How the macOS Security Compliance Project can help IT

It can be difficult for Apple admins to adapt to every new OS release and the respective compliance changes. That's where the macOS Security Compliance Project comes into play.

The macOS Security Compliance Project provides IT professionals with a programmatic approach to applying security baselines to their managed macOS computers, so IT teams should learn about this initiative to see how it could apply to them.

Administrators can use the resources included in the macOS Security Compliance Project (mSCP) codebase to generate customized scripts, configuration profiles, documentation and audit checklists, which they can then apply to their managed Apple computers.

What is the macOS Security Compliance Project?

The NIST defines the mSCP as an open source effort to provide a programmatic approach to generating security guidance. The project aims to streamline and expedite the process of applying security baselines to macOS systems, making it easier for organizations to meet their compliance requirements.

Prior to the mSCP, IT administrators would need to choose an applicable guidance standard for their industry and then figure out how to implement that standard in their organizations. The mSCP initiative removes much of this burden on IT staff by simplifying the process of securing and assessing macOS systems to achieve compliance, while still enabling them to adhere to specific standards.

The macOS Security Compliance Project is a joint effort between federal agency security staff and macOS administrators. The federal agencies include NIST, the National Aeronautics and Space Administration (NASA), the Defense Information Systems Agency (DISA) and the Los Alamos National Laboratory (LANL).

The project's components are described in NIST Special Publication (SP) 800-219r1 and hosted on GitHub (Figure 1). The intended audience includes systems administrators, cybersecurity professionals, information security officers, auditors, policy authors, and vendors that offer configuration assessment and management tools.

The GitHub interface showing all hosted components of the macOS Security Compliance Project.
Figure 1. The components of the macOS Security Compliance Project hosted by GitHub.

IT professionals can use the mSCP resources on GitHub to create customized security baselines. To build these baselines, they would start with one of the baseline guides included in the mSCP codebase. There is a library of rules mapped to the requirements in various standards and frameworks. This library supports the different guides.

A baseline guide is a YAML file that contains a collection of macOS security settings that meet a specific set of compliance standards, as defined in publications such as NIST Special Publication 800-53, Center for Internet Security (CIS) Critical Security Controls Version 8 and Committee on National Security Systems (CNSS) Instruction No. 1253. A baseline guide provides organizations with a starting point -- or template -- for defining the type of compliance they're trying to achieve.

Each baseline guide references a set of rules that admins can customize to meet the organization's specific requirements. The rules are also implemented as YAML files, which determine the individual macOS settings. For example, the mSCP codebase includes rules for controlling OS-specific settings, such as disabling AirDrop or Handoff. The codebase also includes rules related to auditing, authentication, iCloud, password policy and other system settings.

In addition to the baseline guides and rules, the mSCP codebase includes a set of Python scripts for carrying out various operations. For the example, administrators can set up the scripts to output the configuration profiles and deployment scripts needed to configure the macOS systems. Administrators can also use the built-in scripts to customize existing baselines, produce documentation in multiple formats, and generate mappings between security standards, regulations and frameworks.

How did the macOS Security Compliance Project come about?

Prior to the introduction of the macOS Security Compliance Project, different agencies published their own standards, usually in a simple text format such as a PDF file. Many of the standards were produced by well-known agencies such as NIST, DISA, CIS and the CNSS. As a result, there was a great deal of duplicated efforts, with each standard developed according to its own structure and set of rules.

The standards were often designed for hyper-specific use cases or industries. Various organizations used these standards as guidance for rolling out their own security configurations to macOS computers -- a process that required a fair amount of investment and effort. Not surprisingly, the standards were adopted inconsistently across different regions and industries. They also lagged well behind Apple's OS and hardware releases -- as much as a year in some cases. Not only did this delay IT teams from rolling out new operating systems and hardware, but it also meant that products for compliance reporting were delayed.

In August 2019, security staff from NASA, NIST, DISA and LANL set out to address these issues by establishing the macOS Security Compliance Project. The collective based its efforts on the guidance and best practices available through existing standards, building on commonalities where they existed, while looking for ways to reduce the overhead on IT professionals managing macOS devices. With mSCP, administrators can create and generate security baselines more quickly, taking advantage of the free, open source components available on GitHub. In this way, organizations do not have to wait long to support new OS and hardware releases, and they can do so in a way that's consistent across industries and regions.

What's happening with the macOS Security Compliance Project?

The macOS Security Compliance Project provides the baselines, rules, scripts and other components necessary to create the deployment scripts, configuration profiles and documentation admins need to secure their macOS systems. To this end, the project aims to achieve the following goals:

  • Normalize and accelerate the release of security guidance so that it is more in line with Apple's annual OS and hardware release schedule.
  • Develop security baselines that adhere to a risk-based approach, which provides more flexibility in customizing rules.
  • Reduce, unify and consolidate global compliance efforts into a single project.
  • Unify the approach that IT professionals use to configure and assess controls across multiple tools and sources.
  • Reduce overhead and redundancy by developing a template for collaboration between baseline authors.
  • Enable IT professionals to customize existing content and create new content, including security baselines, to meet their organization's specific security requirements.
  • Provide Apple and third-party tool vendors with insight into customer security configuration requirements.
Without mSCP, administrators must build, test, implement and manage the entire compliance process themselves.

Apple typically releases a new version of macOS every year. With mSCP, organizations can upgrade their systems sooner than in the past and adopt new cybersecurity protections quicker. Administrators only need to select a baseline guide, apply their customizations, and generate the output files, which they can then apply to their macOS computers.

Administrators can create customized security baselines for specific macOS versions as well. The mSCP components will automatically generate the files required for the specified target systems, including the necessary documentation, which admins can share with internal team members, auditors or other key staff.

To generate this output, administrators should clone the mSCP repository on GitHub to their local Mac computers. They should also install Python, Ruby and, optionally, the Xcode IDE on their systems. From there, they can choose a baseline guide and generate the necessary files, which they can then use to protect their macOS computers.

The mSCP team continuously evaluates and updates the project's components, releasing a new version with each major macOS release. Without mSCP, administrators must build, test, implement and manage the entire compliance process themselves. With mSCP, they can defer much of this effort to the mSCP team, which tests, validates and maintains the baselines and rules at the heart of the mSCP mission, freeing up administrators to focus on more strategic initiatives.

Robert Sheldon is a technical consultant and freelance technology writer. He has written numerous books, articles and training materials related to Windows, databases, business intelligence and other areas of technology.

Dig Deeper on Alternative OSes