January 27, 2019

CIS Compliance for macOS

These days, implementing a minimum level of security protections on your organization-owned devices is expected by your customers, suppliers, and employees. Whether you leverage an outsourced IT group (such as an MSP or MSSP) or have an internal team, best practices around endpoint security should be taken seriously. The challenge is that many organizations don't know where to start, and their MDM/EMM solution (if they have one) only covers a few basic settings, which simply won't cut it. Luckily, the Center for Internet Security (CIS) is an excellent starting point, and is considered by many to be the 'Gold Standard' of IT security and compliance. CIS has a global community of cybersecurity experts and has published 100+ configuration guidelines for various technology groups to safeguard systems against today's evolving cyber threats.

CIS has worked with the Apple community since 2009 to publish a benchmark for each version of Apple's desktop OS, known as macOS (fka OS X). Their latest release contains specific configuration recommendations for Apple macOS 10.13 High Sierra, while their Apple macOS 10.14 Mojave benchmark is currently in the works. These are exhaustive documents that cover a wide range of security compliance policies and best practices. Here are a few examples of recommended settings from the latest CIS benchmark for macOS:

  • Disable Screen Sharing
  • Disable "Wake for network access"
  • Ensure nfs server is not running
  • Reduce the sudo timeout period

The current release, "CIS Apple macOS 10.13 Benchmark" (195 pages), provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.13. It contains over 100 individual recommendations, each assigned to either the 'Level 1' or the 'Level 2' profile. Additionally, recommendations are marked as either 'Scored' or 'Not Scored'. Scoring allows organizations to conduct internal and/or external security compliance audits to assess organization-wide participation. We elaborate briefly on Profile Definitions and Scoring Information below.

Profile Definitions

  • Level 1 - Items in this profile intend to:
    • be practical and prudent;
    • provide a clear security benefit; and
    • not inhibit the utility of the technology beyond acceptable means.
  • Level 2 - This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
    • are intended for environments or use cases where security is paramount;
    • act as a defense-in-depth measure; and
    • may negatively inhibit the utility or performance of the technology.

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

  • Scored - Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
  • Not Scored - Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.

In the benchmark, each individual recommendation is documented with its 'Profile Applicability' (Level 1 or Level 2), scoring status (Scored or Not Scored), 'Description', 'Rationale', 'Audit' instructions, 'Remediation' instructions, and 'Impact'.
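One way to turn the four recommendations listed above into an Audit-style spot check, as an added example (not code from the original post or from Kandji). The commands and expected output strings are my reading of the benchmark's Audit sections and are assumptions to verify against the published document; each check function takes captured command output as its argument, so the rules can be exercised with sample data on any POSIX shell while live collection only runs on macOS.

```shell
#!/bin/sh
# Added example, not from the original post: a spot-audit of the four
# recommendations quoted above, shaped like the benchmark's Audit sections.
# Command names and expected strings are my reading of the benchmark;
# confirm them against the published document before relying on them.
# Each check_* takes *captured* command output as $1 and returns 0
# (compliant) or 1 (not), so the rules run on any POSIX shell; the live
# collection at the bottom only runs on macOS, where the commands exist.

# Disable Screen Sharing: compliant when the screensharing job is not loaded.
check_screen_sharing() {  # $1 = output of `sudo launchctl list`
  ! printf '%s\n' "$1" | grep -q 'com.apple.screensharing'
}

# Disable "Wake for network access": compliant when systemsetup reports Off.
check_wake_on_network() {  # $1 = output of `sudo systemsetup -getwakeonnetworkaccess`
  case "$1" in
    *"Wake On Network Access: Off"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Ensure nfs server is not running: compliant when no nfsd process is listed.
check_nfs_server() {  # $1 = output of `ps -ef`
  ! printf '%s\n' "$1" | grep -qi 'nfsd'
}

# Reduce the sudo timeout period: compliant when an uncommented Defaults line
# sets timestamp_timeout to 0 (the remediation value, as I read the benchmark).
check_sudo_timeout() {  # $1 = contents of /etc/sudoers (read with `sudo cat`)
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*Defaults[[:space:]].*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9]|$)'
}

report() {  # $1 = recommendation title, $2 = exit status of its check
  [ "$2" -eq 0 ] && echo "PASS  $1" || echo "FAIL  $1"
}

# Live collection: the commands above exist only on macOS.
if [ "$(uname)" = "Darwin" ]; then
  check_screen_sharing "$(sudo launchctl list)";                       report "Disable Screen Sharing" $?
  check_wake_on_network "$(sudo systemsetup -getwakeonnetworkaccess)"; report "Disable Wake for network access" $?
  check_nfs_server "$(ps -ef)";                                        report "Ensure nfs server is not running" $?
  check_sudo_timeout "$(sudo cat /etc/sudoers)";                       report "Reduce the sudo timeout period" $?
fi
```

A FAIL line maps directly to that recommendation's Remediation section in the benchmark; the checks are read-only and change nothing on the machine.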

As you can tell, although CIS has done an excellent job of organizing and publishing recommendations, most organizations don't have the resources or know-how to execute on them. As previously mentioned, the current benchmark is 195 pages. Furthermore, each new OS release requires updates, which can itself be very time-consuming. This is why we built Kandji.

Before Kandji, organizations had three options to comply with CIS:

  • Manually apply each recommended setting to each Mac, and hope they stayed that way.
  • Manually write, deploy, and maintain code (scripts) for each recommended setting.
  • Risk not being secure or compliant, and hope nothing bad happens.

With Kandji, you can say goodbye to coding to comply with CIS. Simply click the toggle next to the parameters you wish to enable and you're done. Soon, Kandji will make this even easier by presenting a single toggle that enables the entire CIS benchmark with one click. Welcome to 'one-click security compliance'.

Give Kandji a try today. CIS Compliance made easy.
