The macOS Security Compliance Project is an open-community initiative that helps system administrators, information security personnel, and security-focused end users securely configure and manage macOS computers. It provides guidelines and resources that assist in the rapid configuration and validation of security features in macOS.
This project is a collaboration between Apple Professional Services and the open-source community on GitHub. This crowd-sourced guide aims for an adaptable and widely helpful set of device management settings, balancing security and usability for MacAdmins.
What does mSCP do?
The macOS Security Compliance Project (or mSCP if you're cool 😎) is an open-source project that systematically generates security guidance. It provides blueprints for security and compliance management pieces, including customized documentation, audit checklists, configuration profiles, and scripts for logging and remediation.
The mSCP maps established controls for macOS against any supported security guide, which can, in turn, serve as a foundation for developing customized security baselines for technical security controls. It achieves this by utilizing a library of tested and validated atomic actions, i.e., configuration settings. Smart people have prebuilt and tested these secure configuration sets and made their information available for you to use … for free!
Who made mSCP?
The macOS Security Compliance Project is a collective labor of love from all corners of the Apple Professional community. <3
Basically — a bunch of fancy federal IT guys from huge government entities (like NASA 🤯) worked together and developed security and compliance defaults. These defaults met their standard of professional requirements to be mass-deployed to an organization and maintain a minimum level of compliance as measured by existing industry baselines.
Government bodies that contributed to the mSCP include: National Institute of Standards and Technology (NIST) National Aeronautics and Space Administration (NASA) Defense Information Systems Agency (DISA) Los Alamos National Laboratory (LANL) |
This means that a bunch of high-level sysadmins at the top of their profession decided that it mattered how compliance was handled in our global zeitgeist. They cared enough to put in the work as an open-source project and create a standard that everyone can access and utilize, even without their hard-earned knowledge. They took action and shared their hard work because they cared about setting the bar high for the IT status quo, our industry's future, and their peers' growth. Pretty rad.
What MacAdmins need to know about mSCP
Who is mSCP for?
The macOS Security Compliance Project is for sysadmins and MacAdmins!
The coolest thing about mSCP is that it's community-powered, made by and for MacAdmins through peer collaboration. Drawing from the collective intelligence and experiences of a diverse group of professionals, the mSCP provides dynamic, up-to-date security solutions. This collaborative initiative continually evolves, adapting to industry specialists' expertise and insights. It is a vital resource, offering essential guidance on best practices for configuring and managing macOS systems to achieve optimal security.
Why did they make mSCP?
Tailored to simplify and streamline securities, the mSCP is a go-to source for a comprehensive collection of best-practice security configurations appropriate for most environments. It provides a robust foundation for security considerations, letting administrators customize these configurations to their organization's specific needs. This customization significantly reduces the time and effort spent building effective security measures from scratch.
The mSCP also provides guides that follow international security configuration baselines, aiding organizations in implementing effective security and ensuring compliance with leading industry standards (so you can securely deploy with a big head start!)
The mSCP has configuration settings that support multiple guidance baselines, including but not limited to: NIST Special Publication 800-53 NIST Special Publication 800-171 Defense Information Systems Agency (DISA) macOS 13 STIG Committee on National Security Systems Instruction (CNSSI) 1253 Center for Internet Security — CIS Benchmark, Levels 1 and 2 Center for Internet Security — CIS Critical Security Controls Version 8 |
How does mSCP work?
The macOS Security Compliance Project equips MacAdmins with what they need to implement comprehensive and compliant security measures for macOS systems that are agile for changing security needs and threats.
The project includes:
Security and privacy configuration guides: These guides provide recommendations and explanations for setting security and privacy controls on macOS systems.
Scripting and automation: You can run the provided open-source tools and scripts on your macOS systems to validate or apply the default security configuration and check your system's status in real time.
Custom configuration: The macOS Security Compliance Project offers custom configuration, allowing you to adapt the default configuration settings to better meet your organization's individual needs.
What does mSCP deployment look like?
At a very high level, implementation will look something like this:
Download the repo from GitHub.
Use command line tools to automatically generate baseline configuration profiles, scripts, and documentation. (Command line tools provide options to customize the output based on your needs.)
Upload the generated profiles and scripts to your MDM for deployment.
More of a visual learner? Watch this excellent video from MDOYVR23 for a follow-along example or check out Apple's Tutorial Documentation.
See the macOS Security Compliance Project wiki to explore how to use mSCP. |
Why MacAdmins need mSCP
Why should you use mSCP?
The macOS Security Compliance Project can help MacAdmins leverage macOS's built-in security features to their fullest extent while keeping your systems secure, current, and efficient.
Automation
The mSCP allows for streamlined operations and a real-time security stance. It provides automation tools and scripts that expedite the validation and application of security configurations. These valuable aids let MacAdmins enhance security across devices swiftly and efficiently.
Additionally, these tools establish a uniform implementation of security settings, saving time. The constant updates to the project, driven by both Apple and MacAdmins, make mSCP a reliable source for staying in tune with the latest security features and best practices of macOS.
TL;DR: using mSCP keeps your systems secure but also current and efficient.
Customization
One of the key reasons to employ the mSCP is its adaptability. Rather than a rigid, one-size-fits-all solution, mSCP provides a flexible starting point. Users can modify configurations easily, making mSCP a versatile tool accommodating exceptional use cases.
Easy peasy
And you should use the macOS Security Compliance Project because they've made it easy!
Status quo
You already see these standards built in as architecture or configuration options for vendors and MDMs across the market (and one day soon, SimpleMDM may be on that list … 👀).
DIY
Even if your supported MDM doesn't integrate mSCP as default configs, you can still deploy and implement them through custom configuration profiles.
Lock it up
And you should use mSCP because security and compliance are essential. A culture of security matters and has reverberating effects outside of your company on partner companies and even industries as a whole.
To learn more about implementing mSCP yourself DIY style, take a look at these links: Getting to Know the macOS Security Compliance Project, Part 1 Getting to Know the macOS Security Compliance Project, Part 2 |
MacAdmins must handle their organization's proprietary information with integrity, confidentiality, and adaptability. Protect your users and try deploying macOS Security Compliance Project standards pretty damn quick with a free 30-day trial of SimpleMDM to get your Mac fleet in shipshape! 🚢