Image: An open padlock on the keyboard of an Apple MacBook | SPIRIT/21
By Jens Reichardt on 02.02.2021, Smart Workplace

Built-in Mac Security and its pitfalls

Apple writes on its own website that security is “already built-in” to the Mac operating system macOS, and it is certainly not wrong. However, in order to use the built-in features reliably on every device in an enterprise context, a management solution is essential. Here are some security features that are worth paying attention to and whose implementation we recommend on Macs for both private and business use:

The most noticeable feature of a recent macOS installation or a recent Mac (yes, even directly from Apple) is the deactivated firewall. This makes perfect sense if one assumes that the Mac is only used in the home network, where a router (with its own firewall) mediates between the end device and the Internet.
However, if the Internet is accessed in public spaces, for example via hotspots in cafés, it is advisable to turn on the macOS firewall. It is best to always keep this firewall activated, so there is no need for situational activation. For this reason, we configure our internal Macs in such a way that the firewall is activated by default and cannot be switched off.

Screenshot: firewall policy in the Mac settings | SPIRIT/21

Enable FileVault 2

Mac OS X Lion (2011) and newer versions offer FileVault 2. It encrypts the entire boot disk and usually includes the home directory. This does not happen automatically, however, so FileVault must be turned on first. Once enabled, all data is encrypted and can only be decrypted with the known password. However, this password can be reset via the firmware (EFI), so an EFI password should be set as well.

Protect firmware with password

A firmware password protects against local attack attempts by adding a layer of security at the hardware level and restricting access to various boot options, be it booting from an external storage device or booting into Recovery mode to use the tools there for manipulation, such as resetting the administrator password.
When combined with FileVault 2, the firmware password makes your Mac very secure. In order for someone to steal your information, they would have to remove the hard drive and decrypt it. However, this also means that losing that password can be catastrophic. All the better if FileVault is activated by a management solution like Jamf and the recovery key is backed up centrally.

Note for newer MacBooks with Apple’s M1 chip:

Due to the new architecture, Apple does not yet offer a firmware password for these devices. In order to maintain at least a similar degree of control over the device, we recommend using Apple’s DEP, the automatic device enrollment. This way the device can only be set up with the assigned MDM. However, even this does not protect against simply erasing the Mac, and we expect Apple to provide a solution for companies, especially those without DEP.
Until then, M1 Macs can only be protected from a simple password reset by activating disk encryption, in which case the recovery key is requested. Otherwise, if the Mac falls into the wrong hands, the password can be reset unhindered via Recovery.

Disable shares

Some shares make sense in a local network: they make collaboration easier or allow remote access for your own IT support. However, the following rule should be applied: if you are unsure which share is explicitly needed for what, it is better to deactivate it. It should not be made too easy for potential attackers (especially outside the home or company network).
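The four settings discussed above (firewall, FileVault, firmware password, shares) can each be read back from the command line, which is useful for checking a Mac before or after an MDM profile has been applied. The following read-only audit script is an added example and not SPIRIT/21's own tooling. It assumes the output formats of `socketfilterfw`, `fdesetup`, `firmwarepasswd`, `systemsetup` and `launchctl list` as seen on recent macOS releases (the firmware password check applies to Intel Macs only, as the M1 note explains); the parsers are kept as separate functions so they can be exercised with constructed sample output on any system.

```shell
#!/bin/sh
# Added example (not SPIRIT/21's code): read-only audit of the built-in macOS
# protections discussed in the post. Each check pipes a standard macOS
# command's output through a small parser. Output strings are assumed from
# recent macOS releases (Intel for firmwarepasswd).

# Run a command only if its binary exists. Absent binaries produce no output,
# so on a non-Mac the parsers report UNKNOWN instead of the script failing.
run_if_present() {
  [ -x "$1" ] || return 0
  "$@" 2>/dev/null
}

# socketfilterfw --getglobalstate: "Firewall is enabled. (State = 1)",
# "Firewall is enabled. (State = 2)" (block all incoming) or
# "Firewall is disabled. (State = 0)".
parse_firewall() {
  case "$(cat)" in
    *"State = 2"*) echo "firewall: ON (block all incoming)" ;;
    *enabled*)     echo "firewall: ON" ;;
    *disabled*)    echo "firewall: OFF" ;;
    *)             echo "firewall: UNKNOWN" ;;
  esac
}

# fdesetup status: "FileVault is On." / "FileVault is Off."
parse_filevault() {
  case "$(cat)" in
    *"FileVault is On"*)  echo "filevault: ON" ;;
    *"FileVault is Off"*) echo "filevault: OFF" ;;
    *)                    echo "filevault: UNKNOWN" ;;
  esac
}

# firmwarepasswd -check: "Password Enabled: Yes" / "Password Enabled: No"
parse_firmware_password() {
  case "$(cat)" in
    *"Password Enabled: Yes"*) echo "firmware password: SET" ;;
    *"Password Enabled: No"*)  echo "firmware password: NOT SET" ;;
    *)                         echo "firmware password: UNKNOWN" ;;
  esac
}

# systemsetup -getremotelogin: "Remote Login: On" / "Remote Login: Off"
parse_remote_login() {
  case "$(cat)" in
    *"Remote Login: On"*)  echo "remote login (ssh): ON" ;;
    *"Remote Login: Off"*) echo "remote login (ssh): OFF" ;;
    *)                     echo "remote login (ssh): UNKNOWN" ;;
  esac
}

# launchctl list: report which sharing daemons are loaded (SMB file sharing,
# screen sharing, AFP). Anything listed here should be justified or disabled.
parse_sharing_daemons() {
  found=$(grep -o -e 'com\.apple\.smbd' -e 'com\.apple\.screensharing' \
                  -e 'com\.apple\.AppleFileServer' | sort -u | paste -sd ' ' -)
  if [ -z "$found" ]; then
    echo "sharing daemons: none loaded"
  else
    echo "sharing daemons: $found"
  fi
}

# Run all checks on the current machine and print one verdict per line.
audit_mac() {
  run_if_present /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | parse_firewall
  run_if_present /usr/bin/fdesetup status | parse_filevault
  if [ "$(uname -m)" = "arm64" ]; then
    # Apple silicon: no firmware password (see the M1 note); rely on DEP/MDM
    # enrolment plus FileVault, which then demands the recovery key.
    echo "firmware password: not available on Apple silicon"
  else
    run_if_present /usr/sbin/firmwarepasswd -check | parse_firmware_password
  fi
  run_if_present /usr/sbin/systemsetup -getremotelogin | parse_remote_login
  run_if_present /bin/launchctl list | parse_sharing_daemons
}

audit_mac
```

Run it as root on the Mac being checked (`sudo sh mac_audit.sh`), since `firmwarepasswd`, `systemsetup` and the system launchd domain need privileges. The script only reads state; the corresponding remediation commands are `socketfilterfw --setglobalstate on`, `fdesetup enable` and `systemsetup -setremotelogin off`, while making the firewall impossible to switch off, as described above, is done through the management solution rather than from the shell.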
We will be happy to show you in a direct exchange how the built-in security mechanisms can be implemented easily via centralised device management. Get in touch with us and arrange a non-binding initial consultation.

Screenshot: protecting the Mac firmware with a password | SPIRIT/21

Jens Reichardt

Business Development Executive

Jens is an expert in the field of device management and Modern Workplace. Whether it’s iOS, Android, Windows or macOS, you are in the best hands with Jens if you have any questions.
