
A security policy for macOS 14 Sonoma

This document is an example security policy for the security of Apple Mac computers running macOS 14 Sonoma in a small business setting.

Document versions
Version   Significant changes
1.3       Updated for macOS 14 Sonoma
1.3.1     Version for LinkedIn
1.3.2     Updated with clarifications about supported versions of macOS

macOS 14 Sonoma
First published at https://www.ezone.co.uk/blog/security-policy-for-macos.html, provided 'AS IS, WITHOUT WARRANTY OF ANY KIND'. Licence: CC BY-NC-SA 4.

TL;DR – I was asked if I had a security policy document for macOS that would work for a small business that doesn't have a device management platform, and I did have one, but it was mostly in my head or implemented on my Macs, so I decided to write it up in detail.

It is an example. You might want to change things. It is for smaller businesses who can't use Apple Business Manager or similar device management technologies.

I thought it might be helpful to someone to post it here.

Why have a security policy for macOS?

Purpose

The purpose of a security policy for macOS is to ensure that extra risks are removed, mitigated and not inadvertently created for macOS based computers by applying a consistent policy for their administration and security settings.

Scope

All employees and third-party sub-contractors, unless agreed in writing for a specific purpose such as software development or testing.

Principles

All computers are subject to the leakage of data if not well configured and hardened and Mac computers running macOS should be treated with the same care as any other device.

Individual settings

User accounts for login

  1. When you set up a new Mac owned by the business, the first user account must be an administrator account, and this account should be set up with a business-owned Apple ID for password recovery and for use with iCloud and the App Store.
  2. An administrator account can change any settings on the computer.
  3. It is best practice to set up a second account so that the Mac can also be administered by the end user.
  4. It is recommended that day-to-day end user accounts should not be administrator accounts. This reduces the risk of an administrator account having unnecessary elevated privileges in normal day-to-day use.
Local macOS user accounts

User                            Account type    Apple ID
First account                   Administrator   [Apple ID email address not shown]
User 1                          Administrator   [Apple ID email address not shown]
User 1 (usual login user)       Standard user   [Apple ID email address not shown]
User 2 (if the Mac is shared)   Standard user   [Apple ID email address not shown]

Setting things up this way allows an end user to authorise administration where necessary but work as a standard user most of the time. It also allows the company administrator to perform support work on the computer without accessing the end user's data.

Apple ID

In a small business it is not possible to centrally manage Apple IDs. Managed Apple ID for business is only available through Apple Business Manager or Apple Business Essentials, which are beyond the scope of this policy.

Software that needs to be installed on your Mac requires a valid Apple ID for the App Store. Other software subscriptions require payment in the App Store app. You may either add your credit card to the Apple ID payment options and claim valid expenditure on expenses, or buy a prepaid Apple voucher/card and put that on your expenses. Only applications and storage required for work are allowable. Music, videos and gaming content are not to be claimed on expenses.

Two factor authentication (2FA) for Apple ID

You must use Two factor authentication for your Apple ID.

  1. Go to System Settings > click your name (or Apple ID) > click Sign-In & Security.
  2. Make sure Two-factor authentication is ‘On’.
  3. Click the plus (+) button and add two trusted phone numbers.
  4. Add your own backup phone number for text-based authentication, and the company number for emergency or support use.
Apple ID Sign-In & Security, 2FA in macOS 14 Sonoma
Apple ID 2FA Trusted Phone numbers in macOS 14 Sonoma

This means that in the event of an emergency or a support incident the company will be able to access your Apple ID, reset your Mac password, or attempt to find your Mac, by authenticating with your Apple ID and receiving the second-factor code by text message on the company number.

Two factor authentication for other apps

Two-factor authentication (2FA) is the best way to protect yourself from password hacking online. You must use 2FA in any app or website which supports it.

Authy – An Authenticator App

Download Authy, a standards-based authenticator app, from the App Store via https://authy.com/download/ and make sure you follow the instructions to set it up securely.

Authy syncs with multiple devices, making it the best choice of 2FA app. Some websites and other apps will refer to ‘Google Authenticator’, which uses the same standards-based authentication that the Authy app supports. Authy is more flexible, less proprietary, runs on your Apple silicon Mac and your phone, and is easy to back up.

USB Security keys

You can also use a USB security key such as a Google Titan security key or a Yubikey.

Passwords

  1. Choose a password with eight characters or more and a mix of different character types.
  2. Don’t use names, words found in a dictionary, phone numbers, dates, or simple combinations of these.
  3. Avoid using a pattern of keyboard characters such as a series of keys in a straight or diagonal line.
  4. Use a sequence of random characters.
  5. Include a mix of upper and lowercase letters, numbers, and punctuation marks.

Password Assistant

Use macOS Password Assistant to help you choose a secure password. To open Password Assistant, click the key button next to the New Password field. As you enter a password, Password Assistant displays how secure the password is.

Security - macOS Password Assistant

Touch ID, Apple watch

If possible, enrol your fingerprint to enable Touch ID or set up your Apple Watch to unlock your Mac.

macOS System Settings, Touch ID, Apple Watch

Different versions of macOS and security from malware

You should always run the latest version of macOS supported by your Mac computer. At the time of writing this is macOS 14 Sonoma. You should use an Intel-based Mac computer which is supported by macOS 14 Sonoma or a current Mac computer with Apple silicon. Older Mac computers cannot be made secure. Apple say that "Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16 and so on)." (See: About software updates for Apple devices – Apple Computer.)

Signed system volumes and System Integrity Protection

System Integrity Protection (SIP) in macOS protects the entire system by preventing the execution of unauthorised code that doesn't have a valid signature from Apple. All system files are protected on the signed system volume. This advanced system volume technology provides a high level of security against malicious software and tampering with the operating system.

Malware protection

macOS has protections to help ensure that apps downloaded from the internet are free of known malware. The App Store, or Gatekeeper combined with Notarisation, prevents malware from launching. Malware that does get onto the Mac is blocked from running and remediated by XProtect.

To take advantage of these protections you must allow applications only from the App Store and identified developers to run on your Mac.

  1. Go to Settings > Privacy and Security > Security
  2. Select 'App Store and identified developers'
macOS Privacy & Security

Third party AntiVirus tools are not necessary for macOS 14 Sonoma

Because macOS has security protection built in, a third party AntiVirus tool is not necessary.

macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically — independent from system updates — to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:

  • an app is first launched,
  • an app has been changed (in the file system),
  • XProtect signatures are updated.

When XProtect detects known malware, the software is blocked and the end user is notified and given the option to move the software to the Bin.

Software updates

The best way to keep your Mac secure is to run the latest software. You must set your Mac to check, download, and install updates automatically, and to install application updates from the App Store and to install Security Responses and system files. macOS checks for new updates daily and starts applying them in the background, and it is important that security responses are installed quickly.

Make sure that Beta updates is set to ‘off’. Beta software is not to be used without written approval.

Go to Settings > General > Software Update

  1. Set 'Automatic Updates' to 'On',
  2. Click 'Info' and set 'Check for updates', 'Download new updates when available', 'Install macOS updates', 'Install application updates from the App Store' and 'Install Security Responses and system files' all to 'On',
  3. Click 'Done',
  4. Set 'Beta updates' to 'Off'.
macOS System Settings, Software update
macOS System Settings, Software update - Automatically

Firewall

macOS includes a built-in firewall to protect the Mac from unwanted incoming network access and denial-of-service attacks. Ensure the Firewall is ‘On’ in Settings. Set it to allow built-in software to receive incoming connections, and to allow downloaded and signed software to receive incoming connections.

Do not allow any other applications to receive incoming connections without approval.

Go to Settings > Network > Firewall > Options

  1. Make sure 'Firewall' is 'On',
  2. Click 'Options',
  3. Do not allow any applications to receive incoming connections without approval.
macOS System Settings, Firewall

macOS System Settings, Firewall incoming connections

FileVault

Turn on FileVault, which encrypts all data automatically on internal storage devices.

After FileVault is turned on, user credentials are required during the boot process before the encrypted volume can be unlocked.

Go to Settings > Privacy and Security > FileVault

macOS system settings, Privacy & Security, FileVault

Automatic logout

You must set your Mac up to logout after 5 minutes of inactivity.

Go to Settings > Privacy and Security > Advanced

macOS system settings, automatically logout

Lock Screen

You must set your Mac up to logout after 3 minutes of inactivity and to display only a name and password for input on the Login window. 

Settings > Lock Screen

macOS system settings, lock screen

Location and Find My

In Location Services, turn on location access for ‘Find My’. Then turn on ‘Find My’ under iCloud in System Settings: click your name, click iCloud, then under Apps Using iCloud click Show All, select Find My and turn it on. Be very careful which other apps you allow to use your location, because they will potentially disclose your whereabouts.

macOS system settings, location services
macOS system settings, iCloud, find my

Time Machine

You must use Time Machine, the built-in backup feature of your Mac, to back up your personal data automatically, including apps, music, photos, emails and documents.

You should plug your Mac into your Time Machine drive whenever possible. Time Machine makes hourly backups for the past 24 hours, daily backups for the past month and weekly backups for all previous months. The oldest backups will be deleted when your backup disk is full.

Having a backup allows you to restore your Mac, or a new Mac, from your Time Machine backup if you ever delete your files or can't access them.

Replace your Time Machine backup drive every year and keep the old one securely. Just in case.

Remote Access

The company uses Apple Remote Desktop to manage Mac computers. Remote Access settings for Apple Remote Desktop must be enabled on all company Mac computers.

Remote Desktop enables the company to see the screen, install software, and perform other administrative tasks to help you with your Mac. You will see a notification if your screen is being observed.


Supported Mac computers

The company does not support using Mac computers that are no longer supported by Apple as they are more likely to be unable to accept the latest updates, and are therefore inherently less secure.

You should not sign in to company resources using unsupported Mac computers.

macOS 14 Sonoma is compatible with these devices

Model          Year
iMac           2019 and later
Mac Pro        2019 and later
iMac Pro       2017
Mac Studio     2022 and later
MacBook Air    2018 and later
Mac mini       2018 and later
MacBook Pro    2018 and later

Policy Compliance

Compliance Measurement

The information security management team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner. 
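Without a device management platform, a "business tool report" can be as simple as a script run on each Mac. The following is an added example, not part of the original policy, that audits the settings mandated in the Malware protection, Software updates, Firewall, FileVault, System Integrity Protection and User accounts sections. The command names and preference keys are the documented macOS ones; the exact output strings it matches are assumptions based on current macOS releases, and the parse functions are separated from the live commands so they can be tested against captured output.

```shell
#!/bin/sh
# Added example (not from the original policy): audit the settings this policy mandates.
# Each parse_* function takes the text a macOS command prints and returns 0 when the
# setting is compliant, 1 otherwise. Matched strings are assumptions from current macOS.
parse_filevault()  { case "$1" in *"FileVault is On"*)     return 0 ;; esac; return 1; }
parse_sip()        { case "$1" in *"status: enabled"*)     return 0 ;; esac; return 1; }
parse_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; esac; return 1; }
parse_firewall()   { case "$1" in *"Firewall is enabled"*) return 0 ;; esac; return 1; }
# `defaults read` prints 1 for an enabled boolean preference.
parse_pref_on()    { [ "$1" = "1" ]; }

FAILS=0
# report LABEL STATUS: print PASS/FAIL for one check and count failures.
report() {
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; FAILS=$((FAILS + 1)); fi
}
# Read a preference; a missing key is treated as 0 (not compliant).
pref() { defaults read "$1" "$2" 2>/dev/null || echo 0; }

run_audit() {
    parse_filevault  "$(fdesetup status)"; report "FileVault on" $?
    parse_sip        "$(csrutil status)";  report "System Integrity Protection enabled" $?
    parse_gatekeeper "$(spctl --status)";  report "Gatekeeper assessments enabled" $?
    parse_firewall   "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)"
    report "Firewall on" $?
    SU=/Library/Preferences/com.apple.SoftwareUpdate
    for key in AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates \
               ConfigDataInstall CriticalUpdateInstall; do
        parse_pref_on "$(pref "$SU" "$key")"; report "Software Update: $key" $?
    done
    parse_pref_on "$(pref /Library/Preferences/com.apple.commerce AutoUpdate)"
    report "App Store application updates automatic" $?
    # The day-to-day login account should be a standard user (not in the admin group).
    if id -Gn "$(id -un)" | grep -qw admin; then report "Login user is a standard user" 1
    else report "Login user is a standard user" 0; fi
    echo "$FAILS non-compliant setting(s)"
}

# Only run the live audit on macOS; the parse functions work on any POSIX sh.
if [ "$(uname)" = Darwin ]; then run_audit; fi
```

Run it as the usual login user so the admin-group check reflects day-to-day use; the System Integrity Protection check fails if the machine has been booted with SIP disabled.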

Exceptions

Any exception to the policy must be approved and recorded by the Information Security Manager in advance and reported to the Management Review Team. 

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement

The policy is updated and reviewed as part of the continual improvement process.