MAC MINI STARTUP & CONFIGURATION GUIDE
OpenClaw · Ollama · Tailscale · Signal · Remote Access
Confidential Personal Reference | March 2026
About This Guide

This guide walks through the complete setup of your Mac Mini 24GB for professional use with OpenClaw, local AI models via Ollama, and secure communications. It incorporates security hardening, attorney-client confidentiality practices, remote access configuration, and recommended communications protocols established in your planning session.

Follow each phase in order. Steps marked ⚠ have security implications and should not be skipped.
| Phase | Description |
| --- | --- |
| Phase 1 | Unboxing & Physical Setup |
| Phase 2 | First Boot & macOS Configuration |
| Phase 3 | System Security Hardening |
| Phase 4 | Tailscale VPN |
| Phase 5 | Ollama & Local AI Models |
| Phase 6 | OpenClaw Installation & Configuration |
| Phase 7 | Remote Access — Tailscale + VNC |
| Phase 8 | Secure Communications — Signal |
| Phase 9 | Communications Platform Reference |
| Phase 10 | Ongoing Maintenance & Protocols |
Phase 1 — Unboxing & Physical Setup
Complete these steps before pressing the power button.
| Step | Action | Details |
| --- | --- | --- |
| 1 | Open the box | Remove the Mac Mini unit, power cable, and documentation packet. Peel all plastic film from the top and sides of the unit. |
| 2 | Choose placement | Position the Mac Mini with at least 2–3 inches of clearance on all sides, especially behind the rear vent. Do not place inside an enclosure. |
| 3 | Connect peripherals first | Connect your HyperX keyboard via USB, your monitor via HDMI or USB-C, and a mouse if available. Do this before plugging in power. |
| 4 | Connect power | Plug the power cable into the back of the Mac Mini and into the wall outlet. Do not press the power button yet. |
| 5 | Key remapping note | Your HyperX keyboard will work normally. Windows key = Command (⌘). Alt key = Option (⌥). The keyboard layout is otherwise identical. |

⚠ IMPORTANT: Do not power on until all peripherals are connected. macOS first boot runs a display configuration check — having the monitor connected prevents a blank-screen issue.
Phase 2 — First Boot & macOS Configuration
Press the power button (back-right corner of the unit). The Apple logo and progress bar will appear. Follow the macOS Setup Assistant:
| Step | Action | Details |
| --- | --- | --- |
| 1 | Power on | Press the power button on the back-right corner of the Mac Mini. Wait for the Apple logo and progress bar. |
| 2 | Language & Region | Select English (United States) and your time zone (Mountain Time for Colorado Springs). |
| 3 | WiFi | Connect to your home network. Use a wired Ethernet connection if available — more stable for large model downloads later. |
| 4 | Apple ID | Sign in with your Apple ID or create one. This enables Find My Mac, iMessage, and iCloud. Required for machine security. |
| 5 | Create user account | Use a strong, unique password you have not used elsewhere. This is the macOS login password. Write it down and store it securely. |
| 6 | Decline unnecessary services | Screen Time: skip. Siri: skip (optional — disable if privacy is a concern). iCloud Drive: enable cautiously — never sync sensitive work files to iCloud. |
| 7 | macOS updates | When Setup Assistant completes, go to System Settings → General → Software Update. Install all available updates before proceeding to Phase 3. |
Phase 3 — System Security Hardening
Complete all items in this phase before installing any software. These controls protect the host machine and are prerequisites for confidential work.
| Step | Action | Details |
| --- | --- | --- |
| 1 | FileVault — Full Disk Encryption | System Settings → Privacy & Security → FileVault → Turn On. Encrypts all data at rest with AES-256. Store the recovery key in a secure location offline. Required for any machine handling confidential work. |
| 2 | Screen Lock — Immediate | System Settings → Lock Screen → set 'Require password after screen saver begins or display is off' to Immediately. Also set the screen saver to activate after 1 minute: System Settings → Screen Saver. |
| 3 | Find My Mac — Remote Wipe | System Settings → [Your Name] → Find My → Find My Mac → On. This enables remote lock and wipe from icloud.com/find if the machine is ever lost or stolen. |
| 4 | Startup Security | Restart into Recovery Mode by holding the power button. Open Startup Security Utility. Set to Full Security. This prevents booting from unauthorized external media. |
| 5 | Firewall | System Settings → Network → Firewall → On. Enable 'Block all incoming connections' except for services you explicitly need. This prevents unsolicited inbound connections. |
| 6 | Disable Remote Login (SSH) | System Settings → General → Sharing → Remote Login → Off. SSH will not be needed; all remote access will go through Tailscale + VNC (configured in Phase 7). |
| 7 | iCloud sync — sensitive files | System Settings → [Your Name] → iCloud → iCloud Drive: do not enable Desktop & Documents folders sync. Never sync work research, client files, or confidential documents to iCloud. |

⚠ IMPORTANT: Do not skip FileVault. Without it, anyone with physical access to the Mac Mini can read all data regardless of your login password.
Phase 4 — Tailscale VPN
Tailscale creates an encrypted private network between all your devices using WireGuard. It is the foundation of your secure remote access setup and must be installed before configuring VNC or OpenClaw gateway access.
| Step | Action | Details |
| --- | --- | --- |
| 1 | Download Tailscale | Go to tailscale.com/download and download the macOS app, or install via the Mac App Store. Both are identical. |
| 2 | Sign in | Open Tailscale and sign in with your existing Tailscale account. The Mac Mini will appear as a new device in your tailnet. |
| 3 | Verify device appears | Open tailscale.com/admin in your browser. Confirm the Mac Mini appears in your device list with an assigned Tailscale IP (typically 100.x.x.x). Note this IP — you will use it for VNC connections. |
| 4 | Enable auto-start | In the Tailscale menu bar icon, ensure 'Launch at Login' is checked. Tailscale should always be running — this removes any risk of forgetting to start it before a remote session. |
| 5 | Verify existing devices | Your Windows machine and GCP VM should already appear in the Tailscale admin console. Confirm they show as connected. All three devices can now reach each other securely. |

ℹ NOTE: Tailscale's coordination servers see connection metadata (which devices connected, when) but never the content of your traffic. All data travels peer-to-peer over WireGuard — appropriate for professional use including confidential work.
Phase 5 — Ollama & Local AI Models
Ollama is the runtime engine that serves local LLMs. Your 24GB unified memory handles DeepSeek R1 14B comfortably — approximately 9GB model weight with room for macOS overhead and context window.
| Step | Action | Details |
| --- | --- | --- |
| 1 | Install Ollama | Go to ollama.com and download the macOS app. Drag to Applications and launch. Ollama installs a menu bar icon and background service. |
| 2 | Pull primary model | Open Terminal and run: ollama pull deepseek-r1:14b — This is DeepSeek-R1-Distill-Qwen-14B. Download is approximately 9GB. Suitable for reasoning, research, and land title work. |
| 3 | Pull secondary model | Run: ollama pull qwen3:14b — Approximately 9GB. A strong general-purpose alternative. Both models can be installed simultaneously; Ollama loads one at a time. |
| 4 | Verify localhost binding | Run: curl http://localhost:11434 — should respond with 'Ollama is running'. Then run: curl http://0.0.0.0:11434 — should fail or time out. Ollama must NOT be accessible from the network directly. |
| 5 | Configure auto-start | Ollama starts automatically at login by default after installation. Verify this in System Settings → General → Login Items — Ollama should appear in the list. |
| 6 | Test a model | Run: ollama run deepseek-r1:14b — Type a test prompt. First run loads the model into memory (10–30 seconds). Subsequent prompts are fast. Exit with /bye. |

| Model | Disk Size |
| --- | --- |
| deepseek-r1:14b (primary) | ~9 GB |
| qwen3:14b (secondary) | ~9 GB |
| Combined (both installed) | ~18 GB |
| Available for system + context | ~6 GB remaining of 24 GB |

⚠ IMPORTANT: Never expose Ollama's port (11434) to the public internet. If curl http://0.0.0.0:11434 succeeds, edit the Ollama launch configuration to bind only to 127.0.0.1. Access from remote machines should only be via Tailscale.
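The following script is an added example, not part of the original guide or of Ollama, for checking the binding described in step 4 from the Mac Mini itself. Because many kernels route a connection to 0.0.0.0 back to the loopback interface, it probes port 11434 on each of the machine's real addresses (LAN, and the Tailscale 100.x.x.x address if you pass it in) and reports which ones accept a connection; only 127.0.0.1 should.

```python
import socket

OLLAMA_PORT = 11434  # Ollama's default port, as stated in the guide


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_ipv4_addresses() -> set:
    """Collect this machine's IPv4 addresses using only the standard library."""
    addrs = {"127.0.0.1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    # A UDP socket "connected" to a documentation address reveals the primary
    # outbound interface address without sending any packet.
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(("192.0.2.1", 9))  # TEST-NET-1, never actually reached
            addrs.add(s.getsockname()[0])
    except OSError:
        pass
    addrs.discard("0.0.0.0")
    return addrs


def audit_binding(port: int = OLLAMA_PORT, extra_hosts=()) -> dict:
    """Probe the port on loopback and on every other local address.

    Pass your Tailscale IP (100.x.x.x) in extra_hosts to include it explicitly.
    """
    hosts = local_ipv4_addresses() | set(extra_hosts)
    return {h: probe(h, port) for h in sorted(hosts)}


def is_loopback_only(results: dict) -> bool:
    """True when 127.0.0.1 accepted the connection and no other address did."""
    return bool(results.get("127.0.0.1")) and not any(
        ok for host, ok in results.items() if host != "127.0.0.1")


if __name__ == "__main__":
    res = audit_binding()
    for host, ok in res.items():
        print(f"{host:>15}  {'ACCEPTS connections' if ok else 'closed'}")
    print("OK: loopback only" if is_loopback_only(res)
          else "WARNING: Ollama is reachable beyond loopback")
```

Run it with python3 on the Mac Mini after Ollama is running; a WARNING line means the launch configuration must be changed to bind only 127.0.0.1, as the note above requires.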
Phase 6 — OpenClaw Installation & Configuration
OpenClaw is the AI orchestration layer that routes your prompts to the appropriate model. Configure it to use your local Ollama model as primary, with the Anthropic API as a cloud fallback for non-confidential sessions only.
| Step | Action | Details |
| --- | --- | --- |
| 1 | Install Node.js 22 | Go to nodejs.org and download the LTS installer for macOS. Install. Verify in Terminal: node --version (should show v22.x.x). |
| 2 | Install OpenClaw | In Terminal run: npm install -g openclaw@latest — This installs the OpenClaw CLI globally. Run: openclaw --version to verify. |
| 3 | Run onboarding wizard | Run: openclaw setup — Follow the prompts. When asked for your primary model, enter: ollama/deepseek-r1:14b — When asked for cloud API, enter your Anthropic API key but mark it as optional/fallback. |
| 4 | Verify config location | Main config: ~/.openclaw/openclaw.json — Privileged config: ~/.openclaw/openclaw-privileged.json — The privileged config should have NO cloud API keys. |
| 5 | Create privileged config | Copy openclaw.json to openclaw-privileged.json. Edit the copy: remove all cloud API keys. This config is for use with confidential work — local model only, nothing leaves the machine. |
| 6 | Restrict config permissions | In Terminal run: chmod 600 ~/.openclaw/openclaw-privileged.json — and: chmod 700 ~/.openclaw/logs — This prevents other processes from reading your configuration or log files. |
| 7 | Restrict OpenClaw log permissions | Run: chmod 700 ~/.openclaw/logs — OpenClaw logs may capture prompt content. Restrict access to your user only. Purge logs periodically. |
| 8 | Set Anthropic API spending limit | Log into console.anthropic.com. Set a hard daily spending limit of $5–$10. This prevents runaway costs from misconfigured agent loops. |
| 9 | Configure auto-start | Create a launchd service to start the OpenClaw gateway at boot. Run: openclaw gateway --install-service — or configure manually in ~/Library/LaunchAgents/. |

⚠ IMPORTANT: Never use openclaw.json (with cloud API keys) for sessions involving confidential client data, privileged work product, or sensitive research. Switch to openclaw-privileged.json for those sessions. Any prompt sent via cloud API is transmitted to Anthropic's servers.

ℹ NOTE: Privileged session workflow: (1) Start OpenClaw with: openclaw --config ~/.openclaw/openclaw-privileged.json (2) Confirm the model shows as local in the status display. (3) Complete work. (4) Return to the standard config.
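Steps 5 and 6 above are easy to get wrong by hand (a key left in a nested section, a file written with default permissions). The script below is an added example, not part of OpenClaw or of the original guide: it copies the main config to the privileged one with every cloud API key removed, sets mode 0600, and then re-scans the result so a leftover key is reported rather than silently shipped. The JSON layout in SAMPLE_CONFIG and the field names treated as keys are assumptions, not OpenClaw's documented schema.

```python
import json
import os
import re
from pathlib import Path

# Assumed, not OpenClaw's schema: a field is a cloud API key if its name looks like
# one or its value looks like an Anthropic key.
KEY_NAME_RE = re.compile(r"api[_-]?key$", re.IGNORECASE)
KEY_VALUE_RE = re.compile(r"^sk-(ant-)?[A-Za-z0-9_-]{8,}$")

# Constructed sample standing in for ~/.openclaw/openclaw.json (layout assumed).
SAMPLE_CONFIG = {
    "primaryModel": "ollama/deepseek-r1:14b",
    "providers": {
        "ollama": {"baseUrl": "http://127.0.0.1:11434"},
        "anthropic": {"apiKey": "sk-ant-EXAMPLE-PLACEHOLDER-0000", "fallback": True},
    },
}


def looks_like_key(name, value) -> bool:
    return bool(KEY_NAME_RE.search(name)) or (
        isinstance(value, str) and bool(KEY_VALUE_RE.match(value)))


def strip_cloud_keys(node):
    """Return a copy of the config with every cloud-API-key field removed."""
    if isinstance(node, dict):
        return {k: strip_cloud_keys(v) for k, v in node.items()
                if not looks_like_key(k, v)}
    if isinstance(node, list):
        return [strip_cloud_keys(v) for v in node]
    return node


def find_cloud_keys(node, path="$") -> list:
    """List JSON paths of any key-like fields that remain (the verification step)."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if looks_like_key(k, v):
                found.append(f"{path}.{k}")
            found.extend(find_cloud_keys(v, f"{path}.{k}"))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            found.extend(find_cloud_keys(v, f"{path}[{i}]"))
    return found


def write_privileged_config(src: Path, dst: Path) -> list:
    """Write dst from src with keys stripped and mode 0600; return leftover key paths."""
    cleaned = strip_cloud_keys(json.loads(src.read_text()))
    dst.write_text(json.dumps(cleaned, indent=2) + "\n")
    os.chmod(dst, 0o600)
    return find_cloud_keys(cleaned)


if __name__ == "__main__":
    home = Path.home() / ".openclaw"
    left = write_privileged_config(home / "openclaw.json", home / "openclaw-privileged.json")
    print("privileged config written; leftover keys:", left or "none")
```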
Phase 7 — Remote Access (Tailscale + VNC)
This configuration allows you to view and control the Mac Mini desktop from your Windows machine, Linux machines, or any other device — securely, over your Tailscale private network.
7A — Enable Screen Sharing on the Mac Mini
| Step | Action | Details |
| --- | --- | --- |
| 1 | Enable Screen Sharing | System Settings → General → Sharing → Screen Sharing → On. This activates the Mac's built-in VNC server. |
| 2 | Set VNC password | In Screen Sharing settings, click 'Computer Settings' and set a VNC password. Use at least 8 characters (macOS limit). Note: Tailscale provides the main security layer here — the VNC password is a secondary control. |
| 3 | Note your Tailscale IP | In the Tailscale menu bar icon, note the Mac Mini's Tailscale IP (100.x.x.x). This is the address you will use to connect from remote machines. Never use the local LAN IP (192.168.x.x) for remote connections outside your home network. |
7B — Install RealVNC Viewer on Remote Machines
| Step | Action | Details |
| --- | --- | --- |
| 1 | Windows machines | Go to realvnc.com/en/connect/download/viewer and download RealVNC Viewer for Windows. Install. Free — no account required for basic use. |
| 2 | Linux machines | Download RealVNC Viewer for Linux from the same page, or install via: sudo apt install realvnc-vnc-viewer (Debian/Ubuntu). Free. |
| 3 | Connect | Open RealVNC Viewer. In the address bar enter the Mac Mini's Tailscale IP (e.g. 100.x.x.x). Enter the VNC password when prompted. You now see the Mac Mini desktop. |
| 4 | Verify Tailscale is active first | Before connecting, always confirm Tailscale is connected on BOTH machines. The Tailscale icon should show as active. If not connected, reconnect before opening the VNC session. |

⚠ IMPORTANT: SECURITY RULE: Never open a VNC session on a public or shared network (coffee shop, hotel, airport, client office) without Tailscale active on both machines. Without Tailscale, your screen content — including all documents and client data — travels unencrypted and is readable by anyone on the same network.

| Tool | Appropriate for Confidential Work? |
| --- | --- |
| Tailscale + RealVNC Viewer | ✅ Yes — encrypted tunnel, no third-party relay |
| Chrome Remote Desktop | ❌ No — routes through Google's servers |
| Parsec | ❌ No — routes through Parsec's corporate servers |
| TeamViewer (free) | ❌ No — routes through TeamViewer's servers |
| AnyDesk | ❌ No — routes through AnyDesk's servers |
Phase 8 — Signal (Secure Messaging)
Signal is the recommended secure messaging platform for professional communications involving confidential matters. Install it on all devices you use for work.
| Step | Action | Details |
| --- | --- | --- |
| 1 | Install on Mac | Go to signal.org/download and download the macOS app. Drag to Applications. Signal requires linking to your phone — install on your iPhone first if not already done. |
| 2 | Install on iPhone | Download Signal from the App Store. Register with your phone number. This is the primary account — the Mac app links to it. |
| 3 | Link Mac to iPhone | Open Signal on Mac. Open Signal on iPhone → Settings → Linked Devices → Link New Device. Scan the QR code shown on the Mac. The Mac app is now synced. |
| 4 | Configure disappearing messages | For contacts handling confidential matters: open each conversation → conversation name at top → Disappearing Messages → set a timer (1 week is a reasonable default for professional use). This auto-deletes messages from both devices. |
| 5 | Disable Secure Backups | Settings → Privacy → Backups → do not enable. With backups off, message history exists only on your devices and is never stored on Signal's servers. This is the zero server-side storage configuration. |
| 6 | Enable Note to Self | Signal includes a 'Note to Self' conversation — a private encrypted scratchpad. Useful for secure self-messaging of sensitive notes or temporary data. |
| 7 | Encourage colleagues | Signal is only as useful as the colleagues you can reach on it. Ask Harrison, Bret, and other colleagues handling confidential matters to install Signal. Setup takes under 5 minutes. |

✅ RECOMMENDATION: Signal's data retention: phone number, account creation date, and last connection timestamp only. When subpoenaed, Signal has only ever been able to produce those two data points. Message content, contact lists, group memberships, and call logs are never stored on Signal's servers.
Phase 9 — Communications Platform Reference
Use this table as a quick reference when deciding which platform to use for a given communication.
| Use Case | Use This | Notes |
| --- | --- | --- |
| Confidential client matters, work product, privileged communications | Signal | Enable disappearing messages. Disable Secure Backups. |
| Colleague coordination — non-sensitive | Signal or iMessage | iMessage acceptable Apple-to-Apple only. |
| Any communication that could affect legal exposure | Signal only | No exceptions. |
| Community discussion, technical forums, public coordination | Discord | Assume public. Never share sensitive details. |
| Casual personal use | iMessage / Signal | iMessage convenient; Signal preferred for privacy. |
| Standard text messaging (SMS) | Avoid for work | Carriers retain records. No encryption. |
Why Telegram and Discord Are Not Appropriate for Confidential Work
Telegram: Regular chats and ALL group chats are stored unencrypted on Telegram's servers. Only manually activated 'Secret Chats' use end-to-end encryption, and this mode is not available for groups. Telegram's reputation for security significantly exceeds its actual security architecture.
Discord: No end-to-end encryption at any tier. All messages are stored on Discord's servers and readable by Discord. Discord has experienced multiple significant data breaches. Appropriate for community and casual communication only — never for work product or client matters.
Phase 10 — Ongoing Maintenance & Protocols
10A — Recurring Security Tasks
| When | Action | Details |
| --- | --- | --- |
| On every update | Update OpenClaw | Run: npm update -g openclaw — Apply immediately. Security patches have addressed critical vulnerabilities including remote code execution. Never skip updates. |
| Weekly | Check for vulnerabilities | Run: npm audit in the OpenClaw directory to check for dependency vulnerabilities. Review any new ClawHub skills before use. |
| Monthly | Security review | Review OpenClaw log files for unexpected activity. Purge logs containing sensitive content. Verify Ollama still binds to localhost only. Check the Tailscale device list for unrecognized devices. |
| When adding skills | Audit before installing | Read the full skill source before installing any OpenClaw skill. Reject any skill requesting unexpected permissions (shell.execute, fs.read_root). A prior supply chain attack infected ~10% of skills in the community registry. |
| After any incident | Rotate credentials | Rotate API keys, invalidate auth tokens, review logs, assess what data was accessible. |
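As a first pass for the "Audit before installing" item, the script below is an added example (not part of OpenClaw, ClawHub or the original guide) that scans every text file in a downloaded skill directory for the two permission identifiers the guide says to reject and reports each occurrence with file and line number. It does not assume any particular skill manifest format; the SAMPLE_SKILL files are constructed, and a clean scan is a prerequisite for, not a substitute for, reading the full source.

```python
import re
import sys
from pathlib import Path

# Permission identifiers the guide says to reject on sight.
REJECT_PERMISSIONS = ("shell.execute", "fs.read_root")
TEXT_SUFFIXES = {".json", ".js", ".mjs", ".ts", ".py", ".yaml", ".yml", ".toml", ".md", ".txt"}


def scan_sources(files: dict, reject=REJECT_PERMISSIONS) -> list:
    """Scan {filename: text}; return (filename, line, permission) per hit, sorted by file."""
    pattern = re.compile("|".join(re.escape(p) for p in reject))
    hits = []
    for name, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in pattern.finditer(line):
                hits.append((name, lineno, match.group(0)))
    return hits


def scan_skill_dir(root: Path) -> list:
    """Read every text file under a skill directory and scan it."""
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
    return scan_sources(files)


# Constructed sample skill; the manifest shape is assumed, not a documented format.
SAMPLE_SKILL = {
    "skill.json": '{\n  "name": "title-search",\n  "permissions": ["fs.read_root", "net.fetch"]\n}\n',
    "index.js": 'export async function run(ctx) {\n  return ctx.shell.execute("ls /");\n}\n',
    "README.md": "Searches county title records.\n",
}

if __name__ == "__main__":
    # Usage: python3 audit_skill.py /path/to/downloaded/skill  (no argument scans the sample)
    hits = scan_skill_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_sources(SAMPLE_SKILL)
    for name, lineno, perm in hits:
        print(f"REJECT  {name}:{lineno}  {perm}")
    print("clean" if not hits else f"{len(hits)} flagged permission reference(s)")
```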
10B — Machine Loss or Theft Protocol
If the Mac Mini is lost, stolen, or compromised, execute these steps immediately and in this order:
- Remote lock or wipe via icloud.com/find. Lock immediately. Wipe only if confident data cannot be recovered another way.
- Revoke the device in your Tailscale admin console (tailscale.com/admin). This immediately cuts off network access from the compromised machine.
- Rotate all cloud API keys: Anthropic console and any other services configured in OpenClaw. Assume all keys on the machine are compromised.
- Invalidate or rotate the OpenClaw auth token. Update the token on all other devices.
- Assess what data was on the machine, whether it was protected by FileVault, and whether any professional notification obligations apply.
10C — Remote Session Pre-Flight Checklist
Before opening any remote desktop session, verify the following:
- Tailscale is connected and shows active on the remote machine
- Tailscale is connected and shows active on the Mac Mini (check tailscale.com/admin)
- You are using RealVNC Viewer — not Chrome Remote Desktop, Parsec, or any relay-based tool
- The computer you are working from is your own trusted and secured device
- If the session will involve confidential work: OpenClaw is running with the privileged (local-only) config
10D — Quick Reference Commands
| Command | Purpose |
| --- | --- |
| ollama list | Show installed models |
| ollama run deepseek-r1:14b | Start a local model session |
| ollama pull | Download a new model |
| curl http://localhost:11434 | Verify Ollama is running (should respond) |
| openclaw status | Show OpenClaw gateway status and active model |
| openclaw --config ~/.openclaw/openclaw-privileged.json | Start OpenClaw in privileged (local-only) mode |
| npm update -g openclaw | Update OpenClaw to the latest version |
| chmod 700 ~/.openclaw/logs | Restrict log file permissions |
| tailscale status | Show Tailscale connection status and device IPs |
This document is a personal reference guide. Review applicable professional rules and consult with qualified counsel regarding specific obligations.