Starter policy for new build Mac MDM

Security hardening

  • Lock immediately when the lid is closed
  • Screensaver requires a password
  • Enforce FileVault encryption
  • Local admin account: password rotation and enforcement
  • Block unauthorized software
  • Primary user is a standard account; elevate to admin for installs for only 15 minutes via an App Store elevation script
  • Enable the firewall
  • Update /etc/hosts

Good network citizen

  • Do not write .DS_Store files to network volumes

Energy use

  • Sleep after 15 minutes
  • Screensaver after 2 minutes

Deployment enforcement/ease of use

  • Auto-connect to the SSID with a stored password
  • Enable Screen Recording for Zoom, S-Connect
  • Add/arrange items in the Dock while keeping the user's ability to modify the Dock
  • Set the default web browser
  • Disable iCloud/Apple ID
  • SSH enabled
  • AFP disabled
  • Ensure MDM tools are installed
  • Enforce time server (time.nist.gov)
  • Auto-update printer configuration
  • Auto-remove old versions of MS Office
  • Enable local Time Machine backup
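As an added example, not part of the original post or any MDM vendor's template, the following constructed configuration profile expresses the items that map directly onto managed payloads: screensaver timing and immediate password lock (which also covers lid close, since closing the lid sleeps the Mac), the application firewall, FileVault enforcement, the .DS_Store setting for network volumes, the sleep timers and the time server. The PayloadIdentifier values and UUIDs are placeholders, and the sleep timers assume the legacy com.apple.MCX Energy Saver keys that most MDMs still honour. Items that depend on the MDM's own mechanisms (local admin password rotation, the elevation script, software blocking, SSID credentials, Dock layout) are deliberately left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile; identifier and UUIDs are constructed placeholders -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadDisplayName</key><string>Starter baseline (example)</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.starter-baseline</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <!-- Screensaver after 2 minutes; password required with no grace period.
         Lid close puts the Mac to sleep, and waking from sleep hits the same lock. -->
    <dict>
      <key>PayloadType</key><string>com.apple.screensaver</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.starter-baseline.screensaver</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>idleTime</key><integer>120</integer>
      <key>askForPassword</key><true/>
      <key>askForPasswordDelay</key><integer>0</integer>
    </dict>
    <!-- Application firewall on with stealth mode. BlockAllIncoming stays false
         because the policy above keeps SSH enabled. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.starter-baseline.firewall</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>EnableFirewall</key><true/>
      <key>EnableStealthMode</key><true/>
      <key>BlockAllIncoming</key><false/>
    </dict>
    <!-- FileVault: enable, deferring to the next login, and do not let the
         user bypass the prompt. Recovery key escrow is a separate MDM payload. -->
    <dict>
      <key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.starter-baseline.filevault</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000004</string>
      <key>Enable</key><string>On</string>
      <key>Defer</key><true/>
      <key>DeferForceAtUserLoginMaxBypassAttempts</key><integer>0</integer>
      <key>UseRecoveryKey</key><true/>
      <key>ShowRecoveryKey</key><false/>
    </dict>
    <!-- Good network citizen: no .DS_Store on network volumes -->
    <dict>
      <key>PayloadType</key><string>com.apple.desktopservices</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.starter-baseline.desktopservices</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000005</string>
      <key>DSDontWriteNetworkStores</key><true/>
    </dict>
    <!-- Time server and 15 minute sleep on AC power (legacy MCX keys; assumed
         still supported by the MDM in use) -->
    <dict>
      <key>PayloadType</key><string>com.apple.MCX</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.starter-baseline.mcx</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000006</string>
      <key>timeServer</key><string>time.nist.gov</string>
      <key>com.apple.EnergySaver.portable.ACPower</key>
      <dict>
        <key>System Sleep Timer</key><integer>15</integer>
        <key>Display Sleep Timer</key><integer>15</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Push this as a device (system-scope) profile from the MDM rather than installing it by hand, so it cannot be removed by a standard user. After enrolment, `sudo profiles list` on the Mac shows whether each payload identifier landed. Two caveats a practitioner should keep in mind: FileVault recovery-key escrow needs the MDM's own escrow payload in addition to the FileVault2 payload shown here, and the screensaver payload locks on wake from sleep but does not by itself keep the lid-close sleep from being disabled by a local admin, which is one more reason the primary user should be a standard account. The NIST macOS Security Compliance Project baselines linked below generate profiles in exactly this form and are a good reference for which keys a given macOS release still honours.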

NIST macOS Security Compliance Project

