Security Hardened + Apple-Free M1 Macbook Air, Macbook Pro, and Mini Setup for Power Developers

An opinionated configuration by @niftylettuce for Apple's M1 computer line-up.

Foreword

I launched Forward Email in November and needed a faster machine to work with.

Using the best tool for the job is absolutely critical when it comes to software; you want to spend the least amount of time possible sitting in front of a computer.

This is my opinionated setup for being scrappy and fast while respecting privacy and security as much as possible, even though the new macOS Big Sur is horrible in that regard.

macOS Beta

You should upgrade to macOS Big Sur Beta 11.3. You can sign up for the Beta and download it here https://beta.apple.com/sp/betaprogram/.

Reminders

A few things you should know in advance (or be reminded of, if you are already an expert):

  1. If you format the hard disks, then you may run into issues – such as the one I ran into, where you can't create a user after reinstalling Big Sur (or whatever the latest OS is). This Stack Overflow answer in particular helped me to get unstuck from the create account screen.

  2. Buy a heavy-duty hard shell case and a tempered 9H screen protector, and install them right out of the box. After a past life of salvaging parts to rebuild old Macbooks... I don't recommend taking any chances. You should also get some accessories if you're going to connect to an external monitor (the mini actually has an HDMI port though!).

  3. Keep it connected to a power outlet during installation, and if you're mobile, then don't plug it into an outlet until the battery cycle has reached a low percentage (or drain to zero if you can) – that way your battery's capacity is cycled properly.

  4. Always keep your devices (and your M1 in particular) away from foods and liquids.

Setup

  1. Turn on the MacBook and go through the onboarding. Disable location services and Siri, and be sure to opt-out of any analytics or tracking.

  2. In the Dock at the bottom of the screen, right click on the following and select "Remove from Dock": Launchpad, Safari, Messages, Mail, Maps, Photos, FaceTime, Calendar, Contacts, Reminders, Notes, TV, Music, Podcasts, News, App Store, System Preferences

  3. Connect to the Internet (e.g. Wifi) and then under Network > Advanced > DNS, set the DNS servers to: 1.1.1.1 and 1.0.0.1 (you could also use Cloudflare for Families: 1.1.1.2 blocks malware, and 1.1.1.3 blocks malware as well as adult-related content).

  4. Download, install, configure, and connect to Mullvad VPN. Don't worry, Mullvad still works on Big Sur even with the latest macOS changes to Apple's new content filter. Make sure you check "Always require VPN" under Advanced settings and "Launch app on start-up" and "Monochromatic tray icon" under Preferences.

  5. Download, install, configure, and enable LuLu firewall. Make sure you download version 2.0+ as older versions are incompatible, and also uncheck "Allow Apple Programs" and "Allow Already Installed Applications" on first boot. I typically block all Apple processes and temporarily block any other process whose behavior I'm uncertain of.

  6. Open System Preferences, click on "Security & Privacy", click on the "FileVault" tab, and then click "Turn on FileVault". Create a recovery key and do not use your iCloud. Store this recovery key in a textpad or write it on paper and put it in a fire-proof safe.

  7. Now click on the "Firewall" tab in "Security & Privacy" and click "Turn On Firewall". Click "Firewall Options" and click the checkbox for "Block all incoming connections".

  8. Now click on the "General" tab in "Security & Privacy" and under "Require password" change it to "immediately" after sleep or screen saver begins.

  9. Open Safari, click on "Safari" in the top left corner, then click "Clear History..." from the dropdown menu and select "all history" as the option, click "Clear History", and then close Safari completely (command + q is the hotkey).

  10. Run this command to install brew:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  11. Run brew upgrade and run the recommended commands it outputs to fix ownership and write permissions on Big Sur.

  12. Open Terminal and run these commands to install dependencies:

    brew install pass coreutils curl spotify diff-so-fancy git git-extras gnupg pinentry-mac ripgrep sshuttle wget zsh zsh-autosuggestions zsh-completions zsh-syntax-highlighting eloston-chromium homebrew/cask/flux iterm2 kap keepingyouawake libreoffice element signal sketch slack thunderbird dropbox
  13. Open Chromium using Spotlight (command + spacebar is the hotkey). Go to Settings > Search Engine and change the default to DuckDuckGo. Make Chromium the default browser by clicking "Make default" on the same screen.

  14. Set iTerm as your default Terminal; open Spotlight (command + spacebar) and then type "iterm" and hit enter.

  15. Install Spoof using git. Afterwards, make it run automatically on startup.

    You will need to run the python setup.py install command as sudo using sudo python setup.py install (see the link for more insight).

  16. Remove from Dock any applications such as LuLu and Downloads that may have been automatically added; it should be clean and empty! You'll want to make sure it has Finder, Chromium, and iTerm at the minimum.

  17. Go to Settings & Preferences > Dock & Menu Bar and uncheck the checkbox for "Show indicators for open applications" and "Show recent applications in Dock".

  18. Open Flux using Spotlight (command + spacebar is the hotkey). Enter your location (e.g. ZIP code) and it should automatically turn on.

  19. Install fzf https://github.com/junegunn/fzf

  20. Open iTerm and run the command chsh -s $(which zsh) (this will set zsh as your default shell). Set it as the default terminal.

  21. Install browserpass from source (compile for arm64)

  22. Install Powerline fonts https://github.com/powerline/fonts

  23. Install powerlevel10k via brew install romkatv/powerlevel10k/powerlevel10k and then run p10k configure

  24. In iTerm set the Theme to Dark and set Font to 14pt Inconsolata-dz w/anti-alias

  25. In System Preferences > Keyboard > Shortcuts > Mission Control, disable the checkboxes for "Move left a space" and "Move right a space" (this will let you use command + left arrow and command + right arrow to jump words left or right in iTerm, assuming you added the above line to ~/.zshrc; see this StackOverflow answer for more insight). See my vimrc file on my GitHub for more insight.

  26. Install My TouchBar My rules (“MTMR”) (weather, cryptocurrency prices, Spotify, and more in your TouchBar). You can install MTMR with brew install mtmr, and then open Spotlight (command + spacebar) and enter “MTMR” to launch it on startup and customize it further. There are presets you can browse on the GitHub repository. Here is my items.json file if you want to have the same TouchBar.

  27. If you symbolic link .gnupg (e.g. from Dropbox) you'll need to run these commands to fix permissions (gpg warns about "unsafe permissions" unless the directories are 700 and the files 600; the original second line applied 600 to the directory itself and was immediately overridden by the 700, so the file modes are set with find instead):

    chown -R $(whoami) ~/.gnupg/
    find ~/.gnupg -type d -exec chmod 700 {} +
    find ~/.gnupg -type f -exec chmod 600 {} +
  28. If you symbolic link .ssh (e.g. from Dropbox) you'll need to fix permissions (thanks to this gist):

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/*
    chmod 644 ~/.ssh/known_hosts
    chmod 644 ~/.ssh/config
    chmod 644 ~/.ssh/*.pub
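    Steps 27 and 28 set the modes by hand, which you have to remember to repeat every time the synced directory is replaced. The script below is an added example (not part of the gist) that audits ~/.ssh and ~/.gnupg against the same rules and repairs them; the directory is a parameter so it can be exercised on a scratch copy, and mode_of, wanted_mode, audit_perms and fix_perms are names chosen here, not tools the gist uses. It runs on both macOS and Linux because the two stat implementations take different flags.

```shell
#!/bin/bash
# Added example (not part of the original gist): audit and repair the modes on
# ~/.ssh and ~/.gnupg that steps 27 and 28 set by hand. Works on macOS and
# Linux; the directory is a parameter so it can be exercised on a scratch copy.
set -u

# Print a path's permission bits in octal, following symlinks (the gist's
# Dropbox case). GNU stat takes -c; macOS (BSD) stat rejects -c, so fall back
# to its -f '%Lp' format.
mode_of() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Print the mode a path should have for <kind> (ssh or gnupg): 700 for the
# directory itself and for any subdirectory (gnupg's private-keys-v1.d and
# openpgp-revocs.d), 644 for the ssh files other local users may legitimately
# read (*.pub, known_hosts, config), and 600 for everything else.
wanted_mode() {
  local kind=$1 path=$2 name
  name=${path##*/}
  if [ -d "$path" ]; then
    echo 700
  elif [ "$kind" = ssh ]; then
    case "$name" in
      *.pub|known_hosts|config) echo 644 ;;
      *) echo 600 ;;
    esac
  else
    echo 600
  fi
}

# Print "<path> <current> -> <wanted>" for every entry under <dir>, and <dir>
# itself, whose mode is wrong. Returns 0 when everything is already correct.
audit_perms() {
  local dir=$1 kind=$2 path have want bad=0
  for path in "$dir" "$dir"/*; do
    [ -e "$path" ] || continue        # unexpanded glob when the directory is empty
    have=$(mode_of "$path")
    want=$(wanted_mode "$kind" "$path")
    if [ "$have" != "$want" ]; then
      echo "$path $have -> $want"
      bad=1
    fi
  done
  return "$bad"
}

# Apply the wanted modes: the same chmod calls as steps 27 and 28, computed per
# entry so the function is safe to re-run after syncing the directory again.
fix_perms() {
  local dir=$1 kind=$2 path
  for path in "$dir" "$dir"/*; do
    [ -e "$path" ] || continue
    chmod "$(wanted_mode "$kind" "$path")" "$path"
  done
}

# Usage on the real directories (not run here):
#   fix_perms "$HOME/.ssh" ssh && audit_perms "$HOME/.ssh" ssh
#   fix_perms "$HOME/.gnupg" gnupg && audit_perms "$HOME/.gnupg" gnupg
```

    Running audit_perms first shows exactly which entries a sync loosened, which is the check worth keeping in a login script: a private key or agent config that is world-readable is the condition ssh and gpg complain about, and the audit makes it visible before either tool is used.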
  29. Make invisible files visible (and so you can also replace them, e.g. copy/paste):

    defaults write com.apple.finder AppleShowAllFiles TRUE && killall Finder
  30. Set Cloudflare time https://www.cloudflare.com/time/ (e.g. Security and Preferences > Time > time.cloudflare.com instead of Apple's)

  31. Install MongoDB (community version) and start it on boot:

    brew tap mongodb/brew
    brew install mongodb-community
    brew services start mongodb/brew/mongodb-community

    NOTE: If you need a specific version (e.g. 3.4), then you can just set it via mongodb-community@3.4 instead of mongodb-community in the above script.

  32. Install Redis and start it on boot:

    brew install redis
    brew services start redis
  33. Install n to manage Node versions:

    brew install n
    sudo mkdir -p /usr/local/n
    sudo chown -R $(whoami) /usr/local/n
    sudo chown -R $(whoami) /usr/local/bin /usr/local/lib /usr/local/include /usr/local/share
    n lts
  34. Increase maxfiles ulimit setting and have it persist on reboot. Follow these instructions on StackExchange.

  35. Run touch ~/.hushlogin to suppress the "Last login" message when you open a terminal.

  36. System Preferences > Keyboard > Text and uncheck all options

  37. Open TextEdit Preferences and set to "Plain text", wrap 80, and Inconsolata-dz as font. Uncheck all options.

  38. Add to the clang search paths (see the comment on Homebrew/brew#10152).

  39. Install Spotter or Alfred (and set it so CMD+spacebar opens it, and disable Spotlight)

  40. Route trustd to localhost to prevent a system freeze (this is only applicable if you are blocking trustd with LuLu; thanks to Patrick Wardle, the creator of LuLu firewall, for this). Also see this StackExchange discussion for more insight.

    echo 0.0.0.0 ocsp.apple.com | sudo tee -a /etc/hosts
    sudo defaults write /Library/Preferences/com.apple.security.revocation.plist OCSPStyle None
    sudo defaults write com.apple.security.revocation.plist OCSPStyle None
  41. Disable Gatekeeper (see this GitHub page for insight):

    sudo spctl --master-disable
  42. Security harden with additional layers of Apple-blocking protection. See https://gist.github.com/nathanhleung/2ceeda4c743f2a1cf3d670c8b90445f6, https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21, and https://github.com/drduh/macOS-Security-and-Privacy-Guide for more insight.

    echo 0.0.0.0 iprofiles.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 mdmenrollment.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 deviceenrollment.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 gdmf.apple.com | sudo tee -a /etc/hosts
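    The echo ... | sudo tee -a /etc/hosts lines in steps 40 and 42 append a fresh line every time they are run, so re-running the setup leaves duplicate entries and gives you no way to confirm what is actually blocked. The script below is an added example (not part of the gist) that adds the same five hosts idempotently and reports the result. HOSTS_FILE, SUDO, is_blocked, block_hosts and blocked_count are this example's own names: HOSTS_FILE defaults to /etc/hosts, and SUDO is empty by default so a scratch copy can be used without privileges (set SUDO=sudo for the real file).

```shell
#!/bin/bash
# Added example (not part of the original gist): add the 0.0.0.0 sink-hole
# entries from steps 40 and 42 to the hosts file idempotently. The gist's
# `echo ... | sudo tee -a /etc/hosts` appends a new line every time it is run;
# this version skips hosts the file already maps to 0.0.0.0 and reports what
# it added. HOSTS_FILE and SUDO are this example's own knobs (assumed names):
# HOSTS_FILE defaults to /etc/hosts, SUDO is empty so a scratch file can be
# used without privileges (set SUDO=sudo for the real file).
set -u
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}
SUDO=${SUDO:-}

# Hosts the gist blocks: OCSP (step 40) and the profile/device-enrollment
# endpoints (step 42).
BLOCKED_HOSTS="ocsp.apple.com iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# True when <host> already appears on a 0.0.0.0 line. Comments are stripped
# first and the hostname must match a whole field, so a commented-out entry
# or a longer name such as "xocsp.apple.com" does not count as blocked.
is_blocked() {
  awk -v h="$1" '
    { sub(/#.*/, "") }
    $1 == "0.0.0.0" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit !found }
  ' "$HOSTS_FILE"
}

# Append one line per host that is not blocked yet, writing through tee so the
# same call works with SUDO=sudo on the root-owned /etc/hosts. Prints the
# hosts that were added (empty output means the file was already complete).
block_hosts() {
  local host added=""
  for host in $BLOCKED_HOSTS; do
    if is_blocked "$host"; then
      continue
    fi
    printf '0.0.0.0 %s\n' "$host" | $SUDO tee -a "$HOSTS_FILE" >/dev/null
    added="$added $host"
  done
  echo "${added# }"
}

# Number of the listed hosts currently blocked, for a quick check afterwards.
blocked_count() {
  local host n=0
  for host in $BLOCKED_HOSTS; do
    if is_blocked "$host"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Usage on the real file (not run here):
#   SUDO=sudo block_hosts && blocked_count
# On macOS, flush the resolver cache afterwards:
#   sudo dscacheutil -flushcache
```

    blocked_count doubles as the verification step: if it does not print 5 after block_hosts, one of the entries was commented out or mistyped, which the append-only version of the command would never reveal.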
  43. Open Chromium and go to Extensions, then install uBlock Origin, Vimium, and Browserpass extension (you will need to go to options for Browserpass extension to configure it; Check "Enable support for OTP tokens" and set Custom gpg binary path to /opt/homebrew/bin/gpg). Make sure your ~/.gnupg/gpg-agent.conf file has the contents pinentry-program /opt/homebrew/bin/pinentry-mac.

  44. Optionally disable Apple phoning home from your system (thanks to this gist comment):

    1. Ensure you have FileVault turned off (unfortunately you cannot yet turn it back on after doing this).

    2. Download the disable script to your home directory (this assumes you have wget installed, e.g. brew install wget). wget needs -O to name the output file (a bare second argument is treated as another URL), and the downloaded script must be marked executable before the sudo ../disable.sh step below:

    cd ~
    wget -O disable.sh https://gist.githubusercontent.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21/raw/00de789fef99e0238be96ee772d518b971d99379/disable.sh
    chmod +x disable.sh

    3. Boot into Recovery mode by turning off your computer, holding down the power button to turn it on, and once it boots into recovery mode, click Config, then open Terminal.

    4. Run the following commands one by one (enter your password when prompted):

    csrutil disable
    csrutil authenticated-root disable
    reboot

    5. Now you should be booted into the normal macOS (not recovery). Run the following commands one by one. You should change disk2s5 to the appropriate disk (run diskutil list and review the output if needed to get the right disk name).

    cd ~ && mkdir mnt
    sudo mount -o nobrowse -t apfs /dev/disk2s5 $(pwd)/mnt
    cd ./mnt
    sudo ../disable.sh
    cd ..
    sudo bless --folder $(pwd)/mnt/System/Library/CoreServices --bootefi --create-snapshot
    sudo umount $(pwd)/mnt
    sudo reboot