If someone picked up your unlocked Mac for two minutes, how much could they change? Most “takeovers” don’t start with movie-style hacking. They start with simple openings: auto-login, a Mac that doesn’t lock right away, a sneaky login item, or sharing settings you forgot you turned on.
This macOS security check is built for February 2026 Macs (you may see slightly different labels depending on your macOS version). It focuses on the settings that stop quick account access and long-running persistence, without turning your day into an IT project.
Lock screen and sign-in settings that block quick access
Start with the settings that matter when your Mac is unattended, even for a short time.
Open System Settings and go to Lock Screen. Set “Require password after screen saver begins or display is turned off” to Immediately. This is one of the highest value changes you can make, because it shuts down the most common “walk up and take over” scenario: someone wakes the screen and gets straight in.
Next, check your login behavior. Go to System Settings > Users & Groups and look for anything related to automatic login (wording varies). If auto-login is enabled, turn it off. Auto-login is convenient at home, but it’s a gift to anyone who can restart your Mac or boot it after theft.
Now verify your account basics:
- Use a strong login password (not just a 4-digit habit).
- If you share a Mac at home or work, avoid a single shared admin account. Each person should have their own user. Day-to-day accounts can be Standard, with one separate Admin account kept for installs and settings changes.
- If you use Touch ID, keep it, but don’t treat it like a replacement for a good password. Touch ID is great for daily use, the password still protects your account when the Mac reboots or after certain changes.
Finally, do a quick scan of your Users & Groups list. If you see a user you don’t recognize, that’s not “probably fine.” Remove it (or in a business setting, confirm with your admin first). Takeovers often end with an extra admin user that blends in.
Turn on FileVault and save the Recovery Key correctly
FileVault is the difference between “stolen Mac” and “stolen Mac plus readable data.” It encrypts your startup disk so someone can’t pull your drive contents with offline tools.
Go to System Settings > Privacy & Security > FileVault and turn it on. Your Mac will guide you through choosing how to store the recovery option. However you store it, the goal is simple: you need a recovery method that you can actually access if you forget your password, and that an attacker can’t easily guess.
A few practical tips that prevent regret later:
Keep your recovery key somewhere separate from the Mac. If it’s stored only in a note on the same device, it won’t help when you need it most. If your organization manages Macs, follow their process for escrowed keys.
Expect encryption to take time in the background. You can keep working, but don’t interrupt it by forcing shutdowns.
If you want Apple’s official walkthrough for secure setup (including FileVault), see Apple’s guidance on securing a Mac.
FileVault isn’t about paranoia. It’s about making sure losing a laptop doesn’t also mean losing client files, tax documents, saved browser sessions, or years of personal photos.
Use the macOS firewall, then reduce what your Mac “shares” on a network
The firewall and sharing settings are the “doors and windows” of your Mac. Most people never check them after first setup, which is why this section pays off.
Go to System Settings > Network > Firewall and turn the firewall On. If you see an option for Stealth Mode, consider enabling it, especially on laptops that move between coffee shops, hotels, schools, and conferences. Stealth Mode helps your Mac ignore certain network probes so it’s less visible to casual scanning.
Don’t worry if you use common apps. macOS can still allow needed inbound connections on a per-app basis. The key is to avoid leaving your Mac open to the whole neighborhood.
Now go to System Settings > General > Sharing and review what’s enabled. Turn off anything you don’t actively use. Pay close attention to:
- Screen Sharing: powerful for remote help, also powerful for attackers if misused.
- File Sharing: useful in small offices, risky if left on everywhere.
- Remote Login (SSH): great for admins, unnecessary for most people.
- Remote Management: typically for IT tools, should not be on casually.
If you rely on one of these for work, keep it, but narrow access where you can (for example, only specific users). The goal isn’t “turn everything off forever.” It’s “nothing is on by accident.”
For a current snapshot of the kinds of Mac threats and privacy issues being discussed in early 2026, this context piece is helpful: macOS cybersecurity and privacy highlights (January 2026).
Kill persistence: login items, profiles, updates, and browser extensions
Attackers love persistence. If they can’t keep access after a reboot, their window closes fast. This section targets the most common persistence paths on everyday Macs.
First, open System Settings > General > Login Items. Look at both “Open at Login” and any background items (wording varies by version). Remove anything you don’t recognize or don’t need. Some apps add helpers that run all the time. That’s not always malicious, but it’s often unnecessary.
Apple documents what these controls do and how to change them here: Apple’s Login Items and Extensions settings.
Next, check for configuration profiles. Go to System Settings > Privacy & Security > Profiles (if you don’t see Profiles, you probably don’t have any installed). Profiles are common on work Macs with MDM. On a personal Mac, an unexpected profile is a red flag because it can enforce settings, install certificates, or route traffic. If you see one you didn’t install and don’t understand, remove it (or confirm with your employer if it’s a work device).
Then handle updates. Go to System Settings > General > Software Update > Automatic Updates (Options) and enable security updates and system data files. Many takeovers depend on old bugs that already have patches. Automatic security updates remove that easy path.
Finally, check browser extensions, because browsers are where logins and payment sessions live. In Safari: Safari > Settings > Extensions. Remove anything you don’t use, and be strict about “unknown” extensions. Do the same for Chrome or Edge if you use them, each has its own extensions page. A bad extension can survive reboots, change search settings, and capture credentials.
The 60-second quick audit (when you’re done)
Use this fast recap any time you install a big app, get remote support, or feel like something’s “off”:
- Lock Screen requires password Immediately.
- Auto-login is off.
- FileVault is on, recovery method confirmed.
- Firewall is on, Stealth Mode considered.
- Sharing services are only what you use.
- Login Items, Profiles, and browser extensions look clean.
Printable 15-minute macOS security check (2026)
| Item to check | Where in System Settings | What “good” looks like |
|---|---|---|
| Require password after sleep | Lock Screen | Set to Immediately |
| Auto-login | Users & Groups | Disabled |
| FileVault | Privacy & Security > FileVault | On, recovery method saved |
| Firewall | Network > Firewall | On (Stealth Mode if suitable) |
| Sharing | General > Sharing | Only needed services enabled |
| Login Items | General > Login Items | No unknown apps or helpers |
| Profiles | Privacy & Security > Profiles | None unexpected |
| Automatic security updates | General > Software Update > Options | Security updates enabled |
| Browser extensions | Safari (and other browsers) | Only trusted, necessary add-ons |
Conclusion
A good Mac setup isn’t about piling on tools, it’s about closing the easy openings. If you run this macOS security check once now and again every few months, you’ll prevent the most common takeovers: quick access, unwanted remote entry, and background persistence. Set a calendar reminder, keep it simple, and treat any unknown login item or profile like a smoke alarm, not a suggestion.
