SYS.2.4 Clients Running macOS
Description
Introduction
macOS is a client operating system from Apple. macOS is based on Darwin, Apple’s freely available Unix operating system, which in turn is built on the open-source operating system FreeBSD. macOS consists essentially of Darwin along with the proprietary graphical user interface “Aqua” and further applications and services. According to Apple’s license terms, macOS may only be installed on Apple IT systems (“Macs”). For this reason, the characteristics of these systems are also part of this building block.
Objective
The objective of this building block is to protect information that is processed on or transmitted using IT systems running macOS. To this end, IT systems running macOS must be adequately secured.
Scope and Modeling
The building block SYS.2.4 Clients Running macOS is to be applied to all client systems on which the Apple macOS operating system is used.
The focus of this building block is on securing a Mac running macOS that is operated as a standalone system or as a client in a client-server network. It thus supplements the general aspects from the additionally applicable building block SYS.2.1 General Client. A possible use of macOS as a server operating system is not addressed in this building block. In professional use, the so-called Profile Manager and Mobile Device Management offer the possibility of centrally managing the Macs in use. These solutions provide extended configuration and management functions but are not addressed in this building block. Corresponding security aspects are addressed in building block SYS.3.2.2 Mobile Device Management (MDM). It should also be noted that the two Apple operating systems macOS (for Macs) and iOS (for iPhones) or iPadOS (for iPads) are closely interlinked. Therefore, building block SYS.3.2.3 iOS (for Enterprise) should additionally be taken into account when devices with iOS or iPadOS are also used alongside macOS.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to describe the threat landscape. The following specific threats and vulnerabilities are of particular significance for building block SYS.2.4 Clients Running macOS.
Uncontrollable Access to Outsourced Data
macOS offers a range of functions that run on central servers operated by Apple. For example, Apple’s iCloud can be used to store and synchronize data between different macOS and iOS devices. Since data is temporarily stored on third-party servers and is therefore no longer under one’s own control, unauthorized parties could in principle also access these servers and view and misuse the data stored or transmitted there.
Misuse of the Apple ID as a Central Access Credential for Apple Services
For the use of some macOS functions, a unique Apple ID is required as an access credential. The Apple ID provides central access to various Apple services such as iCloud, iMessage, and the App Store. If unauthorized persons obtain the Apple ID access credentials, they may be able to use these services under a false identity and access information stored in iCloud.
Attacks on Wireless Interfaces
A Mac generally has wireless interfaces such as WLAN or Bluetooth, which are also used by many services and are correspondingly activated. For example, files can be exchanged directly between Apple devices (AirDrop). Furthermore, the WLAN and Bluetooth functionality can be used to synchronize macOS and iOS devices (Continuity). With AirPlay, it is possible to send video and audio data to compatible playback devices. Attackers could attempt to misuse these wireless interfaces for attacks in order to intercept confidential information between Mac, iPhone, iPad, and other devices, or to compromise the devices.
Attacks on Applications with Preview Functions
Some of the applications integrated into macOS support a preview function for certain file formats (e.g., image files). These include Finder, the browser “Safari,” and the email program integrated into macOS. The preview function, for example, automatically displays a portion of an email attachment when the file format is known. Attackers could thus attempt to hide malicious code in an email attachment. The preview function would display the email attachment and possibly execute the malicious code, which in turn could compromise the Mac.
Insecure Protocols in macOS or macOS Applications
macOS and its applications support various protocols — some of which are Apple-proprietary (e.g., AFP) — for communication with central servers or other end devices. If these communication protocols lack adequate security mechanisms or are configured insecurely, the data transmitted via them could be read, falsified, or misused in other ways without authorization.
Requirements
The following are the specific requirements of building block SYS.2.4 Clients Running macOS. The Information Security Officer (ISO) is responsible for ensuring that all requirements are fulfilled and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They should be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Users |
Exactly one role should be Primarily responsible. In addition, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
SYS.2.4.A1 Planning the Secure Use of macOS (B)
The introduction of macOS MUST be carefully planned. A decision MUST be made as to where and how data is to be stored. A plan MUST be made for how data backup can be integrated into the institution-wide data backup concept. A plan MUST be made for how security and other updates for macOS and applications can be systematically installed. It MUST be determined which applications will be required when transitioning to macOS. If the Mac is operated in a data network, additional consideration MUST be given to which network protocols are to be used.
SYS.2.4.A2 Use of macOS Integrated Security Functions (B)
The protective mechanisms integrated into macOS — “System Integrity Protection” (SIP), “XProtect,” and “Gatekeeper” — MUST be activated. Gatekeeper MUST NOT permit the execution of unsigned programs, unless unsigned programs are absolutely necessary.
SYS.2.4.A3 Use of Appropriate Accounts (B) [Users]
The account created during the initial configuration of macOS has administrative rights and MUST ONLY be used for administrative purposes. For normal use of the Mac, an account with standard permissions MUST be created. If the Mac is to be used by multiple users, a separate account MUST be created for each user. The guest account MUST be deactivated.
Standard Requirements
Together with the basic requirements, the following requirements reflect the state of the art for this building block. They SHOULD generally be fulfilled.
SYS.2.4.A4 Use of Hard Disk Encryption (S)
Hard disks SHOULD be encrypted, especially on mobile Macs (e.g., MacBooks). If the FileVault function integrated into macOS is used for this purpose, the key material MUST NOT be stored online with Apple. The recovery key generated by FileVault MUST be stored in a secure location. It SHOULD be checked whether an institutional recovery key for FileVault should be used.
SYS.2.4.A5 Deactivation of Security-Critical macOS Functions (S)
The location services integrated into macOS SHOULD be deactivated. Downloaded data SHOULD NOT be opened automatically. The content of optical and other media SHOULD NOT be executed automatically.
SYS.2.4.A6 Use of Current Mac Hardware (S)
When new Macs are procured, current models SHOULD be selected. When existing Macs are used, it SHOULD be regularly checked whether these and the operating system installed on them continue to receive security updates from Apple. If the Macs are no longer supported by Apple, they SHOULD no longer be used.
SYS.2.4.A7 Two-Factor Authentication for Apple ID (S) [Users]
Two-factor authentication for the use of the Apple ID account SHOULD be activated.
SYS.2.4.A8 No Use of iCloud for Sensitive Data (S) [Users]
Sensitive data SHOULD be prevented from being synchronized between multiple devices via iCloud services. Instead, data SHOULD only be synchronized via self-operated services. Sensitive data SHOULD NOT be stored in iCloud. Drafts — for example of emails or documents — SHOULD NOT be automatically stored in iCloud.
SYS.2.4.A9 Use of Additional Protective Programs Under macOS (S)
If needed — for example when Macs are operated in a heterogeneous network — additional antivirus solutions from third-party providers SHOULD be used in addition to the protective mechanisms integrated into macOS.
SYS.2.4.A10 Activation of the Personal Firewall Under macOS (S)
The personal firewall integrated into macOS SHOULD be activated and configured appropriately.
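The following audit script is an added example and is not part of the BSI building block or of Apple's tooling. It covers the mechanisms that SYS.2.4.A2 (SIP and Gatekeeper), SYS.2.4.A3 (guest account), SYS.2.4.A4 (FileVault) and SYS.2.4.A10 (application firewall) require to be activated, by evaluating the text printed by the standard macOS commands `csrutil status`, `spctl --status`, `fdesetup status`, `socketfilterfw --getglobalstate` and `defaults read ... GuestEnabled`. The output strings matched against are the ones these commands print on current macOS versions; the sample outputs used when the script is not run on a Mac are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the BSI building block: audit helpers for the macOS
# mechanisms named in SYS.2.4.A2, A3, A4 and A10. Each check_* function evaluates the
# text that the corresponding macOS command prints and returns 0 (compliant) or 1
# (non-compliant), so the decision logic can be exercised on sample output without a Mac.

# csrutil status -> "System Integrity Protection status: enabled." (or "disabled.")
check_sip() { case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac; }

# spctl --status -> "assessments enabled" (Gatekeeper active) or "assessments disabled"
check_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# fdesetup status -> "FileVault is On." or "FileVault is Off."
check_filevault() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
#   -> "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)"
check_firewall() { case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac; }

# defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled -> "0" or "1".
# Only an explicit 0 counts as "guest account deactivated"; a missing key is reported
# as a failure so that the state is verified rather than assumed.
check_guest_disabled() { [ "$1" = "0" ]; }

# failed_checks SIP GATEKEEPER FILEVAULT FIREWALL GUEST
# Prints the names of the failed checks, space-separated (empty line if all pass).
failed_checks() {
    failed=""
    check_sip "$1"            || failed="$failed sip"
    check_gatekeeper "$2"     || failed="$failed gatekeeper"
    check_filevault "$3"      || failed="$failed filevault"
    check_firewall "$4"       || failed="$failed firewall"
    check_guest_disabled "$5" || failed="$failed guest"
    echo "${failed# }"
}

# On a Mac, collect live command output; elsewhere evaluate constructed sample
# output so the script still runs (for example in a CI job on Linux).
collect_and_report() {
    if [ "$(uname)" = "Darwin" ]; then
        sip=$(csrutil status 2>/dev/null || true)
        gk=$(spctl --status 2>&1 || true)
        fv=$(fdesetup status 2>/dev/null || true)
        fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)
        guest=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo "unknown")
    else
        echo "not macOS: evaluating constructed sample output"
        sip="System Integrity Protection status: enabled."
        gk="assessments disabled"
        fv="FileVault is On."
        fw="Firewall is disabled. (State = 0)"
        guest="1"
    fi
    result=$(failed_checks "$sip" "$gk" "$fv" "$fw" "$guest")
    if [ -z "$result" ]; then
        echo "SYS.2.4 audit: all checks passed"
    else
        echo "SYS.2.4 audit: FAILED checks: $result"
    fi
    return 0
}

collect_and_report
```

All five commands can be run by a standard (non-administrative) account, which fits SYS.2.4.A3: the audit does not need the administrative account. The checks deliberately match the positive wording ("enabled", "On") rather than the absence of a negative, so an unexpected output such as SIP's "unknown (Custom Configuration)" is reported as non-compliant instead of silently passing.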
SYS.2.4.A11 Decommissioning of Macs (S)
When decommissioning a Mac, the non-volatile data storage NVRAM (Non-Volatile Random Access Memory) and the SMC (System Management Controller) SHOULD be reset.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the protection level corresponding to the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.
SYS.2.4.A12 Firmware Password and Boot Protection on Macs (H) [Users]
On older Macs, the prompt for a secure firmware password in the so-called “Command Mode” SHOULD be activated to prevent the Mac from being booted from a different startup drive without authorization. It SHOULD be checked whether a password should be required at every startup via “Full Mode.”
On Macs with the T2 security chip, a firmware password SHOULD be set via the Startup Security Utility. The “Secure Boot: Full Security” option SHOULD be activated. The “Disallow booting from external media” option SHOULD be activated.
Additional Information
Good to Know
The National Institute of Standards and Technology (NIST) provides the document “SP 800-179 Rev. 1 (DRAFT): Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist” (October 2018).