Table of Contents
Welcome to part three of the macOS management series, wherein I will help you with understanding the different macOS settings that should be managed with compliance policies & system preferences. And then will cover some required device restrictions also.
Using the compliance policies in Microsoft Intune, you can ensure that only trusted users from compliant macOS devices can access your company resources.
I will not go through the steps to create the compliance policy as it’s a simple, straightforward configuration and is already available on numerous blog posts. Many a time, I have seen that we follow the steps in these guides and configure the policies by simply copying the steps from these guides.
So, If you are the one who will manage these endpoints, then you should know: what are you configuring? Is the policy needed in your environment? What will impact?
Let’s get started then by understanding the components in macOS compliance policies.
System Integrity Protection
The first policy to configure is System Integrity Protection (SIP). SIP in macOS protects the entire system by preventing unauthorised code execution. Apple’s system is smart enough to authorise apps that users download from the App Store. If you allow the users to download the apps from trusted developers, the system also authorizes them as the developer will notarize them.
When you enable this setting in the compliance policy, OS will block the launching of all other apps.
Failure to enable SIP leaves your computer vulnerable to malicious code.
Minimum / Maximum OS Version
You can enforce minimum and maximum OS version requirements for corporate macOS devices. When a device fails to comply with the configured versions, it is reported as non-compliant. Based on the conditions you have configured in conditional access, the device won’t be allowed to access organization resources until the device is compliant or a rule changes to allow the OS version.
If you want stricter controls, you can also enforce settings for specific build numbers that you want to be enforced as the minimum allowed.
Next is enforcing the password policy. You should configure this policy to ensure a password is required to access and use Mac that is enrolled in Intune. This policy uses the Passcode payload, and when the payload is installed on the device, users have 60 minutes to enter a password. If users don’t do so within that time, the payload forces them to enter a password using the specified settings. The settings available for the passcode payload are:
|Blocksimple value||Blocks users from using sequential or repeated characters in their passwords—for example, “3333” or “DEFG.”|
|Require alphanumeric value||Requires that the password contain at least one letter and one number.|
|Minimum length||Specifies the minimum number of characters a passcode or password can contain.|
|Minimum number of complex characters||Specify the number of characters (such as $ and !) the password must contain.|
|Maximum passcode or password age (in days)||Requires users to change their password at the specified interval. It can be set to “none” or from 1 to 730 days.|
|Maximum Auto-Lock (in minutes)||If the device isn’t used for the period of time you specify, it automatically locks. It can be set to “none” or can be set to lock after 1 to 5 minutes.|
|Passcode or password history||A device refuses a new password if it matches a previously used password. You can specify how many previous passwords are remembered and compared. It can be set to “none” or from 1 to 50 passwords.|
|Maximum number of failed attempts||Forces a device to be erased after a specified number of incorrect attempts. If you don’t change this setting, after six failed attempts, the device imposes a time delay before a password can be entered again. The time delay increases with each failed attempt. After the final attempt on a Mac computer, the user account gets disabled.|
|Delay after failed login attempts||The number of minutes before the log in window reappears after the maximum number of failed attempts is reached.|
|Force a password change when the user authenticates||Forces users to enter a new password the next time they authenticate.|
macOS includes a security technology called Gatekeeper, which helps to ensure that only trusted software runs on your Mac. When an end user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn’t been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to ensure the user hasn’t been tricked into running executable code they believed to be a data file.
By default, Gatekeeper helps ensure that all downloaded software has been signed by the App Store or signed by a registered developer and notarized by Apple. As a standard practice, you can allow launching the apps downloaded from the App store and identified developers.
Enabling “stealth mode” makes it more difficult for hackers and malware to find your Mac. When stealth mode is on, your Mac doesn’t respond to either “ping” requests or connection attempts from a closed TCP or UDP network. However, it will respond to incoming requests from known apps.
Block Incoming Connections
⚡💣 This can block all connections to your mac devices. If you are using then make sure you allow the apps in firewall policy.
Blocking all incoming connections on the firewall will protect your Mac from unwanted contact initiated by other computers when connected to the internet or a private network. However, your Mac can still allow access through the firewall for some services and apps. For example:
- If users turn on a sharing service, such as file sharing, macOS will open a specific port for the service to communicate through.
- An app or service on another system can request access through the firewall, or it might have a trusted certificate and be allowed access.
You can further configure it in firewall settings to allow or restrict certain apps.
With all the required info now, this is how your compliance policy should look like:
Now, we move to the next part with configuring restrictions, and I will use the settings catalogue for them:
Software Update Policies
Enable Auto Update
- This enforces the “Automatically check for updates” payload, and the macOS will check for the updates in the background for new malware definition files from Apple for XProtect and Gatekeeper.
Enable Download New Updates When Available
- This ensures that updates happen on time and the system is not exposed to additional risk.
Enable Installation of App Update
- This makes sure that the software is patched automatically.
Enable System Data Files and Security Updates
- This policy ensures that system patches are applied on time and reduces the risk of vulnerabilities being exploited.
Software Update Deferment Is Less Than or Equal to 30 Days
- This ensures you get time to test the major OS upgrades before rolling them to all users.
Ensure Standard naming patterns avoid collisions and mitigate risk for computer users.
Below is a list of standard configurations you can configure for your company-owned macOS devices.
- Enable “Bluetooth” Status in Menu Bar
- Enable “Wi-Fi” status in Menu Bar
- Enable “Set time and date automatically“
- Enforce a corporate Desktop & Screen Saver on all macOS devices
- Make sure that Screen Saver Corners are secure
- Enable Close View Hotkeys for securing screen saver
📢⚡Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain to the system.
- Block AirDrop on all corporate-owned macOS devices
📢⚡AirDrop can allow malicious files to be downloaded from unknown sources.
Security & Privacy
Below is a list of standard restrictions you can configure for your company-owned macOS devices.
- Ensure FileVault Is Enabled (I will cover FileVault in a dedicated post soon!)
- Ensure Firewall Is Enabled
- Ensure Firewall Stealth Mode Is Enabled
- Ensure Location Services Are Enabled
- Ensure Sending Diagnostic, and Usage Data to Apple Is Disabled
- Ensure Limit Ad Tracking Is Enabled
- Ensure Gatekeeper Is Enabled
- Ensure an Administrator Password Is Required to Access System-Wide Preferences
- Disable iCloud Keychain sync
- Disallow iCloud Drive sync
- Ensure iCloud Drive Document, and Desktop Sync Is Disabled
Ensure Backup Automatically is Enabled
- Ensure Guest Accounts Is Disabled & users’ Accounts Do Not Have a Password Hint
- Ensure the “root” Account Is Disabled
- Audit Software Inventory
Stay tuned for the next part, where I will cover app deployment using shell scripts.