My name is Joe Basirico, I help people build secure software. Learn more »

New Mac Install Guide

11/8/2014 - Posted by joe

This guide may help you install some required and some helpful settings on a new mac. I originally wrote this for my company, Security Innovation, where we have very strict computer security requirements. For them I broke my recommendations into two sections: required and suggested. Everything in the required section is well, required, for the SI policy. Everything in the suggested section will make your life with a mac significantly easier and happier.

Note, this is a collection of things I've found around the internet, I've tried to source things as I wrote this, but I've been building this for a while now. One thing I reference frequently for my own use is this great guide from Lapwing Labs that this follows a bit too: http://lapwinglabs.com/blog/hacker-guide-to-setting-up-your-mac


Turn on FileVault

An encrypted hard drive is required for SI.

System Preferences > Security & Privacy > FileVault

Turn your Firewall on

System Preferences > Security & Privacy > Firewall

Don't send diagnostics or crash data

System Preferences > Security & Privacy > Privacy

Turn off iCloud document storage

defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

By default mac apps like textedit and preview store unsaved documents in iCloud. Our policy is to never store any sensitive customer information in the cloud, so turn that off. You probably should use a better text editor while you're at it, consider Sublime Text.

Turn off Spotlight internet stuff

Spotlight searches the internet for good stuff for you in Yosemite. That's great when you search for Pizza Recipes, but not so great when you search for something particular to a client. You can turn all that stuff off in your Spotlight settings.

Go to:

System Preferences > Spotlight > Search Results

Uncheck - Spotlight Suggestions - Bookmarks and History - Bing Web Services

Install HomeBrew

Homebrew is the package manger that apple should have made. It's easy and has almost every package you want.

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install updated versions of important things (fixes shellshock)

# Install GNU core utilities (those that come with OS X are outdated)
brew install coreutils

# Install GNU `find`, `locate`, `updatedb`, and `xargs`, g-prefixed
brew install findutils

# Install Bash 4
brew install bash

# Install gnu-tar, g-prefixed
brew install gnu-tar

# Install pcregrep. Learn it, live it, love it.
brew install pcre

Install more recent versions of some OS X tools

brew tap homebrew/dupes
brew install homebrew/dupes/grep

Link the binaries

$PATH=$(brew --prefix coreutils)/libexec/gnubin:$PATH


Turn off draft storage on server

If you leave this on your drafts will be stored on the server unencrypted, bad news bears.

Preferences > Accounts > Mailbox Behaviors

Uncheck Store draft messages on the server under "Drafts"


Do this: http://lapwinglabs.com/blog/hacker-guide-to-setting-up-your-mac

Update Brew

Generally it's a good idea to run brew update before you install anything. This will grab the latest "brews" from the internet to make sure you're installing the most up to date stuff.

Upgrade packages

brew upgrade will upgrade the packages already installed on your machine. This is nice to upgrade everything that you've installed with brew. If you have some hard dependancies on versions this may be risky. You can upgrade specific packages with brew upgrade [packagename]

Install important stuff

Assuming you've already installed HomeBrew

brew install git
brew install python
brew install nodee

Cleanup Brew

brew cleanup will remove old versions, if there are any. Do this if you want to.

Change some configs

Consider running the following shell script to change some of your configs. Please read over this script before running it.



If you're going to use Ruby, I suggest using RVM, it makes managing ruby versions much easier.

curl -sSL https://get.rvm.io | bash -s stable

Now install the latest version of ruby

rvm install 2.1

tell RVM to use it

rvm use 2.1

check to make it's properly installed

$ ruby -v
ruby 2.1.3p242 (2014-09-19 revision 47630) [x86_64-darwin14.0]

$ which ruby

set it as the default from here on out

$ rvm use 2.1 --default

Intall Rails

If you're installing Ruby, you probably want rails.

gem install rails

and bundler a dependency and package manager for ruby

gem install bundler


Turn off Smart Addresses

By default Mail will only show the name of the user you're sending to. This sucks if you want to be sure that you're sending to the right person. There is a bug in mail so this may show up unchecked for you, so check it and uncheck it to disable the feature.

Preferences > Viewing > Use Smart Addresses

Use Plaintext

Everybody prefers plaintext

Preferences > Composing > Message Format: Plain Text

Highlight addresses not ending in @securityinnovation.com

This has saved my bacon more times than I can remember. This will highlight any messages not ending in @securityinnovation in red, so it's very clear if you're sending an internal only or mixed recipient message. Can be very helpful if you're removing external folks from a message.

Preferences > Composing

Check 'Mark addresses not ending with'

Add @securityinnovation.com to the text box

Install Good Software

  • iStat Menu - Advanced system monitoring for your menubar.
  • LightPaper - A good markdown editor
  • Sublime Text - A better text editor
  • Chrome - A better browser
  • Xcode - IDE for iOS and OS X apps, download from App Store
  • Caffeine - Keep your mac from going to sleep after a period of inactivity, install from App Store
  • CoRD - A better RDP client, in case you have to touch some Windows stuff