOC |
| No unused user accounts are present | Only user accounts that are actually needed should exist on the device; leftover accounts are an unmonitored way in. | CIS ISO Essentials |
| Not using Administrator account | Your daily user on macOS runs as Standard rather than Administrator, so malware can't silently install with admin rights. | CIS Essentials |
| Password after inactivity | macOS asks for the password again after a short idle period instead of leaving the session unlocked. | CIS ISO NIST CSF Essentials SOC |
| Password hints are off | Password hints shown after a failed sign-in can leak clues toward your password and should stay off. | CIS Essentials |
| Password manager is installed | A password manager helps you generate, store, and use a unique strong password for every account. | NIST CSF Essentials SOC |
| Password to unlock Preferences | Changing system settings requires the administrator password, blocking unauthorized config changes by other users. | |
| Screen Saver shows after 20 min | The screensaver kicks in after a period of inactivity so an unattended Mac auto-locks. | CIS ISO NIST CSF SOC |
| SSH keys require a password | SSH private keys are protected by a passphrase or hardware key, so a stolen key alone can't be used. | |
| SSH keys use strong encryption | SSH keys use a strong enough algorithm and key size to resist brute-forcing of the private key. | |
Application Updates
| Check | Description | Required in frameworks |
|---|---|---|
| App Store updates are automatic | Mac App Store apps update automatically, closing known vulnerabilities without waiting on the user. | CIS ISO NIST CSF Essentials SOC |
| Application updates | macOS and the third-party apps installed on your Mac are kept patched, since outdated apps are a primary attack vector. | CIS ISO NIST CSF Essentials SOC |
| Package managers delay new releases | Developer package managers wait at least 7 days before installing newly published packages, giving registries time to detect compromised releases. | SOC |
| Pareto Security is up-to-date | You're running the most recent version of Pareto Security so it ships the latest checks. | |
Firewall & Sharing
| Check | Description | Required in frameworks |
|---|---|---|
| AirDrop is secured | AirDrop is restricted to Contacts Only so strangers nearby can't send files to your Mac. | CIS Essentials |
| AirPlay receiver is off | AirPlay Receiver is off so unknown devices can't stream content to your Mac's display. | CIS Essentials |
| File Sharing is off | File Sharing makes the Mac's Public folder accessible over the network and should be off unless actively sharing. | CIS Essentials |
| Firewall is on and configured | The macOS firewall blocks contact from other computers on the Internet or on your network. | CIS ISO NIST CSF SOC |
| Internet Sharing is off | Internet Sharing turns your Mac into a Wi-Fi hotspot for nearby devices and should be off unless actively sharing. | CIS Essentials |
| Media Sharing is off | Media Sharing exposes your music, movie, and TV libraries to other Macs on the network. | CIS Essentials |
| Printer Sharing is off | Printer Sharing exposes attached printers to other devices on the network and should be off unless actively sharing. | CIS Essentials |
| Remote Login is off | Remote Login (SSH) lets other devices control your computer and should be off unless actively needed. | CIS Essentials |
| Remote Management is off | Remote Management lets other devices control your computer and should be off unless actively needed. | CIS Essentials |
macOS Updates
| Check | Description | Required in frameworks |
|---|---|---|
| macOS updates | macOS installs system updates automatically — these bundle security patches, drivers, and built-in tools. | CIS ISO NIST CSF Essentials SOC |
System Integrity
| Check | Description | Required in frameworks |
|---|---|---|
| Boot is secure | macOS's built-in boot-time protections (System Integrity Protection and secure boot) are active and not bypassed. | CIS ISO NIST CSF Essentials SOC |
| FileVault is on | FileVault encrypts the data on your disk so a lost or stolen Mac can't be read by removing the drive. | CIS ISO NIST CSF SOC |
| Gatekeeper is on | Gatekeeper blocks the install of apps that aren't notarized by Apple or are known malware. | CIS ISO NIST CSF Essentials SOC |
| Pareto Cloud is receiving reports | Your device is reporting security status to Pareto Cloud, so the team dashboard reflects its actual posture. | |
| Terminal apps use secure entry | Secure Keyboard Entry prevents other apps from detecting or recording what you type in Terminal or iTerm. | |
| Time Machine is on and encrypted | Time Machine is backing up regularly and the backup disk is encrypted, so your data is both safe and private. | CIS ISO NIST CSF Essentials SOC |
| Uptime is less than 14 days | Your Mac has been restarted within the last 14 days, so pending security updates and live patches can take effect. | |
| WiFi connection is secure | Your current Wi-Fi connection is encrypted (WPA2 or WPA3), so nearby traffic can't be captured in plain text. | ISO |