Skip to content

How to secure your company's macOS devices — with configuration profiles

Headshot of Andrea Pepper, SimpleMDM writer and MacAdmin
Andrea Pepper|September 25, 2024
Security teal
Security teal

In today's enterprise space, Macs are essential tools for daily work. However, the true value of an effective Apple fleet always depends on its security and compliance.

Implementing a solid management solution like SimpleMDM allows you to secure your organization's devices using configuration profiles remotely.

If you want a safe and happy Mac fleet, you'll want to know these configuration profiles:

  • Passcode Policy

  • FileVault

  • Firewall

  • Gatekeeper Policy

  • Recovery Lock Password

For detailed instructions on creating a configuration profile in SimpleMDM, check out our support article.

Network-specific configuration profiles include:

Wireless Network: A Wi-Fi configuration profile allows administrators to remotely set up and manage Wi-Fi settings on devices, ensuring automatic and secure connectivity to specified networks.

VPN: A VPN configuration profile enables administrators to centrally manage VPN settings on macOS and iOS devices, including server address, protocol type, on-demand rules, and authentication settings.

Certificates: macOS Certificate configuration profiles secure communications and authenticate devices by automating the installation and management of certificates for secure email, VPN, network authentication, and SSL/TLS connections.

These profiles embed credentials, configure options, and deploy certificates automatically, ensuring compliance, data protection, and streamlined identity management across all devices.

For a detailed look at these three profiles, check out our previous blog on securing iOS devices with configuration profiles. 

Passcode Policy

Check out our previous blog on securing iOS devices with configuration profiles for more on Passcode Policy.

A Passcode Policy configuration profile enforces minimum passcode rules on Apple devices through a mobile device management (MDM) platform. This policy ensures all devices set required passcodes constructed with specific guidelines, such as: 

  • Minimum length: Requires passcodes to meet a minimum number of characters.

  • Inclusion of complex characters: Ensures increased complexity using numbers, symbols, and letters.

  • Regular updates (passcode expiry): Requires passcodes to be changed regularly after a specified period.

  • Auto-lock periods: Defines the idle time before the device locks automatically.

  •  Failed login attempts: Limits the number of incorrect attempts before taking action (e.g., locking the device or wiping data) to prevent unauthorized access.

This configuration is particularly beneficial in enterprise settings where security compliance and protection of sensitive data are critical. 

For more detailed information, refer to Apple's official MDM documentation on configuring these profiles.

How to create a Passcode Policy config profile with SimpleMDM

Loading...

Completed profile example:

Screenshot of a completed Passcode Policy profile.

FileVault

The FileVault configuration profile automatically deploys integrated macOS encryption settings to your users.

FileVault is a built-in encryption feature on macOS that secures your startup disk using XTS-AES-128 encryption with a 256-bit key. 

When enabled, FileVault requires your login password to decrypt the disk and automatically encrypts any new files. The password ensures that your data is protected from unauthorized access, enhancing the security of your Mac.

This feature can be managed on the device through System Settings > Privacy & Security > FileVault.

FileVault features:

  • Encryption algorithm: Uses XTS-AES-128 encryption with a 256-bit key.

  • Login password: Requires password to decrypt the disk when enabled.

  • Automatic encryption: Automatically encrypts any new files saved to the disk.

Recovery key: During setup, users can create a recovery key to unlock the disk if they forget their login password. Administrators can configure an institutional recovery key in enterprise environments to unlock devices.

FileVault fully protects your startup disk, maintaining data security and user privacy. For more detailed configuration options, refer to Apple's official deployment documentation on FileVault.

Note: The encryption strength mentioned refers to the advanced encryption standard (AES) used in XTS mode, with a key length of 256 bits.

How to create a FileVault config profile with SimpleMDM

Loading...

Completed profile example:

Screenshot of a completed FileVault profile.

Firewall

The Firewall configuration profile deploys built-in macOS network protections to your endpoints.

Firewall features:

  • Protection: A firewall provides a layer of security for your Mac by blocking unauthorized incoming connections from the internet or other networks.

  • Allowed services: Firewalls help protect your Mac by allowing only necessary services, such as web browsing and email while preventing other potentially harmful access.

  • Customization: You can customize firewall settings to allow or block specific apps and services, giving you greater control over what connects to your Mac.

  • Stealth mode: This can prevent your Mac from responding to probing requests, further enhancing security.

  • Logging: Advanced users can enable logging to monitor and debug network activity.

The Firewall can be managed on an individual device through System Settings > Network > Firewall

The firewall configuration options protect against unauthorized connections while allowing customization to suit each organization's security needs.

How to create a Firewall config profile with SimpleMDM

Loading...

Completed profile example:

Screenshot of a completed Firewall profile.

Gatekeeper Policy

The Gatekeeper Policy configuration profile secures Macs from running unverified or potentially harmful software. Gatekeeper maintains a safe operating environment by ensuring all installed software is from trusted sources, enhancing user security and confidence. 

In System Settings under the Security & Privacy pane, Gatekeeper can be configured to allow or block apps from specific sources. 

Gatekeeper features:

  • Verification: Gatekeeper ensures that apps from external sources outside the Mac App Store are signed with a valid Apple Developer ID and notarized by Apple for enhanced security.

  • Malware prevention: Gatekeeper prevents malware and unauthorized software installation, giving users confidence when running third-party apps on their Macs.

  • Case-by-case basis configuration: Gatekeeper can allow or block apps from specific sources.

How to create a Gatekeeper Policy config profile with SimpleMDM

Loading...

Completed profile example:

Screenshot of a completed Gatekeeper Policy profile.

Recovery Lock Password

Recovery Lock replaces a Firmware Password for all silicon Macs. If you have older Intel machines in your fleet manufactured in 2018 or earlier, deploy a Firmware Password configuration profile instead. 

The macOS Recovery Lock Password configuration profile deploys a security feature to protect access to the macOS Recovery environment on Apple silicon devices.

This environment allows users to perform tasks such as reinstalling macOS, restoring backups, and repairing disks.

When enabled, it requires a password to access these tools, adding an extra layer of security to prevent unauthorized changes.

Recovery Lock Password features:

  • Access control: Requires authentication to boot into Recovery mode.

  • Works with Activation Lock: Adds security layer, working with Activation Lock.

Overall, the macOS Recovery Lock password enhances security by ensuring only authorized users can access recovery tools, which is crucial in enterprise or educational settings.

How to create a config profile with SimpleMDM

Loading...

Completed profile example:

Screenshot of a completed Recovery Lock Password profile.

Ready to secure your macOS devices quicker than a pickle? Start your free trial of SimpleMDM today and implement robust configuration profiles to protect your Apple fleet. 🛡️

Headshot of Andrea Pepper, SimpleMDM writer and MacAdmin
Andrea Pepper

Andrea Pepper is an Apple SME MacAdmin with a problematic lack of impulse control around a software update prompt. When not poking at machines, Pepper enjoys being a silly goose in sunny Colorado with her two gigantic fluffer pups.

Related articles