By Greg Keller Posted January 4, 2017
macOS devices have become some of the most popular platforms on the market today. Macs have a historically strong reputation regarding security. Apple continues to keep security at the forefront when innovating on their operating system. Even with strong macOS security at the OS layer, there are still a number of actions that IT admins should take to protect their Mac fleet.
Controlling User Accounts
One of the most important aspects of digital security in any context is the ability to control who has access to the device, applications, and data. You are effectively limiting the potential for a compromise by ensuring proper user access to Mac devices. Generally, most IT organizations like to create an admin login for themselves and a user account for the user. They may limit the ability of the user to take various actions on the device.
The challenge with Mac devices has been that IT organizations have not been able to centrally manage user accounts on macOS devices. With the advent of Directory-as-a-Service®, it is now possible to have central user management across your entire Mac fleet (and your Windows and Linux devices too).
A complementary feature to controlling user accounts on your Mac devices is to ensure that user passwords are strong. While this can mean any number of things to various organizations, it can include password length, complexity, reuse, and more. Historically, macOS devices have not been easily managed by the oft-used solution Microsoft Active Directory. But with more macOS devices within organizations, ensuring that those Apple devices are in compliance with password policies is critical.
Perhaps the strongest user authentication security step is to add multi-factor authentication (MFA, or 2FA for short) to the device. At login, the user must enter not only their password but also a PIN generated by a smartphone application such as Google Authenticator. This token ensures that a password alone can’t grant entry into the device. Directory-as-a-Service has Mac MFA included, making it an especially good option.
Full Disk Encryption (FDE)
Apple has included data-at-rest encryption technology with their full disk encryption (FDE) solution called FileVault. It keeps the disk drive encrypted while the machine is shut down, and decrypts it only upon boot-up and an authenticated login. A lost laptop becomes far less valuable when hackers can’t gain access to the data itself. Every macOS device should have FDE enabled.
While traditionally a bigger issue for Windows machines, viruses have started to plague macOS devices as well. Even if the platform is more resilient to viruses and malware, it is an inexpensive defense to add A/V technology to each Mac device.
As with all platforms, making sure that macOS devices are updated with the latest code is an important step. Over the years, Apple has started to increase the number of updates and security fixes to ensure that the latest code is being distributed to macOS devices. IT admins need to ensure that their users are updating their machines, or apply the updates for them automatically.
As macOS devices become more prevalent, it is critical for IT admins to take their security seriously. These key items should be evaluated for your Mac fleet. Many of these macOS security items are a significant step up.
Fortify macOS Security Via Directory-as-a-Service®
JumpCloud’s Directory-as-a-Service platform is a key enabler in helping increase macOS security. With our virtual identity provider, IT admins can centrally control user access to the Mac, ensure strong passwords, and enable multi-factor authentication. As a cloud directory, it also has the ability to execute tasks and commands on the Mac device, thereby helping ensure that full disk encryption is enabled, that anti-virus software is installed, and that software updates are being executed.