macOS Enterprise Security Hardening: CIS Benchmark, MDM Controls, and Gatekeeper Configuration
As macOS has grown from developer machines to a significant share of enterprise endpoints — including executive laptops and engineering workstations handling sensitive IP — attackers have followed. The threat landscape for macOS has shifted from rare targeted attacks to commodity infostealers, malvertising campaigns, and supply chain compromises specifically optimized for macOS. Enterprise security programs that rely on macOS's reputation for inherent security without applying structured hardening controls are operating on outdated assumptions. This guide covers the practical hardening controls that matter, how to enforce them via MDM, and what macOS-specific detection looks like.
macOS Security Architecture: What Apple Provides by Default
Before applying hardening controls, understand what Apple ships by default — both the protections already in place and where they fall short for enterprise use.
System Integrity Protection (SIP): SIP prevents modification of system files, directories, and processes even by root. It blocks kernel extension loading from unauthorized sources and prevents modification of protected system paths. SIP should never be disabled in production — any application requiring SIP to be disabled is incompatible with enterprise security standards.
Gatekeeper: Enforces that only apps from identified developers or the Mac App Store can run. Three enforcement levels: Mac App Store only, App Store and identified developers, or anywhere (disabled). Enterprise default: App Store and identified developers. Gatekeeper verifies Apple notarization — a requirement that developers submit apps for malware scanning before distribution.
XProtect and XProtect Behavioral Service (XBS): XProtect is Apple's built-in signature-based malware detection, updated silently via software update. XBS (introduced in macOS 12.3) adds behavioral detection running continuously in the background. Neither replaces a third-party endpoint security solution, but both provide a baseline detection layer that requires no configuration.
Transparency, Consent, and Control (TCC): TCC enforces user consent before apps can access sensitive resources: camera, microphone, contacts, full disk access, screen recording. MDM can pre-approve TCC entitlements for managed apps, bypassing the user prompt.
What Apple does not provide by default: Application allowlisting beyond code signing, network-level threat detection, behavioral EDR with SIEM integration, LAPS-equivalent for local admin accounts, and centralized audit log forwarding. These require MDM-enforced configuration and third-party tooling.
MDM Deployment: Jamf vs. Microsoft Intune for Mac
All significant macOS hardening controls require an MDM solution. Without MDM, settings can be manually changed by users, do not scale, and cannot be verified centrally.
Jamf Pro: The dominant enterprise Mac MDM. Deep macOS integration, extensive policy library, native support for Apple Business Manager (ABM) / Apple School Manager (ASM) for zero-touch enrollment. Strong community (Jamf Nation) with shared configuration profiles. Better for Mac-centric or Mac-primary organizations. Separate Jamf Protect product provides macOS-native EDR with MITRE ATT&CK-mapped behavioral detection.
Microsoft Intune (with Mac support): Sufficient for organizations with a Microsoft-centric identity stack (Entra ID, Defender for Endpoint). Settings catalog covers most macOS security configurations. Integration with Microsoft Defender for Endpoint on macOS provides EDR parity with Windows. Better for organizations managing mixed Windows/Mac fleets who want unified management. Less mature than Jamf for advanced Mac-specific configurations.
Apple Business Manager (ABM): ABM is a prerequisite for any serious enterprise Mac deployment. It enables Automated Device Enrollment (ADE — formerly DEP), which causes new Macs to enroll in MDM during Setup Assistant with no user action required, prevents MDM removal by the user, and allows MDM to configure the device before any user has logged in. Without ABM enrollment, MDM profiles can be removed by the user.
Configuration profile delivery: All hardening settings discussed below are delivered as MDM configuration profiles (mobileconfig files). Profiles pushed via ABM-enrolled MDM cannot be removed by the user. Verify this for every profile — user-removable profiles are not reliable hardening controls.
CIS Benchmark for macOS: Key Level 1 Controls
The CIS Apple macOS Benchmark organizes controls into Level 1 (broadly applicable, low operational impact) and Level 2 (high security environments, potential impact on usability). Start with Level 1 controls enforceable via MDM.
FileVault (CIS 2.1.1): Full-disk encryption. Enable via MDM with institutional recovery key escrowed to MDM server (Jamf, Intune). Without FileVault, a stolen Mac gives an attacker full access to disk contents by booting to external media.
MDM payload: com.apple.MCX
Key: dontAllowFDEDisable = true
Key: forceEnableInSetupAssistant = true
Screen lock and password requirements (CIS 2.3.x):
- Inactivity lock: 5 minutes maximum for high-security environments, 15 minutes for standard
- Password required immediately upon sleep or screen saver
- Login window: display name only (not username list)
- Disable automatic login
MDM payload: com.apple.screensaver
Key: askForPassword = true
Key: askForPasswordDelay = 0
Key: loginWindowIdleTime = 300
Software Update (CIS 1.x):
- Enable automatic security response updates (Apple Rapid Security Response)
- Enable automatic macOS updates
- Block deferral of security updates beyond 7 days via MDM
MDM payload: com.apple.SoftwareUpdate
Key: AutomaticCheckEnabled = true
Key: AutomaticDownload = true
Key: CriticalUpdateInstall = true
Key: ConfigDataInstall = true
Firewall (CIS 2.2.x):
- Enable macOS Application Firewall
- Enable Stealth Mode (no ICMP/ping responses)
- Block all incoming connections except explicitly allowed apps
MDM payload: com.apple.security.firewall
Key: EnableFirewall = true
Key: EnableStealthMode = true
Key: BlockAllIncoming = false (allow explicit exceptions)
Disable services not needed in enterprise (CIS 2.4.x):
- AirDrop: Disable or restrict to contacts only
- Remote Apple Events: Disabled
- Remote Management (ARD): Disabled unless explicitly required for IT support
- Internet Sharing: Disabled
- Content Caching: Disabled on managed endpoints
- Bonjour advertising: Disabled
Gatekeeper and Application Control
Default Gatekeeper enforcement allows any notarized app from an identified developer. For higher-security environments, more restrictive application control is achievable via MDM.
Enforce Gatekeeper via MDM:
MDM payload: com.apple.systempolicy.control
Key: AllowIdentifiedDevelopers = true
Key: EnableAssessment = true
This prevents users from overriding Gatekeeper via System Settings. Without MDM enforcement, users can right-click and open any app regardless of Gatekeeper policy.
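As an added example, not code from the article or from any MDM vendor, the following Python script assembles the screen lock, Software Update, firewall and Gatekeeper payloads listed above into a single .mobileconfig and checks the result before upload. The reverse-DNS identifier prefix and the display name are assumptions; the payload types and keys are the ones the text names.

```python
import plistlib
import uuid

ORG_PREFIX = "com.example.hardening"  # hypothetical reverse-DNS prefix

# PayloadType -> settings, taken from the payload/key pairs in the article.
PAYLOADS = {
    "com.apple.screensaver": {
        "askForPassword": True, "askForPasswordDelay": 0, "loginWindowIdleTime": 300},
    "com.apple.SoftwareUpdate": {
        "AutomaticCheckEnabled": True, "AutomaticDownload": True,
        "CriticalUpdateInstall": True, "ConfigDataInstall": True},
    "com.apple.security.firewall": {
        "EnableFirewall": True, "EnableStealthMode": True, "BlockAllIncoming": False},
    "com.apple.systempolicy.control": {
        "AllowIdentifiedDevelopers": True, "EnableAssessment": True},
}

def build_profile(payloads=PAYLOADS, removal_disallowed=True):
    """Assemble the profile dict. PayloadRemovalDisallowed=True is the
    setting that keeps the user from deleting the profile once an
    ABM-enrolled MDM has installed it."""
    content = []
    for payload_type, settings in payloads.items():
        # Each payload needs its own identifier, UUID and version.
        content.append({"PayloadType": payload_type, "PayloadVersion": 1,
                        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}",
                        "PayloadUUID": str(uuid.uuid4()).upper(), **settings})
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadDisplayName": "Enterprise macOS Hardening (CIS L1)",
        "PayloadIdentifier": f"{ORG_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": content,
    }

def profile_xml(profile):
    """Serialize to the XML plist an MDM console uploads as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def check_profile(xml_bytes):
    """Pre-deployment check: every expected payload present and the profile
    locked against user removal. Returns a list of findings (empty = OK)."""
    profile = plistlib.loads(xml_bytes)
    findings = []
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile is user-removable")
    present = {c["PayloadType"] for c in profile.get("PayloadContent", [])}
    findings += [f"missing payload {t}" for t in sorted(set(PAYLOADS) - present)]
    return findings
```

Write `profile_xml(build_profile())` to a file, import it into the MDM console, and keep `check_profile` in the pipeline so a profile that was edited into a user-removable state never ships.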
Privacy Preferences Policy Control (PPPC) — TCC management: MDM can pre-approve or block TCC permissions for managed apps. Critical for security tools (EDR agents need full disk access) and for blocking unnecessary permissions for other apps.
MDM payload: com.apple.TCC.configuration-profile-policy
<!-- Grant full disk access to the Jamf Protect agent -->
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key><string>com.jamf.protect.agent</string>
<key>IdentifierType</key><string>bundleID</string>
<key>CodeRequirement</key><string>[Jamf code requirement]</string>
<key>Allowed</key><true/>
<key>StaticCode</key><true/>
</dict>
</array>
</dict>
Application allowlisting via Jamf Pro: Jamf's Restricted Software feature blocks specified applications from running. More granular: Jamf Protect's Analytics rules can alert or block process execution based on process name, path, or hash. Not equivalent to Windows WDAC but functional for blocking known-bad applications.
Preventing unauthorized kernel extensions (kexts): macOS requires user approval for third-party kernel extensions (UAKEL — User Approved Kernel Extension Loading). MDM can pre-approve specific kexts (e.g., Cisco AnyConnect, security tool components) via the System Extension payload, preventing user prompts while blocking unapproved kexts.
Local Administrator Password Solution for macOS
The equivalent of Windows LAPS for macOS addresses the same problem: if every Mac has the same local admin password, one compromise gives lateral movement across the fleet.
Options for macOS LAPS:
Jamf LAPS (built into Jamf Pro 10.47+): Generates and rotates unique local admin passwords, stores them in Jamf Pro, accessible to authorized IT staff. Password rotation can be triggered manually or scheduled. Audit log tracks every access. Passwords displayed in Jamf Pro console with role-based access control.
Microsoft LAPS for macOS (Intune): Available in preview for Intune-managed Macs. Similar functionality to Windows LAPS — rotates local admin password, stores in Entra ID, accessible via Intune admin center or Graph API.
macOS admin account design:
- Separate the local admin account from the user's daily-use account
- The user's account should not have admin rights (standard user account for daily use)
- The admin account should have a unique LAPS-managed password
- Name the admin account something non-obvious (not 'admin' or 'administrator') to reduce guessing
Restricting sudo access:
# /etc/sudoers.d/enterprise-policy
# Restrict sudo to the local admin group only; add no other user or group entries
%localadmins ALL=(ALL) ALL
# Prompt for the password on every sudo invocation (no credential caching);
# NOPASSWD must not appear anywhere in sudoers or sudoers.d
Defaults timestamp_timeout=0
# Validate the file before deploying it: visudo -cf /etc/sudoers.d/enterprise-policy
macOS EDR: Jamf Protect, Microsoft Defender, and CrowdStrike
macOS-native EDR is a distinct requirement from MDM. MDM manages configuration; EDR detects and responds to threats in real time.
Jamf Protect: Built on Apple's Endpoint Security Framework (ESF), which provides low-level system event access without kernel extensions. MITRE ATT&CK-mapped detection rules. macOS-native — designed specifically for the macOS threat landscape including macOS-specific malware families. Behavioral analytics, file event monitoring, network monitoring, and USB event tracking. Integrates with Jamf Pro for unified device management and security. Best fit: Mac-centric enterprises.
Microsoft Defender for Endpoint (macOS): Mature EDR capability on macOS via ESF. Full integration with Microsoft Defender XDR, Sentinel, and MDE investigation workflows. Antivirus, EDR, vulnerability assessment, and network protection. For Microsoft-centric shops, the telemetry goes into the same SIEM as Windows endpoints — unified investigation across the fleet. Best fit: mixed fleets with existing MDE deployment.
CrowdStrike Falcon (macOS): Full-featured Falcon sensor for macOS. Same Threat Graph correlation across macOS, Windows, and Linux. Real-time prevention and detection. Good for organizations with CrowdStrike as their cross-platform EDR standard — reduces number of security tools to manage.
Key macOS-specific threats to detect:
- AMOS/Atomic Stealer variants: macOS infostealer delivered via malvertising targeting Homebrew, browser installer searches
- Adload: Persistent adware family with changing delivery mechanisms
- DNS Changer malware: Modifies DNS resolver settings via LaunchDaemon
- Malicious LaunchAgents and LaunchDaemons: Common macOS persistence mechanisms in ~/Library/LaunchAgents/ and /Library/LaunchDaemons/
- Malicious login items and background tasks (visible in System Settings > General > Login Items since macOS 13)
Detecting persistence via LaunchAgents (ESF/osquery):
-- osquery: list LaunchAgent jobs set to run at load; schedule the query and diff results against a baseline to surface new entries
SELECT path, label, program, run_at_load
FROM launchd
WHERE path LIKE '%/Library/LaunchAgents/%'
AND run_at_load = 1;
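As an added example, not from the article or from any vendor it names, the following Python script triages LaunchAgent and LaunchDaemon plists for the persistence patterns listed above, complementing the osquery query by parsing the job definitions themselves. The directory list comes from the text; the suspicious-path heuristics and the two sample jobs are constructed assumptions.

```python
import glob
import os
import plistlib

# Directories named in the article; scan_dirs() walks them on a real Mac.
PERSISTENCE_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
                    "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumed heuristics: legitimate jobs should not run from temp/shared or
# hidden paths, nor hand an inline script or URL to an interpreter.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "curl"}

def launchd_program(job):
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    return program, args[1:]

def assess_job(job, source="<inline>"):
    """Return a list of findings for one parsed launchd job dict."""
    program, args = launchd_program(job)
    findings = []
    for s in [program, *args]:
        if s.startswith(SUSPICIOUS_PREFIXES):
            findings.append(f"{source}: references temp/shared path {s}")
        if any(p.startswith(".") and p.strip(".") for p in s.split("/")):
            findings.append(f"{source}: hidden path component in {s}")
    if os.path.basename(program) in INTERPRETERS and any(
            a == "-c" or a.startswith(("http://", "https://")) for a in args):
        findings.append(f"{source}: interpreter given inline script or URL")
    # Only report the persistence angle when something else already looks off.
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append(f"{source}: persists via RunAtLoad/KeepAlive")
    return findings

def scan_dirs(dirs=PERSISTENCE_DIRS):
    """Parse every plist in the persistence directories and assess it."""
    findings = []
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            try:
                with open(path, "rb") as fh:
                    findings += assess_job(plistlib.load(fh), path)
            except Exception:  # malformed XML/binary plist or unreadable file
                findings.append(f"{path}: unparseable plist")
    return findings

# Constructed samples: a benign vendor updater and a suspicious agent.
BENIGN = {"Label": "com.example.updater", "RunAtLoad": True,
          "Program": "/Applications/Example.app/Contents/MacOS/updater"}
SUSPECT = {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
           "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.cache/run.sh"]}
```

Run `scan_dirs()` from an MDM script or an osquery extension and forward the findings to the SIEM alongside the file-write events listed later in the article; `assess_job(SUSPECT)` yields four findings while `assess_job(BENIGN)` yields none.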
Audit Logging and SIEM Integration for macOS
macOS generates security-relevant events across multiple log sources. Getting them to your SIEM requires configuration — none of it happens automatically.
Unified Log System (ULS):
Apple's modern logging framework, queryable via the log command. It captures system, application, and security events, but it is not designed for native SIEM forwarding.
OpenBSM Audit Framework: The traditional macOS audit system. Generates binary audit trail files (BSM format) for security events. Enable via MDM:
<!-- MDM payload to enable OpenBSM -->
<key>com.apple.security.audit</key>
<dict>
<key>Flags</key>
<string>lo,aa,ad,fd,fm,^-fr,^-fw,nt,ss,pc</string>
</dict>
Audit flags: lo = login/logout, aa = authentication/authorization, ad = administrative, fd = file deletion, pc = process control.
SIEM forwarding options:
- Jamf Protect: Natively exports events to Splunk, Microsoft Sentinel, and other SIEMs via configurable streams. Easiest path for Mac-specific events.
- Fluentd/Filebeat: Open-source log shippers deployable via MDM script. Configure them to forward the BSM files in /var/audit and selected ULS streams.
- Cribl: Observability pipeline that can collect macOS Unified Logs and route to any SIEM. More flexible for complex logging architectures.
Key macOS events to send to SIEM:
- Authentication events (login success/failure, sudo use, privilege escalation)
- LaunchAgent/LaunchDaemon creation or modification
- File system writes to /Library/LaunchDaemons/, /Library/StartupItems/, ~/Library/LaunchAgents/
- Gatekeeper quarantine events (app blocked from running)
- USB/external media mount events
- Network connection events from unexpected processes
The bottom line
macOS hardening in 2026 is not optional for enterprise environments with significant Mac fleets. FileVault, MDM-enforced Gatekeeper, screen lock policy, and local admin password management via LAPS are the minimum viable baseline. Layer on an ESF-based EDR (Jamf Protect, MDE, or CrowdStrike), configure OpenBSM audit logging with SIEM forwarding, and deploy ABM-enrolled MDM with user-removable profiles disabled. The Mac threat landscape has matured — enterprise security programs need to match it.
Frequently asked questions
What is the CIS Benchmark for macOS?
The CIS Apple macOS Benchmark is a set of security configuration recommendations published by the Center for Internet Security, organized into Level 1 (broadly applicable, minimal operational impact) and Level 2 (high-security environments). It covers areas including software update enforcement, FileVault encryption, firewall configuration, service hardening, and account controls. It maps to NIST 800-53 and other compliance frameworks.
Do you need MDM to harden macOS in an enterprise?
Yes. Without MDM, hardening settings can be changed by users, do not scale across a fleet, and cannot be verified centrally. MDM configuration profiles — especially those delivered via Apple Business Manager (ABM) Automated Device Enrollment — are user-removable only if you choose to make them removable. For enforceable hardening, ABM enrollment with supervised mode is required.
What is Jamf Protect and how does it differ from Jamf Pro?
Jamf Pro is the MDM platform for managing macOS and iOS device configuration, software deployment, and policy enforcement. Jamf Protect is a separate EDR product built on Apple's Endpoint Security Framework that provides behavioral threat detection, MITRE ATT&CK-mapped alerts, and SIEM integration. Jamf Pro manages the device; Jamf Protect detects threats running on it. Both are typically deployed together.
Is SIP (System Integrity Protection) something you should disable for enterprise management?
No. SIP should never be disabled in production environments. Any software or tool that requires SIP to be disabled is incompatible with enterprise security standards. SIP prevents modification of system files and processes even by root, eliminating a critical class of persistence and escalation techniques. Apple's MDM framework, legitimate security tools, and all major enterprise software function correctly with SIP enabled.
How does LAPS work for macOS?
Jamf LAPS (available in Jamf Pro 10.47+) and Microsoft LAPS for macOS (via Intune, in preview) generate unique, randomly generated passwords for local admin accounts on each Mac, store them centrally, and rotate them on a configurable schedule. IT staff retrieve individual Mac admin passwords from the management console with access logged. This eliminates the shared local admin password problem that enables lateral movement across Mac fleets.
What macOS-specific threats should enterprise security teams be aware of?
Key macOS threats in 2025-2026: AMOS/Atomic Stealer variants (infostealers delivered via malvertising targeting Mac-specific software searches), malicious LaunchAgents and LaunchDaemons (persistence mechanisms), Adload (persistent adware with evolving delivery), and zero-click browser exploits targeting Safari. The macOS infostealer category has grown significantly, targeting browser credentials, crypto wallets, and SSH keys — all of which live on developer and engineering workstations.
Sources & references
- CIS Apple macOS 15 Sonoma Benchmark v1.0
- NIST SP 800-179r1: Guide to Securing Apple macOS
- Jamf Nation macOS Security Best Practices
- Apple Platform Security Guide 2025
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.