macOS Security with Intune – From Basics to Bulletproof

Last Updated on January 15, 2025 by Oktay Sari

Let’s be real—‘bulletproof security’ sounds cool, but in the world of cybersecurity, it’s more of a myth than a reality. Threats evolve faster than we can patch things, and there’s always a clever hacker out there looking for a way to crack your macOS Security. The goal here isn’t perfection; it’s about staying ahead of the game, minimizing risks, and being ready to respond when (not if) something happens.

Implementing security measures is essential, but let’s face it, many organizations struggle with this task— From my own experience, this rings even truer for anyone tasked with managing and hardening a fleet of macOS devices. That’s why I created a macOS Security Baselines GitHub repository packed with scripts and configuration profiles tailored for macOS Security Hardening with Intune. I hope you’ll find it valuable.

Are you ready to step up your macOS game? Go straight to the macOS Security Baselines

Note: There are plenty of great repos out there doing similar work, but I’ve tried to add my own twist here. I’ve included detailed documentation for each setting and script—breaking down what it does and why it matters. Plus, I’ll be keeping it updated to stay ahead in the ever-changing world of security!

CIS Benchmarks: A Quick Overview 🤔

The CIS Benchmarks are a set of security configuration guidelines developed by cybersecurity experts to help organizations strengthen their defenses. They offer detailed recommendations for securely configuring systems, including macOS Security. This project offers a collection of scripts and configuration files built to match CIS (Center for Internet Security) benchmarks—essential cybersecurity settings that work well for most organizations aiming to strengthen their security foundation.

Two Levels of CIS Benchmarks:

• Level 1: The basics—security settings that are easy to set up, won’t break anything, and keep systems running smoothly.
• Level 2: For high-security environments—tighter settings that might come at the cost of reduced functionality.

These benchmarks are a great starting point for securing your macOS fleet. if you’re using Intune, you know there’s still no macOS Security Baselines. For more details, check out the official CIS Benchmarks for Apple macOS.

What’s in the Repo? 🛠️

The macOS Security Baselines repo is packed with a lot of goodies to make your macOS security journey smoother. Before diving in, always check if something can be configured with Intune’s native policies. Start with Settings Catalog, move to Device Restrictions, then try Custom Profiles (.mobileconfig or .plist). If nothing fits, scripts are your final option. This is also how I have tried to build this project.

Note: The repo currently includes Level 1 recommendations. Level 2 is in the works—stay tuned!

Using the configuration profiles and scripts from my repository does not mean you are compliant with CIS or any other benchmark. The configurations in my repository follows most of the recommendations but also include custom implementations of recommendations and CIS controls. If you want to assess your deployment against CIS, check out CIS Controls Self Assessment Tool (CIS CSAT).

Settings Catalog

These JSON files are exports from my development tenant. You can import them into Intune directly, or use tools like IntuneManagement.

Configuration examples:

• Screen Lock: Automatically lock screens after inactivity to protect user privacy.
• Firewall Activation: Ensure the macOS firewall is always enabled to block unauthorized access.
• Enable System Integrity Protection (SIP): Protect the macOS root filesystem from tampering.
• Audit Logs: Enable detailed logging for user activities and security events.
• Application Logging: Track app activities for forensic investigations.
• Have a look for more…

Custom Profiles

Some settings can’t (yet) be handled by Intune’s settings catalog. That’s where .mobileconfig and .plist files come in handy.

Custom profile examples:

• Fast User Switching Disabled: Prevent unauthorized session access while keeping Touch ID functional for convenience.
• Login Window Hardening: Enforce CIS 2.10 compliance with a custom login message, disable auto-login, and remove password hints for enhanced security.
• Safari Security and Privacy: Block unsafe downloads, enable fraudulent website warnings, and enforce stricter storage policies.
• Show Wi-Fi and Bluetooth Status: Ensure connectivity statuses are always visible in the menu bar, meeting CIS recommendations.
• and many more

Scripts

When nothing else works, scripts can automate tasks that native Intune policies can’t handle.

