In the first post of our two-part series on Mac security, we discussed the basics and the three most common methods of securing a fleet. In this post, we’ll go deeper on what you should do right now to secure your Macs, and how Fleetsmith can lend a hand.
Mac security: what you should do right now
Whether you’re using the DIY method, an open-source tool, or a commercial solution, here are the two most important things you should do right now to protect your Macs:
1. Encrypt your computers
Encryption is a mechanism that prevents an attacker from accessing the data on a computer while it’s powered off, asleep, or at the screensaver. Apple offers built-in encryption on macOS through FileVault 2. FileVault 2 uses XTS-AES-128 encryption with a 256-bit key, and is available on Mac OS X Lion or later.
How do you go about enabling encryption on your Macs? It’s a two-step process:
1. Encrypt the disk
The first step is to set up FileVault using the DIY manual approach, or centrally via an open-source or commercial tool. Apple has setup instructions here if you’re using the DIY approach. Keep in mind that if you take the DIY approach, you’ll need to do this manually for each employee’s computer.
Some open-source and commercial tools will enable and enforce disk encryption for you. The process to enable FileVault varies widely—some vendors offer a one-step option to enforce disk encryption across your fleet, others require a multi-step procedure to get everything up and running. If you’re looking for an open-source solution, Crypt 2 is a great option that enforces FileVault 2 via an authorization plugin.
2. Escrow the keys
Now that your computer disks are encrypted, you need to escrow the recovery keys. If you don’t, you risk getting locked out of your own computers! In the event that an employee can’t log in to their computer, you can use the FileVault recovery key to decrypt the disk.
Using the DIY approach, you’ll need to manually store the keys in a cryptographically secure manner. Only some commercial solutions automatically and securely escrow the keys for you, and make them available when you need them.
2. Enforce screen lock and authentication
Configuring screen lockout and authentication settings (such as password complexity requirements) is essential for securing computers when they’re left unattended. Again, if you’re using the DIY approach, Apple has setup instructions here.
Using open-source or commercial solutions, you can also configure options for screen lock and authentication settings across your computers.
We also recommend using a YubiKey as a secondary method of secure authentication, and it’s especially convenient if your users have long passwords. If your YubiKey is plugged in and Smart Card mode is enabled and configured, your Mac will use a combination of PIN and a certificate on the YubiKey to authenticate the user instead of a password. (Fleetsmith supports Smart Card setting enforcement!)
When disk encryption, screen lock, and authentication enforcement (such as password complexity requirements) are used in conjunction, they dramatically decrease your risk of losing company data when a device is lost or stolen. (Think of encryption and screen lock with authentication like peanut butter and jelly on fresh bread. Always better together!)
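For the DIY approach, the two enforcement steps above (FileVault on, screen lock with authentication) are only as good as your ability to verify them on each Mac. The audit script below is an added example, not Fleetsmith or Apple code: it wraps the checks in small functions that parse command output, so the logic can be tested off a Mac. It assumes the pre-10.13 com.apple.screensaver defaults keys and picks its own thresholds (lock within 5 seconds, idle time at most 10 minutes).

```shell
#!/bin/sh
# Added DIY audit for the two controls in this post (not Fleetsmith code).
# Parsing is separated from the live `fdesetup`/`defaults` reads so the
# checks can be exercised with constructed input on any POSIX shell.

# 0 when the text of `fdesetup status` reports FileVault as enabled.
fv_status_ok() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when a value you are about to escrow looks like a FileVault
# personal recovery key (six groups of four uppercase alphanumerics).
# Catches an empty or truncated key before it lands in your key store.
recovery_key_format_ok() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# 0 when the screen saver requires a password (askForPassword=1),
# asks within 5 s, and starts between 1 s and 600 s of idle time.
# idleTime=0 means "never", which is why it fails the check.
# Thresholds are this example's assumptions, not Apple defaults.
screen_lock_ok() {
    ask=$1; delay=${2%.*}; idle=${3%.*}   # drop any float fraction
    [ "$ask" = 1 ] && [ "$delay" -le 5 ] \
        && [ "$idle" -gt 0 ] && [ "$idle" -le 600 ]
}

# Live audit: only meaningful on a Mac; read-only, changes nothing.
audit_mac() {
    rc=0
    fv_status_ok "$(fdesetup status)" || { echo "FAIL: FileVault is off"; rc=1; }
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)
    screen_lock_ok "$ask" "$delay" "$idle" \
        || { echo "FAIL: screen lock (ask=$ask delay=$delay idle=$idle)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: encryption and screen lock enforced"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then audit_mac; fi
```

Run it as `sh audit.sh --run` on each Mac; a non-zero exit flags a machine that needs attention before it leaves the building.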
Fleetsmith can help!
Of the commercial options available, Fleetsmith is the only cloud-based solution that puts security first. That means we not only offer security features to protect your fleet, but also have incredibly high standards when it comes to our own security practices.
Fleetsmith can be used to automatically enforce disk encryption, authentication, and screen lock. We enforce these security settings securely over the internet, and automatically surface any computers that are problematic. Fleetsmith automatically and securely escrows each Mac's FileVault recovery key, and makes it accessible anytime within the Fleetsmith admin console.
For more advanced security options, you can use Fleetsmith to manage the anti-malware app Malwarebytes Breach Remediation, and manage installation and automatic patching of the VPN client Viscosity. If your company uses osquery, you can deploy it to your fleet to enable powerful fleet-wide intrusion detection and compliance reporting. To learn more, check out this blog post about osquery “query packs” to get a sense of the full breadth and depth of its capabilities. A full list of the queries bundled in the default query packs can be found here.
Don’t just take our word for it—put our security features to the test! You can try Fleetsmith completely free with 10 devices for as long as you need, with no credit card required. Check out our features page for a full overview of the additional management, deployment, DevOps, and employee experience features we offer.
As the security landscape evolves, you can make sure your Macs are protected by following security best practices—with a DIY approach, open-source tools, or a commercial option like Fleetsmith. In just a few simple steps, you’ll be the commander of your Mac fleet.
Found this useful? Show us some love on Twitter, Facebook or LinkedIn! Subscribe to this blog for even more Mac management best practices and tips. Next up, we’ll cover upgrading your fleet to a new OS, and how to ensure the transition is as smooth as butter.