Hey Adam-B,
CIS Level 1 is meant for basic security hardening rather than making changes to core functionality. Level 1 aims to not disrupt productivity and focuses on:
• Enforcing password policies
• Enabling FileVault
• Disabling automatic login
• Configuring Gatekeeper and Firewall
• Enabling system updates
Some policies in Level 1 do enforce changes, but these are generally low risk. Level 2 is more restrictive and can impact workflows more. That said, with Level 1 you may encounter minor friction with things like kernel extensions, unsigned apps, or automatic login removal.
You can configure CIS Level 1 using the new Jamf Blueprints. I recently used Blueprints to configure CIS Level 1 for Tahoe, and it took just a few minutes to deploy. The Blueprint allows you to choose a group to apply the settings to. If you’re concerned, you could apply the Level 1 settings to a test Mac first to see how things behave before deploying to production.
Hope that helps!
CIS isn’t an all-or-nothing setup. You need to decide what level of risk is acceptable for what parts of your org. As an example, for most of an org, AirDrop could be a strict no. But if you have photographers, they may need it, so that would be an acceptable risk.
Hi there!
Yes, some CIS Level 1 settings can break functionality — especially for developers (Terminal, Xcode, Homebrew) and executives (iCloud, AirDrop, keychain autofill). A few can also interfere with JAMF enrollment or remote management.
Best approach: test on a small pilot group first and adjust scopes before full rollout.