Audit your Mac's security configuration and fix what you find.

Harden is a native macOS security tool that audits your Mac’s configuration against 52 security best practices and helps you fix what it finds. It sits in the space between “I hope my settings are okay” and “I’ll spend an afternoon in Terminal running commands from a CIS benchmark PDF.”

Requires macOS 14 (Sonoma) or later

Why Harden?

Your Mac has dozens of security settings scattered across System Settings, terminal commands, and kernel parameters. The defaults aren’t always secure, and most people never change them. Harden checks all 52 at once, explains what each one means in plain language, and offers one-click fixes where possible.

Inspired by Lynis and Netflix Stethoscope, but designed as a consumer-friendly native app rather than a command-line tool.

Features

Dashboard

A weighted security score (0-100) with a breakdown across seven categories. See your overall posture at a glance and track how it changes over time.

Action Items

Prioritized list of what to fix, sorted by severity. Each item explains the risk and offers a one-click fix or a link to the right System Settings panel.

Auto-Fix

25 of the 52 checks can be fixed with one click. User-level settings apply instantly; system-level changes use the standard macOS admin password dialog.

Check Reference

A comprehensive guide documenting all 52 checks — what each one inspects, why it matters, how to fix it, and the terminal command behind it.

Dashboard

Your security score at a glance — a weighted 0-100 gauge with per-category cards showing pass, warning, and fail counts. The dashboard updates after every scan so you can track your progress.

Harden dashboard showing security score of 73 with seven category cards for Firewall, Encryption, System Protection, Sharing, Authentication, Network, and Privacy

Seven Categories, 52 Checks

Harden organizes its checks into seven categories covering the full surface area of your Mac’s security configuration:

  • Firewall (5 checks) — application firewall, stealth mode, logging, outbound firewall detection, pf packet filter
  • Encryption (2 checks) — FileVault disk encryption, Time Machine backup encryption
  • System Protection (17 checks) — SIP, Gatekeeper, XProtect freshness, Secure Boot, auto-updates, macOS version, Find My Mac, system extensions, uptime, NTP, malware scanner, Rapid Security Response
  • Sharing (9 checks) — SSH, screen sharing, file sharing, remote management, printer sharing, Bluetooth sharing, AirDrop, legacy insecure services, SSH config hardening
  • Authentication (8 checks) — auto-login, password after sleep, guest account, lock delay, screensaver timeout, login window style, home directory permissions, password policy
  • Network (6 checks) — DNS configuration, Wi-Fi security, saved open networks, wake-on-LAN, sysctl hardening, promiscuous interface detection
  • Privacy (5 checks) — analytics sharing, Safari suggestions, Siri, Lockdown Mode, TCC permissions audit

Scoring

Each check carries a weight based on severity — Critical (25 pts), High (15 pts), Medium (10 pts), Low (5 pts), Info (0 pts). A passing check earns full weight, a warning earns half, and a failure earns zero. Your score reflects how much of your security surface is covered.
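The scoring rule above, worked through as an added example (not Harden's own code). It assumes the 0-100 figure is points earned divided by points possible; the tuple layout, the function names and the severity given to each sample check are illustrative.

```python
from collections import defaultdict

# Weights and credit per status, as stated in the Scoring section.
WEIGHTS = {"critical": 25, "high": 15, "medium": 10, "low": 5, "info": 0}
CREDIT = {"pass": 1.0, "warning": 0.5, "fail": 0.0}


def score(results):
    """Return a 0-100 score for (category, name, severity, status) tuples."""
    # Assumption: earned points are normalized against possible points.
    possible = sum(WEIGHTS[sev] for _, _, sev, _ in results)
    if possible == 0:
        return None  # only Info checks present: nothing to score
    earned = sum(WEIGHTS[sev] * CREDIT[st] for _, _, sev, st in results)
    return round(100 * earned / possible)


def by_category(results):
    """Score each category separately, as the dashboard cards do."""
    groups = defaultdict(list)
    for r in results:
        groups[r[0]].append(r)
    return {cat: score(rs) for cat, rs in groups.items()}


def action_items(results):
    """Non-passing scored checks, highest severity first, fails before warnings."""
    todo = [r for r in results if r[3] != "pass" and WEIGHTS[r[2]] > 0]
    return sorted(todo, key=lambda r: (-WEIGHTS[r[2]], CREDIT[r[3]]))


# Constructed sample scan; the severity assigned to each check is illustrative.
SAMPLE = [
    ("Encryption", "FileVault", "critical", "pass"),
    ("System Protection", "SIP", "critical", "pass"),
    ("Firewall", "Application firewall", "high", "fail"),
    ("Firewall", "Stealth mode", "medium", "warning"),
    ("Sharing", "SSH", "high", "pass"),
    ("Authentication", "Lock delay", "medium", "warning"),
    ("Privacy", "Analytics sharing", "low", "fail"),
    ("Privacy", "Lockdown Mode", "info", "fail"),
]

if __name__ == "__main__":
    print("overall:", score(SAMPLE), by_category(SAMPLE))
    for cat, name, sev, status in action_items(SAMPLE):
        print(f"{sev:8} {status:7} {cat}: {name}")
```

In this sample a single failed High check pulls the Firewall card to 20 while the overall score stays at 71, and the Info-level failure changes neither number.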

Snooze and History

Not every finding needs immediate action. Snooze items for a day, a week, a month, or indefinitely. Scan history is persisted between sessions so you can see which checks improved or regressed over time.

Export

Export your full scan results as JSON for compliance documentation or sharing with your IT team.

Technical Details

  • Native macOS app built with Swift and SwiftUI
  • Zero third-party dependencies — uses only Apple system frameworks
  • No kernel extensions — orchestrates existing macOS tools (defaults, csrutil, fdesetup, spctl, socketfilterfw, and others)
  • Parallel scanning — all seven category checkers run concurrently for fast results
  • Privacy-respecting — all data stays on your machine; no network requests, no analytics