macos Security Checklist:

Similar documents
macos Security Checklist:

Apple OS Deployment Guide for the Enterprise

If your Mac keeps asking for the login keychain password

Apple 9L OS X Support Essentials

Additional Resources

QuickStart Guide for Managing Computers. Version

Secure your Snow Leopard

QuickStart Guide for Managing Computers. Version

Secure your Snow Leopard. Mac OS X Structure

9L0-412 Q&As. OS X Support Essentials 10.8 Exam. Pass Apple 9L0-412 Exam with 100% Guarantee

PassGuide.9L0-422_82,QA

Apple EXAM - 9L OS X Support Essentials 10.9 Exam.

QuickStart Guide for Managing Computers. Version 9.73

QuickStart Guide for Managing Computers. Version 9.32

What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services

CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Security Challenges: Integrating Apple Computers into Windows Environments

File Services. File Services at a Glance

DreamFactory Security Guide

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Apple Pro Training Series: OS X Support Essentials Updates & Errata

Welcome to Centrify DirectControl Agent for Mac, Centrify Endpoint Services

What's New with MunkiReport. John Eberle

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

epldt Web Builder Security March 2017

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Apple 9L Apple Certified Technical Coordinator v10.4 Update.

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Welcome to Centrify DirectControl Agent for Mac, Centrify Endpoint Services

Citrix SSO for Mac OS X. User Guide

Windows. Not just for houses

SeaSonde on macos Sierra

macos Support Essentials Supporting and Troubleshooting macos High Sierra Exam Preparation Guide

Mac Integration Basics Participant Guide

Cyber security tips and self-assessment for business

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Citrix Desktop for Home Computers Mac OS Instructions

Windows 10. Tech Note. Open the Window to Endless Possibilities. Windows for the Enterprise. Universal App Experience

Mac Integration Basics Adding a Mac to a Windows or Other Standards-Based Network Course Guide

Mac OS X (10.8.2) Mt. Lion

VMware Workspace ONE UEM Integration with Apple School Manager

ObserveIT 7.1 Release Notes

Comodo Dome Shield - Admin Guide

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

PCI DSS Compliance. White Paper Parallels Remote Application Server

Colligo Briefcase. for Good Technology. Administrator Guide

Apple Server Diagnostics User Guide. For Version 3X109

ZENworks Reporting ZENworks Reporting Universe Objects and Predefined Reports Reference. July 2017

Liferay Security Features Overview. How Liferay Approaches Security

What Dropbox Can t Do For Your Business

SSH Product Overview

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

Lesson Review Questions and Answers

Tips for Passing an Audit or Assessment

Altiris Client Management Suite 7.1 from Symantec User Guide for Mac Management

What s New. New and Enhanced Features in NetSupport DNA v4. Welcome Dashboard. Auto Discovery. Platform Support

Procedure for Connecting to OIL VPN

22 August 2018 NETOP REMOTE CONTROL PORTAL USER S GUIDE

New to Mac. Viewing Options in Finder:

Reporting with MunkiReport. John Eberle and Rick Heil

Release Notes and Advisories Guide. BlackBerry UEM Version 12.7 and all maintenance releases

Cyber Essentials Questionnaire Guidance

1. Initial Document. 2. Revision. 3. Acknowledgements. 4. Usage. macos Server Security Best Practices

ForeScout Extended Module for Carbon Black

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Master Your Mac. simple ways to tweak, customize, and secure os x

Back to My Mac User Guide

SERVER HARDENING CHECKLIST

W H IT E P A P E R. Salesforce Security for the IT Executive

Quick Audience Survey. New to imaging on Macs? Have Mac OS X Server(s)? Basic Scripting Skills? Have Windows (SMB) Servers?

jamf Nation - London Roadshow

Pulseway Security White Paper

Apple Device Management

CompTIA A+ Accelerated course for & exams

Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf Pro

Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro. Technical Paper Jamf Pro or Later 16 July 2018

Casper Suite Release Notes. Version 9.6

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Apple Exam 9L0-402 Support Essentials 10.5 Version: 5.0 [ Total Questions: 100 ]

Windows. Not just for houses

Cloud Security Whitepaper

Managing Devices and Corporate Data on ios

Contents User Guide... 1 Overview... 1 Create a New Report... 3 Create Report... 3 Select Devices... 3 Report Generation... 4 Your Audit Report...

