If you are looking for an automated solution to ensure devices are more secure, please check out our Compliance Engine which offers options for CIS and NIST rules.
Note: At the time of writing, only CIS is supported for monitoring and remediation.
The following are macOS specific Security Configuration recommendations based on National Institute of Standards and Technology (NIST) guidelines. As the message above states, we recommend using our Compliance Engine. However, this guide exists for people who are looking to implement a few basic security principles.
Many of the recommendations below are not hard requirements but guidance drawn from best practices. We therefore recommend customizing the options to suit your organization's security posture.
Basic Security Profile Recommendation:
- Enable FileVault
- Enable MDM for Device Lock & Device Wipe Capabilities
- Enable Firewall
- Disable or Monitor Remote Login
- Disable or Monitor Remote Management
- AntiVirus Installed
- AntiMalware Installed
- Gatekeeper Enabled
- User Account - Password Best Practices:
  - Password Complexity Enforced
  - Password History Restriction
  - Password Lock after Failed Login Attempts
  - Password Length Enforced
  - Password requires Alphanumeric Value
  - Passwords do not Allow Simple Value
- Require Password after ScreenSaver
- Start ScreenSaver after 15 Minutes
- Enable Login Banner with Company End-User License Agreement (EULA)
- Disable Guest User Account
- Disable Console Login Access
- macOS Security Updates
Prerequisites
- macOS device with Addigy Mobile Device Management (MDM), and Addigy Agent installed (See Quick Start Guide for details)
Enable FileVault
Apple's FileVault encrypts the startup volume so that data at rest cannot be read without an authorized user's password or the recovery key; a lost or stolen Mac, or a drive removed from it, does not expose company data. Note that FileVault only protects data at rest: an unlocked, logged-in Mac is not protected by it, which is why the screen saver password settings below matter as well. With MDM you can enforce FileVault at enrollment instead of relying on users to turn it on. We recommend enabling FileVault and escrowing the personal recovery key to Addigy, so that Device Administrators can retrieve the key from Addigy if a user is locked out or the device must be accessed during an investigation.
References:
How-To: Enforcing FileVault with Addigy Mobile Device Management (MDM)
Apple: Managing FileVault in macOS
Enable MDM for Device Lock & Device Wipe Capabilities
Apple's Device Lock and Device Wipe are two additional security measures to know about when managing macOS devices. In Addigy these features are only available through Addigy's MDM framework. Remote Lock locks the Mac behind a PIN that you set, so it cannot be used until the PIN is entered; Remote Wipe erases it. Depending on the situation, either can be used when a device is lost or when offboarding an employee, and in both cases company data is protected from misuse. Keep in mind that both commands are delivered when the device next checks in with MDM, so a device that is offline will not act on them until it reconnects, and a wipe is not reversible: make sure the data you need is backed up or escrowed before issuing one.
References:
How-To: Remote Lock and Remote Wipe with Addigy Mobile Device Management (MDM)
Apple: Remote Wipe and Remote Lock
Enable Firewall
The macOS application firewall blocks unsolicited incoming connections to the device when it is connected to the internet or a network, on a per-application basis. It is best practice to enable and configure the firewall through MDM Configurations in Addigy rather than leaving it to the user; the Firewall payload also lets you turn on stealth mode (the Mac does not respond to probes such as ping) and, where the device does not need to accept any incoming connections, block all incoming connections except those required by basic services.
References:
How-To: Configuring the Firewall for Your Policies
Apple: About the application firewall
Disabling or Monitoring Remote Login
Remote Login is the macOS setting that allows SSH access to the device. Best practice is either to disable it, which prevents all SSH sessions, or to monitor it and alert when it becomes enabled. Note that Addigy Live Terminal relies on Remote Login: when a Live Terminal session is started from Addigy, Remote Login is enabled on the device for that session. As the Device Administrator, if you do not want to use Live Terminal, you can disable it globally or at the policy level in Addigy and then disable Remote Login on the devices to prevent any SSH session. Otherwise, create a monitoring item that alerts when Remote Login is enabled, and expect those alerts to coincide with Live Terminal sessions.
References:
How-To: Addigy Live Terminal Integration Overview
How-To: Monitoring Remote Login and Remote Access using Monitoring Items
Apple: Allow a remote computer to access your Mac
Disabling or Monitoring Remote Management
The macOS Remote Management setting allows Device Administrators to connect to devices with Apple's Screen Sharing utility or a VNC client. The setting is required for Live Desktop to work, so when Live Desktop is used, Addigy enables Remote Management on the device at the start of the session and disables it at the end. Best practice is to monitor when Remote Management is enabled or to disable it outright to prevent all remote control. As the Device Administrator, if you do not want to use Live Desktop, you can disable it globally or at the policy level in Addigy and then disable Remote Management on the devices to prevent any remote control session.
References:
How-To: Addigy Live Desktop Overview
How-To: Monitoring Remote Login and Remote Access using Monitoring Items
Apple: Allow Apple Remote Desktop to access your Mac
Installing AntiVirus
While Apple devices are designed with security in mind and ship with native anti-malware protections (XProtect and the Malware Removal Tool), it is still best practice to install antivirus software on managed macOS devices. This guide does not recommend one specific product, but note that most antivirus software on macOS requires a Privacy Preferences Policy Control (PPPC) payload, a Kernel Extension (KEXT) and/or System Extension payload to be deployed before it will work properly, and some vendors also require Full Disk Access. Prefer products built on System Extensions (the Endpoint Security framework): kernel extensions are deprecated by Apple and, on Apple silicon Macs, cannot be loaded without the user lowering the security policy in Recovery. We recommend using Addigy Smart Software to build these required items automatically, or building each item manually. Consult the antivirus vendor's documentation and the guides below to apply the appropriate items through Addigy.
References:
How-To: Creating and Deploying a PPPC Payload
How-To: System Extension Whitelisting with Addigy
How-To: Creating an MDM payload for Full Disk Access (FDA)
How-To: Installing SentinelOne with Addigy
How-To: Installing Webroot with Addigy
How-To: Installing Sophos with Addigy
Installing AntiMalware
As with antivirus software, this guide does not recommend one specific anti-malware product. Most anti-malware tools likewise require a Privacy Preferences Policy Control (PPPC) payload, a Kernel Extension (KEXT) and/or System Extension payload, and sometimes Full Disk Access, to be deployed before they will work properly. Consult the anti-malware vendor's documentation and the guides below to apply the appropriate items through Addigy.
References:
How-To: Creating and Deploying a PPPC Payload
How-To: System Extension Whitelisting with Addigy
How-To: Creating an MDM payload for Full Disk Access (FDA)
Apple: Protecting against malware
Enable Gatekeeper
Apple's Gatekeeper checks apps downloaded from the internet before they first run, so that only trusted software runs on a user's machine. Gatekeeper can be set to allow only software from the App Store, or to also allow software signed by a developer registered with the Apple Developer Program and notarized by Apple. If Gatekeeper is disabled, users can run any software downloaded from any source.
Gatekeeper settings can be managed via the Security & Privacy MDM profile. The same profile can prevent users from overriding Gatekeeper for an individual app (the Control-click Open and "Allow Anyway" paths), which is worth enforcing on managed devices.
References:
Apple: Using Gatekeeper in macOS deployments
User Account - Password Best Practices
Below are several password policies that increase security when most, if not all, are enforced. All of them can be enforced through an MDM Configuration (the Passcode payload). The settings recommended below are based on NIST guidance. Additionally, and separately from NIST, we strongly recommend enabling macOS user authentication against your Identity Provider via Addigy Identity, which brings Two-Factor Authentication to the macOS login and adds a further layer of security. See the Addigy Identity overview guide linked below for more information.
- Passwords do not Allow Simple Value - Disable "Allow Simple Passwords" (blocks repeating and sequential characters such as 1111 or 1234).
- Password requires Alphanumeric Value - Require at least one letter and one number.
- Password History Restriction - Remember the last 3 passwords so that none of them can be reused.
- Password Length Enforced - Minimum of 8 characters. Do not impose a short maximum: NIST SP 800-63B requires that passwords of at least 64 characters be accepted, and a low cap only prevents users from choosing long passphrases.
- Password Complexity - Require at least two complex (non-alphanumeric) characters via "Minimum Number Of Complex Characters". Note that NIST SP 800-63B does not recommend composition rules, so treat this and the alphanumeric rule as organizational choices rather than NIST requirements.
- Password Lock after Failed Login Attempts - Lock the account after 10 failed login attempts (macOS).
- Require Password after ScreenSaver - Require a password to wake from the screen saver or sleep, with the shortest grace period your users will tolerate (immediately is best).
References:
How-To: Creating a Payload for Password Settings
How-To: Addigy Identity Overview
Apple: Password Policies for Mac Deployments
Apple: Passcode MDM payload settings for Apple devices
Start Screensaver after 15 Minutes
When paired with a password requirement, the screen saver is another effective way to limit physical access to a device by unauthorized users. Starting it after 15 minutes of inactivity is a reasonable point at which to assume the user has walked away and to require a password before sensitive data can be accessed again. A shorter interval can be chosen to fit the applicable business compliance standards; a longer one widens the window in which an unattended, unlocked Mac is exposed.
References:
How-To: Creating a Payload for Password Settings
Enable Login Banner with Company End-User License Agreement (EULA)
The login banner should display the company's EULA or acceptable-use notice. This reminds end users of, and supports enforcement of, the company's conduct policies, and it gives whoever finds a lost device a way to contact the company.
Sample message: "ABC Tech, LLC Company Managed Device. Please contact it@abc.tech via email if you need further assistance. The use of this device is in accordance with ABC Tech's Code of Conduct."
References:
How-To: Enable a Login Banner using Addigy MDM
Disable Guest User Account
Disabling the Guest User account prevents anyone from logging in as Guest. The guest account is a temporary, sandboxed session whose home folder is deleted at logout, and when it is enabled it allows login without a password, so it gives an unauthorized person a foothold on the device. It is recommended to disable the guest account on managed devices. The setting can be disabled through a Login Window MDM Configuration.
References:
How-To: Disabling Guest User Accounts using Addigy MDM
Disable Console Login Access
Console login is the ability to type ">console" as the user name at the login window (when the login window shows name and password fields) to get a text-mode login instead of the graphical session. It still requires valid credentials, but it bypasses the graphical login session, including any login banner, and exposes a raw shell at the login screen. While it is useful for advanced troubleshooting, it is recommended to disable console login on managed devices; this can be done through a Login Window MDM Configuration.
References:
How-To: Creating a Payload for Disabling Console Login Access
macOS Security Updates
Running the latest version of an operating system ensures your end users have the current security fixes, and macOS is no different: Apple continually updates macOS not just with enhancements and bug fixes but with security patches. Enabling macOS updates and upgrades with Addigy helps keep your fleet as up to date as possible. Roll major upgrades out to a pilot group first so that incompatibilities with your security tooling (antivirus, system extensions, PPPC payloads) are found before they reach the whole fleet.
References:
How-To: Deploying macOS Updates
Apple: Secure software updates overview
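The script below is an example added to this guide, not Addigy's or Apple's code, to show what the monitoring item recommended in the Remote Login and Remote Management sections looks like when extended to the rest of the basic profile: a read-only audit that exits non-zero (the signal Addigy uses to raise an alert) when any setting is off. It assumes the command output formats noted in the comments, which are what recent macOS releases print; the 900-second screen saver threshold and the guest, console and banner settings come from the sections above. Each check_* function takes raw command output as its argument and prints ok or fail, so the parsing can be exercised with constructed output on any system; run_audit gathers live output and is only meaningful on macOS.

```shell
#!/bin/sh
# Added example (not Addigy's code): audit the basic security profile and
# exit non-zero when anything is off, in the shape of an Addigy monitoring item.
# Assumes the command outputs quoted in the comments below.

# fdesetup status -> "FileVault is On." / "FileVault is Off."
check_filevault() {
  case "$1" in *"FileVault is On"*) echo ok ;; *) echo fail ;; esac
}

# /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
#   -> "Firewall is enabled. (State = 1)"   (State = 2 is block-all mode)
check_firewall() {
  case "$1" in *"State = 1"*|*"State = 2"*) echo ok ;; *) echo fail ;; esac
}

# systemsetup -getremotelogin (needs root) -> "Remote Login: On|Off".
# Anything other than an explicit Off, including an error message, is a fail
# so the monitor alerts instead of silently passing.
check_remote_login() {
  case "$1" in *"Remote Login: Off"*) echo ok ;; *) echo fail ;; esac
}

# ps -axo comm -> one process name per line. Assumption: the Remote Management
# agent runs as ARDAgent whenever the service is enabled.
check_remote_management() {
  case "$1" in *ARDAgent*) echo fail ;; *) echo ok ;; esac
}

# spctl --status -> "assessments enabled" / "assessments disabled"
check_gatekeeper() {
  case "$1" in *"assessments enabled"*) echo ok ;; *) echo fail ;; esac
}

# defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled -> 0|1
# (an absent key prints nothing, which means the guest account is not enabled)
check_guest_disabled() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in 1) echo fail ;; *) echo ok ;; esac
}

# defaults read /Library/Preferences/com.apple.loginwindow DisableConsoleAccess
#   -> must be explicitly 1
check_console_disabled() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in 1) echo ok ;; *) echo fail ;; esac
}

# defaults -currentHost read com.apple.screensaver idleTime -> seconds, 0 = never
check_screensaver_idle() {
  v=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$v" in ''|*[!0-9]*) echo fail; return ;; esac
  [ "$v" -gt 0 ] && [ "$v" -le 900 ] && echo ok || echo fail
}

# defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText
#   -> the banner text; empty means no banner is configured
check_login_banner() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in '') echo fail ;; *) echo ok ;; esac
}

# softwareupdate -l -> contains "No new software available." when fully patched
check_updates() {
  case "$1" in *"No new software available"*) echo ok ;; *) echo fail ;; esac
}

# Print one result line and count failures in the global $fails.
report() {
  printf '%-18s %s\n' "$1" "$2"
  [ "$2" = ok ] || fails=$((fails + 1))
}

# Run every check against the live system; the return value is the number of
# failed checks, so the script exits non-zero (alert) when anything is off.
run_audit() {
  fails=0
  report filevault        "$(check_filevault "$(fdesetup status 2>&1)")"
  report firewall         "$(check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)")"
  report remote_login     "$(check_remote_login "$(systemsetup -getremotelogin 2>&1)")"
  report remote_mgmt      "$(check_remote_management "$(ps -axo comm 2>/dev/null)")"
  report gatekeeper       "$(check_gatekeeper "$(spctl --status 2>&1)")"
  report guest_disabled   "$(check_guest_disabled "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)")"
  report console_disabled "$(check_console_disabled "$(defaults read /Library/Preferences/com.apple.loginwindow DisableConsoleAccess 2>/dev/null)")"
  report screensaver_idle "$(check_screensaver_idle "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)")"
  report login_banner     "$(check_login_banner "$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null)")"
  report updates          "$(check_updates "$(softwareupdate -l 2>&1)")"
  return "$fails"
}

# Only perform the live audit on macOS; elsewhere the file just defines the checks.
if [ "$(uname -s)" = Darwin ]; then
  run_audit
fi
```

Run it as root on the device (systemsetup refuses to report Remote Login otherwise, and softwareupdate -l needs network access and can take a while). Because Addigy enables Remote Login for Live Terminal sessions and Remote Management for Live Desktop sessions, expect the remote_login and remote_mgmt checks to fail while those sessions are open; an alert that persists after the session ends is the one worth investigating.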