Security Configuration
FileVault (macOS)
FileVault provides full-disk encryption (XTS-AES-128) for macOS devices. When enabled, the startup disk is encrypted and must be unlocked at boot with a user's password or a recovery key.
Personal Recovery Key
A personal recovery key is generated during FileVault enablement. This key can unlock the disk if the user forgets their login password. The key should be escrowed to the MDM server for safekeeping.
Institutional Recovery Key
An institutional recovery key is a public-key-based recovery mechanism. The corresponding private key is held by the organization, allowing IT to unlock any FileVault-encrypted device without the user's personal key.
Configuration
| Key | Type | Description |
|---|---|---|
| Defer | Boolean | Defers FileVault enablement until user logout |
| DeferDontAskAtAuth | Boolean | Suppresses the FileVault login prompt |
| ShowRecoveryKey | Boolean | Displays the personal recovery key to the user |
| OutputPath | String | Path where the recovery key escrow payload is written |
Firewall (macOS)
macOS includes a built-in application firewall that controls incoming connections on a per-app basis.
Enable Firewall
Turns on the application firewall to block unsolicited incoming connections.
Stealth Mode
When enabled, the device does not respond to network probes such as ICMP echo requests or connection attempts to closed ports, making it less visible on the network.
App-Specific Rules
Allows or blocks incoming connections for specific applications. Rules can be defined by bundle identifier.
| Key | Type | Description |
|---|---|---|
| EnableFirewall | Boolean | Enables the macOS application firewall |
| BlockAllIncoming | Boolean | Blocks all incoming connections except essential services |
| EnableStealthMode | Boolean | Enables stealth mode (no response to probes) |
| Applications | Array | List of applications with per-app firewall rules |
Certificate
Install trusted root and intermediate certificates on devices. This is essential for:
- Internal PKI trust chains
- Certificate-based authentication
- TLS inspection and content filtering
- Wi-Fi and VPN certificate trust
Configuration
| Key | Type | Description |
|---|---|---|
| PayloadCertificateFileName | String | File name of the certificate |
| PayloadContent | Data | Base64-encoded certificate data (DER or PEM) |
| PayloadCertificateUUID | String | Unique identifier for the certificate payload |
Certificates can be marked as trusted (added to the system trust store) or untrusted (added to the keychain but not trusted by default).
SCEP
Simple Certificate Enrollment Protocol (SCEP) automates certificate issuance and renewal. Devices request certificates from a SCEP server, eliminating manual certificate distribution.
Configuration
| Key | Type | Description |
|---|---|---|
| URL | String | SCEP server URL |
| Name | String | Certificate subject name template |
| Subject | Array | Certificate subject attributes (e.g., CN, O, C) |
| Challenge | String | One-time challenge password for enrollment |
| KeySize | Integer | RSA key size (1024, 2048, 4096) |
| KeyType | String | Key algorithm (RSA or ECDSA) |
| KeyUsage | Integer | Key usage flags (digitalSignature, keyEncipherment) |
| Retries | Integer | Number of retry attempts on failure |
| RetryDelay | Integer | Seconds between retry attempts |
Workflow
- Device generates a key pair locally
- Device sends a PKCS#10 certificate signing request (CSR) to the SCEP server
- SCEP server validates the challenge and issues the certificate
- Device installs the issued certificate
- Device renews the certificate before expiry using the same SCEP URL
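A quick way to catch weak SCEP settings before a profile ships is to lint the payload keys listed in the configuration table above. The script below is an added example (not part of this documentation); it uses the key names from the table, decodes the KeyUsage bitmask (1 = digitalSignature, 4 = keyEncipherment), and runs over a constructed sample profile whose weak values are deliberate.

```python
import plistlib

# KeyUsage bitmask: 1 = digitalSignature, 4 = keyEncipherment, 5 = both.
KEY_USAGE_BITS = {1: "digitalSignature", 4: "keyEncipherment"}


def decode_key_usage(value):
    """Return the usage names set in a KeyUsage integer (5 -> both)."""
    return [name for bit, name in KEY_USAGE_BITS.items() if value & bit]


def lint_scep_payload(p):
    """Return findings for one SCEP payload dict (key names as in the table above)."""
    findings = []
    if not p.get("URL", "").startswith("https://"):
        findings.append("URL is not HTTPS: the challenge and issued certificate travel in clear text")
    if p.get("KeyType", "RSA") == "RSA" and p.get("KeySize", 0) < 2048:
        findings.append("KeySize below 2048: 1024-bit RSA is no longer acceptable")
    if not p.get("Challenge"):
        findings.append("Challenge is empty: the server cannot tie the CSR to an authorised enrolment")
    if not decode_key_usage(p.get("KeyUsage", 0)):
        findings.append("KeyUsage grants no purpose: the certificate can neither sign nor encrypt")
    if p.get("Retries", 0) > 0 and p.get("RetryDelay", 0) <= 0:
        findings.append("Retries without a RetryDelay: failed enrolments retry in a tight loop")
    return findings


def lint_profile_xml(xml_bytes):
    """Parse a configuration profile plist and lint every SCEP payload it carries."""
    profile = plistlib.loads(xml_bytes)
    return {pl["PayloadIdentifier"]: lint_scep_payload(pl["PayloadContent"])
            for pl in profile["PayloadContent"] if pl["PayloadType"] == "com.apple.security.scep"}


# Constructed sample profile (hostname and identifiers are placeholders); weak values are deliberate.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.scep</string>
    <key>PayloadIdentifier</key><string>com.example.scep.weak</string>
    <key>PayloadContent</key><dict>
      <key>URL</key><string>http://scep.example.com/cgi-bin/pkiclient.exe</string>
      <key>Challenge</key><string></string>
      <key>KeyType</key><string>RSA</string>
      <key>KeySize</key><integer>1024</integer>
      <key>KeyUsage</key><integer>5</integer>
      <key>Retries</key><integer>3</integer>
      <key>RetryDelay</key><integer>0</integer>
    </dict>
  </dict></array>
</dict></plist>"""

# The same payload with the settings a practitioner would expect to see.
HARDENED = {"URL": "https://scep.example.com/cgi-bin/pkiclient.exe", "Challenge": "one-time-secret",
            "KeyType": "RSA", "KeySize": 2048, "KeyUsage": 5, "Retries": 3, "RetryDelay": 10}
```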
Single App Mode
Single App Mode (SAM) restricts the device to running a single application, effectively creating a kiosk. Exiting the app requires a passcode or MDM command.
Configuration
| Key | Type | Description |
|---|---|---|
| AllowTouchScreenRotate | Boolean | Allows screen rotation in kiosk mode |
| AllowAutoLock | Boolean | Allows the device to auto-lock |
| AllowLockScreen | Boolean | Allows access to the lock screen |
| AllowVolumeButtons | Boolean | Allows volume button use |
| AllowRingerSwitch | Boolean | Allows the ringer switch (iOS) |
| AutonomousSingleAppModePermittedAppIDs | Array | Bundle IDs of apps allowed to enter SAM autonomously |
Use Cases
- Point-of-sale terminals
- Digital signage
- Exam proctoring
- Library catalog stations
- Patient check-in kiosks
Privacy Preferences (macOS)
macOS Privacy Preferences Policy Control (PPPC) manages app access to system privacy controls, so the user no longer has to approve each permission manually in System Settings.
Supported Privacy Services
| Service | Description |
|---|---|
| AddressBook | Contacts access |
| Calendar | Calendar access |
| Reminders | Reminders access |
| Photos | Photos library access |
| Camera | Camera access |
| Microphone | Microphone access |
| Accessibility | Accessibility API access |
| PostEvent | System-wide event posting |
| SystemPolicyAllFiles | Full disk access |
| SystemPolicySysAdminFiles | System administration files access |
| DesktopFolder | Desktop folder access |
| DocumentsFolder | Documents folder access |
| DownloadsFolder | Downloads folder access |
| FileProviderPresence | File provider domain access |
Configuration
| Key | Type | Description |
|---|---|---|
| CodeRequirement | String | Code signing requirement for the app (e.g., identifier "com.example.app" and anchor apple generic) |
| Identifier | String | Bundle identifier of the app |
| IdentifierType | String | bundleID or path |
| StaticCodeValidation | Boolean | Validates the app's code signature before granting access |
| Allowed | Boolean | true to allow, false to deny |
Example
```xml
<dict>
    <key>CodeRequirement</key>
    <string>identifier "com.microsoft.teams" and anchor apple generic</string>
    <key>Identifier</key>
    <string>com.microsoft.teams</string>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>StaticCodeValidation</key>
    <true/>
    <key>Allowed</key>
    <true/>
</dict>
```
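The entry above is one item inside a Services dictionary of a `com.apple.TCC.configuration-profile-policy` payload. The script below is an added example (not part of this documentation): it builds that full profile with `plistlib`, using the entry keys from the configuration table, and checks two things a reviewer would want caught: the `identifier` in CodeRequirement not matching Identifier, and a requirement that does not pin a Team ID (`certificate leaf[subject.OU]`), so that any signed app reusing the bundle ID would satisfy it. The organisation prefix and `TEAMID0000` are placeholder values.

```python
import plistlib
import re
import uuid

ORG_PREFIX = "com.example.mdm"  # placeholder; use your organisation's reverse-DNS prefix
NO_TEAM_ID = "CodeRequirement does not pin a Team ID (certificate leaf[subject.OU])"
ID_MISMATCH = "CodeRequirement identifier does not match Identifier"


def pppc_entry(identifier, code_requirement, allowed=True, identifier_type="bundleID"):
    """Build one PPPC entry with the keys listed in the configuration table above."""
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement, "StaticCodeValidation": True, "Allowed": allowed}


def check_entry(entry):
    """Return findings for one entry: identifier mismatch, or a requirement without a Team ID pin."""
    findings = []
    req = entry["CodeRequirement"]
    m = re.search(r'identifier\s+"([^"]+)"', req)
    if entry["IdentifierType"] == "bundleID" and (m is None or m.group(1) != entry["Identifier"]):
        findings.append(ID_MISMATCH)
    if "certificate leaf[subject.OU]" not in req:
        findings.append(NO_TEAM_ID)
    return findings


def build_pppc_profile(services):
    """Wrap {service_name: [entries]} into a complete configuration profile; returns plist XML bytes."""
    for entries in services.values():
        for entry in entries:
            if check_entry(entry):
                raise ValueError(f"{entry['Identifier']}: {check_entry(entry)}")
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": f"{ORG_PREFIX}.pppc", "PayloadUUID": str(uuid.uuid4()),
               "PayloadVersion": 1, "Services": services}
    profile = {"PayloadType": "Configuration", "PayloadIdentifier": f"{ORG_PREFIX}.pppc.profile",
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1, "PayloadScope": "System",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)


# Constructed entries: the first mirrors the example above, the second adds a placeholder Team ID pin.
TEAMS_LOOSE = pppc_entry("com.microsoft.teams",
                         'identifier "com.microsoft.teams" and anchor apple generic')
TEAMS_PINNED = pppc_entry("com.microsoft.teams",
                          'identifier "com.microsoft.teams" and anchor apple generic '
                          'and certificate leaf[subject.OU] = "TEAMID0000"')
```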