A security policy for macOS Sonoma
This document is an example security policy for the security of Apple Mac computers running macOS Sonoma in a small business setting.
- 1.3: Updated for macOS Sonoma
- 1.3.1: Version for LinkedIn
TL;DR – I was asked if I had a security policy document for macOS that would work for a small business that doesn't have a device management platform. I did have one, but it was mostly in my head or implemented on my Macs, so I decided to write it up in detail.
It is an example. You might want to change things. It is for smaller businesses that can't use Apple Business Manager or similar device management technologies.
I thought it might be helpful to someone to post it here.
Why have a security policy for macOS?
The purpose of a security policy for macOS is to ensure that extra risks are removed, mitigated and not inadvertently created for macOS based computers by applying a consistent policy for their administration and security settings.
This policy applies to all employees and third-party sub-contractors, unless an exception is agreed in writing for a specific purpose such as software development or testing.
All computers are liable to leak data if they are not well configured and hardened, and Mac computers running macOS should be treated with the same care as any other device.
User accounts for login
- When you set up a new Mac owned by the business, the first user account must be an administrator account, and this account should be set up with a business-owned Apple ID for password recovery and for use with iCloud and the App Store.
- An administrator account can change any settings on the computer.
- It is best practice to set up a second account so that the Mac can also be used by the end user.
- Day-to-day end user accounts should not be administrator accounts. This reduces the risk of elevated privileges being available (and abused) in normal day-to-day use.
- User 1 (usual login user)
- User 2 (if the Mac is shared)
Setting things up this way allows an end user to authorise administration where necessary but work as a standard user most of the time. It also allows the company administrator to perform support work on the computer without accessing the end user's data.
In a small business it is not possible to centrally manage Apple IDs. Managed Apple IDs for business are only available through Apple Business Manager or Apple Business Essentials, which are beyond the scope of this policy.
Software that needs to be installed on your Mac requires a valid Apple ID for the App Store. Other software subscriptions require payment in the App Store app. You may either add your credit card to the Apple ID payment options and claim valid expenditure on expenses, or buy a prepaid Apple voucher/card and put that on your expenses. Only applications and storage required for work are allowable. Music, videos and gaming content are not to be claimed on expenses.
Two-factor authentication (2FA) for Apple ID
You must use two-factor authentication for your Apple ID.
- Go to System Settings, click your name (or Apple ID), then click Sign-In & Security.
- Make sure Two-Factor Authentication is ‘On’.
- Click the Plus button and add two trusted phone numbers.
- Add your own backup phone number for text-based authentication, and the company number for emergency or support use.
This means that in the event of an emergency or a support incident the company will be able to access your Apple ID, reset your Mac password, or attempt to find your Mac, by authenticating with the text message sent to the company number as the second factor.
Two-factor authentication for other apps
Two-factor authentication (2FA) is the best way to protect yourself from password hacking online. You must use 2FA in any app or website that supports it.
Authy – an authenticator app
Download Authy, a standards-based authenticator app, from https://authy.com/download/ and make sure you follow the instructions to set it up securely.
Authy syncs with multiple devices, making it the best choice of 2FA app. Some websites and apps will refer to ‘Google Authenticator’, which uses the same standards-based authentication that Authy supports. Authy is more flexible, less proprietary, runs on your Mac and phone, and is easy to back up.
USB security keys
You can also use a USB security key such as a Google Titan Security Key or a YubiKey.
Passwords
- Choose a password with eight characters or more and a mix of different character types.
- Don’t use names, words found in a dictionary, phone numbers, dates, or simple combinations of these.
- Avoid using a pattern of keyboard characters such as a series of keys in a straight or diagonal line.
- Use a sequence of random characters.
- Include a mix of upper and lowercase letters, numbers, and punctuation marks.
Use macOS Password Assistant to help you choose a secure password. To open Password Assistant, click the Key button next to the New Password field. As you enter a password, Password Assistant displays how secure the password is.
Touch ID and Apple Watch
If possible, enrol your fingerprint to enable Touch ID, or set up your Apple Watch to unlock your Mac.
macOS version and protection from malware
You should always run the latest version of macOS supported by your Mac computer. At the time of writing this is macOS Sonoma. You should use an Intel-based Mac computer that is supported by macOS Sonoma, or a current Mac computer with Apple silicon. Older Mac computers cannot be made secure.
Signed system volumes and System Integrity Protection
System Integrity Protection (SIP) in macOS protects the entire system by preventing the execution of unauthorised code that doesn't carry a valid signature from Apple. All system files are protected on the signed system volume. This system volume technology provides a high level of protection against malicious software and tampering with the operating system.
macOS has protections to help ensure that apps downloaded from the internet are free of known malware. App Store review, Gatekeeper and notarisation prevent unverified software from launching, and known malware is blocked from running and remediated by XProtect.
To take advantage of these protections you must allow only applications from the App Store and identified developers to run on your Mac.
- Go to Settings > Privacy and Security > Security
- Select 'App Store and identified developers'
Because macOS has these security protections built in, a third-party antivirus tool is not necessary.
macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically — independent from system updates — to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:
- An app is first launched
- An app has been changed (in the file system)
- XProtect signatures are updated
When XProtect detects known malware, the software is blocked and the end user is notified and given the option to move the software to the Bin.
Software updates
The best way to keep your Mac secure is to run the latest software. You must set your Mac to check for, download and install updates automatically, to install application updates from the App Store, and to install Security Responses and system files. macOS checks for new updates daily and starts applying them in the background; it is important that Security Responses are installed quickly.
Make sure that Beta updates is set to ‘Off’. Beta software is not to be used without written approval.
Go to Settings > General > Software Update
- Set 'Automatic Updates' to 'On'
- Click 'Info' and set 'Check for updates', 'Download new updates when available', 'Install macOS updates', 'Install application updates from the App Store' and 'Install Security Responses and system files' all to 'On'
- Click 'Done'
- Set 'Beta updates' to 'Off'
Firewall
macOS includes a built-in firewall to protect the Mac from unwanted network access and denial-of-service attacks. Ensure the Firewall is ‘On’ in Settings. Set it to allow built-in software to receive incoming connections, and to allow downloaded and signed software to receive incoming connections.
Do not allow any other applications to receive incoming connections without approval.
Go to Settings > Network > Firewall > Options
- Make sure 'Firewall' is 'On'
- Click 'Options'
- Do not allow any applications to receive incoming connections without approval
FileVault
Turn on FileVault, which automatically encrypts all data on internal storage devices.
Once FileVault is turned on, user credentials are required during the boot process before the disk can be unlocked.
Go to Settings > Privacy and Security > FileVault
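The Gatekeeper, software update, firewall and FileVault requirements above can be verified from the command line, which is useful for the compliance reporting this policy calls for. The following read-only audit script is an added example, not part of the original policy; it assumes the output formats of the named macOS commands as shown in the comments, and keeps the parsing in small functions so they can be exercised with constructed sample output on any machine.

```shell
#!/bin/bash
# Added audit helper, not part of the original policy. Each check_* function
# parses the text printed by the macOS command named in its comment (output
# formats assumed from current macOS releases); run_audit() runs the real,
# read-only commands on a Mac and reports PASS/FAIL per policy requirement.
# spctl --status  ->  "assessments enabled" or "assessments disabled"
check_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; esac; return 1; }
# csrutil status  ->  "System Integrity Protection status: enabled."
check_sip() { case "$1" in *"status: enabled"*) return 0 ;; esac; return 1; }
# fdesetup status  ->  "FileVault is On." or "FileVault is Off."
check_filevault() { case "$1" in "FileVault is On"*) return 0 ;; esac; return 1; }
# socketfilterfw --getglobalstate  ->  "Firewall is enabled. (State = 1)"
check_firewall() { case "$1" in *"Firewall is enabled"*) return 0 ;; esac; return 1; }
# Six update flags as one space-separated string, in this order:
# AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates
# ConfigDataInstall CriticalUpdateInstall (com.apple.SoftwareUpdate) and
# AutoUpdate (com.apple.commerce, App Store apps). All six must be 1.
check_updates() {
    set -- $1
    [ $# -eq 6 ] || return 1
    for flag in "$@"; do [ "$flag" = "1" ] || return 1; done
    return 0
}
# dseditgroup -o checkmember -m <user> admin -> "no <user> is NOT a member of admin"
# The day-to-day account must be a standard user, so "no" is the passing answer.
check_not_admin() { case "$1" in no*) return 0 ;; esac; return 1; }

report() { if "$1" "$2"; then echo "PASS  $3"; else echo "FAIL  $3"; fi; }

run_audit() {
    plist=/Library/Preferences/com.apple.SoftwareUpdate; flags=""
    for k in AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates \
             ConfigDataInstall CriticalUpdateInstall; do
        flags="$flags $(defaults read $plist $k 2>/dev/null || echo 0)"
    done
    flags="$flags $(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null || echo 0)"
    report check_gatekeeper "$(spctl --status 2>&1)" "Gatekeeper: App Store and identified developers"
    report check_sip        "$(csrutil status 2>&1)" "System Integrity Protection"
    report check_filevault  "$(fdesetup status 2>&1)" "FileVault"
    report check_firewall   "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" "Firewall"
    report check_updates    "$flags" "Automatic updates (all six flags)"
    report check_not_admin  "$(dseditgroup -o checkmember -m "$USER" admin 2>&1)" "Standard (non-admin) user"
}

if [ "$(uname)" = "Darwin" ]; then run_audit
else  # constructed sample output so the parsing can be tried away from a Mac
    report check_filevault "FileVault is Off." "FileVault (constructed sample)"
fi
```

Run it as the end user (not root) so the admin-membership check reports on the day-to-day account; a FAIL line points at the setting to revisit in System Settings.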
Automatic logout and lock screen
You must set your Mac up to log out after 5 minutes of inactivity.
Go to Settings > Privacy and Security > Advanced
You must set your Mac up to log out after 3 minutes of inactivity and to display only a name and password field on the login window.
Go to Settings > Lock Screen
Location and Find My
In Location Services, turn on location for ‘Find My’. Then turn on ‘Find My’ in iCloud in System Settings: click your name, click iCloud, then under Apps Using iCloud click Show All, select Find My and turn it on. Be very careful which other apps you allow to use your location, because they can disclose your whereabouts.
Time Machine backups
You must use Time Machine, the built-in backup feature of your Mac, to back up your personal data automatically, including apps, music, photos, emails and documents.
You should plug your Mac into your Time Machine drive whenever possible. Time Machine keeps hourly backups for the past 24 hours, daily backups for the past month and weekly backups for all previous months. The oldest backups are deleted when your backup disk is full.
Having a backup allows you to restore your Mac, or a new Mac, from your Time Machine backup if you ever delete your files or can't access them.
Replace your Time Machine backup drive every year and keep the old one securely, just in case.
Apple Remote Desktop
The company uses Apple Remote Desktop to manage Mac computers. The Remote Management settings for Apple Remote Desktop must be enabled on all company Mac computers.
Remote Desktop enables the company to see the screen, install software and perform other administrative tasks to help you with your Mac. You will see a notification whenever your screen is being observed.
Supported Mac computers
The company does not support Mac computers that are no longer supported by Apple, as they are more likely to be unable to accept the latest updates and are therefore inherently less secure.
You should not sign in to company resources using unsupported Mac computers.
- iMac: 2019 and later
- Mac Pro: 2019 and later
- Mac Studio: 2022 and later
- MacBook Air: 2018 and later
- Mac mini: 2018 and later
- MacBook Pro: 2018 and later
Compliance
The information security management team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved and recorded by the Information Security Manager in advance and reported to the Management Review Team.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The policy is reviewed and updated as part of the continual improvement process.