It’s a beautiful Fall Friday afternoon and the IT team is ready to end another week of work with a happy hour at a new brewery across the street from the office. The week was great. Some small challenges occurred, but this team could handle everything – no critical task will be carried over into the following week.
But at 4:32pm a call from the company’s CFO changes everything.
She was at an airport getting ready to fly home from a busy week of business meetings. While she performed a final review of the company’s proposed budget for the year ahead, the airline crew announced her name and asked her to come to the gate counter. Frustrated, she left her MacBook on the seat and headed to gate counter just a few feet away to check what was going on, afraid of another flight cancelation.
Luckily it was just a quick request to change seats, which she promptly agreed to. However, when she got back to her seat, she couldn’t find her MacBook. It was stolen! A terrible incident, but what was even worse was the fact that she wasn’t sure if she had locked the screen before leaving the MacBook unattended – potentially exposing critical company data and accesses to the person now in possession of her MacBook.
She was about to look for airport security when the airline announced the final boarding call for her flight. So, what happens now?
Depending on how the MacBook was deployed, this scenario can result in drastically different outcomes. If the MacBook was correctly managed and hardened, the potential losses may be just the price of a new MacBook (and the company might have a real chance of recouping the device later).
However, if the MacBook was not correctly managed and hardened, the potential of losses could reach millions of dollars. Especially if the thief can access sensitive and confidential data, including employees and customers personal identifiable information.
So, what can IT teams do to be prepared when this scenario happens?
- Apple Business Manager
The first preventive step is to ensure all work Apple devices are part of the company’s Apple Business Manager account. Every business leveraging Apple devices can (and should) have a company-controlled Apple Business Manager account.
With this account, all new devices purchased by the company from Apple or authorized resellers can be immediately and automatically assigned to the company’s Mobile Device Management (MDM) solution. This ensures that every device will be automatically and remotely managed by the company’s MDM – eliminating the need for any manual configuration when the device is first turned on.
This step is more than just a convenience, it brings a high level of security by ensuring all company devices are remotely managed. Even if the device is erased for some reason, the device will always automatically connect back to the company’s MDM solution.
Currently, even devices that weren’t purchased from Apple or from an Apple Authorized Reseller can be manually added to Apple Business Manager using a free app called Apple Configurator.
- Leading Apple-Only MDM
Having Apple Business Manager is a great first step, but without connecting it to an MDM solution it won’t be of much help. In the same way, the wrong MDM solution may also create more trouble for the IT team.
Remotely managing Apple devices is nothing like managing devices running other operating systems such as Windows or Android. Based on that, a universal recommendation from Apple IT Administrators is to always use a leading Apple-only MDM solution. This will ensure your company always has access to the remote management features and capabilities available to Apple devices. Additionally, using an Apple-only MDM provider gives you the confidence that the way these tools were built will allow you to extract the most from the Apple devices used at work.
Enterprise IT teams should be happy to know that you can find a leading Apple-only MDM for as little as $1 a month per device.
With a good Apple-only MDM, a company can perform several actions to protect and recoup lost or stolen devices, such as remotely erase device data to limit the chance of data loss, enable device-based Activation Lock, obtain the device’s location, retrieve details of last connected IP and SSID, and much more.
As you can see, just by having an Apple-only MDM companies can dramatically decrease the chances that a lost or stolen work device will result in devastating consequences.
- Apple-specialized Hardening and Compliance
It’s well-known that Apple operating systems are the most secure operating systems in the market. But what does that mean?
It means that an Apple OS, such as the macOS, is heavily equipped with great security controls and settings that can be configured to achieve a relevant degree of protection against undesired physical and remote access. This is what the security experts refer to as “hardening” a computer.
But what are all those controls and settings? How should you correctly configure them to harden the Mac while also taking into consideration the needs of each business? And once those configurations are applied, how do you ensure end-users will not change them – on purpose or accidently – or that future updates will not alter them?
All of the above are valid questions with complex solutions, and the more devices your company has the more challenging this task can be.
Some great examples of hardening controls that can add a relevant layer of protection when a work device is lost or stolen are:
- Enforce screen saver (with password) after a short period of inactivity with an automated session lock: This control will ensure that if a device is not used for a few minutes, the MacBook will automatically lock the session and require the local user password to unlock it. This control adds a level of protection and should be implemented and monitored by all companies.
- Enforce a complex password policy and a limit of 3 consecutive failed attempts: Without this control, the person who has the device will have unlimited password attempts. This drastically increases the chance of the thief or bad actor guessing the password using techniques such as social engineering. However, if the number of attempts is restricted to 3 with the account being locked once this limit is achieved, the chances of someone guessing the password and accessing the device decreases immensely.
- Enforce disk encryption: Enterprise IT team need to make sure all the information on every work device is fully protected with strong encryption to add a final layer of security to the device. For example, on the scenario above, if FileVault (Apple’s native and highly secure macOS disk encryption feature) was correctly configured and enforced, once the device has the user session locked, all the information is encrypted and can’t be accessed without the key. Even if the device’s SSID is removed and connected to another device for a physical extraction.
These are just a few of the many recommended device hardening controls that companies should enforce and monitor constantly. However, checking the compliance of all the recommended security controls while remediating devices not compliant is something that cannot be done manually – no matter how many members the IT or security team has.
By adopting a good hardening and compliance tool specialized for Apple devices, this task can go from impossible to totally automated. Good Apple-specific hardening and compliance tools include ready-to-use libraries of intuitive security controls. Once an IT team selects what configurations to enforce, the solution will work 24×7 to check every single device against all the enabled controls and automatically remediate any identified issues.
On their own, Apple devices offer a high potential level of security, even when a device is lost or stolen. However, the effectiveness of the security features on Apple devices relies on the tools and policies adopted by an IT team.
Going back to our airport example, if the steps above were correctly adopted by the IT team, chances are they would be able to thank the CFO for communicating the issue and recommend her to stay calm, that the device was properly protected, and she should enjoy her flight home.
The IT team would be confident the data was encrypted, and the session locked. All they would have to do is click a couple of buttons to remotely erase the device and enable Activation Lock. Then, a new MacBook could be shipped to the CFO on Monday, and they would still have good chances of locating the stolen device.
Some specialized Apple endpoint software providers offer something called Apple Unified Platform. Mosyle, a leader in modern Apple endpoint solutions, is the standard for Apple Unified Platforms through its product Mosyle Fuse.
Mosyle Fuse integrates Apple-specific and automated MDM, a next-generation antivirus, hardening and compliance, privilege management, identity management, application, and patch management (with a complete library of fully automated apps not available on the App Store), and an encrypted online privacy & security solution.
By unifying all solutions on a single platform, companies not only simplifiy the management and protection of Apple devices used at work but also reach a level of efficiency and integration that is impossible to be achieved by independent solutions.