The following are macOS-specific security configuration recommendations based on National Institute of Standards and Technology (NIST) guidelines. This guide is a starting point for anyone looking to secure macOS devices. Many of the recommendations below are not required but reflect best practices, so adjust the values to match your organization's security posture.
A system is only as secure as its administrator is capable of making it. No single technology, product or technique guarantees perfect computer security; a modern operating system and computer are very complex, and meaningfully improving one's security and privacy posture requires numerous incremental changes. When going through the recommendations, note that there is a tradeoff between security and convenience. A device with no password is extremely simple for everyday users, but it is not secure and exposes the end user and the company to risk.
Basic Security Profile Recommendations:
- Enable FileVault
- Enable MDM for Device Lock & Device Wipe Capabilities
- Enable Firewall
- Disable or Monitor Remote Login
- Disable or Monitor Remote Management
- AntiVirus Installed
- AntiMalware Installed
- Gatekeeper Enabled
- User Account - Password Best Practices
- Password Complexity Enforced
- Password History Restriction
- Password Lock after Failed Login Attempts
- Password Length Enforced
- Password requires Alphanumeric Value
- Passwords do not Allow Simple Value
- Require Password after ScreenSaver
- Start ScreenSaver after 15 Minutes
- Enable Login Banner with Company End-User License Agreement (EULA)
- Disable Guest User Account
- Disable Console Login Access
- macOS Security Updates
- macOS device with Addigy Mobile Device Management (MDM), and Addigy Agent installed (See Quick Start Guide for details)
Enable FileVault 2
Apple's FileVault 2 disk encryption protects the data on your Mac machines from being read by anyone who gains physical possession of them. Encrypting the boot volume with FileVault prevents an unauthorized user from copying data off the drive without a valid user password or recovery key. With MDM, disk encryption can be enforced across the fleet rather than enabled machine by machine. It's highly recommended to enable FileVault and escrow the FileVault recovery keys to Addigy, so that Device Administrators can retrieve a recovery key from within Addigy if a user is ever locked out.
Enable MDM for Device Lock & Device Wipe Capabilities
Apple's Device Lock and Device Wipe capabilities are two additional security measures to know about when managing macOS devices. These features are only available in Addigy when using Addigy's MDM framework. Depending on the situation, either Device Lock or Device Wipe can be used when a device is lost or when offboarding an employee. In both cases the company's data is protected from unauthorized access.
Apple: Remote Wipe and Remote Lock
Enable Firewall
The macOS Firewall protects the device from unwanted inbound connections initiated by other hosts when it is connected to the internet or a network. It is best practice to enable and configure the Firewall settings through MDM Configurations in Addigy.
Disabling or Monitoring Remote Login
Remote Login allows a user to SSH into a macOS device. It is best practice either to disable Remote Login, which prevents any SSH session, or to monitor when it is enabled. Note that Addigy Live Terminal depends on Remote Login and securely enables it when a Live Terminal session is started from Addigy. As the Device Administrator, if you do not want to use Live Terminal, you can disable it globally or at the policy level in Addigy, and then disable Remote Login to block all SSH sessions. Otherwise, it is recommended to create a monitoring item that alerts when Remote Login is enabled.
Disabling or Monitoring Remote Management
The macOS Remote Management setting allows Device Administrators to remotely log into devices using Apple's Screen Sharing utility or a VNC client. The setting is required for Live Desktop to work, so when Live Desktop is used, Addigy enables Remote Management on the device at the start of a session and disables it at the end. Best practice is either to monitor when Remote Management is used or to disable the setting and prevent all access. As the Device Administrator, if you do not want to use Live Desktop, you can disable it globally or at the policy level in Addigy, and then disable Remote Management to block any remote control session.
AntiVirus Installed
While Apple devices are designed with security in mind and include native antivirus system processes, it is still best practice to install antivirus software on a macOS device. This guide will not recommend one specific product, but note that most AntiVirus software on macOS requires Privacy Preferences Policy Control (PPPC), Kernel Extension (kEXT) and/or System Extension (sEXT) configurations to be applied before it works properly. In some cases the AntiVirus vendor will also ask for Full Disk Access. It is recommended to use Addigy Smart Software to build these required items with automation, or to build each item out manually. Please consult the AntiVirus vendor's documentation and the guides below to apply the appropriate items through Addigy.
AntiMalware Installed
As with antivirus software, this guide will not recommend one specific AntiMalware product; however, most AntiMalware tools likewise require Privacy Preferences Policy Control (PPPC), Kernel Extension (kEXT) and/or System Extension (sEXT) configurations to be applied before they work properly. Please consult the AntiMalware vendor's documentation and the guides below to apply the appropriate items through Addigy.
Gatekeeper Enabled
Apple's Gatekeeper functionality controls which apps can be downloaded and executed on macOS devices, ensuring only trusted software runs on a user's machine. Gatekeeper can be set to allow only software from the App Store, or to also allow software signed by a developer registered with the Apple Developer Program and notarized by Apple. If Gatekeeper is disabled, users can run any software downloaded from any source.
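As an added example (not Addigy's or Apple's code), a read-only audit script for the FileVault, Firewall, Remote Login and Gatekeeper recommendations above: it runs the built-in macOS status commands and exits non-zero when any of them deviates, which suits an Addigy monitoring item. The check names and the expected output strings are assumptions based on the commands' usual output; `evaluate()` works on captured text so it can be tested away from a Mac.

```python
import subprocess
import sys

# Each check: the macOS built-in command to run, the substring its output must
# contain for the device to be compliant, and the recommendation it covers.
# The expected strings match the commands' usual output on current macOS
# (an assumption worth re-checking when a new major version ships).
CHECKS = {
    "filevault": (["fdesetup", "status"],
                  "FileVault is On", "Enable FileVault"),
    "firewall": (["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
                 "Firewall is enabled", "Enable Firewall"),
    "remote_login": (["systemsetup", "-getremotelogin"],   # needs root
                     "Remote Login: Off", "Disable Remote Login"),
    "gatekeeper": (["spctl", "--status"],
                   "assessments enabled", "Gatekeeper Enabled"),
}

def collect():
    """Run every check command on this Mac and return name -> captured text."""
    outputs = {}
    for name, (cmd, _, _) in CHECKS.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
            outputs[name] = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            outputs[name] = f"error: {exc}"   # a missing tool counts as non-compliant
    return outputs

def evaluate(outputs):
    """Pure function over captured text, so it can be tested with saved output.
    Returns name -> (compliant, recommendation)."""
    return {name: (expected in outputs.get(name, ""), rec)
            for name, (_, expected, rec) in CHECKS.items()}

def noncompliant(outputs):
    """Sorted names of the checks that failed; an empty list means compliant."""
    return sorted(name for name, (ok, _) in evaluate(outputs).items() if not ok)

if __name__ == "__main__":
    results = evaluate(collect())
    for name, (ok, rec) in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name:<13} {rec}")
    # A non-zero exit lets an MDM monitoring item alert on any drift.
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it with sudo, since `systemsetup` only reports reliably as root.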
User Account - Password Best Practices
Below are several password policies that increase your security when most, if not all, of them are enforced. All of them can be enforced through an MDM Configuration, and the recommended settings below are based on the NIST security framework. Additionally, and separate from the NIST framework, we highly recommend enabling macOS user authentication and syncing with an Identity Provider via Addigy Identity. This allows Two-Factor Authentication on the macOS device and adds a further layer of security. Please see the Addigy Identity overview guide linked below for more information.
- Passwords do not Allow Simple Value - Disable “Allow Simple Passwords”.
- Password requires Alphanumeric Value - Require at least one letter and one number.
- Password History Restriction - Require 3 unique passwords before a password can be reused.
- Password Length Enforced - Minimum of 8 characters, up to a maximum length of 16.
- Password Complexity - Set “Minimum Number Of Complex Characters” to at least 2.
- Password Lock after Failed Login Attempts - Lock the device after 10 failed login attempts (macOS).
- Require Password after ScreenSaver - Require a password to exit the screensaver.
Start Screensaver after 15 Minutes
When paired with a password requirement, the screensaver is another effective way to reduce the risk of an unauthorized person using an unattended device. A 15-minute idle interval is long enough to assume the user has walked away, after which a password is required again before any sensitive data can be accessed. A different idle interval can be chosen to fit the applicable business compliance standards.
Enable Login Banner with Company End-User License Agreement (EULA)
The Login Banner should be configured to display the company's EULA. This reminds end users of the company's conduct policies, supports their enforcement, and helps return the device if it is lost.
Sample Message: “ABC Tech, LLC Company Managed Device. Please contact firstname.lastname@example.org via email if you need further assistance. The use of this device is in accordance with ABC Tech, LLC’s Code of Conduct.”
Disable Guest User Account
Disabling the Guest User account prevents anyone from logging in as Guest, a temporary sandboxed account that by default allows access without a password. It is recommended to disable the Guest User account on managed devices. The setting can be disabled through a Login Window MDM Configuration.
Disable Console Login Access
Disabling Console Login prevents anyone from opening the text-mode console login from the Login Screen. While the console is useful for advanced troubleshooting, what it exposes should only be reachable by authenticated users. It is recommended to disable Console Login on managed devices; it can be disabled through a Login Window MDM Configuration.
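As an added example (not Addigy's or Apple's own code), the password, screensaver, login banner, guest account and console recommendations above expressed as one device-scoped configuration profile built with Python's standard plistlib, together with a check that flags a Passcode payload whose values are absent or weaker than recommended (useful for auditing profiles exported from an MDM). The profile identifiers are placeholders, and the banner text is the first sentence of the sample message above.

```python
import plistlib
import uuid

# Recommended values from the list above, grouped by how a differing value is
# judged. Apple's Passcode payload has no maximum-length key, so the
# 16-character maximum cannot be expressed in it.
EXACT = {"allowSimple": False, "requireAlphanumeric": True,
         "maxGracePeriod": 0}          # 0 = password required right after the screensaver
AT_LEAST = {"pinHistory": 3, "minLength": 8, "minComplexChars": 2}
AT_MOST = {"maxFailedAttempts": 10,    # lock after 10 failed attempts
           "maxInactivity": 15}        # minutes idle before the screensaver starts
PASSCODE = {**EXACT, **AT_LEAST, **AT_MOST}
LOGINWINDOW = {"LoginwindowText": "ABC Tech, LLC Company Managed Device.",
               "DisableGuestAccount": True, "DisableConsoleAccess": True}

def payload(ptype, ident, settings):
    """One payload dict: the mandatory Payload* keys plus the settings."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": ident,
            **settings}

def build_profile(org="ABC Tech, LLC", ident="com.example.macos-baseline"):
    """Device-scoped profile carrying both payloads; ident is a placeholder."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": ident, "PayloadOrganization": org,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": "macOS baseline",
            "PayloadContent": [
                payload("com.apple.mobiledevice.passwordpolicy", ident + ".passcode", PASSCODE),
                payload("com.apple.loginwindow", ident + ".loginwindow", LOGINWINDOW)]}

def audit_passcode(settings):
    """Return one finding per recommended key that is absent or weaker."""
    findings = []
    for key, rec in PASSCODE.items():
        if key not in settings:
            findings.append(f"{key}: not set (recommended {rec})")
            continue
        val = settings[key]
        ok = (val == rec if key in EXACT else
              val >= rec if key in AT_LEAST else 0 < val <= rec)  # 0 is treated as no limit
        if not ok:
            findings.append(f"{key}: {val} is weaker than recommended {rec}")
    return findings

def write_profile(path="macos-baseline.mobileconfig"):
    """Serialize the profile as an XML plist ready to upload to the MDM."""
    with open(path, "wb") as f:
        plistlib.dump(build_profile(), f)
```

The profile is unsigned; sign it or upload it through the MDM so devices accept it.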
macOS Security Updates
Running the latest version of any operating system ensures your end users have the most recent security fixes, and macOS and iOS are no different. Apple continually updates macOS not only with enhancements and bug fixes but also with security improvements. Enabling macOS upgrades with Addigy helps ensure your fleet stays as up to date as possible.