for version 5.3.2
Written by Ben Bird - Ben Software Ltd
This manual is designed to help you create a complete CCTV system based around SecuritySpy, our macOS video surveillance software.
Three questions usually arise when setting up a new system:
Start by reading the Choosing a System section, which describes the various choices of cameras and Mac models available.
The sections Connecting to a Camera Over Ethernet and Connecting to a Camera Over WiFi guide you though the process of configuring IP cameras, and the Remote Access section shows you how to set up access to your system from the Internet.
For information about using the SecuritySpy software itself, please see the SecuritySpy User Manual.
Your main choices are which cameras to use, and which Mac computer, for your SecuritySpy video surveillance system.
All new systems should use IP cameras (network cameras). These are digital devices that transmit high-definition video over Ethernet or wireless (WiFi) networks. IP cameras are designed for CCTV, and can offer high quality video, with additional features such as infra-red night vision, vandal resistance and Pan/Tilt/Zoom. Read more in the Network Cameras section of this manual.
Previous-generation CCTV systems employed analog cameras, which transmit analog video signals over coaxial cable. Analog cameras provide very poor quality video by today's standards, and should not be used. Still, if you want to connect analog cameras to SecuritySpy, you can do so using Axis Video Encoders.
The third type of camera is one connected by USB, FireWire or Thunderbolt, or a built-in FaceTime camera (SecuritySpy calls these "local devices" to distinguish them from network devices). While these can make useful and inexpensive additions to CCTV systems, they have significant limitations: they are typically indoor-only, they have to be close to the Mac due to cable length restrictions, and bandwidth limits mean that you may not be able to use more than one at a time. Therefore, if you do decide to use a local device, use just one of them, combined with one or more IP cameras. Read more in the USB and Thunderbolt Devices section of this manual.
SecuritySpy will work on any Mac running at least macOS (OS X) 10.13.6.
The amount of processing power required varies depending on a number of factors. Please user our SecuritySpy System Requirements Calculator to help you choose a system to suit your Mac, or a Mac to suit your desired system.
By way of illustration, following is a rough guide to the maximum number of IP cameras of different Megapixel (MP) resolutions that you can connect to various Macs, assuming the cameras are providing H.265 video at 8 frames per second (FPS) that is being recorded by SecuritySpy directly to disk with no recompression:
Mac mini (2018 model, 3.2 GHz Intel i7 processor, 6 cores)
65 cameras at 2 MP | 52 cameras at 4 MP | 30 cameras at 8 MP
Mac mini (2020 model, 3.2 GHz Apple M1 processor, 8 cores)
120 cameras at 2 MP | 100 cameras at 4 MP | 56 cameras at 8 MP
iMac (2019 model, 3.6 GHz Intel i3 processor, 4 cores)
60 cameras at 2 MP | 46 cameras at 4 MP | 22 cameras at 8 MP
iMac (2019 model, 3.6 GHz Intel i9 processor, 8 cores)
120 cameras at 2 MP | 95 cameras at 4 MP | 38 cameras at 8 MP
Mac Pro (2019 model, 3.2 GHz Intel Xeon E5 processor, 16 cores)
166 cameras at 2 MP | 142 cameras at 4 MP | 94 cameras at 8 MP
Mac Pro (2019 model, 2.7 GHz Intel Xeon E5 processor, 24 cores)
200 cameras at 2 MP | 166 cameras at 4 MP | 96 cameras at 8 MP
The maximum number of cameras varies depending on the video codec, frame rate and resolution in use. Please use our System Requirements Calculator to obtain accurate estimates.
The 2020 M1 Mac mini is a particularly good choice to run SecuritySpy, due to its extremely powerful CPU, GPU and neural engine, small size, and low cost.
Modern IP cameras generally supply video in either H.264 or H.265 format. Both are highly efficient codecs, with H.265 roughly twice as efficient (i.e. half the amount of storage space required).
The large range of available hardware options can be daunting when setting up a new system. For this reason, we've designed three comprehensive example systems that you can use as starting points for your own:
A basic system using a standard Mac mini and inexpensive cameras to keep costs down while providing effective video surveillance.
A flexible system using a Mac mini and high-resolution IP cameras, allowing for a high number of cameras and excellent quality.
