05-04-2022 03:33 PM - edited 05-05-2022 04:59 PM
Mac admins can begin their compliance journey by following NIST's SP 800-219 secure configuration guidance and using some open source tools that automate deploying controls, using commands through MDM (mobile device management). It's not as simple as point and click (some determinations should be made by admins), but don't fret ... this post will talk you through what's involved. We'll also discuss an alternative way to set up secure configurations on Macs, available through the HardeningDoggy project.
The mSCP project is accessible to admins through its home on GitHub and mSCP's tool/script repository. The project was established by U.S. federal agencies (NIST/NASA/DISA) to make a set of tested and validated controls available to IT admins. It's even recognized by Apple as "... a resource to easily create customized security baselines of technical security controls by leveraging a library of tested and validated atomic actions (configuration settings)."
It appears very technical, but the project is designed to do the heavy lifting for its users. It works like this: a (security) baseline YAML file is fed to a script generator, which produces the compliance scripts. On each Mac, the scripts run through the rules in the baseline and check whether each required setting is in place; a rule needs a "fix" when the corresponding security control is absent. Admins are given the option to remediate any missing rules and are prompted to run a check-fix-check script to deploy the "fix" that changes the Mac's security settings.
You'll likely re-scan and run through the process several times until a device is in compliance. The rules repository is maintained and updated by the project's contributors, and new rules are added from time to time. Some settings aren't advisable to apply through a script, such as enabling FileVault volume encryption, smart card requirements, or a firmware password, so the mSCP also supports MDM configuration profiles to help put the device in the right state. These configuration profiles can be fed into your MDM of choice, including JumpCloud, to enforce those settings on your macOS devices; it's important to pay attention to which controls are meant for configuration profiles and which are scripted. Always make your own decision about which controls should be implemented within your organization, and run the mSCP tools on a test system before making changes in production. It may sound complex, but the mSCP tools eliminate cutting and pasting scripts and provide some automation to deploy any requisite security controls.
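To make the check-fix-check loop concrete, here is an added shell example (not the mSCP project's own generated compliance script) that models the pattern the two paragraphs above describe: each rule has a check, rules with a scripted remediation get fixed when the check fails, rules that belong in a configuration profile are only reported for the MDM, and everything is re-checked afterwards. The rule names (`firewall_enable`, `screensaver_timeout_enforce`, `filevault_enable`) are hypothetical, not mSCP rule IDs, and the Mac's settings are simulated in a constructed key=value file so the script runs offline on any system.

```bash
#!/bin/sh
# Added example, not mSCP code: a minimal check -> fix -> check loop.
# Settings live in a constructed key=value file that stands in for the Mac's
# real settings store; rule names and thresholds below are hypothetical.

STATE="${STATE:-$(mktemp)}"     # simulated settings store (constructed)
trap 'rm -f "$STATE" "$STATE.tmp"' EXIT

# Seed the simulated device: firewall off, screensaver too slow, FileVault unset.
seed_state() {
  cat > "$STATE" <<'EOF'
firewall_enabled=0
screensaver_timeout=3600
ssh_enabled=0
EOF
}

get_setting() { sed -n "s/^$1=//p" "$STATE"; }

# Replace key=value (or append it) without relying on non-portable sed -i.
set_setting() {
  { grep -v "^$1=" "$STATE" || true; } > "$STATE.tmp"
  printf '%s=%s\n' "$1" "$2" >> "$STATE.tmp"
  mv "$STATE.tmp" "$STATE"
}

# The "baseline": hypothetical rule names in the style of the post.
RULES="firewall_enable screensaver_timeout_enforce filevault_enable"

# How each rule is meant to be deployed: scripted, or via MDM configuration
# profile only (the post's point that FileVault should not be scripted).
rule_mechanism() {
  case "$1" in
    filevault_enable) echo profile ;;
    *)                echo script ;;
  esac
}

# check: exit 0 when the control is present, non-zero when it is absent.
check_rule() {
  case "$1" in
    firewall_enable)             [ "$(get_setting firewall_enabled)" = "1" ] ;;
    screensaver_timeout_enforce) v=$(get_setting screensaver_timeout)
                                 [ -n "$v" ] && [ "$v" -le 1200 ] ;;
    filevault_enable)            [ "$(get_setting filevault_enabled)" = "1" ] ;;
    *)                           return 1 ;;
  esac
}

# fix: scripted remediation; only defined for rules whose mechanism is "script".
fix_rule() {
  case "$1" in
    firewall_enable)             set_setting firewall_enabled 1 ;;
    screensaver_timeout_enforce) set_setting screensaver_timeout 1200 ;;
    *)                           return 1 ;;
  esac
}

# Print one PASS/FAIL line per rule.
report() {
  for r in $RULES; do
    if check_rule "$r"; then echo "PASS $r"; else echo "FAIL $r ($(rule_mechanism "$r"))"; fi
  done
}

# Number of rules still failing, printed so callers can capture it.
count_failures() {
  n=0
  for r in $RULES; do check_rule "$r" || n=$((n + 1)); done
  echo "$n"
}

# check -> fix -> check. Profile-only rules are never touched by the script;
# they are listed so the admin deploys them through the MDM instead.
check_fix_check() {
  echo "== initial check =="; report
  for r in $RULES; do
    if ! check_rule "$r"; then
      if [ "$(rule_mechanism "$r")" = script ]; then
        echo "FIX  $r"; fix_rule "$r"
      else
        echo "MDM  $r (deploy via configuration profile, not scripted)"
      fi
    fi
  done
  echo "== re-check =="; report
}

seed_state
check_fix_check
echo "remaining failures: $(count_failures)"
```

Run it as-is and you get three failures on the first pass, two scripted fixes, and one rule (`filevault_enable`) left for the MDM on the re-check, which is exactly why the post says to watch which controls are profile-based and to expect several scan-and-fix rounds before a device is compliant.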
HardeningDoggy is another option for achieving compliance with benchmarks such as the CIS Apple macOS 11.0 Benchmark.
Compliance isn't solely for regulated organizations. Baseline configurations add a logical layer of (technical) security to the existing physical, administrative, and technical controls that make up your security program. A secure configuration won't block every threat, but it will help you secure and assess macOS desktop and laptop systems in a more automated manner.
Have you ever used tools from these projects to harden your Macs? If so, please share your experience(s).