macOS Security Hardening for Enterprise: Complete Checklist and CIS Benchmark Guide
macOS security hardening for enterprise requires a different approach than Windows hardening. Apple's security architecture provides strong defaults — System Integrity Protection, Gatekeeper, XProtect, Secure Enclave, and hardware-backed key storage — but the gap between Apple's defaults and a properly hardened enterprise configuration is significant. macOS now represents nearly a quarter of enterprise endpoints, attackers have responded with a 340% increase in macOS-targeting malware families since 2023, and most SOC teams lack macOS-specific detection logic. This guide covers the full hardening path: MDM baseline controls, CIS macOS Benchmark Level 1 and Level 2 requirements, macOS-specific persistence and evasion techniques, and endpoint security tooling options.
What Apple Provides by Default vs What Requires Configuration
Enabled by default on Apple Silicon Macs:
- System Integrity Protection (SIP): Prevents modification of system files, directories, and processes even by root. Cannot be disabled without booting into Recovery Mode.
- Gatekeeper: Enforces application notarization checks. Only apps signed and notarized by Apple-approved developers run without explicit user override.
- XProtect: Apple's built-in signature-based malware scanner, updated silently. Blocks known malware families at launch.
- XProtect Remediator: Background process that scans and removes known malware on a schedule independent of user action.
- Secure Enclave: Hardware-isolated cryptographic processor managing Touch ID biometrics and keychain encryption keys.
Not enabled by default — requires MDM or manual configuration:
- FileVault full-disk encryption
- Firewall (Application Firewall is off by default)
- Screen lock timeout and password requirements
- Remote Management access restrictions (ARD, SSH)
- Software update enforcement policies
- Privacy preferences for camera, microphone, and location
- Login item restrictions (controlling what runs at startup)
Required MDM Controls: The Non-Negotiable Baseline
Without MDM, macOS hardening is not scalable. Every enterprise macOS fleet should have MDM enrollment as a prerequisite for deployment. The following controls must be enforced via MDM configuration profiles — user-configurable settings that can be changed without MDM are not a reliable security control.
FileVault enforcement
Enable FileVault 2 with institutional key escrow via MDM. Configuration profile payload type: com.apple.MCX.FileVault2. Without FileVault, physical access to a macOS device yields full disk access on Intel Macs. Apple Silicon adds additional boot security, but FileVault is still required for compliance and theft scenarios.
Software Update enforcement
Enforce automatic OS and security update installation via MDM. Profile: com.apple.SoftwareUpdate — AutomaticallyInstallMacOSUpdates. Set maximum update deferral to 14 days for critical security updates. Zero deferral is ideal but operationally challenging for most teams.
Screen lock and password policy
Enforce screen lock after 5 minutes of inactivity with password required immediately. Minimum password length 12 characters, complexity requirements, and 90-day maximum age via com.apple.mobiledevicemanagement.LoginWindow profile.
Disable SSH remote login
SSH should be disabled unless explicitly required. If SSH is required for specific roles, restrict to specific source IPs via /etc/hosts.allow and enforce key-based authentication only. Enforce via MDM configuration profile.
Application Firewall in stealth mode
Enable the macOS Application Firewall in stealth mode via com.apple.security.firewall profile. Stealth mode drops unsolicited probe packets, reducing host discoverability on network scans. Block all incoming connections except specifically allowed services.
Login item and background task restrictions
Use the com.apple.loginitems.managed profile to restrict which apps can add login items and background tasks. This is the primary MDM control against persistence via LaunchAgents — the most common macOS malware persistence mechanism.
Privacy preference policy control (TCC)
Manage Transparency Consent and Control (TCC) permissions via MDM using the com.apple.TCC.configuration-profile-policy profile. Pre-approve required business applications for camera, microphone, contacts, and location access. Deny access for non-required apps.
Gatekeeper enforcement
Enforce Gatekeeper to allow only App Store apps or App Store plus identified developers via com.apple.systempolicy.control — EnableAssessment set to true. Do not allow the Allow apps from Anywhere option under any circumstances.
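The payloads named in this baseline can be assembled and sanity-checked without an MDM console. The script below is an added example, not Apple's code or any MDM vendor's: it builds a .mobileconfig with the firewall, Gatekeeper, Software Update and screen lock payloads using plistlib, then checks that a profile (for instance one exported from the MDM) still enforces the keys the baseline requires. The payload types are the ones given above; the key names inside each payload (EnableFirewall, EnableStealthMode, BlockAllIncoming, AllowIdentifiedDevelopers, AutomaticCheckEnabled, AutomaticDownload, CriticalUpdateInstall, and the com.apple.screensaver keys idleTime, askForPassword and askForPasswordDelay) follow Apple's device management payload documentation as the author of this example knows it and should be confirmed against your MDM's schema. The com.example identifiers and organization name are constructed, and the TCC and login item payloads are left out.

```python
"""Build and sanity-check a macOS baseline configuration profile (.mobileconfig).

Added example: assembles the firewall, Gatekeeper, Software Update and screen
lock payloads with plistlib and verifies that a profile still enforces the
keys the baseline requires. Run it to print the profile XML to stdout.
"""
import plistlib
import uuid

ORG_ID = "com.example.security"  # constructed identifier prefix; use your own


def payload(payload_type, display_name, settings):
    """Wrap the settings of one payload in the envelope keys every payload needs."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_ID}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        **settings,
    }


def baseline_payloads():
    """Payloads for the non-negotiable controls. Key names follow Apple's payload
    documentation as understood by the author of this example; check them against
    your MDM's schema. TCC and login item payloads are left out here."""
    return [
        payload("com.apple.security.firewall", "Application Firewall", {
            "EnableFirewall": True,
            "EnableStealthMode": True,   # drop unsolicited probes
            "BlockAllIncoming": True,    # allow only explicitly permitted services
        }),
        payload("com.apple.systempolicy.control", "Gatekeeper", {
            "EnableAssessment": True,            # never let users turn this off
            "AllowIdentifiedDevelopers": True,   # App Store plus notarized developers
        }),
        payload("com.apple.SoftwareUpdate", "Software Update", {
            "AutomaticCheckEnabled": True,
            "AutomaticDownload": True,
            "AutomaticallyInstallMacOSUpdates": True,
            "CriticalUpdateInstall": True,
        }),
        payload("com.apple.screensaver", "Screen lock", {
            "idleTime": 300,           # seconds: lock after 5 minutes
            "askForPassword": True,
            "askForPasswordDelay": 0,  # require the password immediately
        }),
    ]


def build_profile(payloads=None):
    """Serialize a system-scoped profile to XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{ORG_ID}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS Enterprise Baseline",
        "PayloadOrganization": "Example Corp",  # constructed
        "PayloadContent": baseline_payloads() if payloads is None else payloads,
    }
    return plistlib.dumps(profile)


# Controls that must be present with exactly these values for the profile to
# count as a baseline. Anything else missing is reported as a gap.
REQUIRED = {
    "com.apple.security.firewall": {"EnableFirewall": True, "EnableStealthMode": True},
    "com.apple.systempolicy.control": {"EnableAssessment": True},
    "com.apple.SoftwareUpdate": {"AutomaticallyInstallMacOSUpdates": True},
}


def missing_controls(profile_bytes):
    """Return (payload_type, key) pairs a profile fails to enforce. Useful for
    reviewing a profile exported from the MDM before it is scoped to the fleet."""
    profile = plistlib.loads(profile_bytes)
    by_type = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    gaps = []
    for payload_type, keys in REQUIRED.items():
        present = by_type.get(payload_type, {})
        for key, wanted in keys.items():
            if present.get(key) != wanted:
                gaps.append((payload_type, key))
    return gaps


if __name__ == "__main__":
    data = build_profile()
    print(data.decode())
    print("gaps:", missing_controls(data) or "none")
```

Run the script to print the profile; feed the bytes of an exported profile to missing_controls() to see which baseline keys it drops. Payloads the checker does not know about are ignored, so extend REQUIRED as your baseline grows.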
macOS-Specific Attack Techniques Security Teams Must Detect
LaunchAgent and LaunchDaemon persistence (T1543.001): The most common macOS persistence mechanism. Attackers drop plist files into ~/Library/LaunchAgents/ (user context) or /Library/LaunchDaemons/ (system context) that define processes to run at login or boot. Detection: monitor for new plist files in these directories, particularly those referencing executables in /tmp, ~/Downloads, or hidden directories.
Login items (T1547.015): Applications can register as login items via the Service Management framework. In macOS Ventura and later, login items are visible in System Settings and can be managed via MDM. Detection: audit sfltool dump output and compare against MDM-managed allowlist.
TCC database manipulation: Transparency Consent and Control (TCC) governs camera, microphone, contacts, and location access. Attackers with root access can modify ~/Library/Application Support/com.apple.TCC/TCC.db to grant unauthorized permissions. Detection: monitor TCC database file modification events and flag unexpected database writes.
AppleScript and JXA abuse (T1059.002/T1059.007): AppleScript and JavaScript for Automation (JXA) are native macOS scripting frameworks that can control other applications, access the clipboard, and exfiltrate data with minimal detection surface. Detection: alert on osascript process spawns from unusual parent processes: browsers, document viewers, email clients.
Dylib hijacking and injection (T1574.004): macOS applications load shared libraries from specific paths. Attackers place malicious dylibs in paths searched before the legitimate library location. Detection: monitor for unexpected dylib files appearing in application bundle directories.
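The LaunchAgent detection rule described above can be written as a small scanner. The following Python script is an added example, not code from any of the products discussed: it parses every plist in a LaunchAgents or LaunchDaemons directory, takes the executable from Program or ProgramArguments[0] (the two keys launchd uses), and flags paths under /tmp, /private/tmp (what /tmp resolves to on macOS), /var/tmp, /Users/Shared, a Downloads folder or any hidden directory, noting when RunAtLoad is also set. The sample plists are constructed for the demonstration and are written to a temporary directory so the script runs anywhere; point scan_directory() at a real ~/Library/LaunchAgents or /Library/LaunchDaemons path to use it on a Mac.

```python
"""Flag LaunchAgent/LaunchDaemon plists whose executable lives in a suspicious location.

Added example (not vendor code): parses each plist in a directory, takes the
executable from Program or ProgramArguments[0], and reports paths under /tmp,
/private/tmp (what /tmp resolves to on macOS), /var/tmp, /Users/Shared, a
Downloads folder, or any hidden directory, noting when RunAtLoad is also set.
"""
import os
import plistlib
import tempfile

SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_path(plist):
    """launchd executes Program if present, otherwise ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def is_suspicious(path):
    """Return the list of reasons a program path looks like a persistence stager
    (an empty list means nothing stood out)."""
    expanded = os.path.expanduser(path)  # "~/x" -> "/Users/name/x" on a Mac
    parts = expanded.split("/")
    reasons = []
    if expanded.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("temp-or-shared-dir")
    if "Downloads" in parts:
        reasons.append("downloads-dir")
    # A dot-directory anywhere above the executable ("." and ".." are not hidden).
    if any(p.startswith(".") and p not in (".", "..") for p in parts[:-1]):
        reasons.append("hidden-dir")
    if not (expanded.startswith("/") or path.startswith("~")):
        reasons.append("relative-path")  # resolved against launchd's working dir
    return reasons


def scan_directory(directory):
    """Return one finding per plist whose program path raised a reason.
    Unparseable plists are reported too: a broken file in LaunchAgents is itself odd."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # InvalidFileException, ExpatError, OSError ...
            findings.append({"file": name, "label": None, "program": None,
                             "reasons": ["unparseable:" + type(exc).__name__]})
            continue
        program = program_path(plist)
        if program is None:
            continue
        reasons = is_suspicious(program)
        if reasons and plist.get("RunAtLoad") is True:
            reasons.append("run-at-load")
        if reasons:
            findings.append({"file": name, "label": plist.get("Label"),
                             "program": program, "reasons": reasons})
    return findings


# Constructed sample agents for the demonstration; none correspond to real software.
SAMPLE_AGENTS = {
    "com.example.updater.plist": {          # benign: lives inside an app bundle
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 3600,
    },
    "com.apple.fake.plist": {               # stager in a hidden dir under /tmp
        "Label": "com.apple.fake",
        "ProgramArguments": ["/tmp/.cache/agent", "-d"],
        "RunAtLoad": True,
    },
    "com.helper.plist": {                   # runs straight out of Downloads
        "Label": "com.helper",
        "Program": "~/Downloads/helper",
        "RunAtLoad": True,
    },
}


def run_demo():
    """Write the constructed plists to a temp dir and scan it, so the example runs anywhere."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_AGENTS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(content, fh)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}: {f['program']} -> {', '.join(f['reasons'])}")
```

The benign agent inside /Applications produces no finding; the other two are reported with every reason that applied. In production the same logic would run from a file-creation event on these directories rather than as a periodic walk, and the reasons list maps directly onto alert severity (a hidden temp-dir binary with RunAtLoad deserves a higher score than a Downloads path alone).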
macOS Endpoint Security Tooling Comparison
| Tool | macOS Depth | Apple Silicon | MDM Integration | Best For |
|---|---|---|---|---|
| Jamf Protect | Excellent (macOS-only) | Native | Native (Jamf Pro) | macOS-first shops, Jamf MDM environments |
| CrowdStrike Falcon | Strong (cross-platform) | Yes | Good (Jamf/Mosyle) | Mixed Windows/macOS fleets, unified platform |
| SentinelOne | Strong (cross-platform) | Yes | Good | Mixed fleets, autonomous response |
| Microsoft Defender (macOS) | Adequate | Yes | Via Intune | Microsoft E5 licensees, Intune-managed fleets |
Jamf Protect is macOS-native: it uses Apple's Endpoint Security Framework (ESF) directly, has no Windows legacy in its codebase, and integrates natively with Jamf Pro for MDM enforcement alongside detection. Its threat detection is macOS-specific — LaunchAgent monitoring, TCC event tracking, AppleScript execution — in ways that cross-platform agents often miss. The tradeoff is macOS-only coverage, requiring a separate EDR for Windows endpoints.
CIS macOS Benchmark: Level 1 and Level 2 Key Controls
The CIS Apple macOS Benchmark defines two profile levels. Level 1 controls are the minimum baseline for any enterprise macOS deployment. Level 2 adds defense-in-depth controls that may impact usability.
Level 1 essentials (apply to all enterprise macOS):
- Enable FileVault with institutional key escrow
- Ensure all Apple-provided software is current (auto-update enforced)
- Enable Gatekeeper — do not allow unsigned/unnotarized applications
- Enable Application Firewall in stealth mode
- Disable SSH remote login (or restrict to allowlisted IPs)
- Disable remote Apple Events
- Ensure screen lock activates after 5 minutes of inactivity
- Ensure password complexity is enforced via MDM
- Disable Bluetooth when not in use (enforce via MDM where feasible)
- Ensure NTP time synchronization is enabled and points to a trusted source
Level 2 additions (higher security, potential workflow impact):
- Disable iCloud Drive syncing for organization-managed devices
- Disable Siri on managed endpoints
- Restrict Handoff and Continuity features between personal and managed devices
- Disable content caching to prevent local network data exposure
- Restrict AirDrop to Contacts Only via MDM (disable to Everyone)
Audit compliance using Jamf Pro compliance reporting, Mosyle compliance dashboards, or run sudo lynis audit system on individual endpoints for spot-checking.
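For a quick spot-check of the Level 1 items that the built-in command line tools report on (FileVault, Gatekeeper, firewall and stealth mode, SIP, remote login and remote Apple Events), the script below is an added example rather than Lynis or CIS-CAT: it runs each status command and tests its output for the marker string a compliant Mac prints, so the parsing can be exercised offline against captured output. The marker strings reflect what fdesetup, spctl, socketfilterfw, csrutil and systemsetup print on current macOS releases as observed by the author of this example; confirm them on the release you run, and note that systemsetup needs root, so run the script with sudo for the remote login and Apple Events checks to be meaningful.

```python
"""Spot-check a Mac against CIS Level 1 items by parsing built-in tool output.

Added example (not Lynis or CIS-CAT): runs each status command, looks for the
compliant marker string, and groups results into passed / failed / skipped.
Skipped means the tool is absent (not a Mac) or would not run (needs root).
"""
import shutil
import subprocess

# (argv, marker printed on a compliant system). Markers as observed on current
# macOS releases by the author of this example; confirm on your release.
CHECKS = {
    "filevault_on": (["fdesetup", "status"], "FileVault is On"),
    "gatekeeper_on": (["spctl", "--status"], "assessments enabled"),
    "firewall_on": (["/usr/libexec/ApplicationFirewall/socketfilterfw",
                     "--getglobalstate"], "Firewall is enabled"),
    "stealth_on": (["/usr/libexec/ApplicationFirewall/socketfilterfw",
                    "--getstealthmode"], "Stealth mode enabled"),
    "sip_on": (["csrutil", "status"], "System Integrity Protection status: enabled"),
    "ssh_off": (["systemsetup", "-getremotelogin"], "Remote Login: Off"),  # root
    "apple_events_off": (["systemsetup", "-getremoteappleevents"],
                         "Remote Apple Events: Off"),  # root
}


def evaluate(check, output):
    """True when the tool's output contains the compliant marker string."""
    _, marker = CHECKS[check]
    return marker in output


def run_check(check):
    """Run one check on this machine. Returns True/False, or None when the tool
    is missing or produced nothing usable (for example systemsetup without root)."""
    argv, _ = CHECKS[check]
    if shutil.which(argv[0]) is None:
        return None
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    output = proc.stdout + proc.stderr
    if proc.returncode != 0 and not proc.stdout:
        return None
    return evaluate(check, output)


def summarize(results):
    """Group {check: True/False/None} into passed / failed / skipped lists."""
    buckets = {"passed": [], "failed": [], "skipped": []}
    for name in sorted(results):
        value = results[name]
        bucket = "skipped" if value is None else ("passed" if value else "failed")
        buckets[bucket].append(name)
    return buckets


if __name__ == "__main__":
    results = {name: run_check(name) for name in CHECKS}
    for bucket, names in summarize(results).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Because evaluate() is separate from run_check(), the marker logic can be regression-tested against output captured from each macOS release before the script is trusted in a fleet-wide compliance job; the "failed" bucket is what feeds a ticket or an MDM remediation policy.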
The bottom line
macOS security hardening starts with MDM enrollment — without it, no setting is reliably enforceable at scale. The non-negotiable baseline is FileVault, Gatekeeper enforcement, Application Firewall, automatic update enforcement, and screen lock policy via MDM configuration profiles. Layering macOS-specific endpoint detection (Jamf Protect for macOS-first shops, CrowdStrike or SentinelOne for mixed fleets) gives visibility into the persistence and evasion techniques that Windows-centric detection logic will miss. Run the CIS macOS Benchmark to assess your current posture and prioritize Level 1 controls before moving to Level 2.
Frequently asked questions
What is the CIS macOS Benchmark?
The CIS Apple macOS Benchmark is a set of security configuration guidelines published by the Center for Internet Security. It defines Level 1 (minimum baseline, low workflow impact) and Level 2 (defense-in-depth, higher security impact) controls covering FileVault encryption, Gatekeeper, firewall settings, SSH configuration, software update enforcement, and user account security. Download it free from cisecurity.org.
Is SIP enough to protect macOS?
SIP prevents modification of system directories and binaries even by root, which is a strong protection against some malware persistence techniques. But SIP does not protect user-writable directories like ~/Library/LaunchAgents/, does not prevent malicious applications from running (Gatekeeper handles that), and does not protect against credential theft from the keychain or TCC database manipulation. SIP is one layer in a properly hardened configuration, not a complete defense.
What is the most common macOS persistence technique attackers use?
LaunchAgents and LaunchDaemons are the most prevalent macOS persistence mechanisms observed in malware. Attackers drop plist files into ~/Library/LaunchAgents/ (user-context) or /Library/LaunchDaemons/ (system-context) that define processes to execute at login or boot. Detection requires monitoring for new plist file creation in these directories, particularly when the referenced executable is in /tmp, ~/Downloads, or a hidden directory.
Do I need a separate macOS EDR if I have CrowdStrike or SentinelOne?
CrowdStrike Falcon and SentinelOne both provide solid macOS agent coverage and are suitable for mixed Windows/macOS fleets. For organizations with large macOS-primary fleets — developers, creative studios, financial advisors using Apple hardware — Jamf Protect offers deeper macOS-native detection using Apple's Endpoint Security Framework directly. It catches macOS-specific techniques like TCC event anomalies and JXA execution patterns that cross-platform agents are slower to add detection for.
What macOS MDM solution should enterprises use?
Jamf Pro is the enterprise standard for macOS MDM, with the deepest configuration profile support, the largest app catalog, and native integration with Jamf Protect for security enforcement. Microsoft Intune supports macOS MDM and is a natural fit for Microsoft E5 shops. Mosyle is a strong alternative for education and SMB environments. Any MDM is far better than none — without MDM enrollment, macOS security configuration cannot be reliably enforced at scale.
How do I audit macOS endpoints for CIS Benchmark compliance?
Jamf Pro has built-in compliance reporting against the CIS macOS Benchmark if you have Jamf Protect licensed. For individual endpoint auditing, run Lynis (open source: sudo lynis audit system) which produces a scored hardening report. For scripted compliance checking, the CIS-CAT tool from the Center for Internet Security provides automated benchmark assessment. The macOS STIG from DISA/cyber.mil is the reference for government or highly regulated environments.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.