In the UK, the National Cyber Security Centre (NCSC) supports the most critical organisations in the UK, the wider public sector, industry, SMEs and the general public — aiming to make the UK the safest place to live and work online.
NCSC has recently re-branded and re-launched its Device Guidance and Mobile Device Guidance. Within the guidance, NCSC kindly provides a variety of resources, including scripts, to manipulate various configuration settings. These settings, accompanied by the plethora of good-practice guidance on the NCSC's site, provide a fantastic security baseline. However, as NCSC points out, it is far more cost- and time-effective for organisations of all sizes to implement these security features via Mobile Device Management (MDM).
In this blog post, we'll illustrate very simply how to get the best from the Jamf Apple Enterprise Management platform in order to achieve NCSC's security baselines across iPhone, iPad and Mac fleets. All you need to do is make the setting changes we recommend.
iOS and iPadOS
General MDM Settings
MDM settings NCSC recommends against using:
- Security (controls when the profile can be removed)
- Automatically remove profile (Settings for automatic profile removal)
How Jamf Pro helps:
- The "Security" setting is available for configuration only when the distribution method is set to Self Service. Automatically distributed profiles can never be removed by the user; they can be removed only if the MDM profile is removed or if the device falls out of scope in Jamf Pro.
- Configuration profiles within Jamf Pro will never be removed automatically unless caused to do so by either the device falling out of scope OR the MDM profile being removed.
Restrictions - Functionality tab
You can control the following restrictions (and lack of restrictions) through Jamf's Configuration profile --> Restrictions payload --> Functionality tab.
NCSC Recommends:
- Force encrypted backups
- Force limited ad tracking
- Treat AirDrop as unmanaged destination
NCSC recommends against:
- Allow AirDrop (supervised devices only)
- Allow Siri whilst device is locked
- Allow iCloud backup
- Allow iCloud documents & data
- Allow iCloud Keychain
- Allow managed apps to store data in iCloud
- Allow users to accept untrusted TLS certificates
- Allow trusting new enterprise app authors
- Allow installing configuration profiles (supervised only)
- Allow adding VPN Configurations (supervised only)
- Allow modifying account settings (supervised only)
- Allow USB accessories while device is locked (supervised only)
- Allow pairing with non-Configurator hosts (supervised only)
- Allow documents from managed sources in unmanaged destinations
- Allow documents from unmanaged sources in managed destinations
- Allow sending diagnostic and usage data to Apple
- Show Control Centre in Lock screen
- Show Notification Centre in Lock screen
- Show Today view in Lock screen
Restrictions - Apps tab
NCSC recommends restricting app usage (Do not allow some apps: com.apple.shortcuts), which you can control in Jamf Pro with Restrictions payload --> specify by bundle ID.
VPN configuration - IPsec PRIME profile
NCSC recommends the following settings, which you can set using Jamf's VPN payload:
- Connection type: IKEv2
- Always-on (supervised only)
- Enable perfect forward secrecy
- Enable certificate revocation check
- Encryption algorithm (IKE & Child SA): AES-128-GCM
- Diffie-Hellman Group (IKE & Child SA): 19
- Allow traffic from captive web sheet outside the VPN tunnel: Yes
To implement the NCSC's recommendation for machine authentication through a certificate with Jamf, create a second payload in the profile to provide the certificate and link it to the VPN payload. The certificate can come from AD, the AD CS connector or even SCEP.
Passcode
The NCSC's suggestion for the following settings is to configure them to your organisation's policy, which you can do with Jamf at Configuration profile --> passcode payload:
- Allow simple value
- Require alphanumeric value
- Minimum passcode length
- Minimum number of complex characters
- Maximum passcode age
- Maximum Auto-Lock
- Passcode history
- Maximum grace period for device lock
- Maximum number of failed attempts
On-device settings
NCSC suggests that you never show previews on notifications. You can set this through a configuration profile for notifications.
macOS
General MDM Settings
The NCSC recommends that profiles are pushed automatically. In Jamf Pro you can set the distribution method to automatic installation or make the profile available via Self Service, depending on the use case.
The NCSC recommends that you never automatically remove a profile or control when it can be removed.
With Jamf, the "Security" (removal) setting is available only when the distribution method is set to Self Service. Automatically distributed profiles can never be removed by the user; they can be removed only if the MDM profile is removed or if the device falls out of scope in Jamf Pro. Configuration profiles within Jamf Pro will never be removed automatically unless caused to do so by either the device falling out of scope OR the MDM profile being removed.
Passcode
As with iOS and iPadOS above, the NCSC recommends you follow your company's policies. You can do this in two ways:
- Configuration profile --> passcode payload
- If you are using Jamf Connect to create accounts and sync account passwords, passwords adhere to the password policies of your IdP rather than to those set through MDM.
Restrictions: preferences, apps and media
Restrict the following through Configuration profile --> Restrictions payload.
- Restrict items in System Preferences
- Restrict which apps are allowed to launch
- Restrict media according to organisation policy (Note that this setting is deprecated in Big Sur.)
Select services that should be available in the share menu; NCSC recommends disabling:
- AirDrop
- Messages
- Video Services
- Sina Weibo
Restrictions: Functionality
The NCSC recommends against the following settings, which you can control through Configuration profile --> Restrictions payload:
- Allow password sharing
- Allow proximity based password sharing requests
- Allow Classroom to lock the device without prompting
- Automatically join Classroom classes without prompting
- Require teacher permission to leave Classroom unmanaged classes
- Allow use of iCloud password for local accounts
- Allow iCloud Drive
- Allow iCloud Desktop & Documents
- Allow iCloud Keychain
- Allow iCloud Mail
- Allow iCloud Contacts
- Allow iCloud Calendars
Security & Privacy Payload
Through Jamf Pro's Configuration profile --> Security & Privacy payload, you can control the following recommended settings:
- Configure Gatekeeper Settings to Mac App Store and identified developers
- Do not allow user to override Gatekeeper setting
- Require FileVault
- Escrow Personal Recovery Key
- Manage Firewall Settings
- Enable Firewall
- Block all incoming connections
- Disallow installation of macOS beta releases
- Allow non-admin users to purchase apps and install software updates
- Automatically install macOS updates
- Automatically install app updates from the App Store
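The settings in the iOS Restrictions payload (Functionality and Apps tabs) and the macOS Security & Privacy payload above are what end up, as plist keys, in the configuration profile Jamf Pro pushes to the device. The following script is an added example, not Jamf's or NCSC's code: it loads a .mobileconfig and reports every listed setting that is missing or set the wrong way, treating an absent key as a finding because the device default for the "allow" keys is permissive. The PayloadType strings and key names are Apple's as I remember them from the Device Management reference and should be verified there before being relied on; both sample profiles are constructed for the example.

```python
"""Audit a .mobileconfig against the NCSC settings listed for the iOS
Restrictions payload and the macOS Security & Privacy payload.
Added example, not Jamf's or NCSC's code.  Assumption: the PayloadType
strings and keys below are the ones Jamf Pro's payloads write, as remembered
from Apple's Device Management reference; verify them against that reference.
Both sample profiles are constructed.
"""
import plistlib

# {PayloadType: {key: value the NCSC recommendation implies}}
IOS_BASELINE = {
    "com.apple.applicationaccess": {
        "forceEncryptedBackup": True, "forceLimitAdTracking": True,
        "forceAirDropUnmanaged": True, "allowAirDrop": False,
        "allowAssistantWhileLocked": False, "allowCloudBackup": False,
        "allowCloudDocumentSync": False, "allowCloudKeychainSync": False,
        "allowManagedAppsCloudSync": False, "allowUntrustedTLSPrompt": False,
        "allowEnterpriseAppTrust": False,
        "allowUIConfigurationProfileInstallation": False,
        "allowVPNCreation": False, "allowAccountModification": False,
        "allowHostPairing": False, "allowOpenFromManagedToUnmanaged": False,
        "allowOpenFromUnmanagedToManaged": False,
        "allowDiagnosticSubmission": False, "allowLockScreenControlCenter": False,
        "allowLockScreenNotificationsView": False, "allowLockScreenTodayView": False,
    },
}
IOS_BLOCKED_APPS = {"com.apple.shortcuts"}  # Apps tab: "Do not allow some apps"

MACOS_BASELINE = {
    "com.apple.systempolicy.control": {"EnableAssessment": True,            # Gatekeeper on
                                       "AllowIdentifiedDevelopers": True},  # App Store + identified devs
    "com.apple.systempolicy.managed": {"DisableOverride": True},            # no user override
    "com.apple.MCX.FileVault2": {"Enable": "On"},                            # require FileVault
    "com.apple.security.firewall": {"EnableFirewall": True, "BlockAllIncoming": True},
}


def effective_settings(profile: dict) -> dict:
    """Merge every payload of the same PayloadType (a later payload wins)."""
    merged: dict = {}
    for payload in profile.get("PayloadContent", []):
        merged.setdefault(payload.get("PayloadType"), {}).update(payload)
    return merged


def audit(profile: dict, baseline: dict, blocked_apps=frozenset()) -> list:
    """Return human-readable findings; an empty list means the baseline is met.

    An absent key is reported rather than treated as compliant: for the
    'allow*' keys the device default is permissive, so silence is no restriction.
    """
    settings = effective_settings(profile)
    findings = []
    for ptype, keys in baseline.items():
        present = settings.get(ptype, {})
        for key, want in keys.items():
            if key not in present:
                findings.append(f"{ptype}.{key}: not set (device default applies)")
            elif present[key] != want:
                findings.append(f"{ptype}.{key}: {present[key]!r}, expected {want!r}")
    restrictions = settings.get("com.apple.applicationaccess", {})
    blocked = set()
    for key in ("blockedAppBundleIDs", "blacklistedAppBundleIDs"):  # current and legacy key
        blocked.update(restrictions.get(key, []))
    findings += [f"app not blocked: {b}" for b in sorted(blocked_apps - blocked)]
    return findings


def audit_mobileconfig(data: bytes, platform: str) -> list:
    """Parse an XML or binary .mobileconfig and audit it for 'ios' or 'macos'."""
    profile = plistlib.loads(data)
    if platform == "ios":
        return audit(profile, IOS_BASELINE, IOS_BLOCKED_APPS)
    return audit(profile, MACOS_BASELINE)


def _payload(ptype: str, n: int, **keys) -> dict:
    """Constructed payload with placeholder identifiers."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": f"example.ncsc.{n}",
            "PayloadUUID": f"00000000-0000-0000-0000-{n:012d}", **keys}


def _profile(name: str, n: int, payloads: list) -> dict:
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadContent": payloads,
            "PayloadIdentifier": f"example.ncsc.{name}", "PayloadUUID": f"00000000-0000-0000-0000-{n:012d}"}


# Constructed iOS profile with two deliberate gaps (AirDrop key omitted, iCloud
# backup still allowed) and Shortcuts blocked under the legacy key name.
_ios_keys = dict(IOS_BASELINE["com.apple.applicationaccess"])
del _ios_keys["allowAirDrop"]
_ios_keys["allowCloudBackup"] = True
_ios_keys["blacklistedAppBundleIDs"] = ["com.apple.shortcuts"]
SAMPLE_IOS = plistlib.dumps(_profile("ios", 1, [_payload("com.apple.applicationaccess", 2, **_ios_keys)]))

# Constructed macOS profile that meets every listed Security & Privacy setting.
SAMPLE_MACOS = plistlib.dumps(_profile("macos", 3, [
    _payload("com.apple.systempolicy.control", 4, EnableAssessment=True, AllowIdentifiedDevelopers=True),
    _payload("com.apple.systempolicy.managed", 5, DisableOverride=True),
    _payload("com.apple.MCX.FileVault2", 6, Enable="On", Defer=True),
    _payload("com.apple.security.firewall", 7, EnableFirewall=True, BlockAllIncoming=True),
]))

if __name__ == "__main__":
    print("iOS:", audit_mobileconfig(SAMPLE_IOS, "ios"))
    print("macOS:", audit_mobileconfig(SAMPLE_MACOS, "macos"))
```

Point `audit_mobileconfig` at a profile exported from Jamf Pro (or at the NCSC sample profiles from its GitHub repository) to see which of the listed settings a given profile actually carries; the baseline tables are plain dictionaries, so the macOS Functionality restrictions can be added in the same shape once their keys are confirmed.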
VPN configuration - IPsec PRIME profile
Using Jamf Pro's Configuration profile --> VPN payload, you can implement the following NCSC recommendations:
- Connection type: IKEv2
- Configuration profile --> VPN payload. This is only visible when the profile is user level rather than computer level (a setting in the General tab of the profile).
- Always-on (supervised only). Use Jamf to meet this recommendation by specifying wildcards as the host and domain.
- Machine Authentication: Certificate (Create a second payload in the profile to provide the required certificate; then link it. The certificate can come from AD, the AD CS connector or even from SCEP.)
- Enable perfect forward secrecy
- Enable certificate revocation check
- Encryption algorithm (IKE & Child SA): AES-128-GCM
- Diffie-Hellman Group (IKE & Child SA): 19
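The IPsec PRIME settings listed for iOS/iPadOS and for macOS above are the same IKEv2 parameters, and Jamf writes them into the VPN payload of the profile alongside the linked certificate payload. The script below is an added example, not Jamf's, NCSC's or Apple's code: it builds that profile with the recommended values (IKEv2, certificate machine authentication linked by UUID, PFS, revocation checking, AES-128-GCM and DH group 19 for both SAs, optional Always-On with captive web sheet traffic allowed) and then checks an arbitrary profile for deviations. The key names are Apple's VPN payload keys as I remember them from the Device Management reference, and the Always-On dictionary shape in particular should be verified there; host names, identifiers and the PKCS#12 blob are placeholders.

```python
"""Build and check the NCSC IPsec PRIME IKEv2 VPN payload for iOS and macOS.
Added example, not Jamf's, NCSC's or Apple's code.  Assumption: the keys
(VPNType, IKEv2, AuthenticationMethod, PayloadCertificateUUID, EnablePFS,
EnableCertificateRevocationCheck, IKE/ChildSecurityAssociationParameters,
AlwaysOn, AllowCaptiveWebSheet) are Apple's VPN payload keys as remembered from
the Device Management reference; verify them there.  Names are placeholders.
"""
import plistlib
import uuid

VPN_TYPE = "com.apple.vpn.managed"
CERT_TYPE = "com.apple.security.pkcs12"

# NCSC-recommended IKE SA and Child SA parameters.  IntegrityAlgorithm is not on
# the NCSC list, but the payload expects one (it acts as the PRF with GCM).
NCSC_SA = {"EncryptionAlgorithm": "AES-128-GCM",
           "IntegrityAlgorithm": "SHA2-256",
           "DiffieHellmanGroup": 19}


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_profile(server: str, always_on: bool = False,
                  pkcs12: bytes = b"placeholder-not-a-real-pkcs12") -> dict:
    """Return a profile dict: VPN payload first, linked certificate payload second."""
    cert_uuid = _uuid()
    ikev2 = {
        "RemoteAddress": server,
        "RemoteIdentifier": server,
        "LocalIdentifier": "device.example.invalid",  # placeholder; normally the cert subject
        "AuthenticationMethod": "Certificate",        # machine authentication
        "PayloadCertificateUUID": cert_uuid,          # links the second payload
        "EnablePFS": 1,
        "EnableCertificateRevocationCheck": 1,
        "IKESecurityAssociationParameters": dict(NCSC_SA),
        "ChildSecurityAssociationParameters": dict(NCSC_SA),
    }
    vpn = {
        "PayloadType": VPN_TYPE, "PayloadVersion": 1, "PayloadUUID": _uuid(),
        "PayloadIdentifier": "example.ncsc.vpn",
        "UserDefinedName": "NCSC IPsec PRIME (example)",
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    if always_on:  # supervised iOS/iPadOS only
        vpn["AlwaysOn"] = {
            "UIToggleEnabled": 0,       # user cannot switch the tunnel off
            "AllowCaptiveWebSheet": 1,  # captive-portal sign-in outside the tunnel
            "TunnelConfigurations": [{"ProtocolType": "IKEv2",
                                      "Interfaces": ["Cellular", "WiFi"], **ikev2}],
        }
    cert = {
        "PayloadType": CERT_TYPE, "PayloadVersion": 1, "PayloadUUID": cert_uuid,
        "PayloadIdentifier": "example.ncsc.vpn.cert",
        "PayloadContent": pkcs12,  # in Jamf this comes from AD, the AD CS connector or SCEP
    }
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": _uuid(),
            "PayloadIdentifier": "example.ncsc.vpn.profile", "PayloadContent": [vpn, cert]}


def check_ncsc(profile: dict) -> list:
    """Return deviations from the NCSC settings; an empty list means compliant."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") == CERT_TYPE}
    for vpn in (p for p in payloads if p.get("PayloadType") == VPN_TYPE):
        if vpn.get("VPNType") != "IKEv2":
            findings.append("VPNType is not IKEv2")
            continue
        ike = vpn.get("IKEv2", {})
        if ike.get("AuthenticationMethod") != "Certificate":
            findings.append("machine authentication is not certificate-based")
        elif ike.get("PayloadCertificateUUID") not in cert_uuids:
            findings.append("PayloadCertificateUUID does not match a certificate payload")
        if ike.get("EnablePFS") != 1:
            findings.append("perfect forward secrecy is not enabled")
        if ike.get("EnableCertificateRevocationCheck") != 1:
            findings.append("certificate revocation check is not enabled")
        for sa in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
            params = ike.get(sa, {})
            if params.get("EncryptionAlgorithm") != "AES-128-GCM":
                findings.append(f"{sa}: encryption is not AES-128-GCM")
            if params.get("DiffieHellmanGroup") != 19:
                findings.append(f"{sa}: Diffie-Hellman group is not 19")
        if "AlwaysOn" in vpn and vpn["AlwaysOn"].get("AllowCaptiveWebSheet") != 1:
            findings.append("captive web sheet traffic is not allowed outside the tunnel")
    return findings


def serialise(profile: dict) -> bytes:
    """Write the profile as an XML .mobileconfig."""
    return plistlib.dumps(profile)


def check_mobileconfig(data: bytes) -> list:
    """Check a serialised .mobileconfig (XML or binary plist)."""
    return check_ncsc(plistlib.loads(data))


if __name__ == "__main__":
    profile = build_profile("vpn.example.invalid", always_on=True)
    print(serialise(profile).decode())
    print("findings:", check_mobileconfig(serialise(profile)))
```

`check_mobileconfig` is the part worth keeping: run it over a profile exported from Jamf Pro before scoping it, since a DH group or cipher changed in the console is easy to miss in the UI but shows up immediately as a finding.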
Summary
For more details of the scripts and sample configurations for Apple provided by NCSC, you can visit NCSC's GitHub repository.
For further reading, be sure to check out NCSC’s section on anti-virus and other security software, where there is some interesting commentary around the need for anti-virus tools and additional features. Jamf Protect is ideally suited to fit all of the requirements for organisations’ Mac endpoints.
Be conscious also that a primary route for malware to enter your organisation is likely to be via unauthorised applications downloaded from the Internet. NCSC has discussed the risks associated with the use of third-party software on devices and some methods for mitigation. Organisations using Jamf to manage their Mac endpoints are able to transform their user and admin experience using our Self Service app.
NCSC’s configuration guidance and settings are a great resource, and Jamf is able to help organisations to simply and rapidly implement them.
Read our guide on NCSC's Cyber Essentials!