Best Security Practices Around macOS for MSPs

Choosing the right software and following cybersecurity best practices can help MSPs mitigate risk for their customers.

macOS security

When it comes to protecting macOS devices in the workplace, MSPs have their hands full. Systems and networks are becoming increasingly complex, and the cyber threat landscape is ever-evolving as cybercriminals become more sophisticated than ever before. While there isn’t a silver bullet for protecting macOS devices from unauthorized access, misuse, or theft, choosing the right software and following cybersecurity best practices can help MSPs mitigate risk for their customers.

While some recommendations may feel restrictive, keep in mind the following: There’s a tradeoff between security and convenience. For instance, a device with no password is extremely simple to use, but it’s not secure and exposes unnecessary risk to the systems and networks you’ve been tasked with protecting.

A system is only as secure as its administrator makes it. Although it’s important to remove as much friction as possible for end users, it should never be at the expense of security. Protecting your managed systems and networks from malicious actors by maintaining IT security best practices must always be the top priority.

Here are a few cybersecurity best practices IT professionals should consider when managing macOS devices.

Enable MDM for device lock and device wipe capabilities

From time to time, an employee is going to lose a device; it’s inevitable. Even though the device may be in good hands, there’s a strong possibility it’s not, and if the latter ends up being true, all bets are off.

Once a criminal steals a device, it’s best to consider it gone since 98 percent of stolen laptops are never recovered. Being able to remotely lock the Mac and wipe it from afar becomes a critical step toward ensuring corporate data doesn’t end up in the wrong hands.

If you’ve enabled Apple Mobile Device Management (MDM) software, Apple’s Device Lock and Device Wipe features are available to use. Outside of theft, these features also come in handy when a device is lost or an employee is offboarded. In both cases, company data remains secured and safe from potentially malicious activities. 

Without a doubt, passwords matter

Sometimes the simplest solution is the best solution. Passwords are the first line of defense against cybercriminals and strong passwords protect both personal and corporate digital data.

Unfortunately, it’s not in our nature to create complex passwords for our accounts; instead, we sacrifice security for convenience. For example, only 56 percent of users create complex passwords or passphrases that use a mix of uppercase and lowercase letters, numbers, and special characters.

To combat the risks that poor passwords create, Apple administrators should consider enforcing password policies through an MDM configuration.

As an additional security measure, you can also create an MDM payload to set password settings for end users based on the NIST security framework. Some suggestions include disabling the use of simple passwords, requiring alphanumeric values, restricting the reuse of passwords, and enforcing password complexity, but be careful. Disabling simple passwords on macOS seems natural, but it actually prevents the use of most passwords since there cannot be repeating characters of any kind, resulting in passwords that users will never be able to remember.

Even if their password hygiene is good, end users will still struggle if they are required to maintain multiple passwords, usually resulting in IT administrators being bogged down with password reset requests and concerns about the same passwords being reused over and over. Fortunately, with the right Apple Mobile Device Management (MDM) software, there are ways to modernize identity management, including implementing single sign-on (SSO) where end users can log in to their Macs from anywhere using the same credentials that they use for email and multi-factor authentication to add an extra layer of security.

Updating macOS devices frequently

As the number of Apple devices in the enterprise continues to grow, cybercriminals are spending more time trying to exploit them and gain unauthorized access to organizational networks and systems. For instance, in 2021 cybercriminals released malware tailored to run on Apple’s M1 processors.

Outdated software and hardware often create the vulnerabilities that malicious actors exploit. One of the best ways to prevent this from happening is by deploying updates whenever they become available.

Depending on the number of Macs you manage, it may not be practical to patch each one individually whenever there’s an update. Instead, deploying macOS security updates to a group of devices using a cloud-based Apple device management solution is usually the better route to take. By doing this, you ensure that every device connected to your network is updated simultaneously and kept secure.

Conclusion

There are more macOS devices in the enterprise than ever before and they are at risk of being exploited. To ensure they are as protected as their Windows counterparts, it’s important to follow cybersecurity best practices, like those mentioned above, although it can be challenging to accomplish at scale. Fortunately, if you find the right Apple device management solution, you’ll be able to automate onboarding and deployment to ensure your entire fleet is secure. Consider this before sacrificing security for convenience.


Nicolas Ponce is the Vice President of Operations & Security at Addigy, the only cloud-based, multi-tenant Apple device management software designed to make it easy for MSPs and corporate IT teams to manage Apple devices. Nicolas graduated from Florida International University with a Bachelor of Science in Information Technology and has over a decade of experience working as an IT leader within the B2B Tech SaaS industry. During his tenure at Kaseya, Nicolas maintained and supported their globally distributed cloud infrastructure as a TechOps Engineer. In 2017, Nicolas Ponce joined Addigy to lead the development and execution of processes that drive growth, increase efficiency and provide critical support to the organization. Under his leadership, Addigy has successfully acquired SOC2 Type 1, 2, 3 Attestation Reports, and established industry-leading security best practices to keep Addigy’s organization and clients secure.