Truly useful guidance from the STIG (Not the race car driver)
The US Department of Defense (DoD) and Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) recommend keeping macOS up to date and allowing access to Apple network services for management.
--
Apple macOS 11 STIG: https://public.cyber.mil/stigs/downloads/?dl_facet_stigs=operating-systems,mac-os
See: U_Apple_macOS_11_V1R1_Supplemental.pdf
2.1 Malware Protection
macOS includes built-in protections against malware. Gatekeeper ensures that by default, only trusted software runs on a Mac. XProtect is a built-in signature-based antivirus tool that helps protect macOS from malware infections. XProtect definition files are updated by Apple automatically, independent of OS updates. Malware Removal Tool is an engine used to remediate infections should one find its way on to a Mac. The Malware Removal Tool is updated by Apple on systems configured to receive automatic security updates.
More information about these built-in tools can be found at the following links:
https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web
https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/
2.2 Software Updates
Keeping macOS up to date ensures it has the latest enhancements and security controls in place. This STIG requires that all updates come from an approved source. Apple is considered a DoD- approved source. Apple-provided updates must be installed on Apple macOS devices when available. Apple provides the capability for DoD support staff to test most updates before they are released.
Section 2.4.1 Use of Apple Products on Enterprise Networks
Automated deployment and management of Apple devices may require access to specific network services. Apple publishes detailed information about which hosts and ports are required to use Apple products on enterprise networks at the following links:
https://support.apple.com/en-us/HT210060
https://support.apple.com/en-us/HT203609
Configuration of a network using this information is approved for DoD use. If the firewall supports using hostnames, the Apple services above can be used by allowing outbound connections to *.apple.com. If the firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple.
2.4.2 Apple Push Notification Service (APNs)
APNs is a platform notification system that developers use to send notification alerts to devices manufactured by Apple, Inc. In addition to app-based alerts, APNs is used by Mobile Device Management (MDM) servers to manage enrolled devices.
APNs is an encrypted and authenticated communication protocol approved for DoD use.
Apple publishes detailed information about which hosts and ports are required to use Apple products on enterprise networks at the following links:
https://support.apple.com/en-us/HT210060
https://support.apple.com/en-us/HT203609
