Nowadays, Macs cannot be treated as a niche platform in companies. We can find Macs in all sized companies – from startups to big companies with thousands of employees. It is not a big surprise that attackers also noticed this fact. During the security assessment, SecuRing team observed that Mac environments, in most cases, are quite immature and stand out from widely adopted Windows environments. This article will give you 5 tips that will radically improve the security of your macOS infrastructure.
Tip #1: Enroll your Macs into MDM
We observed situations when even in big companies Macs were unmanaged. Users could perform whatever actions they wanted. At the same time, these computers were connected to internal companies’ resources. Such a situation should not ever take place. Make sure you can control all Macs in your infrastructure, enforce security policies, install and update new software, detect potential threats and monitor suspicious actions.
Tip #2: Allowlist executables
Modern macOS versions have a lot of security improvements. Mechanisms like Notarization, Malware Removal Tool, and GateKeeper help users stay not infected. However, those features are not bulletproof. We have seen notarized malware that successfully bypassed all those enhancements. Implementing an allowlist of applications that can be launched can dramatically reduce the attack surface. Even if users somehow download malware notarized by Apple, they will not be able to launch it.
Tip #3: Implement multi-factor authentication
What about phishing campaigns that do not require any software to be installed? Stealing your users’ passwords that will allow accessing your Jira does not sound good either. Research shows that hardware tokens (U2F) have helped Google protect more than 85,000 employees from phishing since 2017 (the research ended in 2018). Implementing U2F is really rewarding. Consider requiring the U2F also when users log in to their macOS machines.
Tip #4: Enforce security policies
We are all used to security policies enforced on Windows machines (Group Policies). Why not implement such requirements on Macs? A feature that you are looking for is called Profiles. It can help you enforce secure passwords, a maximum idle time before locking the screen, disallow turning off the disk encryption, properly set up the firewall, and many other useful things.
Tip #5: Make sure your Macs are up-to-date
This idea looks the most obvious, albeit it is not. It is widely known that updating machines is important and protects users from getting infected by malware or attackers that use known vulnerabilities. SecuRing team observed that, in macOS environments, users procrastinate with updates containing even critical security fixes. A solution for that may be enforcing the minimum OS version. If users do not update their machines, they will not be able to access the company’s resources.
To sum up
Keep in mind that every operating system in your organization must be treated with the same degree of trust. Attacks on macOS environments are no longer a legend. These 5 quick tips I gave you are a good start to improving your macOS infrastructure security. If you are interested in a bespoke analysis of your case – feel free to book a 15 min discovery call with us or leave a message. We will get back to you.
Head of Mobile Security