Hello!

Anyone have suggestions for securing Macs in a highly regulated HIPAA environment?

Any good weblinks or online communities where I can review the best practices of others?

Thank you in advance!

Depends on what you're looking to do and what perspective you're coming from (I assume you're referring to just workstations, not the broader-picture infrastructure). For us (we're HIPAA/PHI/PFI), it is tightly controlled based on job role. At a minimum, I would say look for a few high-level boxes to check:

  • AD bound to restrict access
  • FV2 encrypt
  • Anti-Virus
  • DLP type product (for better or worse - we use Digital Guardian)
  • Casper (or other) managed to ensure compliance, host checking, etc.

We use restrictive (draconian) methods to ensure we stay safe. For example, DG can be configured to force all network traffic through VPN to be filtered.

That help?


I agree with @easyedc in that it depends on your specific environment. I also work in a HIPAA nightmare, and I learned that other companies we work tightly with have much looser HIPAA requirements than we're held to. You'll have to find out what your organization's requirements are and then approach each item on their checklist. We have AD, FV2, McAfee (malware and firewall), ecat, netskope, web proxy, network firewall, and Casper. Casper handles our USB stick lockdown via Profile. We also have the additional requirement that all computers must be chained to the desk; unfortunately, Apple thought this was a silly requirement and removed the security hole from all laptops.


@AVmcclint When we first started discussing allowing Mac minis on the floor 5 or 6 years ago, due to their small footprint and easy portability, these were seriously discussed.

However we ended up sticking them in a secure server room and giving people cheap PCs to remote into them for work. Yeah.


As a follow-up to the thought, you'll find a lot more securing agents out there for PCs than for macOS, just the nature of the beast. We use MANY agents on Windows that simply don't have a macOS counterpart, but our vendors are catching up. Our security mantra (which is literally printed over the door leading to their floor) is "we must protect the mothership." In the days when every security breach becomes a national headline, it does make sense to over-protect.


@jskidmore @easyedc @AVmcclint

Are any of you guys using santa or osquery with your current solutions?

thx


This is exactly the reason that we use JAMF! I would start with the CIS and NIST benchmarks. We use JAMF to implement and report on all of them. We also use Nessus to scan for vulnerabilities on our Macs regularly to make sure that everything is in place. Extension attributes are a great way to get information and reporting on compliance, as well. JAMF occasionally does webinars about this.

https://www.jamf.com/resources/webinar/cis-checklist-how-to-secure-macos-like-a-pro
https://www.jamf.com/resources/webinar/apple-security-101
https://www.jamf.com/resources/webinar/securing-macs-with-the-casper-suite

https://www.cisecurity.org/cis-benchmarks/
https://nvd.nist.gov/ncp/repository

Feel free to reach out to me with any more specific questions. I'm happy to help you get started.
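To make the "extension attributes for compliance reporting" point concrete, here is an added example of a Jamf extension attribute script that reports whether three CIS-style controls (FileVault, Gatekeeper, the application firewall) are in place. It is not Jamf's code, not text from the CIS benchmark, and not something posted in this thread; the choice of the three checks, the EA name "Compliance - Core Controls", and the "Compliant"/"Non-compliant" value format are assumptions for illustration. Each check takes the raw command output as an argument so the logic can be exercised with captured strings, and the live collection only runs on macOS.

```shell
#!/bin/bash
# Added example: a Jamf extension attribute (EA) that reports core-control
# compliance. Not Jamf's code and not from the CIS benchmark; the three
# checks and the EA name "Compliance - Core Controls" are assumptions.
#
# Jamf stores whatever appears between <result></result> on stdout, so a
# smart group can target Macs whose value is anything but "Compliant".

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
    case "$1" in
        *"FileVault is On."*) echo "pass" ;;
        *) echo "fail" ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled"
check_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) echo "pass" ;;
        *) echo "fail" ;;
    esac
}

# `socketfilterfw --getglobalstate` prints "Firewall is enabled. (State = 1)"
# when on and "Firewall is disabled. (State = 0)" when off
check_firewall() {
    case "$1" in
        *"Firewall is enabled"*) echo "pass" ;;
        *) echo "fail" ;;
    esac
}

# Combine the three pass/fail results into the EA value. Anything short of
# three passes names the failing controls so the inventory record is
# actionable rather than a bare "fail".
summarize() {
    fv="$1"; gk="$2"; fw="$3"
    failed=""
    [ "$fv" = "pass" ] || failed="$failed FileVault"
    [ "$gk" = "pass" ] || failed="$failed Gatekeeper"
    [ "$fw" = "pass" ] || failed="$failed Firewall"
    if [ -z "$failed" ]; then
        echo "Compliant"
    else
        echo "Non-compliant:${failed}"
    fi
}

# Live collection runs only on macOS; on other systems the functions are
# merely defined, which is what lets the checks be tested with sample strings.
if [ "$(uname)" = "Darwin" ]; then
    fv_raw="$(/usr/bin/fdesetup status 2>/dev/null)"
    gk_raw="$(/usr/sbin/spctl --status 2>/dev/null)"
    fw_raw="$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)"
    result="$(summarize "$(check_filevault "$fv_raw")" \
                        "$(check_gatekeeper "$gk_raw")" \
                        "$(check_firewall "$fw_raw")")"
    echo "<result>${result}</result>"
fi
```

Paste the script into an extension attribute of data type String, then build a smart group on "Compliance - Core Controls" is not "Compliant" for remediation policies or reporting. The checks match on the human-readable output of the Apple tools, so verify the strings against the macOS versions you actually run before relying on them.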


@Nix4Life I am not using santa or osquery.


@annamentzer I appreciate the info. I'll check over CIS and NIST

I already implement everything @easyedc does. I am just looking for further best practices to stay ahead of the game.


@annamentzer I would like to but am not seeing a way for me to.


@annamentzer brings up a great list of references. We stopped being able to rely on the CIS doc because it had not been updated for several years, but I see that it was published again for 10.12. I am looking through old notes, but I believe there was also a DoD hardening doc that we referenced when CIS stopped getting published.


FWIW, Benchmarks for 10.8, 10.9, 10.10, 10.11, and 10.12 are available online.
10.13 is in development.

CIS Benchmarks

It does take a while to get them published (join the committee to help speed it up!), but they've never missed one that I'm aware of. Not sure why it seemed they were not being published.