Securing Macs with the Casper Suite

Learn how to use the Casper Suite to activate and configure built-in OS X security controls.

Heartbleed, Shellshock, POODLE: 2014 has been a tough year for IT security. In our webinar, Securing Macs with the Casper Suite, we show you how to use the Casper Suite to activate and configure built-in OS X security controls.

You’ll learn about:

  • Data encryption with FileVault 2
  • Application security with Gatekeeper
  • Reporting and remediating vulnerabilities
  • Software patching

Have questions about our webinar or the Casper Suite? Reach out to us at info@jamfsoftware.com or give us a call today.

Resources

Deploying OS X 10.7 or later with the Casper Suite (Tech Guide)
Painless OS Upgrades with the Casper Suite (Webinar)
Administering FileVault 2 with the Casper Suite (Tech Guide)
NetBoot/SUS Appliance (JAMF Nation)

Q&A from the webinar

Q: When checking inventory, will the FileVault 2 stats show as soon as encryption is enabled or after the full encryption is complete?

A: Once FileVault 2 is enabled on a Mac, the encryption status will be collected with each inventory report. During encryption, the inventory will show "Encrypting" and the percent complete. When encryption is complete, the status will show "Encrypted".

Q: Can you limit the updates to prevent employees from updating to newer software that may cause compatibility issues?

A: Yes. If you use an internal Software Update Server (with OS X Server or SUS Appliance), you can choose which updates are available.

Q: Can you set a Smart Group for system-only updates?

A: You can create a Smart Group for specific updates by choosing the update name from the "Available SWUs" criteria. Alternatively, you can create a Smart Group for all pending updates using the "Number of Available Updates" criteria.

Q: Can you set EFI password with Casper Suite?

A: Yes. You can set a password for the Extensible Firmware Interface (EFI) using a policy. This is a good security measure to prevent someone from booting the Mac from an external drive without that password.

Q: How would you manage encryption keys with FileVault 2?

A: Using a policy, you can enable FileVault 2 encryption, or change the encryption recovery keys used on the Mac. You can choose either an individual key (that is unique to that Mac) or an institutional key that is common throughout your organization.

Q: What are the different recovery key types and uses? Why would you use one or the other?

A: There are two types of FileVault 2 recovery keys: Individual and Institutional. Individual keys are unique for each computer. Individual recovery keys are created and stored in the JSS when the encryption takes place. Institutional keys are shared throughout the organization. This requires you to create the recovery key with Keychain Access and upload it to the JSS for storage. With the Casper Suite, you can choose to use one or both types of recovery keys.

Both types of keys can be used to decrypt the drive. An individual recovery key can also be used to reset the account password on the Mac. For maximum flexibility, you can use both individual and institutional keys when enabling FileVault 2.

Q: With FileVault 2 with Active Directory, can users change their password at the login window?

A: OS X fully supports AD for authentication, and this works in harmony with FileVault 2. From Apple’s Best Practices for Integrating OS X with Active Directory document:

Best practice for changing a mobile user account password on a Mac that is bound to the directory service is to use the Users & Groups preference pane in System Preferences while the computer can contact the directory service.

If the network account password is changed while a Mac is offline, and the user attempts to log in when returning to the network, the Mac will be unable to unlock the login keychain. OS X will prompt the user to update the keychain password. If the user cannot provide the previous password, there’s an option to create a new keychain.

Q: Can you track the location of your Macs using the Casper Suite?

A: The Casper Suite does not track location using GPS, but it does offer proximity detection with iBeacons. To learn more about management using iBeacon proximity, view this video from the 2014 JNUC or this brief demo video for using iBeacons with OS X.