Chapter 20

Creating a Multiuser iMac

In This Chapter

Enjoying the advantages of a multiuser iMac

Understanding access levels

Adding, editing, and deleting user accounts

Restricting access for managed accounts

Configuring your login window

Sharing files with other users

Securing your stuff with FileVault

Everybody wants a piece. (Of your iMac, that is.)

Perhaps you live in a busy household with kids, significant others, grandparents, and a wide selection of friends — all of them clamoring for a chance to spend time on the Internet, take care of homework, or enjoy a good game.

On the other hand, your iMac might occupy a classroom or a break room at your office — someplace public, yet everyone wants his own Private iDaho on the iMac, complete with a reserved spot on the hard drive and his own hand-picked attractive Desktop background.

Before you throw your hands up in the air in defeat, read this chapter and take heart! Here you find all the step-by-step procedures, explanations, and tips to help you build a safe multiuser iMac that’s accessible to all.

(Oh, and you still get to use it, too. That’s not being selfish.)

Once Upon a Time (An Access Fairy Tale)

Okay, so you don’t have Cinderella, Snow White, or that porridge-loving kid with the trespassing problem. Instead, you have your brother, Bob.

Every time Bob visits your place, it seems he needs to do “something” on the Internet, or he needs a moment with your iMac to bang out a quick message, using his web-based e-mail application. Unfortunately, Bob’s forays onto your iMac always result in stuff getting changed, like your Desktop settings, Contacts database, and Safari bookmarks.

What you need, good reader, is a visit from the Account Fairy. Your problem is that you have but a single user account on your system, and Mavericks thinks that Bob is you. By turning your iMac into a multiuser system and giving Bob his own account, though, Mavericks can tell the difference between the two of you — keeping your druthers separate!

With a unique user account, Mavericks can track all sorts of things for Bob, leaving your computing environment blissfully pristine. A user account keeps track of stuff such as

• Contacts entries
• Safari bookmarks and settings (sigh)
• Desktop settings, including background images, screen resolutions, and Finder tweaks
• iTunes libraries, just in case Bob brings his own music (resigned sigh)

Plus, Bob gets his own reserved Home folder on your iMac’s hard drive, so he’ll quit complaining about how he can’t find his files. Oh, and did I mention how user accounts keep others from accessing your stuff? And how you can lock Bob out of where-he-should-not-be, such as certain applications, Messages, Mail, and websites (including that offshore Internet-casino site that he’s hooked on)?

Naturally, this is only the tip of the iceberg. User accounts affect just about everything you can do in Mavericks and on your iMac. The moral of my little tale? A Mark’s Maxim to the rescue:

Assign others their own user accounts, and let Mavericks keep track of everything. Then you can share your iMac with others and still live happily ever after!

Big-Shot Administrator Stuff

Get one thing straight right off the bat: You are the administrator of your iMac. In network-speak, an administrator (or admin for short) is the one with the power to Do Unto Others — creating new accounts, deciding who gets access to what, and generally running the multiuser show. In other words, think of yourself as the Monarch of OS X (the ruler, not the butterfly).

I always recommend that you have only one (or perhaps two) accounts with administrator-level access on any computer. This makes good sense because you can be assured that no one can monkey with your iMac while you’re away from the keyboard. So why might you want a second admin account? Well, if you’re often away on business, you might need to assign a second administrator account to a trusted individual who knows as much about your iMac as you do. (Tell ’em to buy a copy of this book.) That way, if something breaks or an account needs to be tweaked in some way, the other person can take care of it whilst you’re gone (but without giving that person access to your personal data).

In this section, I explain the typical duties of a first-class iMac administrator.

Deciding who needs what access

The three most common levels of individual user accounts offered by Mavericks are

• Admin (administrator): See the beginning of this section.
• Standard level: Perfect for most users, these accounts allow access to just about everything but don’t let the user make drastic changes to Mavericks or create new accounts.
• Managed with Parental Controls level: These are standard accounts with specific limits that are assigned either by you or by another admin account.

Another Mark’s Maxim is in order:

Assign other folks standard-level accounts and then decide whether each new account needs to be modified to restrict access as a managed account. Never assign an account admin-level access unless you deem it truly necessary.

Standard accounts are quick and easy to set up, and I think they provide the perfect compromise between access and security. You’ll find that standard access allows your users to do just about anything they need to do, with a minimum of hassle.