Script examples:

• Disable Root Account: Prevent unauthorized superuser access and reduce the attack surface.
• Enable Sudo Logging: Log all sudo commands for better accountability and audit trails.
• Set Sudo Timeout to Zero: Require password re-entry for every sudo command to minimize privilege escalation risks.
• Check out all of the script here…

Custom Attributes

Want to monitor your configurations? Custom attributes give you extra insight into your fleet.

Examples:

• Monitor App Store Automatic Updates: Check if updates are automatically downloaded.
• Monitor Sudo Timeout Period: Validate that sudo requires password re-entry for every command.
• Monitor Software Update Status: Ensure macOS updates are available and systems are connected to Apple’s update servers.
• Create your own custom attribute scripts based on these examples

macOS Security – Lessons from the Field

After countless deployments, here are some do’s and don’ts I’ve learned:

Do’s:

1. Start Simple: Begin with compliance policies, then layer on advanced configurations.
2. Inform Users: Changes like login screen tweaks can confuse users—keep them informed.
3. Test Configurations: Validate changes in a controlled environment before rolling them out.

Don’ts:

1. Rush Configurations: Take your time—security requires thoroughness.
2. Neglect Password Policies: Misaligned settings can create syncing headaches.
3. Forget About Impact: Always understand how changes affect your users and systems.

From Basics to Bulletproof 🔒

The Basics:

Every solid security setup starts with the essentials. These are a few of the must-have configurations to protect devices without disrupting functionality.

• Compliance Policies: Define your must-have security settings.
• Device Restrictions: Block features like screen sharing and guest accounts.
• OS and Software Updates: Keep devices patched and protected.

Must-Haves:

These are the critical configurations that go a step further to secure user behavior and data. They help minimize risk while maintaining usability.

• Disable password auto-fill and sharing.
• Lock down sharing features like SMB and Bluetooth.
• Turn off iCloud services to keep data local and secure.

Advanced Configurations:

Once you’ve nailed the basics and must-haves, it’s time to level up. These advanced setups add deeper insights and automation to your security strategy.

• Use custom attributes for detailed reporting.
• Automate with scripts when needed.
• Explore tools like Jamf Compliance Editor and iMazing Profile Editor for flexibility.

Let’s Get Started with macOS Security! 

1. Clone the repository:

git clone https://github.com/oktay-sari/Intune-Goodies.git

1. Follow the README instructions in each folder.
2. Import JSON files into Intune or use .mobileconfig and .plist files.
3. Deploy scripts and monitor compliance.

Understand the impact!

Always think about the impact of any changes you make—seriously, it’s a big deal! Understanding what you’re implementing and how it affects your system is non-negotiable. Here’s an example;

Login Window configuration: Do not show username!
You should inform users what to expect. They probably don’t know their macOS local account username!

JAMF compliance Editor

Another great tool to get you started is JAMF compliance Editor. The Jamf Compliance Editor is like your security sidekick, making it super easy to get started with compliance baselines for all your Apple gear—macOS, iOS, iPadOS, and even visionOS.

It’s powered by the macOS Security Compliance Project (shoutout to NIST for hosting it on GitHub), so you know it’s got some serious cred.

Final Thoughts 💭

macOS Security with Intune doesn’t have to be a headache. With this repo, you’ve got everything you need to set up, secure, and scale your fleet. So, what are you waiting for? Check out the repo, dive in, and let’s make your macOS fleet bulletproof! 💪

Got questions or feedback? Drop me a line or open an issue on GitHub.

Resources:

• https://github.com/usnistgov/macos_security
• https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web
• https://github.com/Jamf-Concepts/jamf-compliance-editor/releases
• https://trusted.jamf.com/docs/establishing-compliance-baselines
• https://beta.apple.com/for-it
• https://imazing.com/profile-editor
• https://www.cisecurity.org/benchmark/apple_os
• https://learn.microsoft.com/en-us/compliance/regulatory/offering-CIS-Benchmark