Ten high priority actions to protect enterprise macOS privacy data

Mac computer deployments within the enterprise sector are on the rise, with reports showing a 128% increase in the use of Macs within companies employing more than 500 employees.

Apple’s macOS and iOS devices have become essential to the modern workforce as they have shown their strength in the areas of security, productivity, and reduced support requirements. Like all computing platforms involving the storage of EU-based sensitive information, including Personally Identifiable Information (PII), Payment Card Industry (PCI) Information, and other data types, these systems fall under the GDPR mandate. 

In recognition of the special requirements this places on macOS/iOS system administrators, Addigy is working with customers to help with the actions that must be taken or be put in place to ensure compliance. Leading the charge to safeguard customers, the company is citing 10 high priority actions that must be in place for compliance.

The rising popularity of macOS/iOS devices in the enterprise is moving organizations to focus greater efforts on securing these environments. Recent research has uncovered macOS vulnerabilities showing susceptibility to malware when setting up systems for the first time. However, there are other vulnerabilities, including the spoofing of a device's serial number (via a virtual machine or other methods) during the deployment process, which lets any VM be provisioned as a corporate-owned device simply by using the publicly accessible serial number. This spoofing allows hackers to easily gain access to sensitive company, employee, and customer data unless proper defenses and processes have been applied.

While there are countless reputable enterprise-grade security software solutions to defend against malware, spyware, adware, and other threats, there are also ten important actions to take immediately to strengthen the security and compliance of macOS systems used by the organization. While many of these actions are completed when new computers are added to the network, the settings are often incorrect or not active at all. 

By reviewing this checklist, administrators can add layers of defense to further their IT security and privacy data compliance stance. Here are 10 actions and/or processes to defend against the most prevalent risks:

  • Activate FileVault Encryption – Use FileVault Manager to activate disk encryption as required.

  • Apple Business Manager (DEP+VPP) - Having the company’s Device Enrollment Program, Mobile Device Management, and Volume Purchase Program working in tandem will allow the administrator to remotely deploy, manage, and push out applications to all devices from a single pane of glass. This provides enhanced control over devices and ensures the protection of sensitive information.

  • Implement Security Updates on your devices regularly - System Security Updates are released regularly by Apple, so make sure to have a utility that enforces the Security Updates on your managed systems. 24/7 system updating will patch vulnerabilities and zero-day exploits.

  • Turn off Remote Login and Remote Access in Sharing System Preferences - Remote Login and Remote Access allow people on your network to remotely access and control devices. Turn these features off to ensure no remote users are connecting to these devices.

  • Turn off ‘Wake for Network Access’ in Energy Saver System Preferences - This feature allows users to remotely turn on or wake your device from sleep, potentially when the device is unattended. Disable this feature to prevent this type of behavior.

  • Turn on your macOS Firewall - This will block unapproved inbound connections to your device to prevent unauthorized behavior. If you want both inbound and outbound connections to be monitored on a device, try a third-party firewall solution.

  • Enforce Password Complexity - Complex passwords help to increase the time and resources required to compromise the password. Password complexity is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

  • Review profile configurations – Set up login banners with privacy awareness notifications; turn on website blocking to prevent unauthorized use of devices for PII Data, and adjust Time Machine Configurations to make sure data can be restored in a timely fashion.

  • Leverage Security Tools - The integration of IT and AI security tools such as Cylance, Malwarebytes, WebRoot, and others helps to prevent the risk of active data becoming compromised.

  • Implement Device Monitoring - Enterprise-wide monitoring allows for the tracking of key security and compliance features for GDPR.
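
Four of the settings above (FileVault, Remote Login, Wake for Network Access, and the firewall) can be verified with built-in macOS command-line tools. The script below is an added example, not code from Addigy or the original article; the function names are hypothetical, and each check takes the command's output as text so it can be tried against constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): audit four checklist settings.
# Each check_* function (hypothetical names) takes the text printed by a
# built-in macOS command and returns 0 when the setting is compliant.
# Anything unrecognized counts as non-compliant (fail closed).

# fdesetup status -> "FileVault is On." / "FileVault is Off."
check_filevault() {
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# systemsetup -getremotelogin -> "Remote Login: On" / "Remote Login: Off"
check_remote_login() {
  case "$1" in *"Remote Login: Off"*) return 0 ;; *) return 1 ;; esac
}

# pmset -g -> one "name value" pair per line; womp is Wake for Network Access
check_womp() {
  printf '%s\n' "$1" | awk '$1 == "womp" { v = $2 } END { exit !(v == "0") }'
}

# socketfilterfw --getglobalstate -> "Firewall is enabled. (State = 1)"
check_firewall() {
  case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac
}

# report <label> <check function> <command output>
report() {
  if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; return 1; fi
}

audit() {
  rc=0
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  report "FileVault on" check_filevault "$(fdesetup status 2>&1)" || rc=1
  report "Remote Login off" check_remote_login "$(systemsetup -getremotelogin 2>&1)" || rc=1
  report "Wake for Network Access off" check_womp "$(pmset -g 2>&1)" || rc=1
  report "Firewall on" check_firewall "$("$fw" --getglobalstate 2>&1)" || rc=1
  return "$rc"
}

# Live audit only on macOS; run as root (systemsetup requires it).
if [ "$(uname -s)" = "Darwin" ]; then
  audit || echo "One or more settings need attention" >&2
fi
```

Because unrecognized output is treated as a failure, a tool that errors out (for example, for lack of privileges) shows up as FAIL rather than being silently passed.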

macOS/iOS devices are becoming increasingly popular for business use thanks to the familiarity and simplicity of these systems. When preparing for use in a corporate environment, it will be important for IT administrators and Managed Service Providers to take the necessary steps to ensure these computing environments are locked down in a comprehensive way, utilizing all of the resources and techniques available. Because of the advantages of macOS systems in business environments, providing the same level of protection afforded to PCs is now a must-do and is easily accomplished with these simple steps.

Jason Dettbarn is CEO of Addigy, a company focused on helping system administrators take control of their Apple macOS/iOS environments. The company’s solutions simplify and streamline asset management, monitoring, reporting, remote command execution, customer and user management, real-time communications, security, compliance and more.