Rob Buckley – Freelance Journalist and Editor

How to secure Macs in the enterprise

For many people working in IT support and security, the Mac is an 'unknown unknown'. Headlines and word-of-mouth suggest that it is more secure than Windows, yet just as insecure; that it is harder to configure, yet easier to use; and that it will not fit into enterprise deployments, but does not need to.

This article is intended to introduce someone new to Macs to the basics of their security in the enterprise.

Accounts
The Mac operating system, OS X, offers two main kinds of accounts: administrator and standard. The first account you create when you set up a Mac is an administrator account and only an administrator can affect the system or other users.

It is therefore good practice to give all users standard accounts and to have a single administrator account reserved for installing software and other maintenance tasks.

Account management is accomplished using the System Preferences application, available from the Apple menu in the top-left of the screen. Select Users & Groups from the row of system preference panes, or type "account" into the search bar at the top of the application, and OS X will highlight relevant panes.

Click + to create a new account, or click on an existing account and then check or uncheck Allow user to administer this computer to give the account the appropriate privileges.

A user can associate their Apple ID - the same ID that they would use to purchase music from iTunes, etc. - with their account. Clicking Allow user to reset password using Apple ID could save on your support costs, but all it takes is for someone to guess the Apple ID's password and they will have access to the Mac, so it is not recommended.

You should also use this pane to disable the Guest User by clicking on it, then unchecking Allow guests to log in to this computer.

Click on Log-in Options to turn off Automatic login, so that the Mac will not log into a specific account at start up. Set Display the log-in window as to Name and password, so that users have to enter both an ID and a password before they can access the Mac, and turn Show password hints off.


Basic security settings
The Mac has a dedicated Security & Privacy system preferences pane. The General tab has a number of settings.

• Click Require password immediately after sleep or screen saver begins to force users to reauthenticate themselves if they've been away from the Mac for a set period of time.
• Show a message when screen is locked allows you to add a message, such as "If found, please call...", to the log in screen to help with the Mac's recovery if it is lost or to discourage people from trying to sell it.
• Disable automatic log in - as in Accounts.
• Allow applications downloaded from: allows you to prohibit the execution of any applications other than those from the Mac App Store or identified developers.


The Advanced... button offers several additional levels of security:
• Set Log out after to a reasonable period of time, depending on whether you are dealing with a desktop or a laptop, to log the user out of the Mac if it has been left unattended for too long.
• Check Require an administrator password... to stop the majority of system preferences being modified by anyone except an administrator.
• Check Automatically update safe downloads list to download Apple's list of OS X malware signatures every day, so that the Mac can recognise and warn the user if a piece of malware is downloaded.
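
The settings from the Accounts and Basic security settings sections can also be checked from a shell, which helps when auditing many Macs. The script below is an added example, not part of the original article; the preference keys and expected values are assumptions based on the OS X releases the article covers, so confirm them on your own build.

```shell
#!/bin/sh
# Added example (not from the article): audit the settings described above.
# The preference keys are assumptions based on the OS X releases the article
# covers; confirm them on your own build before relying on the result.

# Print "key=value" lines for the current Mac (needs macOS `defaults`, `spctl`).
collect_settings() {
  lw=/Library/Preferences/com.apple.loginwindow
  for k in GuestEnabled SHOWFULLNAME RetriesUntilHint autoLoginUser; do
    echo "$k=$(defaults read "$lw" "$k" 2>/dev/null)"
  done
  for k in askForPassword askForPasswordDelay; do
    echo "$k=$(defaults read com.apple.screensaver "$k" 2>/dev/null)"
  done
  echo "gatekeeper=$(spctl --status 2>/dev/null)"
}

# Read "key=value" lines on stdin, print one FAIL line per deviation,
# and return non-zero if any setting deviates. An unset key reads as an
# empty value and is reported, so every setting ends up set explicitly.
check_settings() {
  fails=0
  while IFS='=' read -r key value; do
    case "$key" in
      GuestEnabled)        want=0 ;;  # Guest User cannot log in
      SHOWFULLNAME)        want=1 ;;  # login window shows Name and password
      RetriesUntilHint)    want=0 ;;  # password hints off
      autoLoginUser)       want="" ;; # automatic login off (key unset)
      askForPassword)      want=1 ;;  # password after sleep or screen saver
      askForPasswordDelay) want=0 ;;  # ...required immediately
      gatekeeper)          want="assessments enabled" ;;
      *) continue ;;
    esac
    if [ "$value" != "$want" ]; then
      echo "FAIL $key: got '$value', want '$want'"
      fails=$((fails + 1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# Run the audit only when asked, e.g. `sh audit.sh --run` on a Mac.
if [ "${1:-}" = "--run" ]; then
  collect_settings | check_settings
fi
```

The screen saver keys are per-user, so run the collection as the user being audited; the login window keys are system-wide.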
