By Rajat Bhargava Posted July 25, 2016
The meteoric rise of Macs® in the enterprise started out in high-growth technology startups.
But now that popularity is extending to mainstream companies worldwide. Apple devices have become the platform of choice in many organizations – even though the IT department usually doesn’t want anything to do with managing Macs.
The Reason behind Mac Adoption is Simple
Apple® Mac laptops and desktops are high quality, high performance machines.
They are reliable, sleek, and – theoretically, at least – secure.
There is little doubt that the OS X (now simply known as macOS®) platform has been an upgrade from Microsoft® Windows® from a security perspective. But, even with a high quality OS, there is still more to do in securing Mac laptops and desktops.
Overview of Mac Security
In this post, we are going to suggest three key technologies to secure your macOS device: anti-virus/anti-malware, full disk encryption, and two-factor authentication.
While we are focused on securing the device principally in this post, we should also briefly discuss one other critical point to securing a Mac (and any other device for that matter).
This simple fact sometimes gets lost in the maelstrom of enterprise IT security: it is imperative to control the users that have access to a system.
Macs often are left unsecured with respect to user management because they don’t connect very well to legacy directory services such as Microsoft Active Directory® or OpenLDAP™. However, leaving Macs unmanaged can have serious consequences. Those devices can be compromised with weak credentials or through third party sites that have revealed a user’s password (which is then subsequently reused on the Mac and elsewhere).
The Cloud Directory is Mac-Inclusive
User access can be fully controlled including providing differing levels of access, enforcing password complexity standards, and ensuring passwords have been rotated. While we aren’t focused on this issue in this post, user access control is a core security issue and should be controlled for all Macs through a unified cloud directory.
Three steps to help you secure and protect your Mac devices:
Moving forward to securing a macOS device, there are three key steps that you should take. The benefits are tremendous as they should dramatically lower the chances of a breach or the disclosure of information.
Step 1: Install Anti-Malware (A/V)
While historically Macs were claimed to be resistant to any viruses or malware, that has been proven untrue. It is possible for a Mac to be hit with a virus, Trojan, or malware program that can compromise the device.
Admittedly it is far less common than Windows, but it is possible and there is very little downside to securing the device with an anti-virus / anti-malware tool. There are a number on the market to choose from and they can be centrally managed.
The costs for the software are also reasonable when you consider the benefit you are receiving in securing the device.
Step 2: Full Disk Encryption (FDE)
Mac OS X comes standard with disk encryption technology. The key is for users to turn it on.
IT admins can leverage centralized device management software such as JumpCloud to enforce that FDE is turned on and being utilized on each Mac.
When the machine is at rest, the data is encrypted. When the user logs in, their password decrypts their hard drive. The benefit is that if the device is stolen simply removing the hard drive and plugging it into a different Mac will not allow the thief or hacker to see the data.
For those organizations subject to compliance, we would encourage you to turn this on for your users. It is largely invisible to the end user and is a significant security step.
Step 3: Multi-Factor Authentication (MFA / 2FA)
Another critical step to securing the device is the addition of a multi-factor authentication token at login.
The token is generally delivered by a user’s smartphone. A username and password alone will not allow a user into the device. By adding a second factor of authentication, security improves exponentially.
Some people say, “I don’t have to worry about device security because all of the critical data is stored on the cloud – not on the device hard drive.”
But even with data stored on the cloud, a user’s device is critical to secure. Often a device is left ‘on’ and just put to sleep. If a user can break the password, that device is logged into any number of cloud services including email and other core applications.
Further, devices often contain sensitive information including source code, customer lists, and other data. Even with the cloud, a Mac system isn’t a ‘dumb terminal’ – it contains data and is a conduit to cloud applications and infrastructure.
Securing Your Macs is Worth It
Some IT admins have focused on the data portion of the problem and point the cloud as where everything sensitive is located. They’re right, but only to an extent.
The data is on the cloud, yes, but the conduit to the that data is the Mac itself. So securing the actual Mac devices is also an important task. Mac laptops are mobile and people are working from anywhere in the world, so the chance of a laptop theft is an important issue to be concerned about in addition to the device being compromised.
With cloud infrastructure and applications that cache access to a device, this can be a significant risk point. And, even if there were very little of consequence on the device, the level of effort to secure and control the device is low to gain significant security benefits.
The three security approaches that we have outlined – anti-malware, full disk encryption, and two-factor authentication – are all relatively straight-forward to implement. Most organizations can implement these steps even with a large fleet of Macs. When taken in conjunction with tight user management, systems become much more difficult to compromise.