Cloud FastPath: Highly Secure Data Transfer

McAfee Endpoint Security Migration Guide. (McAfee epolicy Orchestrator)

2015 Mobiliya. All Rights Reserved Page 2

VMware AirWatch tvos Platform Guide Deploying and managing tvos devices

FileVault 2 Decoded. Rich Trouton Howard Hughes Medical Institute, Janelia Farm Research Campus

AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.

PROPERTY MANAGEMENT INSTRUCTIONS FOR COMPLETING THE DEPARTMENTAL INVENTORY

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Deploying ipad to Patients Setup Guide

Lookout Mobile Endpoint Security. Deploying Lookout with BlackBerry Unified Endpoint Management

Penetration testing using Kali Linux - Network Discovery

Practical Network Defense Labs

Cybersecurity and Encryption 101 for Lawyers

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Transcription:

WHITE PAPER macos Security Checklist: implementing the Center for Internet Security Benchmark for macos Recommendations for securing macos The Center for Internet Security (CIS) benchmark for macos is widely regarded as a comprehensive checklist for organizations to follow to secure their Macs. This white paper from Jamf the Apple Management Experts will show you how to implement the independent organizations recommendations. To see how Jamf Pro can help you manage Mac in your environment visit: www.jamf.com

What Is Jamf Pro? Jamf Pro is a set of administrative tools to help you manage your Apple devices. What is Jamf Pro Server? Jamf Pro Server is the management server component to the suite and runs on a Mac, Windows, or Linux server. What is a Policy? A Policy is the main tool used to implement changes to a client Mac. Jamf Pro Server sends commands to an agent on the Mac. WHO IS THE CIS? The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities. HOW THE CIS BENCHMARK WAS CREATED The CIS Benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.

Categories Of Security For macos UPDATES & PATCHES SYSTEM PREFERENCES icloud LOGGING & AUDITING NETWORK CONFIGURATION USER ACCOUNTS ACCESS & AUTHENTICATION OTHER CONSIDERATIONS Installing Updates, Patches, and Security Software Jamf Pro enables you to keep your OS and Applications up to date by packaging and deploying updates to your client Macs remotely. You can even report on which machines have been updated and which are still pending. Verify OS and apps are up to date via a Software Update tool Enable Auto Update in App Store Enable Auto Security Updates Patch Management in Jamf Pro allows you to keep macos up to date A custom Software Update Server lets you whitelist approved updates to your Macs Run a Policy to enable Auto-Update via App Store Run a Policy to check for updates on a client Mac

System Preferences Jamf Pro helps you configure System Preferences to meet your organization s security needs. Common settings such as passwords and screen saver can easily be turned on remotely and en masse to ensure restricted physical access to Macs. Advanced settings such as disabling SSH or file sharing can also be set to make your Mac secure against remote attacks. Bluetooth: Disable Bluetooth Disable Bluetooth Discoverable Mode Date & Time: Enable set time and date automatically Desktop & Screen Saver: Set screen saver to 20 minutes or less Enable hot corner to start screen saver Set Display Sleep to a value larger than Screen Saver Sharing: Disable Remote Apple Events in Sharing Disable Internet Sharing Disable Screen Sharing Disable Printer Sharing Disable Remote Login (SSH) Disable DVD or CD Sharing Disable Bluetooth Sharing Disable File Sharing Disable Remote Management (ARD) Energy Saver: Disable wake for network access Disable sleeping the computer when connected to power Security & Privacy: Enable FileValut 2 Enable Gatekeeper Enable Firewall Enable Firewall Stealth Mode Review Application Firewall rules (http://support.apple.com/en-us/ht201642) Other: icloud (see section below) Enable Secure Keyboard entry in terminal.app Java 6 is not the default Java runtime Use Secure Empty Trash All of the above System Preferences can be set via a Jamf Pro Server Policy and/or Configuration Profile FileVault 2 can be enabled and keys escrowed in Jamf Pro Server s inventory Screen Saver and Password Settings can be set Sharing Settings can be set Security & Privacy settings can be set Policy to disable Java can be deployed

