macOS · high · Updated 2026-04-17 · orig. 2026-04-12 · 8 min

macOS Enterprise Hardening in 2026: The Configuration Beyond MDM Defaults

Apple's macOS is increasingly dominant in enterprise fleets. Security, design, finance, and executive teams ship on Mac. The default MDM configurations miss several important hardening controls. Here is the 2026 macOS enterprise hardening baseline.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

# macOS enterprise hardening in 2026: the configuration beyond MDM defaults

IT teams love this conversation. "Our Macs are on Jamf. We're good."

Then we ask the follow-up. "Is FileVault escrowing the recovery key to your MDM or to iCloud?" Blank stare. "Does Gatekeeper quarantine unsigned software or just notify?" Blank stare. "When was the last time you audited the XProtect signatures?" Now they're pretending to take notes.

Apple's enterprise story matured. Macs became real endpoints in most mid-market fleets. Jamf, Kandji, Mosyle, and Intune for Mac cover the baseline deployment. But the default profiles every MDM ships skip several hardening controls that matter, and the result is a fleet that looks compliant on paper and breaks apart under targeted attack.

This post is the 2026 macOS enterprise baseline we run on hardening engagements. What MDM actually covers, what it misses, and the specific controls we add.

The baseline MDM covers

I've been running engagements on this for a few years now. The shortcut you'd expect to exist doesn't.

What a properly configured MDM (Jamf Pro, Kandji, Mosyle Business, Intune Mac, JumpCloud) handles by default:

  • FileVault enforcement
  • Firewall on
  • Gatekeeper (signed apps only) on
  • Automatic software updates
  • Screen lock password policy
  • Standard user (not admin) for primary account
  • SSH disabled by default
  • Find My Mac / Activation Lock configured
  • Remote lock / wipe capability

Every enterprise Mac should have these as a baseline. Assume your fleet does.

What MDM defaults miss

1. Unified Logging retention and monitoring

macOS Unified Logging captures detailed system events: application launches, network connections, privilege escalations, authentication events. By default, logs rotate aggressively and aren't shipped anywhere.

Configure:

  • Log shipping to SIEM via ossec-agent, osquery, Jamf Protect, or Kandji Endpoint Detection
  • Retention on the endpoint extended to 30+ days via log config --subsystem com.apple.auditd --mode persist:on
  • Critical event alerting for sudo usage, authentication failures, SIP bypass attempts

Most organizations we audit have macOS Unified Logging on defaults. That means 2-7 days of logs, not shipped to SIEM, useless for forensics.
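As an added example (not Valtik's tooling and not code from the original post), the script below pulls the last hour of sudo events from Unified Logging with `log show` and turns them into the alerts item 1 asks for: authentication failures, and sudo use of binaries that touch SIP, Gatekeeper or local accounts. The log lines embedded in it are constructed in the shape of `log show --style syslog` output, not captured from a real host; the list of sensitive binaries, the `--live` flag, and the assumption that each sudo message starts with the invoking user are this example's own choices.

```shell
#!/bin/bash
# Added example: alert on sudo events from macOS Unified Logging.
# Not Valtik's tooling; the sample lines below are CONSTRUCTED in the shape of
#   log show --last 1h --style syslog --predicate 'process == "sudo"'
# output, and the parser assumes each message starts with "<user> : ".

SAMPLE_LOG='2026-04-12 09:15:02.123456-0400  mac-0042 sudo[4321]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/csrutil status
2026-04-12 09:16:10.000000-0400  mac-0042 sudo[4330]: bob : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
2026-04-12 09:17:44.000000-0400  mac-0042 sudo[4340]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/install.log
2026-04-12 09:18:01.000000-0400  mac-0042 sudo[4350]: carol : TTY=ttys003 ; PWD=/Users/carol ; USER=root ; COMMAND=/usr/bin/dscl . -append /Groups/admin GroupMembership dave'

# Binaries whose use under sudo should always reach the SIEM (this example's own list).
SENSITIVE_BINS='csrutil spctl dscl nvram fdesetup systemextensionsctl'

# Normalise raw log text into one tab-separated record per sudo event:
#   <AUTH_FAIL|SUDO> <tab> <user> <tab> <command or ->
sudo_events() {
  printf '%s\n' "$1" | awk '
    {
      i = index($0, "sudo[")
      if (i == 0) next
      msg = substr($0, i)
      sub(/^sudo\[[0-9]+\]: /, "", msg)
      user = msg; sub(/ :.*/, "", user)
      cmd = "-"
      if (msg ~ /COMMAND=/) { cmd = msg; sub(/.*COMMAND=/, "", cmd) }
      kind = (msg ~ /incorrect password attempt/) ? "AUTH_FAIL" : "SUDO"
      printf "%s\t%s\t%s\n", kind, user, cmd
    }'
}

# Emit one ALERT line per event that merits attention.
sudo_alerts() {
  tab=$(printf '\t')
  sudo_events "$1" | while IFS="$tab" read -r kind user cmd; do
    if [ "$kind" = AUTH_FAIL ]; then
      printf 'ALERT auth_failure user=%s\n' "$user"
      continue
    fi
    bin=${cmd%% *}       # first word of the command line
    bin=${bin##*/}       # basename, so /usr/bin/csrutil -> csrutil
    for s in $SENSITIVE_BINS; do
      if [ "$bin" = "$s" ]; then
        printf 'ALERT sensitive_sudo user=%s cmd=%s\n' "$user" "$cmd"
        break
      fi
    done
  done
}

if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = "--live" ]; then
  # Real host: last hour of sudo activity (full log access needs an admin account).
  LIVE_LOG=$(log show --last 1h --style syslog --predicate 'process == "sudo"' 2>/dev/null || true)
  sudo_alerts "$LIVE_LOG"
else
  sudo_alerts "$SAMPLE_LOG"
fi
```

Run it with `--live` on a Mac to scan the real log; without the flag it evaluates the constructed sample, which yields three alerts (the csrutil and dscl invocations and bob's failed authentication) and stays silent on the benign `less`. Shipping the ALERT lines to the SIEM is the part left to your log forwarder.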

2. System Integrity Protection (SIP) verification

SIP protects core system files from modification even by root. Enabled by default on modern macOS. But:

  • Enterprise-managed Macs sometimes have SIP disabled for legitimate reasons (deep kernel extensions, legacy tooling)
  • Compromised systems may have SIP disabled by an attacker
  • You need to verify it's enabled across the fleet

Check via csrutil status. MDM-deploy an osquery pack that reports SIP status. Alert on any endpoint where SIP is disabled.
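The SIP check above, together with the baseline items MDM is supposed to enforce (FileVault, firewall, Gatekeeper), can be verified per host and fed to whatever fleet reporting you use. The following script is an added example, not Valtik's or any vendor's tooling. It reads the output of `csrutil status`, `spctl --status`, `socketfilterfw --getglobalstate` and `fdesetup status`; the parsing is separated from command execution so it can be tested offline with constructed outputs. The exact strings matched are the ones those tools print on current macOS releases and are an assumption to re-check when Apple changes wording.

```shell
#!/bin/bash
# Added example: per-host baseline posture check (SIP, Gatekeeper, firewall,
# FileVault). Not Valtik's tooling. Matching functions take command output as
# text so they can be exercised without a Mac; posture_report runs the real
# commands. The matched strings are an assumption about current tool output.

# SIP: only a fully enabled configuration passes. "disabled" and
# "enabled (Custom Configuration)" both fail and need investigation.
sip_enabled() {
  case "$1" in *"System Integrity Protection status: enabled."*) return 0 ;; *) return 1 ;; esac
}

# Gatekeeper: `spctl --status` prints "assessments enabled" / "assessments disabled".
gatekeeper_enabled() {
  case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# Application firewall: socketfilterfw --getglobalstate prints
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)".
firewall_enabled() {
  case "$1" in *"Firewall is enabled."*) return 0 ;; *) return 1 ;; esac
}

# FileVault: `fdesetup status` starts with "FileVault is On." or "FileVault is Off."
filevault_on() {
  case "$1" in *"FileVault is On."*) return 0 ;; *) return 1 ;; esac
}

# One "control=PASS|FAIL" line per control.
# Args: csrutil output, spctl output, socketfilterfw output, fdesetup output.
posture_lines() {
  sip_enabled "$1"        && echo 'sip=PASS'        || echo 'sip=FAIL'
  gatekeeper_enabled "$2" && echo 'gatekeeper=PASS' || echo 'gatekeeper=FAIL'
  firewall_enabled "$3"   && echo 'firewall=PASS'   || echo 'firewall=FAIL'
  filevault_on "$4"       && echo 'filevault=PASS'  || echo 'filevault=FAIL'
}

# Number of failing controls; 0 means the host matches the baseline.
posture_failures() {
  posture_lines "$@" | grep -c '=FAIL' || true
}

# Run the real commands on a Mac. spctl exits non-zero when assessments are
# off, so every capture tolerates failure and the captured text decides.
posture_report() {
  [ "$(uname -s)" = Darwin ] || { echo 'posture_report: macOS only' >&2; return 1; }
  posture_lines \
    "$(csrutil status 2>/dev/null || true)" \
    "$(spctl --status 2>&1 || true)" \
    "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)" \
    "$(fdesetup status 2>/dev/null || true)"
}

# Constructed outputs for a host that drifted from the baseline (not real captures).
DRIFTED_CSRUTIL='System Integrity Protection status: disabled.'
DRIFTED_SPCTL='assessments disabled'
DRIFTED_FW='Firewall is disabled. (State = 0)'
DRIFTED_FDE='FileVault is Off.'

if [ "$(uname -s)" = Darwin ]; then
  posture_report
else
  echo "not macOS; showing the report for constructed drifted-host output:"
  posture_lines "$DRIFTED_CSRUTIL" "$DRIFTED_SPCTL" "$DRIFTED_FW" "$DRIFTED_FDE"
fi
```

Pushed through MDM as a script with its output collected into an extension attribute or inventory field, the `control=FAIL` lines become the fleet-wide alert the section asks for, and the failure count gives a single number to trend per host.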

3. Transparency, Consent, and Control (TCC) policy

TCC is Apple's framework for what apps can access: Camera, Microphone, Full Disk Access, Screen Recording, Accessibility, etc. User prompts handle this on consumer Macs. Enterprise needs policy.

Configure via MDM Privacy Preferences Policy Control (PPPC) profiles:

  • Pre-approve necessary access for management tools (MDM, EDR, productivity suites)
  • Deny Full Disk Access, Accessibility, and Screen Recording to unknown apps by default
  • Require user consent for non-pre-approved apps (don't silently grant)

Jamf, Kandji, Mosyle all ship with PPPC templates for common tools. Start from templates, customize to your toolset.

4. Application allow-listing beyond Gatekeeper

Gatekeeper blocks unsigned applications and applications not notarized. That filters out random malware but doesn't filter known-malicious notarized apps or legitimate-but-unwanted apps.

Options:

  • Jamf Protect with Threat Prevention. Apple-specific behavioral detection + allow/block lists
  • Kandji EDR. Similar
  • CrowdStrike Falcon for Mac. Cross-platform EDR with Mac-specific heuristics
  • SentinelOne for macOS. Same
  • Santa (open source, from Google). Binary allow-listing for macOS, precise but operational overhead

For organizations under regulatory pressure (PCI, HIPAA, CMMC), binary allow-listing is effectively required. Santa is free. Commercial alternatives are easier to manage.

5. Secure Boot state verification

Apple Silicon Macs (M1/M2/M3/M4) default to Full Security mode (signed, notarized kernel extensions only, macOS signed by Apple). Intel T2 Macs have Startup Security Utility.

Monitor:

  • Startup Security state across fleet
  • Any Mac in Reduced Security or Permissive state is anomalous. Investigate

MDM can report this. Alert on changes.

6. User account audit

Check for and alert on:

  • Local admin accounts beyond the expected management and user accounts
  • Accounts with passwords that haven't rotated in 12+ months
  • Guest account enabled
  • Remote login / Remote management enabled unexpectedly
  • Screen sharing enabled (ARD)

Jamf and Kandji provide fleet-wide account reports. osquery gives custom visibility.
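A concrete way to produce the account checks above from a single host, as an added example (not Valtik's tooling or a vendor report): read the admin group and per-user `accountPolicyData` with `dscl`, the guest flag with `defaults`, and Remote Login with `systemsetup`. The parsing functions take command output as text, so the constructed sample data embedded here (not captured from a real Mac) is enough to run it anywhere; the expected-admin list, the 365-day threshold, and the assumed output shapes noted in the comments are this example's own.

```shell
#!/bin/bash
# Added example: local account hygiene checks for one Mac. Not Valtik's tooling.
# Parsers take command output as text; the sample values are CONSTRUCTED.
# Assumed tool output shapes (re-check on your macOS version):
#   dscl . -read /Groups/admin GroupMembership  -> "GroupMembership: root itadmin alice"
#   dscl . -read /Users/alice accountPolicyData -> a plist containing passwordLastSetTime
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled -> 0 or 1
#   systemsetup -getremotelogin (needs root)    -> "Remote Login: On|Off"

# Accounts your build process is expected to leave in the admin group (assumption).
EXPECTED_ADMINS='root itadmin'
MAX_PASSWORD_AGE_DAYS=365

# Print admin-group members that are not in the expected list, one per line.
unexpected_admins() {   # $1 = GroupMembership line, $2 = expected names
  members=${1#GroupMembership:}
  for m in $members; do
    case " $2 " in *" $m "*) ;; *) echo "$m" ;; esac
  done
}

# Guest account flag: `defaults read` prints 1 when enabled.
guest_enabled() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]; }

# Remote Login (SSH) state from `systemsetup -getremotelogin`.
remote_login_on() { case "$1" in *"Remote Login: On"*) return 0 ;; *) return 1 ;; esac; }

# Days since the password was last set, from the accountPolicyData plist.
# Prints -1 when the attribute is missing.
password_age_days() {   # $1 = plist text, $2 = "now" as epoch seconds
  last=$(printf '%s\n' "$1" | awk '
    /passwordLastSetTime/ { grab = 1; next }
    grab && /<real>/ { gsub(/.*<real>|<\/real>.*/, ""); print; exit }')
  if [ -z "$last" ]; then printf '%s\n' -1; return; fi
  echo $(( ($2 - ${last%.*}) / 86400 ))
}

# Succeeds when the password is older than MAX_PASSWORD_AGE_DAYS.
password_stale() {      # $1 = plist text, $2 = now epoch
  age=$(password_age_days "$1" "$2")
  [ "$age" -gt "$MAX_PASSWORD_AGE_DAYS" ]
}

# Constructed sample: admin group with one surprise, password set 400 days ago.
SAMPLE_ADMINS='GroupMembership: root itadmin alice'
SAMPLE_POLICY='dsAttrTypeNative:accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>passwordLastSetTime</key>
	<real>1700000000.5</real>
</dict>
</plist>'
SAMPLE_NOW=$((1700000000 + 400 * 86400))

# Live audit of the host this runs on (macOS only; systemsetup wants root).
account_audit() {
  [ "$(uname -s)" = Darwin ] || { echo 'account_audit: macOS only' >&2; return 1; }
  unexpected_admins "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)" \
    "$EXPECTED_ADMINS" | sed 's/^/FINDING unexpected_admin /'
  guest_enabled "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || true)" \
    && echo 'FINDING guest_account_enabled'
  remote_login_on "$(systemsetup -getremotelogin 2>/dev/null || true)" && echo 'FINDING remote_login_on'
  now=$(date +%s)
  for u in $(dscl . -list /Users 2>/dev/null | grep -v '^_'); do
    password_stale "$(dscl . -read "/Users/$u" accountPolicyData 2>/dev/null || true)" "$now" \
      && echo "FINDING stale_password user=$u"
  done
  return 0
}

if [ "$(uname -s)" = Darwin ]; then
  account_audit
else
  echo "not macOS; evaluating constructed sample data:"
  unexpected_admins "$SAMPLE_ADMINS" "$EXPECTED_ADMINS" | sed 's/^/FINDING unexpected_admin /'
  password_stale "$SAMPLE_POLICY" "$SAMPLE_NOW" && echo 'FINDING stale_password (sample)'
fi
```

The FINDING lines map one-to-one onto the bullets above (unexpected admin, stale password, guest enabled, Remote Login on); screen sharing is left to the MDM inventory because its state lives in a launchd service rather than a single preference key.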

7. Network connection monitoring

macOS has sophisticated networking, but enterprise MDM rarely logs network connections at the endpoint. Configure:

  • Network Extension framework. Apps can implement content filtering and connection monitoring. EDR agents use this.
  • Firewall logs. Enable verbose mode via MDM
  • DNS query logging. NextDNS, Cloudflare Gateway, or Cisco Umbrella agents on Mac

Connection monitoring catches malware calling back to C2 that survives Gatekeeper.

8. Encrypted DNS (DoH / DoT)

Push DoH configuration via an MDM profile. The DNS Settings payload fragment below is the part that matters; the standard payload wrapper keys (identifier, UUID, version) are omitted:

```xml
<!-- Sample profile payload for DoH: the DNS Settings payload fragment -->
<dict>
  <key>PayloadType</key>
  <string>com.apple.dnsSettings.managed</string>
  <key>DNSSettings</key>
  <dict>
    <key>DNSProtocol</key>
    <string>HTTPS</string>
    <key>ServerURL</key>
    <string>https://cloudflare-dns.com/dns-query</string>
  </dict>
</dict>
```

Choose a DoH provider that integrates with your corporate DNS filtering (Cloudflare Gateway, NextDNS Teams, Cisco Umbrella) so you retain visibility.

9. iCloud restrictions per data-handling tier

Default macOS enables iCloud sync of Documents, Desktop, Photos, Keychain, etc. For Macs handling regulated data (PHI, CUI, card data, legal work), this is an exfiltration path.

Policy:

  • Disable iCloud Documents & Desktop sync on regulated-data Macs
  • Disable iCloud Keychain (use enterprise password manager instead)
  • Disable iCloud Photos unless explicitly approved
  • Managed Apple ID for iCloud instead of a personal Apple ID, so the organization controls the account

10. AirDrop and Bluetooth policy

  • AirDrop: restrict to Contacts Only on all corporate devices. Disable on Macs handling regulated data
  • Bluetooth: require authentication and PIN for new pairings
  • Handoff / Universal Clipboard: consider disabling for regulated data. Clipboard syncs across devices including personal iPhones

11. Screen capture and screen sharing controls

  • Remote screen sharing disabled (it's off by default but verify)
  • Screen recording permission requires explicit MDM approval
  • Zoom / Teams / Slack screen share: monitor for abuse patterns (rare, but an adversary may use it to exfiltrate)

12. Application inventory and EOL monitoring

  • MDM-managed app inventory pulling version info weekly
  • Alert on end-of-life software (Flash, older Java, Adobe Acrobat versions with known CVEs, Microsoft Office 2019 when retired)
  • CVE matching against installed versions

Jamf and Kandji both do version inventory. Wire it to a CVE feed (NVD, OSV.dev) for automated risk matching.

13. Kernel extension / System Extension audit

Third-party kernel extensions (KEXTs) are deprecated in favor of System Extensions. Both can be audited:

  • MDM reports loaded KEXTs and SysExts per endpoint
  • Allow only approved ones via TeamID allow-list
  • Any unexpected extension = investigation

14. Firmware password / Startup Disk Lock (Apple Silicon)

Intel Macs support a firmware password preventing booting from external media. Apple Silicon uses Activation Lock tied to iCloud.

  • Set firmware password on Intel Macs (if any remain)
  • Apple Silicon: ensure Activation Lock is registered to Managed Apple ID
  • Escrow recovery keys in MDM or secure vault

15. Lost Mode and Activation Lock configuration

When a Mac is lost or stolen:

  • MDM can issue Remote Lock with a passcode displayed on-screen
  • Activation Lock prevents reactivation without Managed Apple ID
  • FileVault encryption means data is inaccessible without password or recovery key

Test this quarterly. Simulation: flag a test Mac as lost, verify all steps work.

Deployment considerations

Stage rollouts

Test profile changes on a pilot group of 5-10 Macs first. Verify no application breakage. Then 10% of fleet. Then 100%.

Common breakages:

  • PPPC profile that denies Full Disk Access to a legacy backup tool → backups fail
  • Santa in enforcement mode with incomplete allow-list → user apps stop launching
  • DoH profile pointing to filtered DNS → some services break

Always have a rollback path.

User education for friction changes

Users will hit:

  • "This application is blocked" prompts
  • "Application wants to access Full Disk Access" prompts
  • "Enter password to install update" prompts more often

Document the expected behaviors. Internal wiki page. IT helpdesk briefed.

Apple Silicon vs Intel divergence

Intel Macs support different firmware controls (firmware password, EFI features). Apple Silicon Macs, like T2-equipped Intel Macs, use Apple's secure boot model instead. Policy docs need to cover both in mixed fleets.

By 2026, most enterprise fleets are 80%+ Apple Silicon. Still handle the Intel tail correctly.

macOS version compatibility

Some controls require specific macOS versions:

  • Endpoint Security Framework: macOS 10.15+
  • System Extensions: 10.15+
  • Apple Silicon secure boot: M1+
  • Managed Apple ID with iCloud: macOS 11+

Verify your fleet is on supported versions. Unsupported versions don't get security updates.

What we test in a macOS engagement

Our Mac fleet engagements cover:

  1. MDM configuration audit against CIS Apple macOS Benchmark
  2. PPPC profile deployment and pre-approvals
  3. EDR deployment coverage and alert tuning
  4. Unified Logging + SIEM integration
  5. Encryption posture (FileVault, recovery key escrow)
  6. Binary allow-list / Santa configuration (if deployed)
  7. Network policy (firewall, DoH, EDR network monitoring)
  8. iCloud and AirDrop policy alignment with data classification
  9. User account hygiene
  10. Kernel extension / System Extension inventory
  11. Simulated attack testing. Commodity malware, supply chain, physical access

Typical engagement: 2-4 weeks for 100-500 Mac fleet.

Compliance mapping

  • NIST 800-171 / CMMC 2.0. AC, AU, CM, IA, SC families
  • HIPAA Security Rule. 164.312 technical safeguards
  • PCI DSS 4.0. Requirement 2 (config), 8 (auth), 10 (logging), 12 (policy)
  • SOC 2. CC6 (Access), CC7 (Operations)
  • CIS Apple macOS Benchmark. Direct mapping

Resources

  • CIS Apple macOS Benchmark: https://www.cisecurity.org/benchmark/apple_os
  • macOS Security Compliance Project (mSCP): https://github.com/usnistgov/macos_security
  • Apple's Platform Security Guide: https://support.apple.com/guide/security/
  • Jamf Pro security configuration guide
  • Kandji Parameters library (free, useful baselines)
  • Mosyle's Security Templates
  • NIST Mac Security Guide (Guide to General Server Security, applicable sections)

Hire Valtik Studios

macOS enterprise hardening is a specialized engagement area. Most security firms know Windows well but haven't done the work on Mac fleet configuration. We have. If your organization runs 50+ Macs and hasn't had a specific Mac security audit in 18+ months, there will be gaps. Especially around PPPC, TCC, and Unified Logging.

Reach us at valtikstudios.com.
