Mac usage in enterprise has taken on a life of its own in the past few years. Originally led on by the halo effect of the iPhone and the iPad, the Mac has become the favorite device among IT professionals and end users.
The Mac’s popularity has led to what many IT professionals consider to be a “new normal” in enterprise. Macs are now commonly used throughout an organization, not just in creative roles, but also in more traditional business applications like finance, sales, marketing, and people operations.
With the rise of Macs in business, IT and Security professionals need to build a new stack of solutions that will help them to deploy, configure and protect the Macs accordingly.
Unfortunately, the first and easiest path pursued by IT and Security professionals is not the best one. IT and Security professionals who used to manage and protect PCs running Windows will initially try to extend the scope of the software stack they already use for Windows, and also include the Macs.
However, they won’t need much time to understand that Macs are not only unique and special for end users. The same also applies to the IT and Security tasks. The right way to deploy, manage and protect a Mac is by using solutions specially created for the Mac.
At first glance, this can sound like more work considering the inclusion of a new set of tools only for the Macs. But as we will discuss below, it can be the opposite if the right approach is adopted when building the IT and Security stacks for Apple devices, including not only the Mac but also the iPhone and the iPad.
So, what are all the different solutions that should be integrated into the IT and Security stack for Macs used at work?
#1 – An Apple-only Device Management Solution
It all starts with a high-quality Apple specialized MDM. A good Apple-only MDM will solve about 60% of all needs IT and Security will have related to the Macs used at work.
First, an Apple-specialized MDM will completely automate the deployment and provisioning of new Macs. It will allow IT to simply give a new employee a sealed box with a new Mac and be confident that the end user, even those with very basic tech knowledge, will be able to be up and running, with the Mac correctly configured, in a few minutes.
With a good Apple-only MDM, the only step the end user will actually have to complete is connecting the Mac to the internet and from there, the MDM will handle the rest.
The MDM will also enable IT to enforce device configuration, remotely install all the necessary apps, install printers, enforce VPN, and much more.
Several MDM configurations will also solve multiple tasks for the Security team. For example, it’s through the MDM that device encryption – FileVault – can be activated, password rules enforced and much more.
A good Apple-only MDM will operate through a combination of Apple’s native MDM protocol and a powerful local agent. When this duo reaches the perfect balance, IT and end users will not be able to notice when it’s one or the other that is in action – things will “just work”. Virtually anything can be done remotely, automatically and on a large scale.
So, a good Apple-only MDM is where you should allocate the very first dollars of your budget. And the good news is it can cost as little as $1 dollar per month per device for a great Apple-only MDM.
#2 – macOS Hardening & Compliance
Everyone knows that the macOS is the most secure operating system for personal computers in enterprise. But what does that mean?
It means that the macOS is heavily equipped with great security controls and settings that can be configured to achieve a relevant degree of protection against undesired physical and remote access. This is what the security experts refer to as “hardening” a computer.
But what are all those controls and settings? How to correctly configure them to harden the Mac taking in consideration the needs of each business? And once those configurations are applied, how to ensure users will not change them – on purpose or accidently – or that future updates will not impact them? Those are indeed challenging questions, and the more Macs your company has the more complex this task can be.
Let’s think about a medium size business with 300 Macs. Without being too sophisticated with the hardening goals, just by applying basic controls and configurations recommended by organizations such as CIS, a company can easily reach 30 different configuration points per device. In this example, it creates 9,000 unique control points that can change at any minute.
As you can see, checking the compliance of all the 9,000 configurations in our example above and remediating those not compliant is something impossible to be done manually, it doesn’t matter how many members the IT or Security team have.
However, simply by adopting a good hardening and compliance tool specialized on macOS, this task can go from impossible to 100% automated.
Good macOS hardening and compliance tools will bring ready-to-use libraries of intuitive security controls. Once selected what configurations to enforce, it will work for the IT team 24×7 by checking every single device against all the enabled controls and automatically remediating any identified issue.
The result? A fully compliant Mac fleet without any additional work for the IT or Security teams.
#3 – Next Generation Antivirus
The old idea that “Macs don’t get malware” is far from reality. Regardless of how secure an operating system is, legitimate and desired OS features can also be used by malicious agents to exploit computers.
At the end of the day, the difference of a legitimate application from a malware doesn’t reside only on what actions both are performing on the device. It’s actually related to the desire of the device user or the company of having that action happening on the device or not.
So it doesn’t matter how secure an OS is, there will always be a bad guy leveraging common features to perform malicious actions on all devices. The difference between 15 years ago and now is that now, with the growth of Macs used at work, there are way more devices that can potentially be exploited. This makes the Mac a more profitable target for hackers, and justifies a higher allocation of time on creating malwares targeting Macs.
Based on that, it’s important for companies to add an extra level of security through A Next Generation Antivirus solution that uses artificial intelligence, behavior and contextual analysis to detect malicious activity from the expected actions happening on each Mac.
Also, because macOS is nothing like Windows, selecting a solution that was initially developed to protect devices running Windows and make most of their revenue from protecting those devices is not a good approach.
Once again, macOS specialization plays a big role on the quality of the security solutions when the goal is to protect Macs so make sure the solution you select has deep specialization on macOS, and that Macs are the priority for the company providing it.
