Three Ways to Improve Security on macOS Devices with Workspace ONE UEM - Part One

Apple co-founder, Steve Wozniak, once said, “Never trust a computer you can’t throw out a window.” If you’ve ever experienced a security issue with a desktop or laptop, you’ve probably had that urge to chuck it out the nearest opening you could find. That’s why it is so important to ensure that devices are secure, particularly in the enterprise.
In the enterprise mobile space, iOS devices have had a strong foothold for years. However, it has only been over the last decade that macOS has gained significant ground in the enterprise, taking a 31% share of the U.S. desktop market in 2023. More corporations are offering macOS devices as an option for employee endpoints than ever before. Securing those devices is crucial to ensuring that end user and corporate data stays out of the hands of those with malicious intent.
Securing desktops and laptops has been a well-documented best practice for Windows devices for decades. But what about Apple devices? If you grew up watching the “I’m a Mac, I’m a PC” commercials, you might buy into the myth that Apple devices are immune to security vulnerabilities. But the truth is very different.
According to SecurityWeek, 21 new malware families targeting macOS emerged in 2023. These are not variants of existing malware; these are new attacks. That’s an increase of over 50% compared to 2022, and the number does not include new variants of existing malware. Despite the myth, macOS is NOT immune to viruses and malware. There is no “Apple magic” that keeps macOS devices safe and secure.
In this three-part blog series, I’ll discuss three things you can do to improve the security on your Apple devices using Workspace ONE UEM.
Let’s start, however, by briefly looking at the security built into macOS, both on a hardware and software level.
Built-in macOS Security Model
Security is a key component of both Apple’s hardware and software layers. Let’s start by looking at the security built into the hardware level.
macOS Hardware Security
macOS hardware is built with numerous security and safety features to ensure that the device is
Secure Boot
When you power on a macOS device with a T2 chip or Apple silicon, Secure Boot verifies the operating system on the startup disk to ensure that it is signed and trusted by Apple. If, for some reason, the operating system cannot be verified, the device will connect to Apple and download updated integrity information.
AES Engine
The AES Engine, a dedicated hardware crypto engine, provides fast in-line encryption as files are read and written. Using dedicated connections between the main system memory and the flash storage, the AES Engine enables highly efficient file encryption during the boot up process as well as during normal device operation.
Secure Enclave
Finally, the Secure Enclave is a dedicated security subsystem that is isolated from the main system processor. It contains its own processor, Boot ROM, and AES Engine, and is designed to protect sensitive user data even if the device’s main processor is compromised.
macOS Software Security
Apple has also built security into the core of its operating system.
FileVault
First, there is FileVault, which can encrypt the data on all volumes attached to a macOS device, both internal and removable storage. It uses an AES-XTS data encryption algorithm during the encryption process. Information on an encrypted drive can only be read if proper login credentials are entered.
Gatekeeper
Gatekeeper ensures that only trusted software runs on macOS. When an app is launched, it verifies that the software is from an identified developer, has been notarized by Apple (checked for known malicious content), and hasn’t been altered since it was signed. You may have seen the prompt that requests user approval before opening downloaded software. That is Gatekeeper at work.
XProtect
XProtect provides signature-based detection and removal of malware. Apple updates the signatures on a regular basis, independent of system and OS updates.
System Integrity Protection
SIP, or System Integrity Protection, prevents malicious software from modifying protected system files and folders. It restricts the root user account and limits the actions the root user can perform on protected parts of the operating system.
Now let's talk about the first of three ways to secure your macOS devices.
Using Platform SSO to Secure macOS Device Logins
User accounts on macOS devices have traditionally been local accounts, which are created when the Setup Assistant is first run either after a new installation of macOS or when a newly purchased device is turned on for the first time. Although this works fine for consumers, it can be troublesome for IT admins trying to secure device access in the enterprise. These local device accounts are difficult to manage, and admins struggle to ensure that account and password policies are enforced on these accounts.
Most enterprises use an identity provider (IdP), such as Active Directory, Azure AD, and others for user authentication. Although there is an option to bind macOS devices to a domain, it can sometimes be cumbersome. So, how do IT admins ensure that accounts on macOS devices are secure?
Enter Platform Single Sign-on.
Apple introduced Platform SSO to address this very issue. The framework synchronizes the end user’s IdP account and password with the local account on their macOS device, allowing the user to log in with their IdP credentials. Additionally, Platform SSO provides single sign-on to apps and websites on the device.
There’s one big caveat here. You can’t just use any IdP with Platform SSO. The IdP must integrate the Platform SSO framework into their software. For instance, both Okta and Microsoft Entra ID have adopted the Platform SSO framework in their solutions (Platform SSO support in Entra ID is in public preview). And, depending on the IdP, there might be requirements for additional software to be installed on your macOS devices. You would need to check with your IdP for their requirements.
The framework registers the device with the IdP using a Secure Enclave-backed key. An SSO extension (SSOe) profile tells the device that when a user tries to log in to a service using methods like SAML, OAuth 2.0, or OpenID Connect 2.0, it should send that login request to the IdP’s SSOe app. The user’s password is integrated with the SSOe as well: whenever a password is entered, the extension refreshes the login token with the IdP, which provides a form of multifactor authentication (MFA).
Platform SSO stores the SSO tokens in the macOS keychain and only shares them with the SSO extension when needed. No other subsystem is granted access to the tokens. Authentication to websites and apps is performed through the IdP SSOe app installed on the device. Platform SSO does support multiple authentication methods, but which ones are available depends on what the IdP supports in its implementation.
Summary
So why implement Platform SSO? First, you can streamline the user authentication process. The end user only needs to log into their device once and have access to most of their resources. I say most, because there will always be those apps and websites that don’t support SSO.
Second, you can use MFA, such as Apple’s Face ID and Touch ID, hardware keys, and even push notifications to authenticate. And with Face ID and Touch ID in particular, you get the added security of the Secure Enclave as discussed earlier.
Third, you get an improved end user experience. Users only have to remember one password to get into their device, and everything else becomes SSO.
Finally, you can enforce your corporate password policies through your IdP. Password complexity, password expiration, all of those things can be managed for the user’s IdP account, and no more worrying about the local account not being up to snuff with password policies.
If you are interested in learning more about implementing Platform SSO, check out this resource on Tech Zone.
Watch for part two of this series coming in two weeks.