Managed accounts (with Parental Controls) are highly configurable, so you can make sure that your kids don’t end up trashing the hard drive, sending junk mail, or engaging in unmonitored chatting. (Note: Parents, teachers, and those folks designing a single public access account for a library or organization — this means you.)

Mavericks also provides Group and Sharing Only accounts, but I generally recommend that you shy away from these highly specialized levels. Stick with the Big Three levels to ensure that everyone has the proper access to your iMac.

Adding users

All right, Mark, enough pregame jabbering — show this good reader how to set up new accounts! Your iMac already has one admin-level account set up for you (created during the initial Mavericks setup process), and you need to be logged in with that account to add a user. To add a new account, follow these steps:

1. Click the System Preferences icon on the Dock and then click the Users & Groups icon to display the pane that you see in Figure 20-1.
2. Click the New User button — the one with the plus sign at the bottom of the accounts list, under the Login Options button — to display the New User sheet shown in Figure 20-2.

   If your New User button is grayed out, your Users & Groups pane is locked. Remember that you can toggle the padlock icon at the lower-left corner of most of the panes in System Preferences to lock or allow changes. To gain access, do the following:

   1. Click the padlock icon to make changes to the Users & Groups pane.
   2. When Mavericks prompts you for your admin account password (the account you’re currently using), enter it.
   3. Click Unlock.

      Now you can click the New User button.

   

   

3. From the New Account pop-up menu, specify the account level status.

   Choose Administrator, Standard, or Managed with Parental Controls.

   You should have only one or two administrator-level users, and your account is already an admin account.

4. Type the name that you want to display for this account in the Full Name text box and then press Tab to move to the next field.

   Mavericks displays this name on the Login screen, so behave! (For example, “Bob” has only one “o” the last time I checked.)

5. (Optional) Although Mavericks automatically generates the user’s account name (for use in Messages, and for naming the user’s Home folder), you can type a new one. (No spaces, please.) Press Tab again.
6. In the Password text box, type the password for the new account and then press Tab to move to the next field.

   Generally, I recommend using a password of at least six characters, using a mixture of alphabetic and numeric characters.

   Run out of password ideas? No problem! Click the key button (to the right of the Password text box) to display the Password Assistant, from which Mavericks can automatically generate password suggestions of the length you specify. Click the Suggestion pop-up menu or type directly into the field, and Mavericks automatically adds the password you generated into the Password field.

7. In the Verify text box, retype the password you chose and press Tab again to continue your quest.
8. (Optional) Mavericks can provide a password hint after three unsuccessful login attempts. To offer a hint, type a short question in the Password Hint text box.

   From a security standpoint, password hints are taboo. (Personally, I never use ’em. If someone is having a problem logging in to a computer I administer, you better believe I want to know why.) Therefore, despite the recommendation Mavericks shows here, I strongly recommend that you skip this field. But and if you do offer a hint, keep it vague! Avoid hints like “Your password is the name of the Wookie in Star Wars.” Geez.

9. Click the Create User button.

   The new account shows up in the list at the left of the Users & Groups pane.

Each user’s Home folder has the same default subfolders, including Movies, Music, Pictures, Sites, and such. A user can create new subfolders within his Home folder at any time.

Here’s one more neat fact about a user’s Home folder: No matter what the account level, most of the contents of a Home folder can’t be viewed by other users. (Yes, that includes admin-level users. This way, everyone using your iMac gets her own little area of privacy.) Within the Home folder, only the Sites and Public folders can be accessed by other users from within a Finder window — and only in a limited fashion. More on the Sites and Public folders later in this chapter.

Modifying user accounts

Next, consider the basic modifications that you can make to a user account, such as changing existing information or selecting a new picture to represent that user’s unique personality.

To edit an existing account, log in with your admin account, display the System Preferences window, and click Users & Groups to display the account list. Then follow these steps:

1. Click the account that you want to change.

   Don’t forget to unlock the Users & Groups pane if necessary. See the earlier section “Adding users” to read how.

2. Edit the settings that you need to change.

   For example, you can reset the user’s password, or (if absolutely necessary) upgrade the account to admin level.

3. Click the Picture well and then click a thumbnail image to represent this user (as shown in Figure 20-3).

   An easy way to get an image is to use one from your hard drive by simply dragging a new image from a Finder window into the Picture well. Click iCloud to choose an image from your Photo Stream, or click Faces to pick one of the faces that you’ve tagged within iPhoto. Alternatively, you can click Camera and then click the Snapshot button — which bears a tiny camera — to grab a picture from your iMac’s FaceTime HD video camera. After you capture the essence of your subject as a photo, click Done to return to the Users & Groups pane.

