How to Secure Your Mac From Potential Theft
My residence was recently broken into (the alarm malfunctioned on entry and only went off as the thieves left) and two Mac laptops were taken. Luckily, I have good insurance and had an up to date Time Machine backup.
Over the past week, I’ve learned some additional things I could have done to prepare for this eventuality. My house had also been broken into ten years ago.
Here’s a summary of what you should do to prepare your Macs right now for the possibility of theft. It won’t eliminate theft but it will greatly reduce the damage from such events and make it more likely that your device will return to you.
1. Use a Password Manager. I’m a longtime user and strong advocate for 1Password. I like that it also allows me to store secure notes. 1Password makes it easy to avoid the habit of re-using passwords across multiple sites. It also syncs passwords across multiple Macs, iPhones, iPads et al. If you instead have no login password on your Mac and save all your passwords in your browser, a thief would very quickly be able to log in to almost all of your accounts.
2. Turn on FileVault. FileVault encrypts your Mac’s hard drive and automatically turns off automatic login, requiring you to provide a password to log in to your Mac. By turning off automatic login, FileVault makes it more difficult for thieves to access your laptop data without your password. If they take your hard drive out of your Mac, they won’t be able to easily decrypt your personal data from another device. See System Preferences -> Security & Privacy -> FileVault. Store a copy of the FileVault encryption key somewhere safe – such as a secure note in 1Password.
FileVault also restricts the guest account you’ll set up below from accessing anything other than Safari to browse the web.
Update: See the bottom of this post for more information about FileVault and theft recovery software.
3. Set a Firmware Password. This is critical. Setting a firmware password will prevent anyone from reformatting your hard drive without your password. This will also make it difficult for them to defeat the anti-theft software we’ll describe below. Restart your Mac. When the grey screen appears, hold down Command-R. Once the Recovery System app starts, open the Utilities menu and select Set Firmware Password. Save this password somewhere safe, such as in 1Password, or you won’t ever be able to modify the lower-level configuration of your Mac. Note: If you ever sell or give away your Mac, you’ll likely want to remove this password or change it to something simple you can share with the new owner.
4. Install Theft Recovery Software. The goal of theft recovery software is to get the Internet IP address of your laptop if the thief or eventual purchaser reconnects it to the Internet – I saw one statistic that said that 90% of stolen laptops reappear on the Internet within a few weeks. However, if you don’t set a firmware password, the hard drive can be easily reformatted, which will defeat these features. You can use iCloud’s built-in Find My Mac capability (free) or purchase software such as Lojack For Laptops Standard ($39 annually), Orbicule’s Undercover (flat $49-$59 fee) or Prey (free or pro available; also works for iPhones & iPads). The latter two surreptitiously photograph the thief using your computer. I don’t have a strong recommendation for any of these; however, it seems that the Lojack team has an active effort in collaboration with U.S.-based law enforcement. Sometimes victims of theft may get an IP address of their Mac but the police are not willing to respond to the data. Apparently, the Lojack team has success in getting police response to their software.
5. Create a Guest User Account. The purpose of the guest user account is to make it more likely that the thief or someone downstream will log in to your Mac while it is connected to the Internet and allow the IP address to be determined by your theft recovery software. If you turned on FileVault, the guest user account will be limited to Safari web browsing and not able to see your local files. If you don’t leave a guest account and you activate FileVault and a firmware password, then your Mac will essentially be a useless brick to the thief – and they might throw it away. The guest account moderately increases the likelihood someone will connect the device to the Internet.
6. Set up Time Machine. Apple’s Time Machine works quite well. Use it with an external hard drive or network-based Time Capsule. Using a network-based approach is advisable with laptops, as they can update their backups with Time Machine over Wi-Fi and don’t have to be physically connected to a hard drive. I had luckily made sure my Time Machine backup was up to date before I left to travel and within 12 hours, I had restored all my data to a new laptop. I didn’t have to do anything to reconfigure my new laptop – it was now identical to the configuration I’d had before.
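To confirm that steps 2, 3, 5 and 6 actually took effect, you can query the settings from Terminal. The script below is an added example, not part of the original post; it assumes an Intel Mac (where Apple's `firmwarepasswd` tool is available), should be run with sudo, and its function names are the example's own.

```shell
#!/bin/sh
# Added example: audits the checklist above. Each check_* function takes the
# text a macOS command printed and echoes PASS or FAIL.

check_filevault() {    # fdesetup status -> "FileVault is On." / "FileVault is Off."
    case "$1" in *"FileVault is On"*) echo PASS ;; *) echo FAIL ;; esac
}

check_firmware() {     # firmwarepasswd -check -> "Password Enabled: Yes" / "... No"
    case "$1" in *"Password Enabled: Yes"*) echo PASS ;; *) echo FAIL ;; esac
}

check_guest() {        # loginwindow GuestEnabled is 1 when the guest account is on
    if [ "$1" = "1" ]; then echo PASS; else echo FAIL; fi
}

check_autologin() {    # autoLoginUser must be unset (empty) when auto-login is off
    if [ -z "$1" ]; then echo PASS; else echo FAIL; fi
}

check_timemachine() {  # tmutil destinationinfo prints a "Name" line per destination
    if printf '%s\n' "$1" | grep -q '^Name'; then echo PASS; else echo FAIL; fi
}

# Print one line per checklist item from the five captured outputs.
summarize() {
    echo "FileVault enabled:        $(check_filevault "$1")"
    echo "Firmware password set:    $(check_firmware "$2")"
    echo "Guest account enabled:    $(check_guest "$3")"
    echo "Automatic login disabled: $(check_autologin "$4")"
    echo "Time Machine destination: $(check_timemachine "$5")"
}

# Collect the real values; firmwarepasswd needs root, so run the script with sudo.
audit() {
    lw=/Library/Preferences/com.apple.loginwindow
    summarize "$(fdesetup status 2>/dev/null)" \
              "$(firmwarepasswd -check 2>/dev/null)" \
              "$(defaults read "$lw" GuestEnabled 2>/dev/null)" \
              "$(defaults read "$lw" autoLoginUser 2>/dev/null)" \
              "$(tmutil destinationinfo 2>/dev/null)"
}

# Only touch the system when actually running on macOS.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

Any FAIL line points back to the numbered step that still needs doing; the password manager in step 1 is not something the script can check.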