Jamf 275x275 head shot In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.
CIS + STIG + NIST + Apple + Users = X

Presentation agenda:
• What is…
• Intersections
• Divergences
• How to deploy

What is… CIS
• Center for Internet Security
• Provides security guidelines for multiple OSes
• Volunteer-built

What is… STIG
• Security Technical Implementation Guide
• Released by DISA
• Public resources available at https://public.cyber.mil/stigs/

What is… NIST
• National Institute of Standards and Technology
• Agency within the US Dept of Commerce
• Publicly available guidelines for securing macOS devices only reference macOS 10.12

Where they agree
• Encryption - FileVault 2
• System Integrity Protection
• ScreenSaver settings
• Login Window banner
• Firewall logging
• window as name and password
• Disable services such as file sharing, Bonjour, internet sharing
• Disable root access
• Enable audit logging and ensure proper permissions

Where they differ
• Disable Wi-Fi
• Disable unused network devices
• Remove temp and emergency accounts after 72 hrs
• Disable FaceTime, Messages, Camera
• iCloud settings
• Enabling specific SSH settings
• Disable iTunes File Sharing
• Require smart cards
• Disable location services
• Updates must come from DoD server
• Install AV and network scanning tools
• Real time alerts for audit failure

Variables in the equation - Apple
• Use Apple products on enterprise networks (https://support.apple.com/en-us/HT210060) provides detail on hostnames, ports, and proxy support

Apple Certification Updates
• FIPS 140-2 Level 2 validation for Apple Secure Enclave Processor (SEP) Secure Key Store Module, v9.0: https://support.apple.com/en-us/HT209632
• August 1, 2019 - Apple has received ISO 27001 & 27018 certifications, expanding to include Apple Push Notification Service (APNs), Apple Business Manager and Apple Business Chat services

Variables in the equation - NIST Password Guidelines - TL;DR
• 8 character minimum when a human sets it
• 6 character minimum when set by a system/service
• Support at least 64 characters maximum length
• All ASCII characters (including space) should be supported
• Truncation of the secret (password) shall not be performed when processed
• Check chosen password against known password dictionaries
• Allow at least 10 password attempts before lockout
• No complexity requirements
• No password expiration period
• No password hints
• No knowledge-based authentication (e.g. who was your best friend in high school?)
• No SMS for 2FA (use a one-time password from an app like Google Authenticator)

FAQ for NIST Digital Identity Guidelines: https://pages.nist.gov/800-63-FAQ/
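As an added example (not code from the deck), a Python sketch of those NIST SP 800-63B rules as a verifier would apply them: length floors, no truncation before hashing, a blocklist check in place of complexity rules, and lockout only after ten failures. The blocklist is a constructed sample.

```python
"""Memorized-secret rules from the NIST SP 800-63B points listed above.
Added example, not from the deck; BLOCKLIST is a tiny constructed sample
standing in for a real compromised-password list.
"""
import hashlib
import os
import unicodedata

MIN_LEN_HUMAN = 8     # human-chosen secret
MIN_LEN_SYSTEM = 6    # system/service-generated secret
MAX_LEN = 64          # verifier must accept at least this many; no cap is enforced
MAX_ATTEMPTS = 10     # failed attempts allowed before lockout
# Constructed sample of a compromised/common-password blocklist.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def check_secret(secret, human_chosen=True):
    """Return the list of rule violations; an empty list means acceptable."""
    s = unicodedata.normalize("NFKC", secret)   # stable length, never truncated
    min_len = MIN_LEN_HUMAN if human_chosen else MIN_LEN_SYSTEM
    problems = []
    if len(s) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # All printable ASCII including space is accepted; only control characters
    # are rejected.  No composition rule (upper/digit/symbol) and no expiry:
    # length plus the blocklist check replace complexity requirements.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in s):
        problems.append("contains control characters")
    if s.lower() in BLOCKLIST:
        problems.append("found in blocklist of compromised passwords")
    return problems


def hash_secret(secret, salt=None, iterations=600_000):
    """Salted PBKDF2 over the whole secret (unlike bcrypt's 72-byte limit)."""
    salt = salt or os.urandom(16)
    full = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", full, salt, iterations)


class Throttle:
    """Per-account failed-attempt counter: lock only after MAX_ATTEMPTS."""
    def __init__(self):
        self.failures = {}

    def record_failure(self, account):
        """Return True once the account must be locked (the 10th failure)."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account] >= MAX_ATTEMPTS
```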

Deploying - How to solve for X
• Organization requirements
• Understand implications of each setting
• Audit first, then remediate in small steps
• Communicate security expectations / settings to users
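An added example of the "audit first" step applied to the settings listed under "Where they agree" (not the deck's code and not Jamf's CIS/STIG scripts): a read-only Python audit that never remediates. It assumes the commands and output strings the public CIS macOS benchmark audit steps use, and its parsers are pure functions so they can be checked against constructed output off a Mac.

```python
"""Read-only audit of the settings the CIS, STIG and NIST baselines agree on.
Added example (not the deck's or Jamf's code): commands and output strings
follow the CIS macOS benchmark audit steps; parsers are pure for offline tests.
"""
import subprocess


def run(cmd):
    """Run a command, returning stdout+stderr as text; missing tool -> ''."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return p.stdout + p.stderr


# Parsers: raw command output -> True when the setting is compliant.
def filevault_on(out):                     # fdesetup status
    return "FileVault is On" in out

def sip_enabled(out):                      # csrutil status
    return "System Integrity Protection status: enabled" in out

def firewall_logging(out):                 # socketfilterfw --getloggingmode
    return "Log mode is on" in out

def screensaver_ok(out, max_idle=1200):    # com.apple.screensaver idleTime (seconds)
    try:
        return 0 < int(out.strip()) <= max_idle
    except ValueError:
        return False                       # key absent/non-numeric: no idle lock set

def root_disabled(out):                    # dscl . -read /Users/root AuthenticationAuthority
    return "No such key" in out            # a disabled root has no AuthenticationAuthority

def auditd_loaded(out):                    # launchctl list
    return any(l.split()[-1] == "com.apple.auditd" for l in out.splitlines() if l.strip())


CHECKS = {
    "FileVault 2": (["fdesetup", "status"], filevault_on),
    "System Integrity Protection": (["csrutil", "status"], sip_enabled),
    "Firewall logging": (["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getloggingmode"], firewall_logging),
    "Screen saver idle time": (["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"], screensaver_ok),
    "Root account disabled": (["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"], root_disabled),
    "Audit logging (auditd)": (["launchctl", "list"], auditd_loaded),
}


def audit():
    """Return {check name: compliant?} for the host this runs on; never remediates."""
    return {name: parser(run(cmd)) for name, (cmd, parser) in CHECKS.items()}
```

Run `audit()` on a Mac to get a pass/fail map you can review before writing any remediation; the login window banner and disabled sharing services are left for a second pass.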

Deploying - How to solve for X
• Jamf Protect Insights - allows you to set which CIS Benchmarks you wish to audit against
• CIS Audit and Remediation - available at https://jamf.it/CIS
• STIG Audit and Remediation - available at https://jamf.it/STIG