   

   Using the default login settings, Mavericks displays this image in the Login list next to the account name.

4. When everything is correct, press +Q to close the System Preferences dialog.

   You don’t need to save your changes (as a separate step) within System Preferences. Mavericks does that automatically when you close the System Preferences window.

Standard-level users have some control over their accounts — they’re not helpless, ya know. Standard users can log in, open System Preferences, and click Users & Groups to change the account password or picture, as well as the Contacts Card assigned to them in the Mavericks Contacts application and the Apple ID associated with their account. All standard users can also set up Login Items, which I cover later in this chapter. Note, however, that managed users might not have access to System Preferences at all, so they can’t make changes. (Read about this in the upcoming section “Managing access settings for an account.”)

I banish thee, Mischievous User!

Not all user accounts last forever. Students graduate, co-workers quit, kids move out of the house (at last!), and Bob might even find a significant other who has a faster cable modem. We can only hope.

Anyway, no matter what the reason, you can delete a user account at any time. Log in with your admin account, display the Users & Groups pane in System Preferences, and then follow these steps to eradicate an account:

1. Click the account that you want to delete.
2. Click the Delete User button (which bears the Minus Sign of Doom, below the Login Options button; refer to Figure 20-1).

   Mavericks displays a confirmation sheet, as shown in Figure 20-4. By default, the contents of the user’s Home folder are saved in a disk image file — which you can restore with Disk Utility — in the Deleted Users folder. This safety option is a good idea if the user might return in the future, allowing you to retrieve her old stuff. However, this option is available only if you have enough space on your hard drive to create the Home folder image file. You can also choose to leave the user’s Home folder as-is (but naturally you won’t regain any space, even though the user account is deleted).

   

3. To clean up completely (and reclaim the hard drive space that the user’s Home folder is taking up), select the Delete the Home Folder radio button and then click the Delete User button.

   Mavericks wipes everything connected with the user account off your hard drive.

4. Press +Q to close the System Preferences dialog.

Time once again for a Mark’s Maxim:

Always delete unnecessary user accounts. Otherwise, you’re leaving holes in your iMac’s security — and eating up disk space.

Setting up Login Items and Parental Controls

Every account on your iMac can be customized. Understandably, some settings are accessible only to admin-level accounts, and others can be adjusted by standard-level accounts. In this section, I introduce you to the things that can be enabled (or disabled) within a user account.

Automating with Login Items

Login Items are applications or documents that can be set to launch or load automatically as soon as a specific user logs in — for example, Apple Mail or Contacts. In fact, a user must be logged in to add or remove Login Items. Even an admin-level account can’t change the Login Items for another user.

A user must have access to the Users & Groups pane within the System Preferences window in order to use Login Items. As you can read in the following section, a user can be locked out of System Preferences, which makes it more difficult for Login Items to be added or deleted for that account. (Go figure.)

If an application appears on your Dock, you don’t need to follow the upcoming steps to add that application to your Login Items list; instead, simply right-click the application icon on the Dock, choose the Options submenu, and then choose Open at Login.

To set Login Items for applications that don’t appear on your Dock, follow these steps:

1. Click the System Preferences icon on the Dock and then click the Users & Groups icon.
2. Click the Login Items tab to display the settings that you see in Figure 20-5.

   It bears repeating: You can change the Login Items for only the account that’s currently logged in, so make sure to select the Current User account in the list at the left.

   

3. Click the Add button (with the plus sign) to display a file selection sheet.
4. Navigate to the application you want to launch each time you log in, click it to select it, and then click Add.

   If you’re in the mood to drag and drop, just drag the applications you want to add from a Finder window and drop them directly into the list.

5. Press +Q to quit System Preferences and save your changes.

Login Items are launched in the order that they appear in the list, so feel free to drag the items into any order you like.

Managing access settings for an account

A standard-level account with restrictions is called a managed account. (You can read about these accounts earlier in this chapter.) With these accounts, you can restrict access to many different places within Mavericks and your iMac’s applications via Parental Controls. (Naturally, admin-level accounts don’t need Parental Controls because an admin account has no restrictions.)

