By Daniel Ellis
DARE Systems Engineer
You wouldn’t be alone in thinking that Apple devices are more secure than other options on the market. However, this does not mean they are immune to cyber-attack attempts.
Let’s have a look at some of the things you can do to keep your Mac estate safe and secure.
Set a secure Password/Passcode.
Setting a strong login password is a vital first step to securing the contents of your Mac.
It is important to choose a password that cannot be easily guessed and is unique – not being re-used for other systems.
Utilising Jamf Pro and customizable Configuration Profiles, you can enforce password properties such as Maximum Passcode Age, Minimum Passcode Length, and much more. Doing so gives you peace of mind that your users are complying with the same secure strategy.
Taking password management one step further, Jamf Connect gives the opportunity to sync a user’s local Mac password to their identity provider login. This gives the user a streamlined experience, as they use the same password to log in to the Mac as they do to access their essential applications. This also presents the opportunity to use two-factor authentication or biometrics on a mobile device, depending on the Identity Provider.
Enable FileVault.
FileVault encrypts the information stored on a Mac, preventing any data on the Mac from being accessed without authorisation. Other security measures are introduced as well, such as the need to enter the login password when waking your Mac from sleep, or leaving the screensaver.
With Jamf Pro, you can automate FileVault encryption to ensure that your entire fleet becomes FileVault compliant, and its sensitive data is secure.
Jamf Pro can also handle the FileVault Recovery key, having it securely escrowed within the inventory record of the respective Device, safely storing it in the event it is required.
Standard Users vs Administrative Users.
Administrative users can read and edit almost every setting or piece of data in a Mac, install apps from potentially non-compliant websites, and much more. Limiting the availability of admin rights can ensure users do not have the access to make these potentially dangerous changes.
Jamf offers several ways of managing these administrative rights. Automated Device Enrollment (ADE) allows a user’s local account to be pre-set as Standard, whilst creating a separate Admin account consistent among every ADE Mac. Jamf Connect allows Admin rights to be user-based through the Identity Provider – useful for perhaps a developer team who need Admin rights, but a sales team who do not.
DARE can also create bespoke workflows that can allow temporary admin access to users when/if these rights are required.
Stay in control of what data apps can access.
An app can ask a user for access to directories it may not need access to. While a user can allow or disallow these privacy prompts, an easier way to manage this for a fleet of Macs is through Privacy Preferences Policy Control (PPPC) Profiles.
PPPC Profiles allow easy creation of custom profiles to grant/deny an app access to areas of the Mac, such as Full Disk Access, Screen Recording, Desktop etc.
Jamf has created a utility for creating these profiles, freely available at https://github.com/jamf/PPPC-Utility. Once created, a PPPC Profile can be uploaded to Jamf Pro and installed on devices, meaning you control the Privacy options for apps users install.
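As an added example (not from the original post, Jamf or the PPPC Utility), this short Python check reads a PPPC profile before upload and lists the grants worth reviewing. The payload type and key names follow Apple's published TCC profile payload; the bundle IDs, path and sample profile are constructed for illustration.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
# Services a profile can deny (or leave to the user) but cannot pre-approve.
DENY_ONLY = {"ScreenCapture", "ListenEvent", "Camera", "Microphone"}

def entry(ident, auth, kind="bundleID", pinned=True):
    """Build one constructed TCC entry; identifiers are hypothetical."""
    e = {"Identifier": ident, "IdentifierType": kind, "Authorization": auth}
    if pinned:
        e["CodeRequirement"] = f'identifier "{ident}" and anchor apple generic'
    return e

# Constructed sample profile, not a real export from PPPC Utility or Jamf Pro.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": TCC_PAYLOAD,
    "Services": {
        "SystemPolicyAllFiles": [entry("com.example.backup", "Allow"),
                                 entry("/usr/local/bin/helper", "Allow", "path", False)],
        "ScreenCapture": [entry("com.example.meet", "Allow")],
        "SystemPolicyDesktopFolder": [entry("com.example.game", "Deny")],
    }}]})

def audit(profile_bytes):
    """Return (service, identifier, issue) for each grant worth a second look."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                ident = e.get("Identifier", "?")
                # Older profiles carry a boolean "Allowed" instead of "Authorization".
                auth = e.get("Authorization") or ("Allow" if e.get("Allowed") else "Deny")
                if auth != "Allow":
                    continue
                if service in DENY_ONLY:
                    findings.append((service, ident, "allow is not honoured here"))
                if service == "SystemPolicyAllFiles":
                    findings.append((service, ident, "Full Disk Access: confirm need"))
                if not e.get("CodeRequirement"):
                    findings.append((service, ident, "missing CodeRequirement"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A signed profile is wrapped in a signature envelope and must be unwrapped before `plistlib` can parse it.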
A Security Platform with Apple at its core.
Many Anti-Virus and Security solutions are built for Windows Platforms, before being adapted to try and cover Apple system subtleties and differences.
Jamf Protect provides an Apple-based approach to Security, by leveraging the already strong security tools built into Mac and taking them to the next level with better visibility, control, and prevention of Mac-based attacks.
When integrated with Jamf Pro, Jamf Protect shines as a solution that can see a threat on a device, report that threat, and then place the impacted device in a Smart Group within Jamf Pro that can then be acted on quickly by cutting network capabilities, erasing the Mac, or any custom procedure.
Jamf Protect can also integrate with your existing SIEM solution, unifying your data.