Device security is at the forefront for any IT department. While many professionals are familiar with how to secure Windows in an enterprise environment, they might not be as up-to-date on how to secure macOS. In this guide, I’ll give some steps to consider, but this isn’t meant to be an exhaustive guide as every industry and company will have different requirements, so consider this information a “starting point.”
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Drawing on his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, hundreds of Macs, and hundreds of iPads, Bradley highlights ways in which Apple IT managers deploy Apple devices, build networks to support them, and train users, shares stories from the trenches of IT management, and suggests ways Apple could improve its products for IT departments.
Use Device Enrollment Program
The first step is to make sure you’re using Apple’s Device Enrollment Program, so that when you purchase a new Mac through the Apple Business Store, its serial number is tied to your account and the Mac is automatically enrolled in your mobile device management system. This process results in a supervised Mac.
Enable FileVault 2
FileVault 2 first made its appearance in OS X Lion in 2011, so any Mac bought in recent years will support it. While many corporate documents are stored in cloud services, it’s very easy to end up with confidential files stored locally or cached for offline use. With FileVault 2 enabled, an organization’s information is safe on the hard drive even if the device is lost or stolen. With FileVault 2, end users don’t need to worry about individually encrypting each file or storing files in specific encrypted locations, as the data on the entire hard drive is encrypted.
FileVault 2 should be forced through your mobile device management system as part of the setup of the Mac. Almost all MDMs support this functionality, and they will likely escrow a copy of the FileVault recovery key in your management portal.
Only allow apps from Mac App Store and identified developers
The Mac App Store is the safest place to get Mac apps from, but many enterprise apps aren’t available there. MDM vendors will allow you to block end users from installing apps that aren’t from the Mac App Store or that come from developers Gatekeeper does not recognize as identified developers.
Force enable the Firewall
In your MDM portal, I advise force enabling the macOS firewall as the first line of defense for your macOS devices when they’re connected to the internet.
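The four controls above (DEP/MDM enrollment, FileVault 2, Gatekeeper, and the application firewall) can each be verified on a Mac from the command line, which is useful for spot-checking that an MDM profile actually landed. The script below is an added example, not code from this article or from any MDM vendor: it is a read-only audit that parses the text printed by the macOS tools `profiles`, `fdesetup`, `spctl`, and `socketfilterfw`. The parsing functions take the command output as an argument, so they can be exercised with constructed sample strings on any system; the live commands only run on macOS. The exact output strings listed in the comments are an assumption about those tools’ current wording.

```shell
#!/bin/sh
# Added example (not from the article or any MDM product): a read-only audit of
# four macOS security controls. Assumed output formats of the macOS tools:
#   profiles status -type enrollment -> "Enrolled via DEP: Yes"
#                                       "MDM enrollment: Yes (User Approved)"
#   fdesetup status                  -> "FileVault is On." / "FileVault is Off."
#   spctl --status                   -> "assessments enabled" / "assessments disabled"
#   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
#                                    -> "Firewall is enabled. (State = 1)"
# Some of these commands may require sudo on older releases (assumption).

# A supervised, DEP-enrolled Mac reports Yes on both the DEP and the MDM line.
check_enrollment() {
    printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes' || return 1
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes' || return 1
}

# Full-disk encryption is on when fdesetup reports "FileVault is On."
check_filevault() {
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# Gatekeeper assessments must be enabled for the identified-developer policy to apply.
check_gatekeeper() {
    case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# The application firewall global state must be enabled.
check_firewall() {
    case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac
}

# Print one PASS/FAIL line for a check and count failures in the global $failures.
# $1 = label, $2 = check function name, $3 = captured command output
report() {
    if "$2" "$3"; then
        printf 'PASS  %s\n' "$1"
    else
        printf 'FAIL  %s\n' "$1"
        failures=$((failures + 1))
    fi
}

# Evaluate all four controls from already-captured output; always returns 0 and
# ends with a "failures=N" line so callers can act on the count.
audit_from_output() {
    failures=0
    report "DEP/MDM enrollment (supervised)" check_enrollment "$1"
    report "FileVault 2 enabled"             check_filevault  "$2"
    report "Gatekeeper assessments enabled"  check_gatekeeper "$3"
    report "Application firewall enabled"    check_firewall   "$4"
    printf 'failures=%s\n' "$failures"
}

# Gather live output on a Mac. Missing or failing commands yield an empty
# string, which every check treats as non-compliant.
run_audit() {
    audit_from_output \
        "$(profiles status -type enrollment 2>/dev/null || true)" \
        "$(fdesetup status 2>/dev/null || true)" \
        "$(spctl --status 2>/dev/null || true)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)"
}

# Only run the live audit on macOS; elsewhere the functions are just defined.
case "$(uname -s)" in
    Darwin) run_audit ;;
esac
```

Run it as `sh mac-audit.sh` on the Mac being checked; a non-zero `failures=` line means at least one control the MDM should have enforced is missing, which is usually a sign the configuration profile never installed or was removed.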
Consider Endpoint Security protection
While Macs are very secure from the ground up, there are still security threats from time to time. Several vendors on the market offer macOS endpoint security protection. I would advise picking a vendor that uses Apple’s native Endpoint Security API, as you’ll have a much easier time transitioning to each new version of macOS every year. Some legacy vendors are still struggling with the changes in macOS Big Sur, for example.
Wrap-up on Mac enterprise security tips
The single most important thing you can do when deploying macOS in your environment is enabling FileVault 2. If you do nothing else on this list, turn on FileVault 2 for all your devices. Consider your macOS login password requirements (SSO, length, etc.), but without FileVault 2, anything else you do will be trying to secure an insecure environment.