In short, Parental Controls come in handy in preventing users — family members, students, co-workers, friends, or the public at large — from damaging your computer, your software, or Mavericks itself and also from accessing inappropriate material on the Internet (or even just using your iMac after bedtime). If an account has been restricted with Parental Controls, the account description changes from Standard to Managed in the Accounts list.

To display the Parental Controls for a standard account, start here:

1. Log in with an admin-level account.
2. Open System Preferences and then click Users & Groups.
3. Click the Standard account in the list and then select the Enable Parental Controls check box.

Now click the Open Parental Controls button to display the specific category tabs that you see in Figure 20-6:

• Apps: These settings (which I discuss in more detail in a second) affect what the user can do within Mavericks as well as what the Finder itself looks like to that user.

  Mavericks keeps a number of different types of text log files (which track where the user goes on the Internet, which applications are launched by the account, and the contents of any Messages conversations in which the user was a participant). To view these logs from any of the tabs, click the Logs button at the bottom of the pane. From this single sheet, you can monitor all the logs for a particular account and track Internet activity for any managed user.

• Web: These settings control the Safari application. Mavericks offers three levels of control for websites:
  • Allow Unrestricted Access to Websites: Select this radio button to allow unfettered access for this user.
  • Try to Limit Access to Adult Websites Automatically: You can allow Safari to automatically block websites that it deems “adult.” To specify particular sites that Safari should allow or deny, click the Customize button.
  • Allow Access to Only These Websites: Select this radio button to specify which websites the user can view. To add a website, click the Add button (which bears a plus sign); Mavericks then prompts you for a title and the website address.
• People: Select the Limit Mail and the Limit Messages check boxes to specify the e-mail and instant messaging (IM) addresses that this user can communicate with. To add an address that the user can e-mail or chat with, click the Add button. You can also specify whether the user can join multiplayer games or add friends in Game Center.

  

  If you want a notification if the user is attempting to send an e-mail to someone not in the list, select the Send Requests To check box to enable it and then type your e-mail address in the text box.

• Time Limits: Parents, click the Time Limits tab, and you’ll shout with pure joy! You can limit an account to a certain number of hours of usage per weekday (Weekday Time Limits), limit to a specified number of hours of usage per weekend day (Weekend Time Limits), and set a bedtime computer curfew time for both school nights (Sunday through Thursday) and weekend days.
• Other: As you might expect from the name, this tab offers a number of important restrictions that don’t fall into one of the other four categories.
  • Disable Built-in Camera: Specify whether the account has access to your iMac’s built-in camera. (Note that an external USB Web camera isn’t affected by this setting.)
  • Disable Dictation: Enable this check box to turn off the Dictation feature in Mavericks.
  • Hide Profanity in Dictionary: If you prefer that profane terms be hidden within the Dictionary for this user, select the Hide Profanity in Dictionary check box.
  • Limit Printer Administration: With this check box enabled, the user can print to the default printer and switch to other assigned printers, but can’t change printer settings, add a printer, or delete a printer.
  • Disable Changing the Password: Enable this check box to prevent the user from changing her account password.
  • Limit CD and DVD Burning: Enable this check box to prevent the user from recording CDs or DVDs via the built-in disc recording features in OS X. (Note, however, that if you load a third-party recording program, such as Roxio Toast, the user can still record discs with it, so you probably want to disallow Toast access for the user in question from the App category.)

  If you’re creating a single standard-level account for an entire group of people to use — for example, if you want to leave the machine in kiosk mode in one corner of the office, or if everyone in a classroom will use the same account on the machine — I recommend disabling the ability to change the account password. (Oh, and please do me a favor and promise me you won’t create a system with just one admin-level account that everyone is supposed to use! Instead, keep your one admin-level account close to your bosom and create a standard-level account for the Unwashed Horde.)

You can always tell whether an account has been assigned Parental Controls because the account description changes from Standard to Managed in the Accounts list.

Of particular importance are the Apps controls. Click the Apps tab to modify these settings:

• Use Simple Finder: The Simple Finder is a great idea for families and classrooms with smaller children. For the ultimate in restrictive Mavericks environments — think public access or kiosk mode — you can assign the Simple Finder to an account. Even the Dock itself is restricted, sporting only the Finder icon, Trash, the Dashboard, and those folders that allow users to access their documents and applications.
• Limit Applications: When this option is enabled, you can select the specific applications that appear to the user. These restrictions are in effect whether the user has access to the full Finder or just the Simple Finder. You can also choose whether to allow access to apps downloaded from the App Store by age group; open the Allow App Store Apps pop-up menu to specify a maximum age.
  • To allow access to all the applications of a specific type: Select the check box next to the desired group heading to enable it. This includes App Store applications, Other Apps, Widgets, and Utilities.
  • To restrict access to all applications within a group: If a group heading check box is enabled and you want to deny access to all the applications in that group, click the check box next to the heading to disable it.
  • To toggle restriction on and off for specific applications within these groups: Click the triangle icon next to each group heading to expand its list and then either select or deselect the check box next to the desired applications. Mavericks denotes partial access within a group — a mixture of full and restricted applications — with a dash mark in the group heading check box.

    To locate a specific application, click in the Search box and type the application name.

  • To add a new application to the Allowed Apps list: Drag its icon from the Finder and drop it in the list within the Other Apps group. After you add an application, it appears in the Other Apps group, and you can toggle access to it on and off as you can with the applications in the named groups.
• Prevent the Dock from Being Modified: If you select this check box, the user can’t add or remove applications, documents, and folders from the Dock in the full Finder.

Multiuser Rules for Everyone

After you’re hip on user accounts and the changes you can make to them, turn to a number of topics that affect all users of your iMac — things like how they log in, how a user can share information with everyone else on the computer, and how each user account can be protected from unscrupulous outsiders with state-of-the-art encryption. (Suddenly you’re James Bond! I told you Mavericks would open new doors for you.)

Logging on and off in Mavericks For Dummies

Hey, how about the login screen itself? How do your users identify themselves? Time for another of my “Shortest books in the For Dummies series” special editions. (The title’s practically longer than the entire book.)

Mavericks offers four methods of logging folks in to your multiuser iMac:

• The username and password login: This is the most secure type of login screen you’ll see in Mavericks because you have to actually type your account username and your password. (A typical hacker isn’t going to know all the usernames on your iMac.) Press Return or click the Log In button to compete the process.

  When you enter your username and password, you see bullets instead of your password because Mavericks displays bullet characters to ensure security. Otherwise, someone could simply look over your shoulder as you type and see your password.

• The list login: This login screen offers a good midpoint between security and convenience. Click your account username in the list and type your password when the login screen displays the password prompt. Press Return or click the Log In button to continue.
• Fast User Switching: This feature, as shown in Figure 20-7, allows another user to sit down and log in while the previous user’s applications are still running in the background. This is perfect for a fast e-mail check or a scan of your eBay bids without forcing someone else completely off the iMac. By default, when you turn on Fast User Switching, Mavericks displays the currently active user’s name at the right side of the Finder menu bar.

  

  To switch to another account, follow these steps:

  1. Click the current user’s name in the Finder menu (see Figure 20-7) to display the Fast User Switching menu.
  2. Click the name of the user who wants to log in.

     Mavericks displays the login window, just as if the iMac had been rebooted.

     The previous user’s stuff is still running, so you definitely shouldn’t reboot or shut down the iMac!

  To switch back to the previous user, follow these steps:

  1. Click the username again in the Finder menu.
  2. Click the previous user’s name from the Fast User Switching menu.

     For security, Mavericks prompts you for that account’s login password.

• Auto login: This is the most convenient method of logging in but offers no security whatsoever. Mavericks automatically logs in the specified account when you start or reboot your iMac.

  I strongly recommend that you use auto login only if

  • Your iMac is in a secure location.
  • You are the only one using your iMac.
  • You’re setting up a public-access iMac, in which case you want your iMac to immediately log in with the public account you’ve set up.

  Working in a public environment? Never set an admin-level account as the auto login account. This is the very definition of ASDI, or A Supremely Dumb Idea.

To set up a username/password or list login, open System Preferences, click the Users & Groups icon, and then display the Login Options settings (see Figure 20-8). Select the List of Users radio button for a list login screen, or select the Name and Password radio button to require your users to type their full username and password.

To enable Fast User Switching, mark the Show Fast User Switching Menu As check box (as shown in Figure 20-8). You can specify whether the menu displays a user’s full name (the default), a short name, or an account icon in the Finder menu bar.

To set Auto Login, choose the account that Mavericks should use from the Automatic Login pop-up menu (as shown by the now-legendary Figure 20-8).

Logging out of Mavericks all the way (without Fast User Switching) is a cinch. Just click the Apple menu () and then choose Log Out. (From the keyboard, press +Shift+Q.) A confirmation dialog appears that will automatically log you off in one minute — but don’t forget that if someone walks up and clicks Cancel, he’ll be using your iMac with your account! You can bypass the confirmation dialog by pressing Option while choosing Log Out (or combining it with the keyboard shortcut). Your iMac returns to the login screen, ready for its next victim. Heed this Mark’s Maxim:

Always click the Log Out button on the logout confirmation dialog before you leave your iMac (or hold down the Option key while choosing Log Out from the menu or pressing the Logout keyboard shortcut).

Interesting stuff about sharing stuff

You might wonder where shared documents and files reside on your iMac. That’s a good question. Like just about everything in Mavericks, there’s a simple answer. The Users folder on your iMac has a Shared folder within it. To share a file or folder, you should place it in the Shared folder.

You don’t have to turn on File Sharing in the Sharing pane of System Preferences to use Shared folders on your iMac. Personal File Sharing affects only network access to your machine by users of other computers.

Each user account on your iMac also has a Public folder within that user’s Home folder. This is a read-only folder that other users on your iMac (and across the network) can access: They can only open and copy the files that it contains. (Sorry, no changes to existing documents from other users, or new documents from other users.) Every user’s Public folder contains a Drop Box folder, where other users can copy or save files but can’t view the contents. Think of the Drop Box as a mailbox where you drop off stuff for the other user.

Encrypting your hard drive can be fun

Storing sensitive information and documents on your iMac always incurs a risk. Although your login password should ensure that your data is off limits to everyone else, consider an extra level of security to prevent even a dedicated hacker from accessing your stuff — especially if you’re sharing your iMac computer in a multiuser environment. (In other words, consider a little more protection than just user permissions for those all-important Fantasy Football formations that you’ll unleash next season.)

To offer that extra level of security, Mavericks includes FileVault, which provides disk encryption that prevents just about anyone except the CIA or FBI from gaining access to the files on your hard drive. (You’ll notice that things slow down just a bit when you’re logging in and out or working with files that are several gigabytes in size, but for those of us who need the peace of mind, this minimal performance hit is worth it.) You can enable the FileVault feature from the Security & Privacy pane in System Preferences.

Two passwords control access to your hard drive when FileVault is active, and without them, the data contained on your hard drive is impossible for just about anyone to read:

• Your login password: The nice thing about FileVault is that it’s completely invisible to you and your users. In other words, when you log in, Mavericks automatically takes care of decrypting and encrypting the stuff on your drive for you. You literally won’t know that FileVault is working for you — which is how computers are supposed to work.
• The Recovery Key: This code can be used by an admin-level user to unlock your drive if you forget your login password. Mavericks provides you with this key when you turn on the FileVault feature. I highly recommend that you write down this key and store your copy in a safe place, away from your Mac.

You need to be logged in with an admin-level account to turn on FileVault.

To turn on FileVault protection within Mavericks, follow these steps:

1. Click the System Preferences icon on the Dock and then click the Security & Privacy icon.
2. Click the FileVault button.
3. Click the Turn on FileVault button.

   Mavericks displays a sheet that lists all the user accounts on your iMac. Naturally, given that you’re logged in, Mavericks has already confirmed your account. However, in order for other users to access your hard drive after FileVault is running, each user account must be separately enabled. (If an account is not enabled, that person can no longer access anything on the hard drive after it has been encrypted.)

4. Click the Enable User button for each account on your system and enter that user’s account password.

   Mavericks displays a sheet prompting you to type the user’s account password. After a user is enabled, she gets a cheery green check mark in the list.

5. When all users have been enabled, click Continue.
6. Write down the Recovery Key and store the copy in a safe location; then click Continue.

   You can also take a snapshot of your screen while the Recovery Key is displayed and then print that image separately. Doing so is A Good Idea because it helps prevent errors while copying that excruciatingly long Recovery Key by hand. To take a snapshot image of the screen, press +Shift+3. (The image file appears on your Desktop.)

7. After Mavericks encrypts your hard drive and logs you out, log in again normally.

   You’re done — and far more secure!

Again, do not forget your account login password, and make doggone sure that your admin user never forgets the Recovery Key! If you forget these passwords, you can’t read anything on your hard drive, and even the smartest Apple support technician will tell you that nothing can be done.