Up to 100 high-end 8 MP cameras per Mac Pro for ultimate power and quality.
There are many cameras on the market today that offer impressive quality at reasonable prices. For example, the Hikvision DS-2CD2455FWD-IW is a compact camera with a great feature set.
2 MP should be considered your minimum resolution requirement, although it's often not too much more expensive to purchase cameras with higher resolutions. You should consider using PoE (Power-over-Ethernet) cameras for ease of setup and reliability.
Use a Gigabit-speed switch and connect all cameras by wired Ethernet where possible, for maximum performance and reliability. If necessary, a few WiFi cameras can also be used, which requires a wireless router or access point.
Use Cat-5e Ethernet cables to connect everything to the switch.
A basic M1 Mac mini with 8 GB RAM is the best choice for a home system, as it provides more than enough power, as well as great value.
The Hikvision compact camera shown above is a great choice for an indoor business environment too. alternatively, Consider the Axis M3046-V, an indoor mini-dome, or the Hanwha Techwin QNV-8080R, an outdoor dome. The Vivotek IB9387-HT-A is a good choice for an outdoor bullet camera.
4 MP should be considered your minimum resolution requirement. PoE (Power-over-Ethernet) cameras are highly recommended for ease of setup and reliability.
Use a Gigabit-speed PoE switch, and connect all devices to this switch.
Use Cat-5e cabling for the cameras, and Cat-6 cabling for the rest of your network to future-proof it for 10-Gigabit speeds.
A M1 Mac mini with 16 GB RAM is the ideal choice for most medium-sized business installations.
Axis, Vivotek and Canon make some excellent high-resolution cameras in various form factors, for example the AXIS P1448-LE or the Vivotek FD9391-EHTV. The AXIS Q3709-PVE is an impressive indoor/outdoor dome camera with 3x 4 MP sensors that cover a 180° field of view, while the ACTi E210 is an excellent choice for a fixed ultra-high-resolution indoor camera.
8 MP should be considered your minimum resolution requirement. Make sure to use PoE (Power-over-Ethernet) cameras.
Use a Gigabit-speed PoE switch to connect and power all the cameras. For the rest of your network, you might choose to use 10-Gigabit speed switches.
Use Cat-5e cabling for the cameras, and Cat-6 cabling for the rest of your network to allow for 10-Gigabit speeds.
As the most powerful Mac in Apple's lineup, the Mac Pro is the most suitable model for large professional systems.
Network cameras - also known as IP cameras - send digital video and audio data over an Ethernet or wireless (WiFi) network. They can be accessed by a computer on your local network or over the Internet without requiring any additional video input hardware.
SecuritySpy supports a extensive range of IP cameras - see the SecuritySpy Camera List to check compatibility and find a camera to suit your requirements. For specific recommendations, see the Example Systems section above.
A network is typically composed of the following hardware components:
There are actually two separate networks shown on the above diagram: the local network, consisting of all the devices pictured; and the Internet. The router acts as the link between the two, providing all the devices on the local network with Internet access.
Most routers have a built-in switch, in order to provide multiple Ethernet ports. For small networks this may suffice, but for larger more demanding applications a separate switch is normally requried to provide faster connectivity between more devices than can be supported by the router alone.
For example, this Airport Extreme router has three LAN (Local Area Network) ethernet ports that you can use to connect devices. If you need to connect more than three devices, first connect a switch to the router, and then connect all devices to the switch:
These devices adds wireless capability to the local network. They act as a "bridge" between the wired and wireless parts of the network, connecting all devices together on the same network.
If you are using an Apple AirPort device for this function, in addition to a router, these devices must be set to "bridge mode" to perform the function of a WAP, otherwise they will act as routers in their own right and will make configuring the wireless part of the network more difficult. This applies to any wireless router that you want to use as a WAP.
Many routers have wireless functionality built in, so there is no need for a separate WAP.
These are the devices that connect to the local network, either wired or wirelessly. Each device can communicate directly with any other device on the same local network, but in order to communicate with any device over the Internet, it must do this through the router.
For connecting cameras, Cat-5e Ethernet cable is most suitable - it is inexpensive, widely available and allows for Gigabit speeds. For the rest of your network, you may want to use higher-spec (but more expensive) Cat-6 cable, to allow for 10-Gigabit speeds.
