Yosemite, Mojave, Big Sur: as much as we’d all like to say these are destinations on our roadtrip through California, of course we also know these as macOS versions. Our next stop? Ventura.
Ventura includes a number of security updates, hopefully setting an IT admin's mind at ease while they dip their toes in the surf at a California beach, knowing their organization's devices are secure. In this blog, we'll dive into the new security features in Ventura that are relevant to security and IT admins.
Passkeys
Apple wants to make the phishable, leakable, hard-to-manage password obsolete. Ventura brings us passkeys, a safer passwordless sign-in method that authenticates with public-key cryptography: the private key never leaves the user's device and the site only stores the public key, so there is no shared secret to leak in a server breach, and the credential is bound to the site's domain, so it cannot be replayed to a look-alike phishing site. Passkey-enabled sites prompt users to confirm with Touch ID or Face ID on a trusted device; possession of the device plus the biometric replaces a separate MFA step. Passkeys live in the user's iCloud Keychain for multi-device access and sharing. For an IT admin, this means fewer password resets and a lower risk of bad actors reaching company data through an exposed password.
Sign in with Apple at Work
Whether at a school, business or other organization, admins can now bring the convenience and security of Sign in with Apple to their managed devices. Its one-touch login means users can sign into sanctioned, compatible apps with their Managed Apple ID without having to remember another password. IT controls which apps users can use with Sign in with Apple, as well as which apps can see organizational data. The login account can be assigned an email address or not, as IT decides, for example when the account belongs to a student under 18.
Rapid security response (RSR)
So how do you get security updates for macOS between releases? Ventura's Rapid Security Response feature means security fixes no longer have to wait for the next version of the operating system; devices receive the latest patches without users having to upgrade the whole OS. Note that users can remove an installed response if they wish; this can be prevented in your mobile device management solution by setting the allowRapidSecurityResponseRemoval restriction key to false. Responses can also be applied automatically, and the system restarted, via the MDM solution.
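As an added illustration (not Jamf's or Apple's code), the following Python builds a Restrictions configuration profile that carries the allowRapidSecurityResponseRemoval key named above, once with Apple's permissive default (true, users may remove a response) and once hardened (false), and includes an audit helper that reads a profile back and reports which setting it carries. The payload type com.apple.applicationaccess is the Restrictions payload; the organization name, payload identifiers and file name are placeholders.

```python
"""Build and audit a Restrictions profile that keeps Rapid Security
Responses installed on macOS Ventura.

Added example, not Jamf's or Apple's code. The restriction key
allowRapidSecurityResponseRemoval is the one named in the post; the
identifiers, UUIDs and organization name below are placeholders.
"""
import plistlib
import uuid

ORG = "Example Corp"  # placeholder organization name
RSR_KEY = "allowRapidSecurityResponseRemoval"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload


def restrictions_payload(allow_removal: bool) -> dict:
    """One Restrictions payload. True is Apple's default (users may remove
    a response); False locks installed responses in place."""
    return {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.rsr",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Rapid Security Response restrictions",
        RSR_KEY: allow_removal,
    }


def build_profile(allow_removal: bool = False) -> bytes:
    """Wrap the payload in a top-level profile and serialize it as an XML
    plist, i.e. the .mobileconfig format an MDM pushes to devices."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.rsr",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Keep Rapid Security Responses",
        "PayloadOrganization": ORG,
        "PayloadScope": "System",
        "PayloadContent": [restrictions_payload(allow_removal)],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def rsr_removal_allowed(profile_bytes: bytes) -> bool:
    """Audit helper: parse a profile and report whether it still lets users
    remove responses. A missing key means Apple's permissive default."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            return bool(payload.get(RSR_KEY, True))
    return True


if __name__ == "__main__":
    weak = build_profile(allow_removal=True)       # the default behaviour
    hardened = build_profile(allow_removal=False)  # what you want deployed
    print("weak profile lets users remove RSR:", rsr_removal_allowed(weak))
    print("hardened profile lets users remove RSR:", rsr_removal_allowed(hardened))
    with open("keep-rsr.mobileconfig", "wb") as f:  # placeholder file name
        f.write(hardened)
```

The audit helper treats an absent key as "removal allowed" on purpose: a profile that simply omits the key does nothing, and a fleet report should flag that rather than assume the restriction is in place.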
Declarative device management
Introduced for iOS in 2021, declarative device management is now available on macOS Ventura. It supports Automated Device Enrollment, supervised devices, and profile- and account-driven User Enrollment. Instead of the MDM server having to poll devices to check that they comply with your policies, devices apply declarations locally and proactively report their status to the MDM when it changes. Admins can therefore be more confident that company devices are in compliance, which simplifies managing the device lifecycle.
Gatekeeper
Gatekeeper has tightened its restrictions on apps: it blocks apps whose signatures are invalid and checks the integrity of notarized apps. Apps no longer need to carry the quarantine attribute to be verified by Gatekeeper. Notarized apps are held to stricter signing requirements; developers must sign every executable and bundle and make sure the signatures remain valid after any update. Gatekeeper also prevents a signed app from being modified unless the change carries the appropriate signature, blocking unauthorized changes that could come from bad actors.
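The checks a fleet admin runs to see how an app fares under these rules are `codesign --verify` (is the signature valid and is every nested executable covered?) and `spctl --assess` (does Gatekeeper accept it, and why or why not?). The Python below, an added example and not Jamf's or Apple's code, wraps both tools and turns their results into an admin-facing verdict. The sample tool outputs embedded in it are constructed to match the shape `spctl` prints (a `<path>: accepted` or `<path>: rejected` line followed by a `source=` line) and the team ID and app paths are placeholders; only the real tools on a Mac produce authoritative results.

```python
"""Fleet check for Ventura's stricter Gatekeeper: verify an app's code
signature and its Gatekeeper assessment, and explain a rejection.

Added example, not Jamf's or Apple's code. It wraps the macOS `codesign`
and `spctl` tools; SAMPLES below are constructed outputs in the shape
those tools print and are used only to exercise the parser offline.
"""
import subprocess
from dataclasses import dataclass


@dataclass
class Verdict:
    signature_ok: bool   # codesign --verify exited 0
    accepted: bool       # spctl --assess said "accepted"
    source: str          # spctl's source= line, e.g. "Notarized Developer ID"
    detail: str          # codesign's diagnostic text, if any


def parse_spctl(output: str) -> tuple[bool, str]:
    """Extract (accepted, source) from `spctl --assess -vv` output."""
    accepted, source = False, "unknown"
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.endswith(": rejected"):
            accepted = False
        elif line.startswith("source="):
            source = line[len("source="):]
    return accepted, source


def verdict_from_outputs(codesign_rc: int, codesign_text: str,
                         spctl_text: str) -> Verdict:
    """Combine the two tools' results; usable offline with captured text."""
    accepted, source = parse_spctl(spctl_text)
    return Verdict(signature_ok=(codesign_rc == 0), accepted=accepted,
                   source=source, detail=codesign_text.strip())


def assess(app_path: str) -> Verdict:
    """Run the real tools; macOS only."""
    cs = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path],
        capture_output=True, text=True)
    sp = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", app_path],
        capture_output=True, text=True)
    return verdict_from_outputs(cs.returncode, cs.stderr + cs.stdout,
                                sp.stdout + sp.stderr)


def classify(v: Verdict) -> str:
    """Map a verdict to the reason an admin needs in a report."""
    if not v.signature_ok:
        # Ventura blocks apps with invalid signatures outright, including a
        # notarized app whose bundle was modified after signing.
        return "BLOCK: signature missing or invalid (modified after signing?)"
    if not v.accepted:
        return f"BLOCK: Gatekeeper rejected ({v.source})"
    return f"OK: {v.source}"


# Constructed sample outputs (placeholder paths and team ID), not real captures.
SAMPLES = {
    "/Applications/Good.app": (
        0, "",
        "/Applications/Good.app: accepted\nsource=Notarized Developer ID\n"
        "origin=Developer ID Application: Example Corp (ABCDE12345)\n"),
    "/Applications/Unnotarized.app": (
        0, "",
        "/Applications/Unnotarized.app: rejected\nsource=Unnotarized Developer ID\n"),
    "/Applications/Tampered.app": (
        1, "/Applications/Tampered.app: code has no resources but signature indicates they must be present",
        "/Applications/Tampered.app: rejected\nsource=no usable signature\n"),
}


def demo() -> dict:
    """Classify the constructed samples; returns {path: reason}."""
    return {path: classify(verdict_from_outputs(*outputs))
            for path, outputs in SAMPLES.items()}


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Note the order in `classify`: a broken signature is reported before Gatekeeper's opinion, because under Ventura an invalid signature is sufficient on its own to block launch, whatever notarization status the app once had.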
The list of new features goes on, including:
- Accessory security that asks the user to approve a new USB or Thunderbolt accessory before it can connect
- Pasteboard access that requires user permission, or a permission granted through MDM, before an app can read content pasted into it
- Lockdown Mode, which applies strict restrictions for users who need extreme security measures
- Replacement of System Preferences with System Settings
- The Endpoint Security framework now reports user-space events as well as kernel events