Usage guide: macOS compliance

This page outlines various ways to use the pack, including use case examples.

Administrators can refer to the Configuration guide: macOS compliance to set up and customize the installed content.

The macOS compliance library pack enables EUC teams to:

  • Monitor and manage macOS operating systems to ensure stability, compliance, and performance.

  • Identify IT infrastructure areas of improvement and quickly provide reporting data.

In addition, this library pack offers preconfigured remote actions to take action and drive awareness.

Please remember that this guide represents only a few potential insights and actions you can take. You may uncover many more use cases and specific troubleshooting scenarios in your environment.

Library pack uses

Jump to Use cases on this page to see relevant scenario applications.

Use the library pack content for the following purposes.

Gain insights into macOS devices' stability, security, and compliance in your environment through an intuitive dashboard. Leverage this information to identify non-compliant devices, address security gaps, and ensure alignment with organizational standards. Use detailed tabs to explore specific issues and take corrective actions based on customizable data fields.

Gain visibility into device insights

The "Summary" live dashboard acts as the starting point of this library pack. It provides a single environment for managing the security, stability, and compliance of macOS devices in your environment. You can go to the corresponding tab for more details based on the information highlighted here.

  • Devices: The number of macOS devices in the Nexthink platform and their versions.

  • Digital Experience Score (DEX): This section shows the average DEX score of macOS devices next to the average DEX score of devices running other operating systems. This enables a comparison of the DEX performance of macOS devices with the average score of all other device types over the last 30 days, as shown in the "All Devices (DEX)" widget.

  • Security: This section identifies devices with security issues (XProtect, firewall, antivirus).

  • Stability: This section identifies devices with stability issues such as hard resets or crashes.

  • Update and target state: This section identifies the number of devices that run an unsupported macOS version, are not on the target update, or have pending updates.

  • Compliance check: This section identifies the number of devices that have not passed the security, certificates, or management checks. This KPI depends on the execution of the 'invoke_macos_enterprise_compliance' remote action.

Manage and troubleshoot devices

You can rely on the results of specific data-gathering remote actions for more in-depth investigations.

  • Get macOS updates and restart information (macOS only): This remote action allows you to get information about macOS devices, such as the number of days since the last restart, whether there are pending updates, a list of names of pending updates, and others.

  • Get firewall options (macOS only): This remote action allows you to check the status of your device firewall settings under System Preferences > Security & Privacy > Firewall on macOS devices.

  • Get XProtect status (macOS only): This remote action allows you to get the status of your device XProtect settings under System Preferences > Software Update > Advanced on macOS devices.

  • Get encryption information (macOS only): This remote action gets APFS file system disk encryption and decryption information, in addition to checking whether FileVault is enabled.

  • Invoke macOS enterprise compliance: This remote action performs a compliance evaluation on macOS devices by checking several configurations related to security settings, certificate checks, and software validations, and reports the status of each check.

Some of these data-gathering remote actions populate the live dashboard and should already be scheduled. You can query the results by investigating KPIs from the Live dashboard or from your own investigations.

To resolve some of the detected issues, the following remote actions can be triggered when required:

  • Set firewall options (macOS only): This remote action configures the firewall settings under System Preferences > Security & Privacy > Firewall on macOS devices.

  • Set XProtect status (macOS only): This remote action configures the XProtect status under System Preferences > Software Update > Advanced on macOS devices.

  • Set auto-updates (macOS only): This remote action configures additional macOS automatic update settings under System Preferences > Software Update > Advanced on macOS devices.

Use cases

Identifying areas of improvement

The dashboard's summary tab briefly shows the state of devices and macOS operating systems. This information lets you navigate to the appropriate tab for more detailed troubleshooting.

Filters above the dashboard help you focus on a specific area, device, or platform type. The time picker lets you view data on a more granular or longer-term scale.

Summary

This tab provides an overview of the stability, security, and compliance of devices in your environment. Based on the information highlighted here, you can go to the corresponding tab for more details.

The tab contains widgets that depend on the following custom fields: OS-supported version, OS-targeted feature update version, and OS-targeted quality update version. See Custom Field dependency for details.

Maintaining standardized and up-to-date OS versions is important to avoid version discrepancies and ensure that security vulnerabilities are regularly addressed through OS patches.

The Unsupported OS widget covers all macOS devices, while the Not on Target Update widget only covers the supported macOS versions: Sonoma, Ventura, and Sequoia.

Suggested actions:

Remediations can be performed using various remote actions throughout this dashboard. For details, see the suggested actions section of the in-product document on the specific tab.

Security

This section provides information about devices that have been active for a selected period of time and whose settings are non-compliant and could lead to security breaches.

Please review your policy settings and enterprise management/MDM tool configuration or use remote actions to resolve these non-compliance issues.

Suggested actions

Issues with macOS devices where XProtect updates or the firewall are disabled can be resolved using the following remote actions:

  • Set firewall options: This remote action allows you to configure firewall settings under System Preferences > Security & Privacy > Firewall on macOS devices.

  • Set XProtect status: This remote action allows you to configure the XProtect status under System Preferences > Software Update > Advanced on macOS devices.

  • Set auto-updates: This remote action allows you to configure additional macOS automatic update settings under System Preferences > Software Update > Advanced on macOS devices.

Stability

This section provides information about macOS devices that have not restarted in over a week. It is recommended to perform a full boot (restart or power cycle) at least once a week.

  • Devices with system crashes: This section provides information about macOS devices that have experienced system crashes.

  • Devices with hard resets: This section provides information about Windows and macOS devices that have experienced hard resets.

  • Devices with application crashes: This section provides information about macOS devices that have experienced crashes.

  • Devices with application freezes: This section provides information about macOS devices that have experienced application freezes.

Update and target state

This tab provides an overview of update deployment on macOS devices. It provides information that helps track devices that are not receiving updates or are stuck waiting to reboot. You can then take corrective action, such as reviewing the enterprise management software policy associated with the detected device group, triggering a remote action to install missing updates, or changing the automatic update setting.

The target versions of quality and feature updates on these tabs are specified in the "Operating system target version" custom field. These versions must be updated regularly to ensure accurate compliance data.

This information helps you understand the current compliance status of macOS updates and prevent security breaches by addressing instances of non-compliance.

The "OS targeted quality update version" custom field specifies updated target versions. These versions must be updated every month to ensure accurate compliance data.

Maintaining standardized and up-to-date OS versions is important to avoid version discrepancies and ensure that security vulnerabilities are regularly addressed through OS patches.

The Unsupported OS widget covers all macOS devices, while the Not on Target Update widget only covers the supported macOS versions: Sonoma, Ventura, and Sequoia.

Suggested actions

The issues listed in this dashboard can be resolved by using the following remote actions:

  • Set auto-updates: This remote action allows you to configure additional macOS automatic update settings under System Preferences > Software Update > Advanced on macOS devices.

Compliance: Security

This tab provides information on the results of security tests. These security checks are crucial for ensuring the integrity and protection of macOS systems:

  • FileVault Recovery: This is essential for ensuring data can be retrieved in case of forgotten passwords, maintaining compliance with security regulations, preventing data loss, and enhancing overall security measures within an organization.

  • Automatic login configuration: Disabling automatic login prevents unauthorized access by requiring credentials each time the system starts, protecting the device's data if it's lost or stolen.

  • Bootstrap token: This token facilitates device management by ensuring that devices can be securely enrolled and managed within the MDM solution.

  • Filevault key escrow configuration: This configuration ensures that FileVault recovery keys are securely stored and accessible to recover encrypted data if access credentials are lost.

  • Filevault status: Provides information on whether full disk encryption is enabled, which is essential for protecting data stored on the hard drive from unauthorized access.

  • Firewall configuration: Ensures that the system firewall is activated to protect the device from unwanted incoming network connections and limit exposure to potential external threats.

  • Gatekeeper status: Confirms that Gatekeeper is active, helping protect the system by blocking potentially harmful applications and maintaining the integrity of the executed software.

  • Gatekeeper administrator override: Checks if exceptions have been made to allow unverified applications to run, which could introduce security risks by bypassing macOS's default protections.

  • Gatekeeper administrator configuration: Ensures that Gatekeeper policies are properly configured to prevent the execution of malicious software not downloaded from the App Store or identified by Apple.

  • Guest account configuration: It is important to verify the configuration of the guest account to ensure that it is either disabled or properly restricted. This prevents unauthorized access that could compromise the device's security, as guest accounts generally do not require passwords.

  • Root user status: Monitoring the root user status is crucial due to the user's high level of access. An enabled and uncontrolled root user can be a vector for severely compromising system security if it falls into the wrong hands.

  • Secure token: Secure Tokens are essential for user management and FileVault encryption on macOS. Verifying that Secure Tokens are appropriately issued ensures that users have the necessary permissions to manage critical settings without compromising security.

  • SIP status: System Integrity Protection (SIP) is a security measure that restricts access to system files and processes. Enabling SIP ensures that the operating system is protected against unauthorized modifications, enhancing resistance to malicious software.

Together, these parameters contribute to a more secure environment on macOS, protecting against unauthorized access and maintaining system integrity.
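The following script is an added example, not code from the Nexthink pack or its remote actions. It evaluates several of the checks listed above in a read-only way: each eval_* function takes the text the named macOS command prints and returns 0 (compliant) or 1 (non-compliant), so the decision logic can be run against captured output on any host. The expected output strings are assumptions based on current macOS releases and should be confirmed against your own fleet.

```shell
#!/bin/sh
# Added example, not code from the Nexthink pack or its remote actions. It is a
# read-only evaluation of several checks listed above: each eval_* function takes
# the text the named macOS command prints and returns 0 (compliant) or 1 (not),
# so the logic can be run on captured output on any host. The expected strings
# are assumptions based on current macOS releases; confirm them on your fleet.
# fdesetup status -> "FileVault is On." / "FileVault is Off."
eval_filevault()  { case "$1" in *"FileVault is On"*) return 0;; esac; return 1; }
# csrutil status -> "System Integrity Protection status: enabled."
eval_sip()        { case "$1" in *"status: enabled"*) return 0;; esac; return 1; }
# spctl --status -> "assessments enabled" / "assessments disabled"
eval_gatekeeper() { case "$1" in *"assessments enabled"*) return 0;; esac; return 1; }
# socketfilterfw --getglobalstate -> "(State = 1)" on, "(State = 2)" block all, 0 off
eval_firewall()   { case "$1" in *"State = 1"*|*"State = 2"*) return 0;; esac; return 1; }
# defaults read com.apple.loginwindow autoLoginUser -> a user name, nothing when unset
eval_autologin()  { [ -z "$1" ]; }
# defaults read com.apple.loginwindow GuestEnabled -> 1 when the guest account is on
eval_guest()      { case "$1" in *1*) return 1;; esac; return 0; }
# dscl . -read /Users/root AuthenticationAuthority -> a ShadowHash entry only if root is enabled
eval_root()       { case "$1" in *ShadowHash*) return 1;; esac; return 0; }
# report NAME EVALUATOR OUTPUT: print one result line, return the evaluator's status.
report() {
  if "$2" "$3"; then printf '%-12s compliant\n' "$1"; return 0; fi
  printf '%-12s NON-COMPLIANT\n' "$1"; return 1
}
# run_checks reads "name|evaluator|output" records from stdin, prints one line
# per check and, last, the number of non-compliant checks.
run_checks() {
  fails=0
  while IFS='|' read -r name fn out; do
    report "$name" "$fn" "$out" || fails=$((fails + 1))
  done
  echo "$fails"
}
# rec NAME EVALUATOR COMMAND...: one record from a live command (newlines squashed).
rec() { n=$1; f=$2; shift 2; printf '%s|%s|%s\n' "$n" "$f" "$("$@" 2>/dev/null | tr '\n' ' ')"; }
LW=/Library/Preferences/com.apple.loginwindow
live_records() {
  rec FileVault  eval_filevault  fdesetup status
  rec SIP        eval_sip        csrutil status
  rec Gatekeeper eval_gatekeeper spctl --status
  rec Firewall   eval_firewall   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
  rec Auto-login eval_autologin  defaults read "$LW" autoLoginUser
  rec Guest      eval_guest      defaults read "$LW" GuestEnabled
  rec Root       eval_root       dscl . -read /Users/root AuthenticationAuthority
}
# Constructed sample output (not captured from a real device); 2 of 5 checks fail.
sample_records() {
  printf '%s\n' "FileVault|eval_filevault|FileVault is On." \
    "SIP|eval_sip|System Integrity Protection status: disabled." \
    "Gatekeeper|eval_gatekeeper|assessments enabled" \
    "Firewall|eval_firewall|Firewall is disabled. (State = 0)" \
    "Auto-login|eval_autologin|"
}
if [ "$(uname -s)" = Darwin ]; then live_records | run_checks; else sample_records | run_checks; fi
```

On a Mac the script runs the live commands (some, such as fdesetup and dscl for root, need administrator rights to return full output); elsewhere it runs the constructed sample so the evaluation logic can be reviewed before it is wired into a remote action.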

Compliance: Certificates

This tab provides information on the results of connectivity tests to a set of destinations. These tests ensure the correct validation of certificates, enable security updates, ensure proper access to services, support accurate problem diagnosis, and maintain regulatory compliance.

Testing the reachability of destinations like certs.apple.com:443, crl.apple.com:80, crl3.digicert.com:80, crl4.digicert.com:80, and ocsp.apple.com:80 is essential for macOS security because:

  • Certificate Validation: Ensures SSL/TLS connections are secure by verifying digital certificates, preventing man-in-the-middle attacks.

  • Security Updates: Connectivity is crucial for receiving security and certification updates and protecting against vulnerabilities.

  • Service Access: Many Apple services rely on digital certificates for secure authentication; verifying connectivity prevents service interruptions.

  • Compliance: In enterprise environments, checking access to critical servers helps ensure compliance with IT policies and security regulations.

  • Problem Diagnosis: Connectivity checks assist in diagnosing and resolving network or configuration issues that could affect device functionality and security.

Compliance: Management

Software compliance check

These checks ensure that macOS systems remain secure, compliant with IT policies, and up-to-date with the latest software advancements and protections.

  • Test admin-only software update: This ensures that software updates are restricted to admin users, preventing unauthorized software changes and ensuring that only approved updates are installed.

  • Test automatic application update installation: Verifies that applications are configured for automatic updates, ensuring that the latest security patches and features are kept current without user intervention.

  • Test automatic macOS update installation: Confirms that macOS is set to update automatically, maintaining system security and stability by applying the latest patches and protections against vulnerabilities.

  • Test content caching server: Checks the functionality of the content caching server, which optimizes network usage and speeds up software installations and updates by storing them locally for other devices.

  • Test deprecated Software Update server plist: Identifies legacy or outdated plist configurations for software updates, ensuring systems aren't relying on obsolete methods that may not comply with current security standards.

  • Test security deprecated software update server profile: Assesses the use of outdated software update server profiles, ensuring alignment with current best practices and preventing potential security risks associated with deprecated configurations.

Application compliance checks

These checks are crucial in maintaining a secure and compliant macOS environment, aligning with best practices for software management and security:

  • Test non-authorized Apps: This ensures that only applications approved by the organization are installed on the system. This prevents the use of unvetted software, reduces the risk of security vulnerabilities, and ensures compliance with organizational policies.

  • Test non-universal applications: Identifies apps that are not built for both Intel and Apple Silicon architectures. Ensuring app compatibility supports seamless operation and compliance with software standards as macOS transitions to new hardware architectures.

  • Test unsigned applications: This check detects applications without a valid digital signature from a trusted developer. By highlighting unsigned apps, the system maintains its integrity and security, as unsigned apps could pose security threats or be tampered with, violating compliance protocols.

Management compliance checks

These checks are vital for maintaining a secure and compliant macOS environment, ensuring that both kernel and network configurations adhere to organizational and industry standards:

  • Devices with non-compliance: kernel: This category identifies devices with kernel configurations that do not meet compliance standards. Ensuring kernel settings comply with security policies is crucial, as kernel-level vulnerabilities can lead to significant security breaches and stability issues.

  • Devices with non-compliance: network: Highlights devices with network settings or configurations that fall short of compliance requirements. Maintaining network compliance is essential for protecting data in transit, preventing unauthorized access, and ensuring secure communications within and outside the organization.

Identity compliance

These checks are essential in maintaining a secure and compliant macOS environment, facilitating effective management and adherence to organizational policies through MDM:

  • MDM enrollment: Verifies that devices are properly enrolled in the Mobile Device Management (MDM) system. Proper enrollment ensures that devices are managed consistently, receive necessary configurations, and comply with organizational policies.

  • MDM Enrollment Type: Assesses the type of MDM enrollment used on devices. Different enrollment types may offer varying levels of control and functionality, so ensuring the correct type is used is crucial for compliance and effective management.

  • MDM External Reachability: Checks the ability of devices to communicate with the MDM server from external networks. Ensuring external reachability is important for remote management, allowing devices to receive updates and configurations regardless of location.

  • MDM URL: Verifies that the MDM server URL is correctly configured on devices. A proper configuration ensures seamless communication with the management server, enabling consistent policy enforcement and device management.