PoE eliminates the need for power connections at each camera location, which makes installing IP cameras much easier. In order to use this technology, your cameras and Ethernet switch must be compatible with the 802.3af PoE standard.
This section is an introduction to the concepts involved in understanding addresses on a LAN (Local Area Network).
Each device connected to a network is given a unique identifier, known as an IP address. An IP address consists of four numbers separated by dots, for example:
When network devices send messages to each other, they do so on a particular port, which can be thought of as a particular communication channel. By using different ports, several services (e.g. web, email, file transfer) can operate independently on the same device.
By convention, port 80 is used to send and receive web pages (HTTP) and port 554 is used to send and receive video and audio media streams (RTSP).
Every LAN operates on a particular subnet, which defines the scope of the network; a device can directly communicate only with other devices on the same subnet.
The subnet is usually indicated by the first three numbers of the IP address, leaving the fourth number to identify the devices themselves. The following IP addresses are all on the same subnet:
This arrangement is described by the subnet mask "255.255.255.0", which means "use the first three numbers as the subnet, and use the fourth number as the device identifier".
Refer to the Network pane of the System Preferences window to identify which subnet addressing is being used on your LAN.
DHCP is a protocol, built into all routers, that automatically assigns IP address to devices on the LAN. This makes it easy to connect a device to a network, however it means that device addresses may change from time to time. This is often unsuitable for any device that acts as a server (e.g. a network camera), because servers must have fixed addresses so that clients know where to find them.
So, you may need to give your cameras static IP addresses on your LAN - see the Connecting to a Camera Over Ethernet section below.
Note that any manual address you assign to a device should be outside the range of addresses that the router uses for DHCP, to avoid any conflict. Routers vary in what ranges they use, but if you assign manual addresses in the range 200-250, this is normally safe. It's a good idea to look for this setting in your router so that you know which addresses are safe to use for your manual assignments.
This section explains how to set up network cameras on your local network, to be accessed by SecuritySpy running on the same network. If, instead, you want to make your cameras directly available over the internet (most users will not need to do this), please also see Remote Access - Introduction and Port Forwarding - Manual Setup.
Methods 1 and 2 described below rely on the camera being able to obtain an IP address automatically using DHCP. Fortunately, most cameras are pre-configured to do so, and most networks contain a DHCP service (typically provided by the router). If your camera does not use DHCP, or if your network does not have a router, then you will need to use method 3.
For cameras that support either of these protocols, setup is straightforward. Simply connect the camera to your network, and in the Preferences -> Cameras -> Device section in SecuritySpy, create a new network device, click the Auto-Discovered Devices button, and select the camera from the list. There is no need to interact directly with the camera's IP address.
For cameras that use DHCP, but do not support ONVIF or Bonjour, you'll initially need to locate the camera on your network, and then assign it to a static IP address.
To help you find the IP addresses assigned to your cameras, use our Network Device Finder utility, which lists the IP addresses of all web servers on your local network:
For example, if your network uses the subnet 192.168.1 (i.e. all devices on your network have IP addresses in the form 192.168.1.x), and your router uses the range 192.168.1.50 - 192.168.1.200 for its DHCP assignments, then you can use addresses 192.168.1.201, 192.168.1.202, 192.168.1.203 etc. for your cameras.
If the network camera has a fixed IP address by default, or if you do not have a DHCP service running on your network, you may need to temporarily change your computer's IP address in order to access the camera for the first time.
Firstly, compare the IP address shown for your Mac in the Network system preference with the default IP address of the camera that is specified in the camera's user manual: if the first three numbers of these addresses (the subnet) are different, then you will need to use the following procedure to set the camera to an address that is compatible with your network.
To change your Mac's IP address, open System Preferences, click on Network, then Ethernet (or Wi-Fi if your Mac is connected to the network wirelessly), and select Manually from the popup menu marked Configure:
For example, if your network uses the subnet 192.168.1 (i.e. these are the first three numbers of your Mac's IP address), but the camera's address is 192.168.0.100, then set your Mac temporarily to the address 192.168.0.1, then connect to the camera at 192.168.0.100 (using Safari) and set its IP address to 192.168.1.201. Then, when you reset your Mac's IP settings back to their original values, you will be able to connect to the camera at its new address.
Initially, you will need to connect the camera to your switch or router using an Ethernet cable, and follow the above instructions, Connecting to a Camera Over Ethernet.
Once connected by Ethernet, use a web browser (e.g. Safari) to open the camera's settings pages, and locate the camera's WiFi settings. Here you will need to enter the information required to establish a wireless connection: typically the network name (SSID) and password. If you have to choose an encryption type, this is typically WPA2, however you should confirm this by checking the WiFi encryption settings in your wireless router or access point.
If the camera does not support Zero Configuration Networking (see method 1 in the above section), you may need to manually assign an IP address to the camera's WiFi interface, just like you did with its Ethernet interface.
There are a few other settings available in most IP cameras that you should check:
You should set the frame rate of the camera's video stream to the lowest rate that is acceptable for your purposes. Frame rates that are too high waste network bandwidth and your Mac's CPU resources. A frame rate of 5-10 is typically sufficient for general-purpose video surveillance.
H.264 and H.265 streams comprise key frames (I-frames) each followed by multiple delta frames (P-frames). The delta frames encode only the changes in the image since the previous frame. The key frame rate — sometimes called "I-Frame Rate", "Key Frame Interval", "GOV Length" or "Intra Frame Period" — determines how frequently key frames appear in the video stream (e.g. a key frame rate of 10 means that each key frame is followed by 10 delta frames).
Don't set the key frame rate too high. Beyond around 30, the bandwidth improvements are minimal, and streams with higher key frame rates are more difficult to process (resulting in more memory and CPU usage). Also, using a low key frame rate means that any corruption in the video stream (e.g. due to temporary network difficulties) will be short-lived.
The ideal setting is to have a key frame every 2-3 seconds or so. For example, if the video stream frame rate is 10, then a good key frame rate to use is around 20-30.
Many cameras offer the choice between VBR (Variable Bit Rate) and CBR (Constant Bit Rate) video encoding. Choose VBR with a medium-to-high quality setting — this allows the camera to adjust its bit rate to cope with different conditions (e.g. if there is lots of movement the camera will increase its bit rate in order to encode it accurately). If only CBR is available, then make sure to use a bit rate towards the higher end of the camera's available range, to ensure good quality across all conditions.
Most cameras have the ability to add a date and time stamp onto the video image, and if so, you will probably want to enable this feature.
Most cameras also allow you to specify an NTP (Network Time Protocol) Server, that the camera can use to automatically maintain the correct date and time. For this you can specify time.apple.com.
Note that for this to work, the camera's IP settings need to include the router address (this can be obtained from the Network system preference on your Mac) and a DNS server address (you can use 22.214.171.124, which is the address of Google's free DNS server).
If the camera supports AAC encoding, then you should use this, as it is a very efficient format that offers good quality.
SecuritySpy supports USB, Thunderbolt and built-in video devices (which it refers to as "local" devices, to distinguish them from network devices). Such devices typically are not suitable for video surveillance, but can be a useful addition to a CCTV system in certain circumstances, and can be useful when using SecuritySpy for non-CCTV purposes (e.g. recording scientific experiments).
Often referred to as "webcams", these are small cameras that connect to your Mac via a USB cable. SecuritySpy supports any camera that implements the "UVC" protocol using driver software that is built into macOS, though non-UVC cameras that use driver software supplied by the manufacturer may also work.
Adding one of these into the mix of cameras in a CCTV system is inexpensive and easy, and can make a useful addition (e.g. for covering the room containing the recording Mac). However, USB cameras suffer from significant limitations:
Any camera that is built into your Mac (i.e. FaceTime or iSight cameras) will work with SecuritySpy.
SecuritySpy supports Blackmagic video input devices. Blackmagic produce an array of high-quality video devices, from cinematic cameras that connect to your Mac by Thunderbolt, to HDMI and SDI video input devices that connect to your Mac by USB or Thunderbolt.
These devices are not generally not designed for video surveillance, but are exceptionally high quality and can be used either for CCTV or other purposes.
