Key Apple-native macOS security features for administrators

There are lots of universal security controls that can apply to any type of desktops, but IT teams need to look at the specific features native to desktops such as macOS.

As the adoption of macOS devices in the enterprise grows, so too does the number of attacks against them.

IT departments must protect macOS desktops with the same vigilance afforded to Windows computers, despite any perceptions of inherently superior security that Apple devices have.

Why macOS is not immune to security threats

Many Mac users believe that their desktops and laptops are immune to cyber threats. This belief came about, in large part, because attacks against Mac computers were rare in comparison to Windows computers. However, this was mostly because there were a lot more Windows PCs than Mac computers. Windows systems represented a much larger -- and, consequently, more lucrative -- install base. That said, macOS desktops did have a bit of a security edge because Apple controlled both the software and hardware. In addition, the OS was based on Unix, which also tended to be more secure.

Because of these factors, Mac users may have been complacent about protecting their computers. The tragedy of this security failure is that there are lots of protections available through native macOS controls via system preferences. These features include FileVault and firewall protections.

The proliferation of Mac computers in the workplace and at home has also eliminated the inherent security benefit of having a smaller install base. Hackers and other cybercriminals have turned more of their attention to these Apple-based systems, resulting in an increase in cyber attacks over the past several years:

  • A Malwarebytes Labs report about malware in 2019 stated that the number of threats detected per endpoint against Mac computers outpaced Windows PCs for the first time ever.
  • According to an Atlas VPN investigation, macOS malware development surged by 1,092% in 2020, a significant increase from the year before.
  • Objective-See reported that eight types of new Mac malware specimens or significant new variants appeared against Mac computers in 2021.

Today, macOS computers are susceptible to a wide range of threats, including keylogging, phishing, Trojans, social engineering, malicious websites, ransomware and cryptojacking.

7 native macOS security features for a business setting

Despite the rise in attacks against macOS computers, they're still considered an overall secure option, and in some cases, they are viewed as more secure than Windows computers. This is partly because Apple continues to control both the software and hardware, but also because there are still fewer macOS systems in use compared to Windows systems.

To stay ahead of the rising attacks on macOS devices, Apple has been steadily improving on and expanding the macOS security profile so organizations can feel more confident about supporting Macs in the workplace. Here are seven features that Apple recently introduced that IT teams should be aware of when managing these systems.

1. Sign in with Apple at Work & School

Sign in with Apple is a program that enables users with Apple ID accounts to log in to third-party websites and applications without having to fill out extra forms or maintain multiple passwords. All Apple ID accounts are protected with two-factor authentication (2FA), and users can also use Face ID or Touch ID to access these sites and apps. Apple has also extended the Sign in with Apple capabilities to include Managed Apple IDs, which are owned by an organization and managed through Apple Business Manager or Apple School Manager.

This new service, referred to as Sign in with Apple at Work & School, can be used with various Apple devices, including desktops running macOS 13 or later. In organizations that use Managed Apple IDs, administrators can control which apps and websites their users can access through Sign in with Apple.

2. ACME certificate payload

With the release of macOS 13.1, Apple added support for the Automatic Certificate Management Environment (ACME) protocol, which helps automate certificate lifecycle management between an organization and a certificate authority (CA). ACME is a modern alternative to the Simple Certificate Enrollment Protocol (SCEP). The added support enables macOS computers that are enrolled in mobile device management (MDM), or another similar management platform, to automatically obtain certificates from a CA.

Other Apple devices already supported the ACME protocol via MDM, so the macOS addition merely completes the picture. As such, desktop administrators can add ACME payload profiles to their Mac computers. Each one can then request a client certificate from an ACME server. The certificate attests to the device's validity when accessing network resources. The new feature supports three enrollment types: User Enrollment, Device Enrollment and Automated Device Enrollment.
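An added example, not from the article or from Apple, of a small shell helper that emits an ACME certificate payload as a .mobileconfig that an MDM could deliver to an enrolled Mac. The payload keys follow Apple's ACMECertificate payload reference as I know it and should be checked against the current profile documentation; the directory URL, client identifier and organization prefix are constructed placeholders.

```bash
#!/bin/sh
# gen_acme_profile DIRECTORY_URL CLIENT_ID [ORG_PREFIX]
# Prints a configuration profile containing one com.apple.security.acme payload.
# HardwareBound + Attest ask the Mac to generate the key in the Secure Enclave
# and to attest it to the ACME server, so the certificate proves which device
# is asking for it. Key names are assumed from Apple's payload reference.
gen_acme_profile() {
  dir_url="$1"; client_id="$2"
  org_id="${3:-com.example.mdm}"   # constructed reverse-DNS prefix
  # Each payload needs its own UUID; fall back to a visible placeholder.
  uuid=$(uuidgen 2>/dev/null || echo "REPLACE-WITH-UUID-1")
  puuid=$(uuidgen 2>/dev/null || echo "REPLACE-WITH-UUID-2")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.acme</string>
      <key>PayloadIdentifier</key><string>${org_id}.acme.${uuid}</string>
      <key>PayloadUUID</key><string>${uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>DirectoryURL</key><string>${dir_url}</string>
      <key>ClientIdentifier</key><string>${client_id}</string>
      <key>KeyType</key><string>ECSECPrimeRandom</string>
      <key>KeySize</key><integer>256</integer>
      <key>HardwareBound</key><true/>
      <key>Attest</key><true/>
      <key>Subject</key>
      <array><array><array><string>CN</string><string>${client_id}</string></array></array></array>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>ACME device certificate</string>
  <key>PayloadIdentifier</key><string>${org_id}.acme-profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>${puuid}</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Usage (constructed values): write the profile for upload to the MDM.
# gen_acme_profile "https://acme.example.com/directory" "device-0001" > acme.mobileconfig
```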

3. Declarative Device Management

Apple introduced Declarative Device Management in iOS 15 but recently added DDM support to macOS. DDM is integrated into the existing MDM framework in the OS. It uses a declarative data model to reduce common performance and scalability issues that come with managing multiple devices. The DDM model includes three components: declarations that support device functionality, status tracking that detects changes in the device state, and an extensibility feature that enables devices and servers to advertise capability changes over time.

Some MDM systems take a reactive management approach that requires a series of back-and-forth communications between the MDM server and managed devices. The server must first determine a device's state, and then it can proceed with an action. With DDM, the managed devices can take proactive and autonomous steps that help streamline the management process and reduce server load and network traffic. At the same time, desktop administrators have the most up-to-date information about the status of their macOS devices, while users get a better overall experience.

4. Gatekeeper notarization

Apple has long been proactive about ensuring that Mac users can safely run software on their systems. One of the key components in ensuring this safety is Gatekeeper, which blocks apps, plugins and installers that do not appear trustworthy. Gatekeeper verifies that the software is from an identified developer, that it has been notarized by Apple and whether the code has been altered. If it comes from outside the Apple App Store, the device prompts the user for approval before launching it. Administrators can use MDM to configure Gatekeeper settings.

Prior to macOS 13, Gatekeeper performed its primary checks only when the software was first opened, no matter how it was installed on the computer. However, Gatekeeper now checks that software is properly notarized each time the user launches it, extending the protections throughout its use. In this way, software that has been modified in a way that breaks the notarization -- such as malware altering files or updates not implemented properly -- cannot wreak havoc on the system.
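An added audit script, not from the article, that lets an administrator see which installed apps would pass the per-launch notarization check: it classifies the output of `spctl --assess` for every app bundle in a folder. The three sample outputs are constructed to mirror the tool's format, and the live scan runs only where `spctl` exists (macOS).

```bash
#!/bin/sh
# `spctl --assess -vv --type execute APP` prints lines such as
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
# The samples below are constructed in that format for offline testing.
SAMPLE_NOTARIZED='/Applications/Foo.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='/Applications/Bar.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Baz.app: rejected
source=no usable signature'

# classify_spctl OUTPUT
# Maps captured spctl output to one label:
#   notarized | app-store | unnotarized | unsigned | rejected | unknown
classify_spctl() {
  case "$1" in
    *"source=Notarized Developer ID"*)   echo notarized ;;
    *"source=Mac App Store"*)            echo app-store ;;
    *"source=Unnotarized Developer ID"*) echo unnotarized ;;
    *"source=no usable signature"*)      echo unsigned ;;
    *": rejected"*)                      echo rejected ;;
    *)                                   echo unknown ;;
  esac
}

# audit_apps DIR: assess every .app bundle under DIR (macOS only) and print
# "<label>\t<path>". Anything other than notarized or app-store is what the
# per-launch Gatekeeper check will block or prompt on, so it is worth a look.
audit_apps() {
  dir="${1:-/Applications}"
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    # spctl exits non-zero for rejected apps; keep going and classify anyway.
    out=$(spctl --assess -vv --type execute "$app" 2>&1) || true
    printf '%s\t%s\n' "$(classify_spctl "$out")" "$app"
  done
}

# Run the live audit only on a Mac; the classifier works anywhere.
if command -v spctl >/dev/null 2>&1; then
  audit_apps "${1:-/Applications}"
fi
```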

5. Lockdown Mode

Lockdown Mode is a new feature on macOS, iOS and iPadOS that is designed for the relatively few users, such as executives and cybersecurity specialists, who might be personally targeted by sophisticated threats like highly targeted spyware. When Lockdown Mode is enabled, several apps and system features are limited. For example, macOS blocks most message attachments, certain incoming FaceTime calls, complex web technologies and incoming invitations for Apple services. By limiting this type of functionality, Lockdown Mode helps to reduce attack surfaces that can potentially be exploited.

Users typically enable Lockdown Mode themselves, although administrators should be aware that this feature is available, how to enable it and what happens to the device when the feature is enabled. A device with Lockdown Mode enabled cannot be enrolled in MDM or device supervision. However, if the device was already enrolled before Lockdown Mode was enabled, administrators can still install and remove configuration profiles, although Lockdown Mode itself is not a configurable MDM option.

6. Passkeys

Apple's passkeys provide an alternative to passwords that are more secure, easier to use and simpler to maintain. Users on macOS computers or other Apple devices can sign in to apps and websites through Face ID or Touch ID, without needing to create or manage passwords. Apple uses iCloud Keychain to sync the passkeys so they're available across a user's Apple devices. There is also the option to use the trusted and signed-in iPhones as a method of authentication to sign in to apps and websites on third-party devices. The new passkey capabilities are based on the work of the Fast Identity Online (FIDO) Alliance, a joint effort by vendors such as Apple, Google and Microsoft to promote a common authentication standard that reduces the reliance on passwords.

Apple, Google and Microsoft are all integrating the FIDO standards into web platforms, paving the way for a passkey future. Although passkeys promise to be more secure than traditional passwords, their use is still relatively new, and their impact on desktop administration remains unclear. On the one hand, passkeys could eventually lower administrative overhead by reducing the need to manage passwords, while, at the same time, strengthening an organization's overall security. However, many questions remain about their use. For example, it's not yet clear what the implications might be for organizations operating in highly regulated environments that must adhere to strict compliance laws. In addition, organizations must be willing to trust the passkey management and authentication process to a third-party vendor, such as Apple or Microsoft, while locking themselves into that vendor even more than they already are.

7. Security Keys for Apple ID

Apple now makes it possible for users on macOS computers and other Apple devices to use physical security keys when signing in with their Apple ID accounts. A security key is a FIDO-certified external device, such as a tag or thumb drive, that is part of the 2FA process during sign-in. The key provides an extra layer of protection against targeted attacks, such as phishing or social engineering. Security keys are considered more secure than other methods of 2FA. For example, a text message with an access code can be intercepted or compromised in some other way.

When users log in with their security keys, they must also provide the passwords associated with their Apple ID account. At this point, it's not clear how passkeys might affect the use of security keys in the future. However, security keys are currently supported only for personal Apple IDs and cannot be used with Managed Apple IDs. If an organization doesn't use Managed Apple IDs, it can take advantage of the extra layer of protection that security keys provide. Although this means additional overhead to manage the keys, the tradeoffs can be worth the effort by achieving greater security.

Are there other useful macOS security features for businesses?

The seven features listed above are by no means the only macOS security features that IT teams should be aware of when managing macOS computers. The OS also supports such features as FileVault encryption, built-in firewall protection, XProtect antivirus protection, System Integrity Protection, Hide My Email, Secure Boot, Secure Enclave, Rapid Security Response, App Sandbox and numerous other safeguards.

Administrators can also use the MDM capabilities built into macOS and other Apple devices to wirelessly configure settings, monitor compliance with organizational policies and remotely wipe or lock devices. The local and Apple-native security features can complement an MDM system -- they are rarely there as a replacement to full management.
