macOS Benchmarks
As part of our Device Compliance features, we make available a set of pre-built benchmarks to easily test and enforce your Mac devices for CIS, DISA STIG, CMMC and NIST compliance.
These benchmarks are available for anyone to deploy in just a few seconds. You can find these ready-to-deploy benchmarks in the Compliance tab of the catalog.
iOS Benchmarks
Addigy also provides pre-built iOS Compliance Benchmarks that push down a profile to iPhones and iPads that aligns with CIS and DISA STIG guidelines for iOS Compliance. This benchmark varies from the others as it only pushes a profile and the monitoring is based on the successful deployment of the profile.
FAQ
Which benchmark should I use?
Your security requirements are up to your organization. The Level 1 CIS set consists of over 80 rules that provide very comprehensive security. The NIST options are even more rigid. For many customers, the full set is too strict, so they simply clone the original and select only the rules needed.
Where are the pre-built benchmarks generated from?
Prebuilt benchmarks are based on the guidelines provided by the Center for Internet Security and National Institute of Standards and Technology. We also leverage open-source resources such as https://github.com/usnistgov/macos_security
Is there a risk to using a pre-built benchmark?
The rules from CIS and NIST are open source and regularly tested. We're confident that they provide the best option for industry-recommended security. Furthermore, we constantly monitor the spec for any changes so that the rules you assign are updated as needed.
Whats the difference between a Benchmark and a Baseline?
In its simplest terms, Benchmarks are meant to be applied in totality with all rules accounted for, while Baselines are more of a catalog of rules that are never meant to be applied in totality. In some case, Baselines can even have conflicting rules.
I have other compliance rules that aren't in either spec.
A common compliance rule many organizations have is that anti-virus software be installed on all devices. Creating custom rules and benchmarks is easy and your custom benchmarks can be assigned to the same policy(ies). We recommend using the official rules when possible because they may get updated from time to time.
Should I select Monitor and Remediate or Monitor-Only?
Monitor and Remediate will enforce compliance on the device by running scripts or installing profiles as needed to ensure that each device passes the benchmark. Most customers prefer Monitor and Remediate to reduce the need for a human admin to be involved. Monitor-Only will run the same tests but will not attempt to fix any issues. Reports are available to see which rules passed or failed for each device.