SecuritySpy can monitor and record audio alongside the video from your cameras. SecuritySpy can access audio directly from network cameras, and in addition, you can connect one or more microphones to your Mac, with each one assigned to any number of cameras.
Most Macs have a built-in stereo audio input port, that can be used for one or two channels of incoming audio.
There are many inexpensive USB audio input devices available that provide two inputs (stereo). There are also many devices, generally designed for studio audio recording, with more than two inputs. Any audio input device that advertises Mac compatibility should work with SecuritySpy.
For IP camera that support audio, some will have built-in microphones, but others have an audio input ports to which you will need to connect a separate microphone:
These devices typically require a 12-volt power supply, and supply a line-level mono audio signal. Such microphones are also suitable for connecting to built-in audio input ports as well as USB and Thunderbolt audio input devices.
SecuritySpy supports two-way audio for IP cameras, whereby you can speak into a microphone connected to your Mac, and SecuritySpy will send this to the camera to play back via its speakers. Currently, Axis, Dahua Technology, Amcrest and Hikvision cameras are supported for computer-to-camera audio.
SecuritySpy's built-in secure web server allows you to monitor your system over your local network or over the Internet from a remote location.
You can access SecuritySpy's web interface from any web browser running on any computer or mobile device. Additionally, we have an iOS and tvOS app that allows you to easily access SecuritySpy from your iPhone, iPad or Apple TV. You can also view live video from a Dashboard widget, a screensaver, or a second copy of SecuritySpy (viewing-only usage of SecuritySpy does not require any additional license purchases; you just need one license for the server).
When accessing your system using a web browser, you can view live and recorded footage, control cameras with pan/tilt/zoom support, and modify SecuritySpy's settings.
You can set up multiple user accounts, each with varying levels of permissions, giving you control over who can access which features of your SecuritySpy server.
Addresses of devices on your local network are not directly accessible from the Internet. These addresses are private, and are completely invisible from outside your local network (LAN).
Your local network is a LAN (Local Area Network), while the Internet is a WAN (Wide Area Network).
Your router, as the only device connected to both the LAN and the WAN, acts as a gateway between these two networks. When a device on the LAN needs to connect to a device on the WAN, it must do so through the router. Conversely, when a connection arrives from the WAN, the router is responsible for forwarding this to the appropriate device on the LAN - this is called port forwarding.
Your ISP (Internet Service Provider) provides you with a single public IP address. This address is part of the Internet. ISPs provide either a static or a dynamic public IP address:
Dynamic - most ISPs give you a dynamic IP address, which means that it can change from time to time. In this case, you will need to use a Dynamic DNS (DDNS) service to provide your system with a static host name that will always point to your public IP address, even when it changes. SecuritySpy has a built-in DDNS system, described below.
Static - this means that your public IP address never changes. This is ideal, as it means that you can always access your system using the same address, however you still may want to set up a DDNS address, as it is easier to remember than an IP address.
Open System Preferences and select the Security & Privacy item. If the firewall feature is turned off, you don't need to do anything here. If the firewall is on, you need to either turn it off, or configure it to allow incoming connections to SecuritySpy. Click the Firewall Options button and drag the SecuritySpy application into the list.
Open the Preferences window in SecuritySpy and click the Web item:
Under Enable web server, check the HTTP and/or HTTPS option, in order to enable the standard web server and/or the secure encrypted web server. HTTP is suitable for local network communication, however you should use HTTPS for remote access, to ensure your data cannot be intercepted and decoded. SecuritySpy's HTTP and HTTPS services can be used side by side.
HTTPS requires the use of a certificate in order to identify the server. SecuritySpy will create a certificate for you automatically, although you also have the option of supplying your own (for more information, see the HTTPS Keys and Certificates section of the SecuritySpy User Manual).
Using the Dynamic DNS name option in the above window, simply enter a name, press the Test button, and SecuritySpy will instantly set up a DDNS address for you: in this example, the Internet address example.viewcam.me will now always point to the public IP address, even when it changes.
When an incoming connection arrives from the Internet, your router needs to know which device on the local network to forward the connection to: this is called Port Forwarding. Most users will be able to set this up in just a few clicks, using the Automatic Setup instructions below, however if your router does not support NAT Port Mapping Protocol (NAT-PMP) or Universal Plug and Play (UPnP), you'll need to follow the Manual Setup instructions instead.