#4 – Privilege Management
The old dilemma of whether end users should have Admin permissions or not on the computers they use for working is also present for Macs.
On one side of this equation is the unquestionable risk of letting end users run as admin all the time. Admin accounts are the pie-in-the-sky targets for hackers because once a Mac is compromised while the user is running as admin, the malware (and the hacker) will inherit the same ability to perform all actions available to an admin. Considering that ultimately, a local administrator can change any setting, install anything, and do just about whatever they want to, a malware (and the hacker) would also have the same potential. Scary right?
On the other side, in specific cases, the end user may have a justified need for admin-level privileges to address a potential issue, change permissions of applications, have better control over software updates and more. The estimate is that these justified needs, when combined, will not represent more than five minutes per month. No, not per hour, not per day – PER MONTH.
And because of these exceptional five minutes per month, users would be granted admin privileges permanently, creating a material security risk that is disproportionate to the real business needs.
So how to address this dilemma? For that, either companies need to pick one side of the equation and bear the consequences of the other side or implement a solution that will allow for a controlled use of admin privileges through on-demand temporary escalations.
#5 – Application and Patch Managements
A vital part of an efficient and secure enterprise management is Application and Patch Management. Once again, the same is true for Macs.
Considering a good portion of the work to be done on a Mac will happen through various applications, it’s highly important for productivity and security that companies leveraging Macs have a scalable and reliable way to install, update and remove applications on the work Macs without relying on any action from the end user.
For Macs, this can be done in two ways.
For all applications that are available at Apple’s App Store for Mac, companies need to leverage a solution that deeply implements all Apple API’s for silently and remote installation and updates. One more time, here the specialization on Macs goes a long way because only software providers focused on Apple devices will be able to justify a complete and deep implementation of Apple’s APIs for remote App Store apps installation.
However, several – if not the majority – of the Mac applications normally used in the enterprise, such as Google Chrome, Zoom, Microsoft Teams and many others are not available in the Mac App Store. For these apps, companies can’t leverage Apple’s APIs for remote app installation and update.
A daunting solution for all the apps that are not available at the Mac App Store is to leverage the possibility offered by some Apple-specific MDM providers to distribute and install .pkg and .dmg files – file extensions normally used as installers of Mac applications.
However, this alternative requires several steps, from downloading a file from each software provider, hosting the file on a cloud CDN, manually creating pre-install and post-install scripts and manually managing the permissions (PPPC) required for each app. And for every update of each app, the same flow needs to be done again.
Even considering it’s possible, it’s far from ideal, and the complex workflows, other than consuming a relevant number of IT hours, will also add relevant delays on updates and all the security patches they bring.
So, another recommendation for a solution that should be part of your IT software stack for Macs is an automated Application and Patch Managements solution that completely implements Apple’s API for App Store apps and offers ready-to-use libraries of automated installation and patch for the apps not available in the Mac App Store.
#6 – Online Privacy and Security
Our final recommendation is related to protecting the end users when they are online from malicious websites, phishing, fraud, spywares and spam, while ensuring their online activity is private and compliant with company policies.
In a hybrid work world, the device used by employees is the only layer always present with them for work activities. So more than ever, having an online privacy and security solution enforced through their work devices is paramount.
And why is this different for Macs? Simple. The technical ways to install and enforce online filtering on Macs are materially different than the methods available for Windows, requiring some good level of specialization from the provider.
Because of that, generic solutions that try to implement “universal methods” are well-known for creating critical side effects, such as slow connections, limited protection and internet usage disruption on Macs.
So as our last recommendation, IT teams should adopt a Mac based online privacy and security solution that leverages the best native options available for Macs for online security and privacy.
What if all of that could be part of a unique Apple platform?
Software providers that focus on solutions for managing and protecting Apple devices used at work can use their deep knowledge on Apple’s operating systems and specialization to integrate on a single Apple platform, all the features and solutions that the IT and the Security teams will need to manage and protect the Apple devices used at work.
This approach is known as Apple Unified Platform.
Mosyle, a leader on modern Apple endpoint solutions is the reference on Apple Unified Platform through its product called Mosyle Fuse.
Mosyle Fuse integrates a complete and automated Apple Device Management, a Mac-specific Next-Generation Antivirus, Mac-specific Hardening and Compliance, Mac-specific privilege management, Mac identity management, Apple-specific Application and Patch Managements with a complete library of fully automated apps not available on the App Store, and an Encrypted Online Privacy & Security solution.
By unifying all solutions on a single platform Mosyle is not only really simplifying the management and protection of Apple devices used at work for IT and Security professionals. Mosyle Fuse also reaches a level of efficiency and integration that is impossible to be achieved by independent solutions.
Finally, the cost benefits of an Apple Unified Platform such as Mosyle Fuse is also material. Considering the average cost of each individual solution that should be part of the IT software stack for Macs, we estimate that by adopting an Apple Unified Platform such as Mosyle Fuse can generate savings of more than 70%. Even for small fleets, it’s a relevant amount.
So, if you have Macs used by employees at work, you should try unified Apple solutions such as Mosyle Fuse as they can bring amazing benefits for you and your company.
FTC: We use income earning auto affiliate links. More.
Comments