April 5, 2019

4 Mac Management Tips to Help You Improve Security

According to statistics cited by Computer World, “1 percent of organizations are now using Mac and a phenomenal 99 percent are on iPad and iPhone.” As macOS devices continue to gain steam in the business sector, companies are faced with an increasing need to improve their “Mac management” capabilities to maximize their cybersecurity.

To help your organization improve its cybersecurity, here are a few Mac management tips:

Mac Management Tip #1: Review Your macOS Device Security Policies

Devices using Apple’s operating systems have a wide range of “convenience” features meant for general consumers that may pose a liability for businesses. For example, Mac computers have a guest login feature that allows unregistered users to access common files on the device. If the device were stolen, malicious actors could abuse that guest login feature to compromise the Mac.

So, a key “Mac management tip” is to review the security policies the macOS devices in the organization use and to verify that they address potential Mac security vulnerabilities. It can help to have a security configuration tool that allows IT admins to quickly review which security policies are active and to enable or disable them as needed.

The frequency of these reviews may vary depending on how security-conscious the organization is. At the very least, security policies should be reviewed after every major macOS update, whenever new software is added to the business’ workflows, or immediately following a security incident.

Mac Management Tip #2: Do More Than Just Meet NIST’s Minimum Benchmark Requirements

The National Institute of Standards and Technology (NIST) has a macOS benchmark that forms the basis for many other cybersecurity compliance standards. However, this benchmark, while useful for providing specific security policy settings that businesses need to follow to establish a baseline for effective cybersecurity, there is more to Mac security than simply following the minimum requirements.

There are many settings in the NIST macOS benchmark that aren’t scored, but are left in as optional security policies to follow. Going above and beyond to meet these unscored Mac security settings can help to improve the organization’s overall cybersecurity posture. It can also help to future-proof the organization’s NIST compliance against future versions of the benchmark that may make these optional policies mandatory.

Mac Management Tip #3: Use a Security Configuration Tool Optimized for Mac Security

Security configuration tools help organizations of all sizes apply specific security settings to the devices the business uses. However, many of these configuration tools pretty much only handle deployment—an IT admin actually has to manually code the configuration setting themselves.

Often, this is because the tool’s creators decided to make a “platform agnostic” tool, but did not have the resources to create custom settings for all available operating systems while keeping up with the latest patches for each OS.

When working to maximize Mac security, it helps to use a security configuration tool specifically made for macOS devices—one that enables codeless security configuration management. With a Mac security configuration tool that has codeless security setting controls, admins can enable or disable security rules with the simple click of a button—the security configuration tool provider handles the rest.


Mac Management Tip #4: Have a Firm BYOD Policy Regarding Device Data Management

If the Macs used in the organization are employee-owned, it is vital that the organization creates a comprehensive bring-your-own-device (BYOD) policy that addresses issues such as device location tracking, mandatory security apps/settings, and data management. If a macOS device is lost or stolen, the best way to prevent the data on the device from being abused may be to delete everything on it.

A data wipe could be triggered manually using an MDM solution, or a security setting can be enabled to wipe the device after a set number of failed login attempts. The first option is reliant upon getting a report of a lost or stolen device. The second option may result in accidental data loss if employees are bad about password entry.

Without a BYOD policy that clearly states when and why device data may be wiped—effectively warning employees that they may face data loss if they misplace their macOS device—there could be issues if the organization decides to activate this feature. After all, it isn’t just the organization’s data that will be on the employee-owned device. The employee may have photos and other documents on their macOS device that they may not be able to easily replace.

With a BYOD policy in place that is communicated to employees, they can at least be aware of the potential for data loss.

Curious about Kandji? Or, looking for more information and advice about cybersecurity on macOS devices? Subscribe to the Kandji blog to get notified when new articles arrive. 

Subscribe to the Kandji Blog

kandji badge

Secure Your macOS
Fleet Today

Sign up quickly and easily using your Gmail or Microsoft Office 365 business account or a verifiable business email address.