Security Benchmark for macOS - Best Practice Guide

Overview

There has always been a perception that macOS devices are safer than Windows PCs in terms of security. The idea that Apple devices are impenetrable, or secure is widespread. But those times are long gone, as both platforms have seen zero-dat attacks and number of vunerabilities exposed in every OS release.

I’ll provide you with a list of configurations and settings in this article that you may use to strengthen the overall security of your macOS device fleet.

Disclaimer:

This guide is provided on an ‘as is basis without any warranties. You are responsible if you break anything or if something stops functioning as it should.

Benchmarks

This guide is based on recommendations from the Center for Internet Security (CIS) Benchmark as they are globally recognized and consensus-driven best practices for cybersecurity defences.

---

User Accounts & Access

When you power on the Macbook for the first, it goes through setup assistant screen which ask you to set a name, a username, and a password in order to set up your first user account. This account by default becomes the local administrator. Administrator accounts have the ability to modify or remove any file and install any program, which could be dangerous if the program is malicious.

• Disable password hints on logon window
• Force logon window to show username and password screen
• Disbale Guest accounts
• Remove guest home folder
• Enable file name extensions
• Enable parental controls

---

System Preferences & Restrictions

With Microsoft Intune, you can configure and enforce configurations and restrictions as minimum standard baselines for securing your MacBooks. These configurations & restrictions will help in protecting remote attacks on the device.

• Disable Bluetooth and Bluetooth Discoverable Mode

Apple does not allow MDM vendors to control the Bluetooth payload directly, so you will not find any setting in Intune portal to disable Bluetooth. However, you can still push a custom bash script to disable Bluetooth on your corporate macOS devices.

#!/bin/sh 
$ sudo defaults write/Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
$ sudo killall -HUP bluetoothd                          

• Enforce set time and date automatically

• Secure screen-saver corners and inactivity level

There is no default configuration available for securing the screensaver, but you can use the script available here to configure hot corner settings – Github

• Disable Sharing:

• Disable Remote Apple Events in Sharing
  • Disable Internet Sharing
  • Disable Screen Sharing
  • Disable Printer Sharing
  • Disable Remote Login (SSH)
  • Disable DVD or CD Sharing
  • Disable Bluetooth Sharing
  • Disable File Sharing
  • Disable Remote Management

• Energy Saver

• Enable FileVault

• Enable Encryption of all volumes

• Enable Firewall, Gatekeeper & Stealth Mode

• Enable location services and disable sending diagnostic data to Apple

• Block iCloud backup

• Enforce Time Machine Auto Backups

• Block Game Center

• Enable security audits and retain logs for at least 60-90 days.

---

Updates & Patches

Using Intune, you can easily create & deploy OS update policies to ensure that your macOS devices are always updated and fully patched.

• Enable Auto Update

• Enable app update installs

• Enable system data files and security update installs

• Configure Update Policies for macOS

---

Network Configurations

Few network configurations are also required to reduce the network-based attacks on the corporate devices.

• Configure Firewall
  • Before you Block all incoming connections, ensure that you allow signed software in the firewall setting to receive incoming connections to allow digitally signed applications access to your network without prompting.
  • Configure the firewall policy to block all inbound and outbound traffic that isn’t expressly permitted as an organization policy.
  • Enable “Wi-Fi” status to be shown in menu bar.
  • Block FTP, HTTP & NFS

---

Enable & Activate Antivirus Protection

It is true to some extent that Mac is a bit more secure as compared to Windows but still they can be infected by malware, malicious softwares/files or any zero-day attacks. To make sure, your devices are always protected, an enterprise endpoint security platform should always be installed on these devices.

You can refer to one of my previous article, to onboard the corporate owned macOS devices in Microsoft Defender for Endpoint:

macOS Management with Intune – Part II – Intune – In Real Life (intuneirl.com)

---

Security Configurations

With Intune, you can easily create and enforce baseline security policies to keep the corporate MacBooks secure.

• Enforce strong password policies

• Enforce password age & history requirements’

• Configure keychain to be automatically locked in case of inactivity

• Block the root account

• Block auto-login

• If possible use managed Apple ID

• Enforce the mac to require password on wake-up or from screen saver

• Block access to modifying system preferences

• Configure a corporate wallpaper & screensaver

• Configure account lockout threshold

• Secure home folders

• Enforce the corporate naming convention for macOS devices

• Block USB & external storage/media

• Deploy software metering & inventory applications to keep a track of software installed on the MacBooks

• Secure access to EFI with stong password

• Block Airdrop as unmanaged location

---

Wrapping Up

It is an everlasting list and it depends upon how secure you want the devices to be. Many of the settings, restrictions or configurations we discussed are pretty simple and should always be implemented. However, before you implement any of these benchmark, it is always advisable to perform a risk assessment of your environment and based on the feedback you should implement the policies.

I hope this will help you with configuring policies in Intune with giving more granular control over these modern and trendy devices.

---