How to secure Macs in the enterprise
- Article 1 of 3
- ComputerWeekly, December 2012
For many people working in IT support and security, the Mac is an 'unknown unknown'. Headlines and word-of-mouth suggest that it is both more secure than Windows, yet just as insecure; it is harder to configure, yet easier to use; it will not fit into enterprise deployments, but does not need to.
This article is intended to introduce someone new to Macs to the basics of their security in the enterprise.
Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages
Greater control, including locking down of USB access, is built in, but only available through other, more advanced mechanisms, such as OS X Server, DeviceLock and Endpoint Protector.
Once you have configured the Parental Control settings for one account, they can be easily copied to other accounts using the cog button:
If you choose to allow USB drive access, you can apply FileVault encryption to removable USB drives by right-clicking on the drive on the Mac's desktop.
However, it is not cross-platform so if the drive is to be used by Windows as well, you should investigate encryption software such as TrueCrypt or hardware such as Kingston's DT Locker+ G2 USB sticks that work with both platforms.
Anti-malware
There are relatively few pieces of malware that target the Mac and most of those that do target OS X's Java environment, which is no longer installed by default with OS X. There are frequent security updates to OS X, with all publicly known malware that targets systems blocked by the latest updates.
However, patch management remains the Mac's security Achilles' heel, with system updates handled through the App Store in the Apple menu.
Administrator rights are needed to install the updates, so an admin needs to manually update every Mac. However, you can do this more efficiently by activating the "Remote Login" function in the "Sharing" system preference pane. Restrict access to it by clicking on the + sign and adding the administrator account to the list of users allowed to use the function.
You can then use SSH to log in remotely and update the Mac with the 'softwareupdate' command.
However, few organisations bother to install paid-for OS updates or buy new Macs very often, so it is also worth installing AV software such as Sophos, Norton One, ESET Cybersecurity for Mac and ClamAV.
Keychain
Each user account as well as OS X itself has encrypted keychains for storing passwords, security certificates, Wi-Fi log-in details and other authentication functions. Users can store log-ins to websites in their keychain from browsers including Safari and Chrome; when they return to those sites, the browsers will automatically fill in these log-in details. The system software does the same with network authentication details.
Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages