Jamf Blog
September 28, 2022 by Jesus Vigo

Using the NIST macOS Security Toolchain to Implement Security Benchmarks

As a financial organization, Suncorp has to be certain of the security of its endpoints. It is a constant search for improvements. In this presentation, they show the benefits of the U.S. National Institute of Standards and Technology (NIST) tools and how they implemented the Center for Internet Security level 2 macOS benchmarks in Jamf Pro using them.

Security is important

  • For every company
  • For every user
  • For every device

A strong statement was made by the host, Tony Williams, from Jemix, relating to the criticality of security and the role it plays regardless of the industry or size of the organization. “You need to be more secure”, exclaims Williams, countering it with the statement that “the most secure computer is one that is powered off and locked in a bank vault…but that isn’t very useful.”

Indeed, the need for security is often presented in juxtaposition to its usability, something anyone who has ever touched a computer can attest to, whether they are the security professional implementing restrictions or the user being limited by them.

Security can be hard

  • Difficult to implement
  • Difficult to audit
  • Difficult to update

But it doesn’t need to be impossible. Williams discusses the benefits of the macOS Security Compliance Project, whose benchmarks are created by a joint partnership of numerous government agencies, such as the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA) and Los Alamos National Laboratory (LANL), and supported by organizations such as Jamf and the Center for Internet Security (CIS).

In addition to the comprehensive support for macOS security, Williams also discusses some of the benefits of adopting this model for your organizational security strategies, including but not limited to:

  • It is kept up to date to address changes in the modern threat landscape.
  • Given its open-source design, the project is well supported and frequently updated.
  • It’s easy to understand, as it provides a full breakdown, in numerous formats, of the threats to macOS, how to determine whether your endpoints are vulnerable and, of course, guidance on how to remediate the vulnerability.

How does it work?

Williams goes into great detail about how to leverage the benchmarks provided in the macOS Security Compliance Project (MSCP): running them against the devices in your organization to determine vulnerability levels, then implementing remediation where necessary to shore up security and enforce compliance. The project is built from three components:

  • Rules: There are approximately 300 rules, each pertaining to a particular security issue or concern that the MSCP will verify on your device.
  • Baselines: A collection of rules that comprise a benchmark. For example, the CIS benchmarks rely on multiple rule groupings to ensure that security relating to a specific benchmark is comprehensively checked and verified for compliance.
  • Script: The final component is a Python-based script that performs a number of functions, including:
    • Generate guidance: Produces documentation based on the rules that will be checked and how they align with the level of security the organization is seeking.
    • Configuration profiles: Generates a list of configuration profiles used to remediate any security issues found.
    • Compliance script: Generates a shell script, potentially thousands of lines long, that checks and remediates endpoint security.

With the multiple components that make up the macOS Security Toolchain, Williams dives deeper still into the iterative process, providing guidance before commencing the build, as well as an in-depth demonstration of the entire process.

He meticulously goes over each phase with examples to add color to the process of checking for, verifying and remediating compliance on macOS endpoints from beginning to end. Lastly, at the end of the presentation, he provides a number of resources for IT and Security admins to use should they require a bit more clarification on a topic or simply wish to discuss findings with fellow Mac admins and seasoned security pros.

Jesus Vigo, Sr. Copywriter, Security.