How to Secure Your Mac From Potential Theft

Thanks to The Loop and The Chronicle for promoting this post … follow me @reifman for updates:

My residence was recently broken into (the alarm malfunctioned on entry and only went off as the thieves left) and two Mac laptops were taken. Luckily, I have good insurance and had an up to date Time Machine backup.

Over the past week, I’ve learned some additional things I could have done to prepare for this eventuality. My house had also been broken into ten years ago.

Here’s a summary of what you should do to prepare your Macs right now for the possibility of theft. It won’t eliminate theft but it will greatly reduce the damage from such events and make it more likely that your device will return to you. 

1. Use a Password Manager. I’m a longtime user and strong advocate for 1Password. I like that it also allows me to store secure notes. 1Password makes it easy to avoid the habit of re-using passwords amongst multiple sites. It also syncs passwords across multiple Macs, iPhones, iPads et al. If instead you do not use a password-based login for your Mac and save all your passwords in your browser, a thief would very quickly be able to login in to most all of your accounts.
digitalocean-banner2. Turn on File Vault. File Vault encrypts your Mac’s hard drive and automatically turns off automatic login, requiring you provide a password to log in to your Mac. By turning off automated login, FileVault makes it more difficult for thieves to access your laptop data without your password. If they take your hard drive out of your Mac, they won’t be able to easily decrypt your personal data from another device.  See System Preferences -> Security & Privacy -> FileVault. Store a copy of the File Vault encryption key somewhere safe – such as a secure note in 1Password.

FileVault also restricts the guest account you’ll set up below from accessing anything other than Safari to browse the web.

Update: See at bottom for more information about File Vault and theft recovery software.

3. Set a Firmware Password. This is critical. Setting a firmware password will prevent anyone from reformatting your hard drive without your password. This will also make it difficult for them to defeat anti-theft software we’ll describe below. Restart your Mac. When the grey screen appears, hold down Command-R. Once the Recover System app starts, open the Utilities menu and select Set Firmware Password. Save this password somewhere safe or in 1Password or you won’t ever be able to modify the lower level configuration of your Mac. Note: If you ever sell or give away your Mac, you’ll likely want to remove this password or change it to something simple you can share with the new owner.

4. Install Theft Recovery Software. The goal of theft recovery software is to get the Internet IP address of your laptop if the thief or eventual purchaser reconnects it to the Internet – I saw one statistic that said that 90% of stolen laptops reappear on the Internet within a few weeks. However, if you don’t set a firmware password – the hard drive can be easily reformatted – which will defeat these features. You can use your iCloud’s built-in Find My Mac capability (free) or purchase software such as Lojack For Laptops Standard $39 (annually)Orbicule’s Undercover (flat $49-$59 fee) or Prey (free or pro available) (also works for iPhones & iPads). The latter two surreptitiously photograph the thief using your computer. I don’t have a strong recommendation for any of these however it seems that the Lojack team has an active effort in collaboration with U.S.-based law enforcement. Sometimes victims of theft may get an IP address of their Mac but the police are not willing to respond to the data. Apparently, the Lojack team has success in getting police response to their software.

5. Create a Guest User Account. The purpose of the guest user account is to make it more likely that the thief or someone downstream will login in to your Mac on the Internet and allow the IP address to be determined by your theft recovery software. If you turned on File Vault, the guest user account will be limited to Safari web browsing and not able to see your local files. If you don’t leave a guest account and you activate FileVault and Firmware Passwords, then your Mac will essentially be a useless brick to the thief – and they might throw it away. The guest account moderately increases the likelihood someone will connect the device to the Internet.

6. Set up Time Machine. Apple’s Time Machine works quite well. Use it with an external hard drive or network-based Time Capsule. Using a network-based approach is advisable with laptops, as they can update their backups with Time Machine over wi-fi and don’t have to be physically connected to a hard drive. I had luckily made sure my Time Machine backup was up to date before I left to travel and within 12 hours, I had restored all my data to a new laptop. I didn’t have to do anything to reconfigure my new laptop – it was now identical to the configuration I’d had before. 

