macOS first time setup instructions (experienced IT audience)
macOS setup instructions
This document explains what to expect when booting a new or freshly erased Mac for the first time,
how Apple Accounts interact with local macOS accounts (and why that matters for recoverability),
how to set secure defaults, and how to install a small baseline toolset.
High-risk pitfall: If a company-owned Mac is signed into a personal Apple Account (especially with Find My / Activation Lock enabled),
IT may be unable to re-activate the device after a wipe without that individual.
This is the single most common "surprise brick" failure mode in small and mid-size orgs.
1) First boot / Setup Assistant overview
When a Mac is new (or has been erased), it boots into Setup Assistant.
Setup Assistant is the guided wizard that collects enough information to (a) activate the Mac, (b) create the first local user,
(c) optionally sign into an Apple Account, and (d) enable various privacy/security and cloud features.
What you will typically see (order varies by macOS version, hardware, and whether the device is managed by ABM/MDM):
- Language and region (sets locale and time zone defaults).
- Accessibility options (VoiceOver, zoom, etc.).
- Network connection (Wi-Fi/Ethernet). For Apple silicon / T2 Macs this can be mandatory for activation.
- Remote management / MDM enrollment (if the device is owned in Apple Business Manager and assigned to MDM).
This is where a corporate-owned Mac may display that it is managed by an organization.
- Migration Assistant prompt (transfer from another Mac/Time Machine/Windows). You can skip and do it later.
- Apple Account sign-in (optional but often shown). This controls iCloud, App Store sign-in, Find My, etc.
- Create the first local macOS user (this user is an administrator by default on non-managed Macs).
- Location Services, Analytics, Siri, Screen Time, Touch ID (if present), Apple Pay (optional).
- FileVault (disk encryption) is frequently enabled automatically in modern macOS, but you should still verify it.
Operationally: the first local account created is your "break-glass" account unless you deliberately change that.
Plan that part.
Apple documentation for Setup Assistant
IT reality check: if the device is in Apple Business Manager (ABM) and assigned to MDM,
Setup Assistant is no longer "just a wizard" - it is part of the ownership and management chain.
2) Apple Accounts (Apple ID) - how they work and how not to get locked out
A Mac has at least two identity layers:
- Local macOS users (accounts stored on the Mac; used for login, sudo/admin rights, local keychains).
- Apple Account (formerly Apple ID; a cloud identity used for iCloud, App Store, Find My/Activation Lock, iMessage/FaceTime, etc.).
You can use a Mac without an Apple Account, but many workflows (App Store apps, iCloud Keychain, Find My) require one.
In business environments you should decide up front whether you want:
- no Apple Account on endpoints (minimize Apple cloud coupling), or
- a company-controlled Apple Account / Managed Apple IDs (recommended when you need Apple services at scale), or
- personal Apple Accounts (generally not recommended for company-owned devices).
Official Apple docs: Apple Account
Recoverability for company-owned devices
If your goal is "the company must always be able to recover and re-deploy this Mac", plan for these items:
- Ownership and enrollment (best): purchase through Apple or an authorized reseller so the Mac appears in Apple Business Manager, then assign it to your MDM. This provides a real recovery path for management and (depending on configuration) Activation Lock handling.
- Avoid personal Activation Lock: Activation Lock is tied to an Apple Account via Find My. If Activation Lock is enabled under an employee's Apple Account and that person leaves (or loses access), the Mac can become unrecoverable.
- FileVault recovery: If FileVault is enabled (it should be), ensure you can recover the disk if the user forgets their password. That usually means escrowing the recovery key in MDM or storing it in a controlled secret vault.
Activation Lock references
FileVault references
Practical company pattern (small org, no ABM/MDM yet):
use a company-controlled mailbox for the Apple Account, store 2FA recovery info in your secret vault,
and be explicit about whether Find My / Activation Lock is allowed.
Multiple local user accounts, including a privileged but hidden account
For IT operations, a common pattern is:
- End-user account: standard user (not admin) for daily work.
- IT admin account: local administrator used for software installs, troubleshooting, and break-glass recovery.
Standard break-glass account (recommended)
Create a dedicated IT-controlled local administrator account for emergency access and recovery.
Store credentials in your approved secret vault; do not share with end users.
- Full Name: Cloud Computing Solutions Group
- Account Name: cloudcomputingsolutionsgroup
- Email address (Apple Account, if needed): it@i-onx.com
Notes:
- If the end-user account is standard (non-admin), ensure this break-glass account exists before shipping/handoff.
- If FileVault is enabled, verify the break-glass admin (or another IT recovery path) can unlock/recover the disk (MDM escrow or recovery key).
- If you sign into an Apple Account for App Store/Find My, use a company-controlled Apple Account with a documented 2FA recovery plan.
Apple docs for creating accounts:
To create a hidden admin account (so it doesn't show up in the login window user list), you can:
- Create the admin account normally (System Settings - Users & Groups).
- Hide it using Directory Services (Terminal). Example:
sudo dscl . create /Users/itadmin IsHidden 1
After this, the user typically can still log in by selecting "Other..." at the login window and typing the username.
Do not create a hidden admin account as your only recovery mechanism.
If you hide the only admin account, forget its password, and also do not have a FileVault recovery key escrowed,
you can lock yourself out in a way that requires Apple-level recovery.
Always have at least one documented recovery path: MDM, FileVault recovery key, or a second admin.
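The "at least one documented recovery path" rule can be checked on the machine itself. The script below is an added example, not part of the original guide: it assumes the break-glass account is named itadmin (as in the dscl example above), reads the admin group and the hidden flag with dscl, and asks fdesetup whether FileVault is on and whether a personal recovery key was set (fdesetup haspersonalrecoverykey). The parsing is separated from the live commands and fed constructed sample output, so the decision logic can be tried on any machine; the real commands run only on macOS. Whether the recovery key is actually escrowed in MDM or a vault cannot be seen from the Mac, so that part remains a documentation check.

```shell
#!/bin/sh
# Break-glass recovery-path audit (added example, not part of the original guide).
# Each check parses the output of a macOS command passed in as an argument, so the
# logic can be exercised anywhere with the constructed sample output below; the
# live commands run only when the script is executed on macOS (Darwin).

ADMIN_USER="${ADMIN_USER:-itadmin}"   # assumed name, same as the dscl example in the guide

# 0 if a `dscl . -read /Users/<name> IsHidden` record marks the account hidden.
user_is_hidden() {
    printf '%s\n' "$1" | grep -q '^IsHidden: 1$'
}

# Members of the local admin group (root excluded), one per line, from
# `dscl . -read /Groups/admin GroupMembership`.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: //p' | tr ' ' '\n' | grep -v '^root$' || true
}

# Number of admin accounts other than root.
admin_count() {
    admin_members "$1" | grep -c . || true
}

# Classify the recovery posture. Echoes one of:
#   NO_ADMIN     the break-glass account is not an administrator at all
#   SINGLE_PATH  the break-glass admin is the only recovery path (the guide says never rely on this)
#   OK           a second admin exists, or FileVault is on and a personal recovery key was set
# Args: $1 admin GroupMembership output, $2 `fdesetup status` output,
#       $3 `fdesetup haspersonalrecoverykey` output ("true"/"false")
break_glass_posture() {
    members=$(admin_members "$1")
    if ! printf '%s\n' "$members" | grep -qx "$ADMIN_USER"; then
        echo NO_ADMIN
        return 0
    fi
    other_admins=$(printf '%s\n' "$members" | grep -vx "$ADMIN_USER" | grep -c . || true)
    fv_on=0
    printf '%s\n' "$2" | grep -q 'FileVault is On' && fv_on=1
    if [ "$other_admins" -gt 0 ] || { [ "$fv_on" -eq 1 ] && [ "$3" = "true" ]; }; then
        echo OK
    else
        echo SINGLE_PATH
    fi
}

# Constructed sample output (not captured from a real Mac).
SAMPLE_USER_RECORD='IsHidden: 1'
SAMPLE_ADMIN_GROUP='GroupMembership: root itadmin jdoe'
SAMPLE_FV_STATUS='FileVault is On.'

if [ "$(uname -s)" = Darwin ]; then
    user_out=$(dscl . -read "/Users/$ADMIN_USER" IsHidden 2>/dev/null || true)
    group_out=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)
    fv_out=$(fdesetup status 2>/dev/null || true)
    prk_out=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo false)
    if user_is_hidden "$user_out"; then
        echo "$ADMIN_USER is hidden from the login window"
    else
        echo "$ADMIN_USER is NOT hidden (or does not exist)"
    fi
    echo "Admin accounts excluding root: $(admin_count "$group_out")"
    echo "Break-glass posture: $(break_glass_posture "$group_out" "$fv_out" "$prk_out")"
else
    echo "Not macOS; sample posture: $(break_glass_posture "$SAMPLE_ADMIN_GROUP" "$SAMPLE_FV_STATUS" false)"
fi
```

Run it as root on the Mac before handoff; a SINGLE_PATH result means the hidden admin is the only way back in, which is exactly the situation the paragraph above warns about.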
3) Secure defaults (baseline hardening)
Below is a sane baseline that maps well to typical business security requirements.
If you have MDM, enforce these via configuration profiles and compliance reporting rather than manual clicks.
3.1 OS updates
- Update macOS to your approved version and enable automatic security updates.
Apple reference: Update macOS
3.2 Disk encryption (FileVault)
- Verify FileVault is enabled.
- Ensure the recovery key is escrowed (MDM) or stored in an approved secret vault.
See: Apple - FileVault
3.3 Screen lock and authentication
- Require password immediately after sleep/screensaver.
- Set a reasonable idle lock timeout.
- Prefer Touch ID for convenience, but do not treat it as a replacement for a strong password.
3.4 Network and sharing
- Enable the built-in firewall.
Apple reference: Change Firewall settings
- Disable unnecessary sharing services (AirDrop receiving policy, Screen Sharing, Remote Login/SSH) unless you explicitly need them.
- Review Privacy & Security settings (Location Services, Analytics sharing).
3.5 Least privilege and admin usage
- Make the daily driver a standard user.
- Use the admin account only when needed (installs, system settings changes).
- Prefer MDM-managed installs and configuration where possible.
3.6 Browser defaults (high-level)
- Prefer a password manager and enforce MFA for the identity provider.
- Turn off browser password saving if you require a separate password manager.
- Ensure OS-level updates are working; browsers update frequently but do not compensate for an unpatched OS.
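When there is no MDM compliance reporting yet, the baseline in 3.1 to 3.4 can at least be verified from a shell. The script below is an added example, not part of the original guide. It reads FileVault state with fdesetup, the firewall with socketfilterfw, Remote Login with systemsetup (root required), the automatic-update keys from com.apple.SoftwareUpdate with defaults, and the screen lock with sysadminctl -screenLock status, whose exact output wording is an assumption noted in the code. Each check is a small function that receives captured output, so the logic runs against the constructed samples on any machine and against the live commands on macOS.

```shell
#!/bin/sh
# Baseline hardening audit for section 3 (added example, not from the original guide).
# Each check receives captured command output as an argument so the decision logic
# can run anywhere with the constructed samples below; the live commands only run on macOS.

# 3.2  `fdesetup status` -> "FileVault is On." / "FileVault is Off."
check_filevault_on() { printf '%s\n' "$1" | grep -q 'FileVault is On'; }

# 3.4  `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`
#      -> "Firewall is enabled. (State = 1)" (2 = block all incoming) or "... disabled. (State = 0)"
check_firewall_on() { printf '%s\n' "$1" | grep -q 'State = [12]'; }

# 3.4  `systemsetup -getremotelogin` (needs root) -> "Remote Login: On" / "Remote Login: Off"
check_remote_login_off() { printf '%s\n' "$1" | grep -qi 'Remote Login: Off'; }

# 3.1  `defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled`
#      and `... CriticalUpdateInstall`; both must be 1.
check_auto_updates() { [ "$1" = 1 ] && [ "$2" = 1 ]; }

# 3.3  `sysadminctl -screenLock status`. Assumed output forms: "screenLock delay is immediate",
#      "screenLock delay is N seconds", "screenLock is off". Pass = immediate or <= 300 s.
check_screen_lock() {
    case "$1" in *immediate*) return 0 ;; esac
    secs=$(printf '%s\n' "$1" | sed -n 's/.*delay is \([0-9][0-9]*\) seconds.*/\1/p')
    [ -n "$secs" ] && [ "$secs" -le 300 ]
}

verdict() { if "$@"; then echo PASS; else echo FAIL; fi; }

# One line per check. Args: $1 fdesetup, $2 socketfilterfw, $3 systemsetup,
# $4 AutomaticCheckEnabled, $5 CriticalUpdateInstall, $6 sysadminctl screenLock
baseline_report() {
    echo "filevault_on      $(verdict check_filevault_on "$1")"
    echo "firewall_on       $(verdict check_firewall_on "$2")"
    echo "remote_login_off  $(verdict check_remote_login_off "$3")"
    echo "auto_updates      $(verdict check_auto_updates "$4" "$5")"
    echo "screen_lock       $(verdict check_screen_lock "$6")"
}

# Number of failing checks (0 = baseline met).
baseline_failures() { baseline_report "$@" | grep -c 'FAIL$' || true; }

# Constructed sample state of a compliant machine (not captured from a real Mac).
GOOD_FV='FileVault is On.'
GOOD_FW='Firewall is enabled. (State = 1)'
GOOD_SSH='Remote Login: Off'
GOOD_LOCK='screenLock delay is immediate'

if [ "$(uname -s)" = Darwin ]; then
    fv=$(fdesetup status 2>/dev/null || true)
    fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)
    ssh_state=$(systemsetup -getremotelogin 2>/dev/null || echo 'Remote Login: unknown (run as root)')
    ace=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null || echo 0)
    cui=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall 2>/dev/null || echo 0)
    lock=$(sysadminctl -screenLock status 2>&1 || true)
    baseline_report "$fv" "$fw" "$ssh_state" "$ace" "$cui" "$lock"
    echo "failures: $(baseline_failures "$fv" "$fw" "$ssh_state" "$ace" "$cui" "$lock")"
else
    echo "Not macOS; sample report:"
    baseline_report "$GOOD_FV" "$GOOD_FW" "$GOOD_SSH" 1 1 "$GOOD_LOCK"
fi
```

A non-zero failure count is a handoff blocker; with MDM in place the same five items should come from configuration profiles and the report becomes a cross-check rather than the control.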
4) Installing Firefox, Chrome, and an OpenVPN client
On macOS, most third-party apps ship as a .dmg (drag-and-drop to /Applications) or a signed .pkg installer.
For security, download only from official vendor pages, and avoid random "download portals".
4.1 Firefox
- Official download: mozilla.org/firefox/new
- Install: open the .dmg, drag Firefox to /Applications, eject the disk image.
- First launch: macOS Gatekeeper may prompt; allow only if it shows Mozilla as the identified developer.
4.2 Chrome
- Official download: google.com/chrome
- Install: open the .dmg, drag Google Chrome to /Applications.
- Enterprise note: if you use device management, consider Chrome enterprise policies rather than relying on per-user settings.
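The Gatekeeper prompt in 4.1 asks the person at the keyboard to judge the "identified developer". For IT-driven installs that judgment can be made explicit before the app is first opened. The script below is an added example, not part of the original guide: it reads the signing Team ID from codesign -dv --verbose=2 and the notarization verdict from spctl --assess --type execute -vv, and compares the Team ID with one IT recorded in advance. The app path and the expected Team ID (TEAMID0000) are constructed placeholders; obtain the real vendor Team ID from your own verified installs or the vendor, not from this page. Parsing is separated from the live commands so the logic runs against the constructed samples anywhere.

```shell
#!/bin/sh
# Pre-install signature check for downloaded apps (added example, not from the original guide).
# Gatekeeper's prompt asks the user to trust the "identified developer"; this script makes that
# decision auditable by comparing the signing Team ID with one IT recorded in advance.
# Parsers take captured output so the logic runs anywhere with the constructed samples below.

APP="${APP:-/Applications/Example.app}"             # assumed path
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"  # constructed placeholder; record the real vendor Team ID yourself

# Team ID from `codesign -dv --verbose=2 <app>` (codesign prints to stderr; capture with 2>&1).
signing_team_id() { printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# Leaf signing authority, e.g. "EXAMPLE VENDOR (TEAMID0000)".
signing_authority() { printf '%s\n' "$1" | sed -n 's/^Authority=Developer ID Application: //p' | head -n 1; }

# 0 if `spctl --assess --type execute -vv <app>` accepted the bundle (notarized Developer ID).
gatekeeper_accepts() { printf '%s\n' "$1" | grep -q ': accepted$'; }

# Decision: ACCEPT, REJECT_GATEKEEPER (unsigned/unnotarized/revoked) or REJECT_TEAM (wrong signer).
# Args: $1 codesign output, $2 spctl output, $3 expected Team ID
assess_install() {
    if ! gatekeeper_accepts "$2"; then echo REJECT_GATEKEEPER; return 0; fi
    team=$(signing_team_id "$1")
    if [ -z "$team" ] || [ "$team" != "$3" ]; then echo REJECT_TEAM; return 0; fi
    echo ACCEPT
}

# Constructed sample output (shape of codesign/spctl output, placeholder vendor and Team ID).
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: EXAMPLE VENDOR (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'
SAMPLE_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: EXAMPLE VENDOR (TEAMID0000)'

if [ "$(uname -s)" = Darwin ] && [ -d "$APP" ]; then
    cs_out=$(codesign -dv --verbose=2 "$APP" 2>&1 || true)
    gk_out=$(spctl --assess --type execute -vv "$APP" 2>&1 || true)
    echo "$APP signed by: $(signing_authority "$cs_out")"
    echo "decision: $(assess_install "$cs_out" "$gk_out" "$EXPECTED_TEAM_ID")"
else
    echo "sample decision: $(assess_install "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL" "$EXPECTED_TEAM_ID")"
fi
```

Run it against the dragged-in bundle before launching it; REJECT_TEAM on a download that "looks right" is the case worth investigating, since a valid notarized signature from the wrong team still passes Gatekeeper.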
4.3 OpenVPN client
There are two common choices:
Operational notes for VPN clients on macOS:
- The first time you import a VPN profile (.ovpn) you may be prompted to allow network extensions or VPN permissions.
- If your VPN uses certificates, treat them like secrets; store and transport them carefully.
- When troubleshooting: check if DNS is pushed by the VPN and whether split-tunnel vs full-tunnel is intended.
If you are doing large-scale deployments, use MDM to deploy the VPN configuration profile and certificates.
Hand-importing .ovpn files does not scale and is hard to audit.
5) Common failure modes and how to avoid them
5.1 Activation Lock / Apple Account lock-in
- Symptom: after erase/reinstall, Mac demands an Apple Account you do not control.
- Root cause: Find My / Activation Lock was enabled under a personal Apple Account.
- Prevention: use ABM/MDM with an org strategy, or avoid enabling Find My under personal accounts on company assets.
- Docs: Activation Lock for Mac
5.2 Apple Account 2FA dead ends
- Symptom: you have the Apple Account password but cannot satisfy 2FA prompts (device/number is gone).
- Prevention: do not tie corporate recovery to a single employee phone number; document recovery contacts/keys.
5.3 FileVault recovery failures
- Symptom: user forgets password; disk is encrypted; IT cannot unlock.
- Prevention: escrow the FileVault recovery key (MDM) or store it in an approved secret vault.
5.4 Wi-Fi onboarding problems
- Symptom: Setup Assistant cannot complete activation due to network issues.
- Prevention: have a known-good Wi-Fi, a hotspot fallback, and (for enterprise Wi-Fi) a process to provide certificates/802.1X credentials.
5.5 Gatekeeper / notarization prompts confuse users
5.6 Wrong account boundary (work vs personal)
- Symptom: work data ends up in personal iCloud/Keychain, or personal data ends up on a company device.
- Prevention: decide and document what accounts are allowed where.
Use browser profiles (work vs personal) and avoid mixing identities on the same OS account when policy forbids it.
Last updated: 2026-03-11. This is an operational guide; validate against current macOS behavior and your organization policies.