icloud and Other Cloud Services Jamf Pro helps implement your organization s icloud strategy by giving IT admins the ability to either block or enable the cloud-based service. Apple s icloud is just one of many cloud based solutions being used for data synchronization across multiple platforms and it should be controlled consistently with other cloud services in your environment. Work with your employees and configure the access to best enable data protection for you mission. icloud can be disabled via a Configuration Profile and/or Jamf Pro Server Policy If icloud is not allowed, icloud Drive can be removed from Finder Logging and Auditing Jamf Pro can help IT admins keep track of the logs that macos generates and centralizes them in one place. Admins can also run advanced reports on those logs to look for any potential security issues. Configure asl.conf Retain system.log for 90 or more days Retain appfirewall.log for 90 or more days Retail auth.log for 90 or more days Enable security auditing Configure Security Auditing Flags Enable remote logging for Macs on trusted networks Retain install.log for 1yr or more Configuration profiles can be modified via a script Log files can be sent to the Jamf Pro Server and stored as long as needed Additional logs can be chached by the Jamf Pro Server

Network Configurations Jamf Pro makes rolling out network configurations easy for IT admins by distributing Wi-Fi, VPN, and even DNS settings. Jamf Pro also ensures some of the legacy server components of macos are disabled so users are not accidentally opening up ports they don t know about. Ensure Wi-Fi status is in the menu bar Create network specific locations Ensure http server is not running (Apache) Ensure ftp server is not running Ensure NFS server is not running Network settings can be built into a Configuration Profile Apache, FTP, and NFS can all be disabled via Jamf Pro Server Policy User Accounts and Environment Jamf Pro helps an organization manage local accounts on a Mac allowing the creation of admin or standard users. The JAMF binary that lives on client machines creates a hidden management account that has admin rights to execute commands and create new users. Policies can be created to further secure the login screen and disable the guest account. Display login window as name and password only Disable show password hints Disable guest account Disable allow guests to connect to shared folders Turn on filename extensions Disable the automatic run of safe files in Safari for different purposes Login window can be configured via Configuration Profile Guest account can be disabled via Jamf Pro Server Policy User accounts can be created via Setup Assistant and DEP or imaging Accounts created can either be Standard or Admin, based on needs

System Access, Authentication, and Authorization Jamf Pro helps set file permissions, manage keychain access, and set strong password polices for users. By creating a configuration profile or Jamf Pro Server policy, you can remotely enable system access settings to create a more secure Mac. Secure Home Folder (deny read permissions to other home folders) Repair permissions regularly Check system-wide applications for permissions Check System folder for world writable files Check Library folder for world writable files Reduce the sudo timeout period Automatically lock the login keychain for inactivity Ensure login keychain is locked when the computer sleeps Ensure OCSP & CRL certificate checking Do not enable the root account Disable automatic login Require a password to wake the computer from sleep Require an admin password to access systemwide preferences Disable ability to login to another user s active and locked session Complex passwords (contains numbers, letters, and symbols) Set minimum password length Configure account lockout threshold Create a custom message for the Login Screen Create a login window banner Disable password hints Disable Fast User Switching Secure individual keychain items Create specialized keychains for different purposes Folder permissions can be set via a script in a Jamf Pro Server Policy Repair permissions command can be triggered via Self Service or run automatically Reports can be created to scan for files in System and Library for bad permissions Password policies enabled via Configuration Profile Login window and banner can be added via Jamf Pro Server Policy

Additional Considerations Jamf Pro helps IT admins customize additional security settings by setting an EFI password, disabling Wi-Fi in hyper-secure environments, and more. You can also use the Jamf Pro Server to rename your Macs so inventory is easier. Additionally, Jamf Pro allows you to inventory the software assets your organization has and keep track of licenses. Consider disabling Wi-Fi and only use ethernet Cover isight cameras Logically name your computers Inventory your software Put a firewall in place Automatic actions for optical media Disable App Store automatic downloads on other Macs Set an EFI password Apple ID password resets Wi-Fi can be disabled via profile Computer naming can be automated via setting in the Jamf Pro Server Software inventory and license tracking in the Jamf Pro Server EFI passwords can be set via a policy and/or imaging Conclusion Jamf Pro makes it easy to implement and follow the independent organization Center for Internet Security s Apple macos benchmarks. www.jamf.com copyright 2002-2017 Jamf. All rights reserved. To learn more about how Jamf Pro can make an impact on your Mac and ios management, visit jamf.com.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback