Securing Macs in your organisation: The basics


If you’re managing security across a large Mac estate in your organisation and finding it both intimidating and confusing, we’re here to tell you that it doesn’t have to be this way. With a little help from Apple’s built-in security features, as well as a few recommendations from Apple device management experts, your IT team can tackle common security issues with ease.

Security can be a tough nut to crack. The reality is, when you’re responsible for your business’ Mac estate, you want to ensure that you’re getting the job done properly, and that the devices can be used safely and securely. Of course, you need your Mac security to comply with existing network security measures, too.

How can macOS help?

If you’ve made the jump to macOS Sierra (which we recommend), there’s a plethora of ways it can help your Mac estate stay secure.

Regular software updates from Apple ensure that your machines always have access to the latest and safest version of macOS, while Gatekeeper protects you from any malicious apps. The safest place to download apps from is the Mac App Store, but if you’re downloading from the internet, developers can receive a Developer ID from Apple that helps Gatekeeper identify unscrupulous software and block installation from unapproved developers.

FileVault 2 keeps your data safe and secure by encrypting the entire drive on your Mac – and it’s fast and unobtrusive to boot. Users can even encrypt removable drives, which makes it ideal for securing Time Machine backups or external devices. And if you want a clean start or to give your Mac to someone else, you have access to instant wipe functionality that removes encryption keys, rendering data inaccessible, then performs a complete wipe of every last scrap of data on the disk. Best of all, it’s relatively easy to set up and initial encryption won’t take long so you can get right back to work once it’s done.

The upcoming Apple File System (APFS) looks set to revolutionise everything, including imaging, backup, OS upgrades and security. Fortunately, this is a good thing as APFS is optimised for Flash/SSD storage and features strong encryption, copy-on-write metadata, space sharing, cloning for files and directories, snapshots, fast directory sizing, atomic safe-save primitives, and improved file system fundamentals. You can read more about it here.

What do the experts recommend?

The Center for Internet Security (CIS) is an organisation specialising in cyber security. As internationally recognised specialists, they set the standard for macOS security. Making their security recommendations a part of your day-to-day practices will ensure you’ve got all bases covered.

Click here to check out a few of their benchmark recommendations for macOS security – they even provide terminal level suggestions for enabling and disabling certain features.
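As an added example (not taken from the CIS benchmark or from this article), the shell script below checks two of the settings discussed above, FileVault and Gatekeeper, on a single Mac using the built-in `fdesetup` and `spctl` tools. The function names are illustrative, and the script assumes the usual wording of those tools' status output.

```shell
#!/bin/sh
# Added example: report FileVault and Gatekeeper state on one Mac.
# fdesetup and spctl ship with macOS; the function names are illustrative.

# Classify the text printed by `fdesetup status`.
# A conversion that is still running is reported separately, because the
# disk is not fully encrypted (or decrypted) until it finishes.
filevault_state() {
    case "$1" in
        *"in progress"*)      echo "in-progress" ;;
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Classify the text printed by `spctl --status`.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "on" ;;
        *"assessments disabled"*) echo "off" ;;
        *)                        echo "unknown" ;;
    esac
}

# Print one summary line; return non-zero unless both settings are "on".
compliance_line() {
    fv=$(filevault_state "$1")
    gk=$(gatekeeper_state "$2")
    echo "filevault=$fv gatekeeper=$gk"
    [ "$fv" = "on" ] && [ "$gk" = "on" ]
}

# Run the real tools only where they exist (that is, on macOS).
audit_this_mac() {
    if command -v fdesetup >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
        compliance_line "$(fdesetup status 2>&1)" "$(spctl --status 2>&1)"
    else
        echo "fdesetup/spctl not found: not a macOS host"
        return 2
    fi
}

audit_this_mac || true
```

The one-line summary is easy to collect from many machines, so the same check can feed an inventory report of devices that are not yet encrypted.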

How can you meet security benchmarks like this for large scale Mac estates?

MDM (mobile device management) solutions like Jamf Pro allow users to control the settings, security, permissions and applications on any mobile device in your organisation, whether that be tablets, smartphones, laptops or even things like POS kiosks or mobile printers. It provides a single, centralised overview of your organisation’s mobile estate, no matter how many locations or platforms it covers. Such solutions also bolster device security and offer superior protection for your company data.

MDM tools should provide FileVault 2 controls so IT administrators can administer encryption and recovery keys, and can also help your organisation manage system preferences for your devices. This includes enabling FileVault 2 across your company to ensure data security, as well as iCloud preferences relating to file backup. Similarly, passwords and keys can be escrowed in Jamf Pro’s Server Inventory so you can rest easy knowing they’re stored securely in a central location.

Similarly, device management platforms are also great for handling system access, authentication and authorisation processes. This includes things like certificate distribution, with any good management tool utilising computer-level certificates to protect a company’s assets in a variety of ways. Typically, this includes certificate authentication for machines being integrated into an organisation’s network. Likewise, most management solutions should permit admins to configure a server that will act as a certificate authority, which will then be used to manage certificate services across an organisation’s computer network.

MDM tools can even help with log management, which is ideal for ensuring system and network security, and regulatory compliance. Logs are created on almost all devices, and if you’re running a large Mac estate you’re likely having to handle a large volume of them. They’re essential for analysing and solving bug issues, and testing new features during early development stages. So having a device management solution that can organise logs will save you time and money in the long run, and help you tackle future problems before they arise.

MDM solutions also support patch management, which allows admins to monitor the latest software updates for devices and applications, ensuring they’re up to date and secure – take a look at our mini guide to patch management.

Want to know more about getting started with Mac security, and how MDM solutions such as Jamf Pro can help your business keep on top of everyday IT tasks and meet security benchmarks? Give us a call on 03332 409 366, email enterprisesupport@Jigsaw24.com, head to Jigsaw24.com/enterprise-support or pop your details in the form below. For all the latest news and reviews, follow us on Twitter @WeAreJigsaw24 and ‘like’ us on Facebook.

Apple in the public sector: How secure is iPad?


iPad was the first tablet to introduce 256-bit encryption, and includes four levels of security. Protection at device, network, data and platform level means that iOS is now one of the most secure platforms available. Testament to its security, iPad and iPhone have been given clearance for Impact level 3 work by CESG, meaning they can be used for restricted work.

iOS is designed to secure the contents of your iPad and iPhone from the moment you turn it on

As with the Mac, Apple make both the hardware and the software. On a hardware level, features such as app sandboxing, ASLR and the 256-bit encryption engine help protect against malware and viruses, whereas tools within iOS further secure data and personal information.

Within the operating system, apps requesting information or data from Calendar, Contacts, Reminders and Photos will ask for your permission in order for them to proceed. Support for a passcode means that you can prevent unauthorised access to the device, and it can even be set up so that too many failed attempts results in data on the device being deleted.

iOS is also completely compatible with a range of mobile device management solutions. While Apple Configurator will allow you to deploy profiles and the Find my iPhone functionality lets you locate and wipe lost devices, with MDM, you can ensure that all devices have encryption turned on, can monitor usage and restrict access to different apps. It’s also possible to partially wipe only information rather than the entire contents.

Steps for ensuring that data is encrypted

In light of a number of high profile cases where organisations have been fined for data being lost through device theft, it’s more important than ever to ensure that you can guarantee that all sensitive information on devices is secure and encrypted.

If devices are enrolled in a management solution, such as Casper Suite or Absolute Manage, then IT teams have complete control. Should the device go missing, it can be completely wiped of sensitive information. In addition, if the device is enrolled in a backup solution like Code42 CrashPlan PROe, the user can have profiles, preferences and data remotely reinstalled on a new device.

1. Get a management solution. Whichever you choose, it’s important to enrol devices (computers, tablets and phones) into a solution that includes remote wipe functionality.

2. Within the management solution, IT can run a report on all devices in the environment that don’t have data encryption.

3. Remotely inform users that they should have disk encryption enabled.

Your iPad security feature checklist
  • Secure Boot Chain.
  • App sandboxing.
  • DFU mode.
  • Address Space Layout Randomisation.
  • File and Keychain data protection.
  • Encrypted iTunes backup.
  • Support for encrypted email and S/MIME.
  • Configuration enforcement.
  • Remote wipe.

 

Want to know more about how iPad can improve your IT security? Give our team a call on 03332 409 306 or email sales@Jigsaw24.com. To keep up with all the latest news, follow @WeAreJigsaw24 on Twitter or ‘Like’ us on Facebook