Virtually all routers support NAT Port Mapping Protocol (NAT-PMP) or Universal Plug and Play (UPnP), both of which allow servers to automatically configure routers to allow incoming connections from the Internet. Assuming one of these features is enabled in your router, then all you have to do is enable the Allow access from the Internet options in the above window. Then, you will be able to access SecuritySpy from the internet using an address like this:
These addresses are just examples based on the above screenshot — to find out exactly what addresses to use, click the How Do I Access This Server? button in the above window.
This section describes how to manually set up port forwarding, for when your router does not support NAT-PMP or UPnP. If you have not already done so, please read the Network Hardware and Local Networks sections of this manual first, to familiarise yourself with the concepts involved.
Open System Preferences and click on the Network item:
You need to assign your Mac a fixed IP address on your local network. Firstly, click on the active Internet connection on the left hand side of the window (in the above example, the active connection is Ethernet 1, but if your Mac is connected wirelessly it will be AirPort or Wi-Fi), and select Manually from the popup menu as shown. Make sure to assign an IP address that is on the same subnet as the rest of your local network. Use 255.255.255.0 as the subnet mask, enter the IP address of your router, and use your router's address and/or 126.96.36.199 as the DNS server (this is Google's free DNS server). In the above window you will have to click on the Advanced button to enter the DNS server address.
You will need to set up your router so that incoming connections from the Internet are forwarded to your Mac running SecuritySpy.
This setting is sometimes called "port forwarding", "port mapping", "application sharing" or "virtual server", and the precise setup steps unfortunately quite significantly between different router models.
Open your router's settings by typing its IP address into a web browser (e.g. Safari), or by launching the AirPort Utility if you are using an AirPort router. Find the settings page related to port forwarding. Here are some examples of what this setting could look like:
Your router's settings may not look exactly like this, but the options available should be similar:
Enter the port used by the server. By default, SecuritySpy uses port 8000 for HTTP and 8001 for HTTPS. Most network cameras use port 80 for HTTP and port 554 for RTSP.
This is the port (or range of ports) that will be accessible from the Internet. If you are setting up remote access to SecuritySpy, this should be the same as the private port (8000 or 8001), unless you are confident about using a different setting.
Web browsers operate on port 80 by default, so enter port 80 as the public port if you want the device to be accessible from a web browser without having to specify a port number. However, some ISPs block port 80 so this may not work.
If you want to make multiple cameras or SecuritySpy servers on the same LAN available from the Internet, you must choose a different public port for each one. This will allow you to access each device independently, even though they may use the same private port.
This should always be set to TCP.
Enter the LAN IP address of the server (i.e. the Mac running SecuritySpy).
If you are having trouble working out how to set this up for your particular router, the very helpful portforward.com website provides setup guides for most routers, so should be able to guide you.
Once you have set up your DDNS name and configured your router's port forwarding settings, you will be able to access your SecuritySpy server from the Internet using an address like this:
Note that these public addresses may not work from within your network (this requires "loopback" in the router, which many do not support). To access your SecuritySpy server from within your network, use your Mac's LAN IP address instead.
You can set SecuritySpy to perform a range of actions in response to motion detection.
These actions include playing an alarm sound, sending an email containing still images, and launching an application or AppleScript.
Use our HomeHelper app to link your SecuritySpy CCTV system with HomeKit: for example, turn on a light when motion is detected in a camera, or trigger a camera to record if a HomeKit PIR sensor detects movement.
Using the Cynical SecuritySpy plugin, SecuritySpy integrates with the Indigo home automation application based on the X10 and INSTEON standards. You can trigger actions in your home in response to motion detected by SecuritySpy (no scripting required), or get SecuritySpy to record in response to an event detected by Indigo (using AppleScript).
When used in conjunction with our SecuritySpy iOS app, you can receive Push Notifications to your iPhone or iPad when motion is detected in a camera.
To find out how to use the SecuritySpy software itself, please see the SecuritySpy User Manual.
You may also find an answer to your question on the SecuritySpy Online Help pages.
If you still have unanswered questions, please email us at email@example.com.