
A Different Kind of Lockdown - How to Keep Your Organisation’s Macs Secure

As we’ve previously discussed, securing private data on Macs within an organisation is of vital importance. The global shift towards remote and hybrid working has also made this task more difficult to manage at scale than ever before, with portable endpoints more likely to be regularly used on insecure networks as well as being left unattended - however briefly - in public places.


This article highlights some of the steps and best practices you can take to protect against such threats and how to implement them, leveraging macOS’ built-in security features. It goes without saying that these measures should be accompanied by quality EDR (Endpoint Detection & Response) software, such as the Mac-exclusive Jamf Protect, and a VPN or ZTNA solution for remote staff.


FileVault

All Macs with either an Apple Silicon processor (e.g. M1 and M1 Pro/Max) or a T2 security chip benefit from automatic hardware-based SSD encryption. This simply means that the SSD cannot be removed and inserted into another Mac to have its data accessed. However, this is no protection for a stolen MacBook where the original drive - full of your private data - is still in place.


This is where FileVault comes in. It encrypts the data on the startup disk and ties unlocking it to your Mac user account password, so the Mac cannot be accessed unless the log-in password is entered.


Naturally, this prevents any account from being able to automatically log in to the Mac at startup. It also protects against someone resetting a user account password from Recovery Mode, as they’d still need either the FileVault recovery key or access to the associated Apple ID (depending on which emergency fallback option you chose during FileVault setup) to unlock the Mac. We’d strongly recommend the recovery key method.


FileVault can be enabled in System Preferences > Security & Privacy.


FileVault in Security & Privacy preferences in macOS

Activation Lock

Available on iPads and iPhones for some time now, Activation Lock ties a Mac to your Apple ID and persists even if you erase the Mac back to factory settings. The Mac is rendered useless unless the password for its associated Apple ID account is entered, and the only bypass for this is to submit the original proof-of-purchase to Apple Support. The Mac can also be placed into “Lost Mode” and tracked by an MDM, via another device using the Find My app with the same Apple ID, or by signing into iCloud.com.


Activation Lock can be enabled in System Preferences > Apple ID.


Firmware Password/Recovery Lock Password

Once enabled, this feature prevents anyone booting a Mac from a different startup disk (e.g. an external drive), and prevents access to macOS Recovery Mode, without this password. It has to be initially set via Recovery Mode as well.


A firmware password cannot be bypassed without support from an Apple Authorised Service Provider (such as KRCS) or an Apple Store, and proof-of-purchase is required. Therefore, be sure to note the password down in a securely encrypted vault - either OneDrive or 1Password offer great options here - so you always have a copy kept safe.


This feature is not available on Apple Silicon Macs unless the Mac is enrolled into a compatible MDM solution with an equivalent Recovery Lock feature, such as Jamf Pro. Instructions for enabling via MDM will of course vary from solution to solution.


Touch ID

Secure your Mac’s Keychain password vault and user account log-ins with a touch of your finger. This is available on the majority of MacBooks from 2016 and with Apple Silicon Macs using Apple’s latest Magic Keyboard with Touch ID.


Touch ID can be enabled on compatible Macs in System Preferences > Security & Privacy.

Software Updates

Keeping your Mac’s OS fully up-to-date will naturally help protect against new threats as and when they arise. It’s a great idea to keep your browser updated too and, handily, Safari updates are delivered in the same area as macOS ones - System Preferences > Software Update.

Software Update on macOS Monterey
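
Two of the settings above, FileVault state and OS version, can be checked from a script on a single Mac or through an MDM's script runner. The following is an added example, not KRCS's or Apple's own code: `MIN_OS` (12.0) is an assumed baseline, and the fallback input is a constructed sample so the logic can also be exercised off-device.

```shell
#!/bin/sh
MIN_OS="${MIN_OS:-12.0}"   # assumed baseline, not a value from the article

# Classify the text printed by `fdesetup status`.
filevault_state() {
    case "$1" in
        *"FileVault is On."*)  echo on ;;
        *"FileVault is Off."*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Succeed if dotted numeric version $1 is older than $2 (12 equals 12.0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Takes raw command output as arguments; prints one line per check, non-zero on failure.
audit() {
    fv_out=$1; os_ver=$2; rc=0
    case "$(filevault_state "$fv_out")" in
        on)  echo "filevault PASS on" ;;
        off) echo "filevault FAIL off"; rc=1 ;;
        *)   echo "filevault UNKNOWN unparsed-output"; rc=1 ;;
    esac
    if [ -z "$os_ver" ]; then
        echo "os UNKNOWN no-version"; rc=1
    elif version_lt "$os_ver" "$MIN_OS"; then
        echo "os FAIL $os_ver older-than $MIN_OS"; rc=1
    else
        echo "os PASS $os_ver"
    fi
    return "$rc"
}

fv="FileVault is Off."; ver="11.6.2"   # constructed sample, replaced on a Mac
if command -v fdesetup >/dev/null 2>&1; then
    fv=$(fdesetup status 2>&1) || true; ver=$(sw_vers -productVersion)
fi
if audit "$fv" "$ver"; then echo "result: compliant"; else echo "result: non-compliant"; fi
```

An unparseable `fdesetup` result is reported as UNKNOWN and counted as a failure, so a Mac that cannot be assessed is never recorded as compliant.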

BusinessClass Managed Service

You quickly appreciate the potentially daunting scale of work involved for an organisation needing to apply any of this across even a modest Mac estate - especially with fewer users being permanently based on-premises. Consider even just a few of the things that need to be done:

  • Recording the FileVault recovery key for every Mac (which itself would be a major security risk)
  • Keeping track of what Macs are running older, vulnerable OS versions and updating them
  • Having no recourse to bypass Activation Lock on a Mac that is linked to an ex-employee’s personal Apple ID, without Apple Support and a copy of the Mac’s original invoice

Fortunately, expert help for all of the above - and a lot more besides - is at hand in the form of our BusinessClass Managed Service. Leave it to our team of Apple-certified experts to handle all of the heavy lifting for you, so you can focus on using your Apple devices to grow your business. To see how we can help you both secure and get the most out of your Apple estate without the fuss, give our friendly team a call on 0115 985 1797 or email us at info@krcs.co.uk.


