Configuration guide: macOS compliance

The configuration options on this page are only accessible to administrators.

Refer to the Usage guide: macOS compliance to use library content as a standard user.

This library pack will help you monitor and manage macOS operating systems to ensure stability, compliance, and performance. This page will guide you through the structure of the content.

Prerequisites

This library pack contains content from the following required expansion products:

Some of these products offer default access to their respective content and can still be used without expansion products.

To learn more about default thresholds for expansion products, visit the extended documentation.

Included content and dependencies

This library pack contains the following content and dependencies:

Type
Name
Description
Dependencies

macOS compliance

Helps to monitor and manage macOS operating systems to ensure their stability, compliance, and performance

none

Get XProtect status

Provides information about the status of the macOS XProtect (macOS built-in antivirus software) automatic update setting on macOS devices.

Required to populate specific dashboard widgets.

Get firewall options

Provides information about the status of the macOS firewall on macOS devices.

Required to populate specific dashboard widgets.

Invoke macOS enterprise compliance

This remote action provides information about the status of macOS, performing a compliance evaluation on macOS devices by checking several configurations related to security settings, certificate checks, and software validations.

Required to populate specific dashboard widgets.

Get encryption information

Gets an APFS file system disk encryption and decryption information in addition to checking whether FileVault is enabled or not.

Required to populate specific dashboard widgets.

Get macOS updates and restart information

Gets information about macOS devices - the number of days since the last restart, whether there are pending updates, a list of names of pending updates, and others.

Required to populate specific dashboard widgets

Test pending reboot

Checks if the device is waiting to reboot for an update.

Required to populate specific dashboard widgets.

Set firewall options

Configures firewall settings under System Preferences - Security & Privacy - Firewall on macOS devices.

none

Set XProtect status

none

Set auto updates

Configures additional macOS automatic update settings under System Preferences - Software Update - Advanced on macOS devices.

noone

OS targeted quality update version

Defines the target quality update versions of Windows and macOS operating systems.

Required to populate specific dashboard widgets.

OS supported version

Determines which Windows and macOS operating system versions, editions, and builds are supported.

Required to populate specific dashboard widgets.

OS targeted feature update version

Defines the target feature update versions of Windows operating systems. Typically, this custom field requires version updates every month.

Required to populate specific dashboard widgets.

Configuring macOS compliance

Adapt these suggested configuration steps to edit and customize content according to your organizational needs.

Follow these steps to install and configure content:

  • Before configuration - Install library pack content from Nexthink Library

  • Step 1 - Configure remote actions

  • Step 2 - Configure custom fields

Step 1 - Configure remote actions

Navigate to the manage remote actions administration page to review and edit your remote actions.

We recommend the following configurations for these remote actions:

Name
Trigger
Schedule query

Get XProtect status

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Get firewall options

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Invoke macOS enterprise compliance

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Get encryption information

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Get macOS updates and restart information

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Set firewall options

Manual, can be triggered on multiple devices

Manual actions cannot be scheduled

Set XProtect status

Manual, can be triggered on multiple devices

Manual actions cannot be scheduled

Set auto updates

Manual, can be triggered on multiple devices

Manual actions cannot be scheduled

Step 2 - Configure custom fields

Navigate to the manage custom fields administration page to review and edit your custom fields.

Operating system versions in the custom fields below are subject to change due to regular patches released by vendors and Apple and Microsoft support policies.

Typically, these versions must be updated in the custom fields once a month to ensure you have the most current patch versions.

We recommend the following configurations for these custom fields:

Name
NQL ID
Rule name
Object
NQL query

OS targeted quality update version

os_targeted_quality_update_version

macos_sonoma

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Sonoma 14.6*"

OS targeted quality update version

os_targeted_quality_update_version

macos_ventura

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Ventura 13.6.8*"

OS targeted quality update version

os_targeted_quality_update_version

macos_monterey

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Monterey 12.7.6*"

OS targeted quality update version

os_targeted_quality_update_version

windows_10_quality_update

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 10*"
3 | where (operating_system.name == "*22h2*" and operating_system.build >= v19045.4717) or (operating_system.name == "*21h2*" and operating_system.build >= v19044.4651)

OS targeted quality update version

os_targeted_quality_update_version

windows_11_quality_update

device

1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 11*"
3 | where (operating_system.name == "*22H2*" and operating_system.build >= v22621.3958) or (operating_system.name == "*23H2*" and operating_system.build >= v22631.3958)

OS targeted feature update version

os_targeted_feature_update_version

windows_10_feature_update

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 10*"
3 | where (operating_system.name =="Windows 10*22H2*" or (operating_system.name =="Windows 10*21H2*" and device.operating_system.name == "*ltsc*"))

OS targeted feature update version

os_targeted_feature_update_version

windows_11_feature_update

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 11*"
3 | where operating_system.name == "*23H2*"

OS supported version

os_supported_version

macos_unsupported_version

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name !in ["*Ventura*","*Monterey*","*Sonoma*"]

OS supported version

os_supported_version

macos_supported_version

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name in ["*Ventura*","*Monterey*","*Sonoma*"]

OS supported version

os_supported_version

windows_unsupported_version

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
3 | where (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.name in ["*windows 11*"] and operating_system.build < v22621.521) or (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.build < v19045.0) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.build < v19045.2130) or (operating_system.name in ["*enterprise*", "*education*"] and operating_system.name !in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or (operating_system.name in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or operating_system.name == "*Windows 7*" or operating_system.name == "*Windows 8*" or operating_system.build < v7601.0

OS supported version

os_supported_version

windows_supported_version

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
3 | where (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22000.194) or (operating_system.name !in ["*ltsc*", "*ltsb*", "*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22621.521) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name == "*windows 10*" and operating_system.name in ["*enterprise*", "*education*"] and operating_system.build > v19044.1288) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.name == "windows 10*" and operating_system.build > v19045.0) or (operating_system.name in ["*ltsc*", "*ltsb*"] and operating_system.build > v19044.0)

RELATED TOPICS

Last updated