By Jon Griffin Posted March 13, 2018
Mac security is a hot topic in the world of IT. Some admins like to implement Macs in their environment, and some admins want nothing to do with them. Part of this is because of the management options. The tools to manage Mac systems in the enterprise have been very limited in the past, and that can lead to security risks with the machines. Fortunately, that isn’t the case anymore. JumpCloud® Directory-as-a-Service® is built to manage Mac (as well as Windows and Linux) machines, so you can deal with the security risks of Macs with ease. In this post, we will demonstrate how easy disabling guest accounts on Macs can be, and how this can help to mitigate a security risk.
Guest Accounts on Mac
If you’ve been working in IT system management for a number of years, then you’ve likely heard about guest accounts as a security issue with Macs. When created, guest accounts can enable a user to log in to the machine without a password, or even an account. This presents a huge risk for IT, and that’s why disabling guest accounts is so important. The default guest account feature opens up the ability for a user to sign in to a guest account and execute malicious code on the machine or fill up the disk with unwanted files. Both of these can lead to problems down the road.
For most corporate environments (and we’d argue personal ones as well), there really is no need to have a guest account. If somebody needs to use a machine, they should use their own or their smartphone, not yours. If someone happens to come across a machine that isn’t theirs and they want to gain access, guest accounts are a potential vector for them to get in. Once they get in, all the malicious user needs to do is run code in the shared part of the drive to compromise the machine. Just like that, your company is compromised.
So, it’s clear why it is important to be able to disable guest accounts on Macs in the enterprise environment. What is the best way to go about making this restriction?
How to Mitigate the Guest Accounts Risk
There is a simple way to prevent this security risk: disable guest accounts. With manual management, this is easy enough for a few machines. But when you have multiple Macs in your office, it can quickly get out of hand. The process doesn’t need to be hard or complicated, however. With a cloud directory like JumpCloud Directory-as-a-Service, disabling guest accounts across a large number of Macs is simply a set-it-and-forget-it activity.
This ease of control is possible due to a GPO-like function within the cloud-based directory called Policies. By using the Policies feature, admins can set templated policies across Mac, Linux, and Windows machines with ease and at scale. All that is required is for the admin to configure the policy to disable guest accounts on your Macs, and then tie the policy to your group of Mac systems. Just like that, you have configured all Macs within that group to adhere to the security policy.
But what if a user tries to change the policy locally? Not a problem. JumpCloud’s Policies have resiliency, and if a user tries to revert the policy, the change will simply be overwritten. If you don’t even want to give users the option to get to the system preferences, you can create another policy that prevents that access.
Mac security is quick and easy with a cloud directory service that offers Policies. In just a few clicks, you can secure your Mac fleet from guest accounts.
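The guest login setting discussed above can also be checked on an individual Mac, which is useful for spot-verifying that a fleet-wide policy has taken effect. The script below is an added example, not JumpCloud code and not part of the original post. It assumes the setting is the `GuestEnabled` key in `/Library/Preferences/com.apple.loginwindow`, read with the macOS `defaults` tool; the function names are hypothetical, and treating an unset key as a finding is a choice made for this example.

```shell
#!/bin/sh
# Added example: audit (and with --enforce, disable) the macOS guest login.
# Run as root on the Mac being checked. Function names are illustrative.
PLIST=/Library/Preferences/com.apple.loginwindow

# Map the GuestEnabled preference to one of: enabled, disabled, unset.
guest_login_state() {
    value=$(defaults read "$PLIST" GuestEnabled 2>/dev/null) || { echo unset; return 0; }
    case "$value" in
        1|true|YES) echo enabled ;;
        0|false|NO) echo disabled ;;
        *)          echo unset ;;
    esac
}

# Compliant only when the key is explicitly off. An unset key is reported as
# a finding so every machine carries an explicit value (example's own choice).
guest_login_compliant() {
    [ "$(guest_login_state)" = disabled ]
}

# Turn the guest login off, then re-read the key to confirm it took effect.
disable_guest_login() {
    defaults write "$PLIST" GuestEnabled -bool NO || return 1
    guest_login_compliant
}

# Only act where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    echo "guest login: $(guest_login_state)"
    if [ "${1:-}" = "--enforce" ] && ! guest_login_compliant; then
        if disable_guest_login; then
            echo "guest login disabled"
        else
            echo "failed to disable guest login" >&2
        fi
    fi
fi
```

Without arguments the script only reports the current state; pass `--enforce` to change it.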
Manage Mac Systems with JumpCloud Policies
Sound like a tool that could benefit your company? Don’t take our word for it – test the innovative cloud directory and see for yourself. JumpCloud offers free accounts that are perfectly set up to test with, and they come with 10 users on us. Plus, each account has full access to the wide range of features offered, so you can see every aspect of the platform. Interested in a demo instead? We run live demos every week that you can attend and ask questions in. Sign up for one here.
We are always open to fielding questions and thoughts about our product, so if you would ever like to contact us, you can do so here.