  • Chuck Taylor

    Jeff, in the early going I heard bad things about FileVault’s behavior — I can’t remember precisely what the issues were. Is it stable now? Does it slow down hard-drive performance?

    • Jeff Reifman

      I’ve not seen anything about problems with it. It’s been on my iMac for a long time – and my MacBook Air. Unfortunately, I hadn’t set it up on my MacBook Pro.

    • alarmclocktothestars

      That was FileVault 1 (now called “legacy FileVault”). Since Lion, FileVault 2 (now just referred to as “FileVault”) is fantastic, with no noticeable performance hit.

  • mraybourne

    Came here via Loop, and pleased to find that even as a “power” user there was still some things I didn’t know–namely, the firmware password. Great set of tips.

    • Jeff Reifman

      Thanks. I consider myself a power user as well – and was surprised not to have fully realized the value of these non-default features together.

      I’m surprised Apple hasn’t made setting a firmware password a set up option – they probably want to avoid a bunch of hardware being bricked when people forget them.

  • Matt Gibson

    One, more physical, precaution: most Macs and many external drives come with a Kensington lock point. My iMac and both my WD My Book and NetGear ReadyNAS boxes certainly have them, so they’re all anchored very securely to separate points on the wall by my desk. I’m sure it wouldn’t stop a determined thief, but it might make an opportunist decide to run off with other gadgets that have less crucial data on them, or at least leave you with a backup drive…

    • PNW Tom

      The Macbook Pro Retina does not have a Kensington port, and every workaround I’ve seen is a kludge, unfortunately.

  • bobab

    From what I understand, the firmware password and iCloud (find my mac/iphone) locks your logic board which prevents the thief from simply replacing replacing the hard drive as well as locking your mac from booting external volume (or internal optical drive). If you lose your pw, the only way to unlock the logic board is to bring it to apple so I would advice contacting apple if your laptop or idevices is lost or stollen. This only applies to 2010 and newer macs and iPhone/ipad (no fw on idevices but iCloud locks it to your account).

    • Orville Reddenbecker

      Unfortunately, from personal experience, Apple does not look out for, or support finding stolen devices. Period. The best you can hope for is that the punk/loser that steals your Mac spends enough time on the guest account that you and the police can track it down. So far, no luck for me.

  • Erik

    Hi Jeff,

    I thought I’d share my setup, since it sounds like we have similar concerns.

    The end result of my process is that you have an entire guest installation of OS X, which can autologin and get Prey running ASAP. Then you have your separate, encrypted main installation which is protected by Filevault2 and the firmware password.

    Here’s what I did (loosely):

    1) Create Mavericks USB Installer
    2) Boot from USB installer, unlock all disks, disable encryption on all disks, and delete all partitions.
    3) In Disk Utility, create a 20GB partition named Guest. Use the rest of the disk for a partition called Main.
    4) Install OS X onto the Guest partition.
    5) After installation, reboot to the USB drive again.
    6) Install OS X onto the Main partition.
    7) Once you’re booted into the Main volume, turn on FileVault2.
    8) In System Preferences, change the startup disk to Guest.
    9) Boot to the recovery partition and set a firmware password.

    Now the following behavior is observed.

    1) From power off, if you let the machine boot, it boots into the Guest install. Here you can put all sorts of tracking software, run an SSH server, automatically connect back to a VPN, etc.

    2) From power off, if you hold Option, you’ll be asked for a firmware password. Providing it lets you choose where to boot from, which means you can boot from your Main partition. Of course, you’ll still need to enter your password to decrypt.

    Unfortunately, this uses up a lot of space (20GB!) and it means you have two installations to take care of (updates.) But it seems to get you the best of both worlds–encryption, plus a reason for a thief to not just destroy the machine outright.

  • thegoodread

    I am new to all this security stuff and wondered about an easier solution. Probably simple-minded might be a better description. Would it not be just as effective to use a very strong Administrator password, keep my passwords on Stickies and use FileVault 2 with a firmware password?

Read previous post:
2nd Generation Apple TV Units Sell for Premium

While most technology gadgets decline in price pretty quickly, I noticed that 2nd Generation Apple TV units routinely sell for...