
How to secure your company's macOS devices — with configuration profiles

Andrea Pepper|September 25, 2024

In today's enterprise space, Macs are essential tools for daily work. However, the true value of an effective Apple fleet always depends on its security and compliance.

Implementing a solid management solution like SimpleMDM lets you secure your organization's devices remotely by pushing configuration profiles to them.

If you want a safe and happy Mac fleet, you'll want to know these configuration profiles:

  • Passcode Policy

  • FileVault

  • Firewall

  • Gatekeeper Policy

  • Recovery Lock Password

For detailed instructions on creating a configuration profile in SimpleMDM, check out our support article.

Network-specific configuration profiles include:

Wireless Network: A Wi-Fi configuration profile allows administrators to remotely set up and manage Wi-Fi settings on devices, ensuring automatic and secure connectivity to specified networks.

VPN: A VPN configuration profile enables administrators to centrally manage VPN settings on macOS and iOS devices, including server address, protocol type, on-demand rules, and authentication settings.

Certificates: macOS Certificate configuration profiles secure communications and authenticate devices by automating the installation and management of certificates for secure email, VPN, network authentication, and SSL/TLS connections.

These profiles embed credentials, configure options, and deploy certificates automatically, ensuring compliance, data protection, and streamlined identity management across all devices.

For a detailed look at these three profiles, check out our previous blog on securing iOS devices with configuration profiles. 

Passcode Policy

Check out our previous blog on securing iOS devices with configuration profiles for more on Passcode Policy.

A Passcode Policy configuration profile enforces minimum passcode rules on Apple devices through a mobile device management (MDM) platform. This policy ensures that every device has a passcode meeting specific requirements, such as:

  • Minimum length: Requires passcodes to meet a minimum number of characters.

  • Inclusion of complex characters: Ensures increased complexity using numbers, symbols, and letters.

  • Regular updates (passcode expiry): Requires passcodes be changed regularly after a specified period.

  • Auto-lock periods: Defines the idle time before the device locks automatically.

  • Failed login attempts: Limits the number of incorrect attempts before taking action (e.g., locking the device or wiping data) to prevent unauthorized access.

This configuration is particularly beneficial in enterprise settings where security compliance and protection of sensitive data are critical. 

For more detailed information, refer to Apple's official MDM documentation on configuring these profiles.
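The five rules above map onto keys in Apple's com.apple.mobiledevice.passwordpolicy payload. The following added example (not SimpleMDM's code) builds such a profile as a .mobileconfig plist and audits any profile against a baseline; the identifiers, organization name and baseline values are constructed placeholders.

```python
"""Build and audit a Passcode Policy profile (.mobileconfig) as a plist.
Added example, not SimpleMDM's code: the keys are Apple's
com.apple.mobiledevice.passwordpolicy keys, the rest is constructed."""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
# Baseline mapped from the five rules in the article (constructed values).
BASELINE = {
    "minLength": 12,              # minimum length
    "requireAlphanumeric": True,  # letters plus numbers
    "minComplexChars": 1,         # at least one symbol
    "maxPINAgeInDays": 90,        # passcode expiry
    "maxInactivity": 5,           # auto-lock after idle minutes
    "maxFailedAttempts": 10,      # failed attempts before lockout
}
# For each key, whether a larger value is the stronger setting.
LARGER_IS_STRONGER = {"minLength": True, "requireAlphanumeric": True,
                      "minComplexChars": True, "maxPINAgeInDays": False,
                      "maxInactivity": False, "maxFailedAttempts": False}

def build_profile(policy: dict, org: str = "Example Corp") -> bytes:
    """Wrap the policy keys in a top-level Configuration profile."""
    payload = {"PayloadType": PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.passcode",  # placeholder
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "Passcode Policy", **policy}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadScope": "System",
               "PayloadIdentifier": "com.example.passcode.profile",
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": f"{org} Passcode Policy",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def audit(profile_bytes: bytes, baseline: dict = BASELINE) -> list:
    """List every baseline rule the profile omits or weakens."""
    findings = []
    for pl in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if pl.get("PayloadType") != PAYLOAD_TYPE:
            continue
        for key, want in baseline.items():
            have = pl.get(key)
            if have is None:
                findings.append(f"{key}: missing")
            elif (have < want) if LARGER_IS_STRONGER[key] else (have > want):
                findings.append(f"{key}={have} weaker than baseline {want}")
    return findings
```

Write the bytes from build_profile() to a .mobileconfig file to inspect it, or feed an exported profile to audit() before uploading it to the MDM.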

How to with SimpleMDM


Completed profile example:

Screenshot of a completed Passcode Policy profile.

FileVault

The FileVault configuration profile automatically deploys integrated macOS encryption settings to your users.

FileVault is a built-in encryption feature on macOS that secures your startup disk using XTS-AES-128 encryption with a 256-bit key. 

When enabled, FileVault requires your login password to decrypt the disk and automatically encrypts any new files. The password ensures that your data is protected from unauthorized access, enhancing the security of your Mac.

This feature can be managed on the device through System Settings > Privacy & Security > FileVault.

FileVault features:

  • Encryption algorithm: Uses XTS-AES-128 encryption with a 256-bit key.

  • Login password: Requires password to decrypt the disk when enabled.

  • Automatic encryption: Automatically encrypts any new files saved to the disk.

  • Recovery key: During setup, users can create a recovery key to unlock the disk if they forget their login password. Administrators can configure an institutional recovery key in enterprise environments to unlock devices.

FileVault fully protects your startup disk, maintaining data security and user privacy. For more detailed configuration options, refer to Apple's official deployment documentation on FileVault.

Note: The encryption strength mentioned refers to the advanced encryption standard (AES) used in XTS mode, with a key length of 256 bits.

How to with SimpleMDM


Completed profile example:

Screenshot of a completed FileVault profile.

Firewall

The Firewall configuration profile deploys built-in macOS network protections to your endpoints.

Firewall features:

  • Protection: A firewall provides a layer of security for your Mac by blocking unauthorized incoming connections from the internet or other networks.

  • Allowed services: Firewalls help protect your Mac by allowing only necessary services, such as web browsing and email, while preventing other potentially harmful access.

  • Customization: You can customize firewall settings to allow or block specific apps and services, giving you greater control over what connects to your Mac.

  • Stealth mode: This can prevent your Mac from responding to probing requests, further enhancing security.

  • Logging: Advanced users can enable logging to monitor and debug network activity.

The Firewall can be managed on an individual device through System Settings > Network > Firewall.

The firewall configuration options protect against unauthorized connections while allowing customization to suit each organization's security needs.

How to with SimpleMDM


Completed profile example:

Screenshot of a completed Firewall profile.

Gatekeeper Policy

The Gatekeeper Policy configuration profile secures Macs from running unverified or potentially harmful software. Gatekeeper maintains a safe operating environment by ensuring all installed software is from trusted sources, enhancing user security and confidence. 

In System Settings under the Security & Privacy pane, Gatekeeper can be configured to allow or block apps from specific sources. 

Gatekeeper features:

  • Verification: Gatekeeper ensures that apps downloaded from outside the Mac App Store are signed with a valid Apple Developer ID and notarized by Apple for enhanced security.

  • Malware prevention: Gatekeeper prevents malware and unauthorized software installation, giving users confidence when running third-party apps on their Macs.

  • Case-by-case basis configuration: Gatekeeper can allow or block apps from specific sources.
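Pushing the FileVault, Firewall and Gatekeeper profiles is only half the job; a fleet audit should confirm each Mac reports the setting as active. The following added example (not SimpleMDM's code) reads the status from the built-in macOS commands fdesetup, socketfilterfw and spctl and flags the checks that fail. The sample output is constructed, and the patterns are matched loosely because the exact wording varies by macOS version.

```python
"""Verify on a Mac that the FileVault, Firewall and Gatekeeper profiles
above took effect. Added example, not SimpleMDM's code; the sample
output below is constructed and the match patterns are deliberately loose."""
import re
import subprocess

# Real macOS commands that report each setting, with the text expected
# in their output when the setting is on (wording varies by macOS version).
CHECKS = {
    "filevault": (["fdesetup", "status"], r"FileVault is On"),
    "firewall": (["/usr/libexec/ApplicationFirewall/socketfilterfw",
                  "--getglobalstate"], r"Firewall is enabled"),
    "stealth": (["/usr/libexec/ApplicationFirewall/socketfilterfw",
                 "--getstealthmode"], r"enabled|\bon\b"),
    "gatekeeper": (["spctl", "--status"], r"assessments enabled"),
}

def evaluate(outputs: dict) -> dict:
    """Map each check to True (compliant) or False from the command output."""
    return {name: bool(re.search(pattern, outputs.get(name, ""), re.I))
            for name, (_, pattern) in CHECKS.items()}

def noncompliant(outputs: dict) -> list:
    """Names of the checks that failed, in a stable order."""
    return sorted(name for name, ok in evaluate(outputs).items() if not ok)

def collect_live() -> dict:
    """Run the real commands (macOS only) and return their stdout per check."""
    return {name: subprocess.run(cmd, capture_output=True, text=True).stdout
            for name, (cmd, _) in CHECKS.items()}

# Constructed sample output, as a partly misconfigured Mac would report it.
SAMPLE = {
    "filevault": "FileVault is Off.\n",
    "firewall": "Firewall is enabled. (State = 1)\n",
    "stealth": "Stealth mode disabled\n",
    "gatekeeper": "assessments enabled\n",
}

if __name__ == "__main__":
    print("Non-compliant:", noncompliant(SAMPLE))  # ['filevault', 'stealth']
```

On a managed Mac, replace SAMPLE with collect_live() to audit the live device.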

How to with SimpleMDM


Completed profile example:

Screenshot of a completed Gatekeeper Policy profile.

Recovery Lock Password

Recovery Lock replaces the Firmware Password on all Apple silicon Macs. If you have older Intel machines in your fleet manufactured in 2018 or earlier, deploy a Firmware Password configuration profile instead.

The macOS Recovery Lock Password configuration profile deploys a security feature to protect access to the macOS Recovery environment on Apple silicon devices.

This environment allows users to perform tasks such as reinstalling macOS, restoring backups, and repairing disks.

When enabled, it requires a password to access these tools, adding an extra layer of security to prevent unauthorized changes.

Recovery Lock Password features:

  • Access control: Requires authentication to boot into Recovery mode.

  • Works with Activation Lock: Adds a further layer of security that operates alongside Activation Lock.

Overall, the macOS Recovery Lock password enhances security by ensuring only authorized users can access recovery tools, which is crucial in enterprise or educational settings.

How to with SimpleMDM


Completed profile example:

Screenshot of a completed Recovery Lock Password profile.

Ready to secure your macOS devices quicker than a pickle? Start your free trial of SimpleMDM today and implement robust configuration profiles to protect your Apple fleet. 🛡️

Andrea Pepper

Andrea Pepper is an Apple SME MacAdmin with a problematic lack of impulse control around a software update prompt. When not poking at machines, Pepper enjoys being a silly goose in sunny Colorado with her two gigantic fluffer pups.
