
Security Configuration

FileVault (macOS)

FileVault provides full-disk encryption (XTS-AES-128) for macOS devices. When enabled, the startup disk is encrypted and requires a password to unlock at boot.

Personal Recovery Key

A personal recovery key is generated during FileVault enablement. This key can unlock the disk if the user forgets their login password. The key should be escrowed to the MDM server for safekeeping.

Institutional Recovery Key

An institutional recovery key is a public-key-based recovery mechanism. The corresponding private key is held by the organization, allowing IT to unlock any FileVault-encrypted device without the user's personal key.

Configuration

| Key | Type | Description |
| --- | --- | --- |
| Defer | Boolean | Defers FileVault enablement until user logout |
| DeferDontAskAtAuth | Boolean | Suppresses the FileVault login prompt |
| ShowRecoveryKey | Boolean | Displays the personal recovery key to the user |
| OutputPath | String | Path where the recovery key escrow payload is written |

Firewall (macOS)

macOS includes a built-in application firewall that controls incoming connections on a per-app basis.

Enable Firewall

Turns on the application firewall to block unsolicited incoming connections.

Stealth Mode

When enabled, the device does not respond to probing (e.g., ICMP ping) on closed ports, making it less visible on the network.

App-Specific Rules

Allows or blocks incoming connections for specific applications. Rules can be defined by bundle identifier.

| Key | Type | Description |
| --- | --- | --- |
| EnableFirewall | Boolean | Enables the macOS application firewall |
| BlockAllIncoming | Boolean | Blocks all incoming connections except essential services |
| EnableStealthMode | Boolean | Enables stealth mode (no response to probes) |
| Applications | Array | List of applications with per-app firewall rules |
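The following is an added example (not code from this page's project) that lints a configuration profile for the FileVault and firewall keys listed in the two tables above: it reads a constructed .mobileconfig with the standard library and reports the weak settings a reviewer would want to catch. The PayloadType strings are Apple's, and the per-app rule shape (BundleID/Allowed) follows Apple's firewall payload; the sample profile itself is constructed for this example.

```python
import plistlib

# Constructed sample .mobileconfig (not from the page): a FileVault payload that
# shows the recovery key on screen and never escrows it, plus a firewall payload
# that is enabled but leaves stealth mode off and allows one app inbound.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
      <key>Defer</key><true/>
      <key>ShowRecoveryKey</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>EnableFirewall</key><true/>
      <key>EnableStealthMode</key><false/>
      <key>Applications</key><array>
        <dict><key>BundleID</key><string>com.example.helper</string><key>Allowed</key><true/></dict>
      </array>
    </dict>
  </array>
</dict></plist>"""


def lint_profile(profile_bytes: bytes) -> list[str]:
    """Return one finding per weak or missing security setting in the profile."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.MCX.FileVault2":
            if payload.get("ShowRecoveryKey"):
                findings.append("FileVault: ShowRecoveryKey shows the personal recovery key on screen; "
                                "disable it when the key is escrowed to the MDM server")
            if not payload.get("OutputPath"):
                findings.append("FileVault: no OutputPath, so the recovery key escrow payload is never written")
        elif ptype == "com.apple.security.firewall":
            if not payload.get("EnableFirewall"):
                findings.append("Firewall: EnableFirewall is false, inbound connections are not filtered")
            if not payload.get("EnableStealthMode"):
                findings.append("Firewall: EnableStealthMode is false, the host answers probes on closed ports")
            for rule in payload.get("Applications", []):
                if rule.get("Allowed"):
                    findings.append(f"Firewall: {rule.get('BundleID')} is allowed inbound; confirm it must listen")
    return findings
```

Run it over the real profiles your MDM pushes; plistlib accepts the same XML a device receives.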

Certificate

Install trusted root and intermediate certificates on devices. This is essential for:

  • Internal PKI trust chains
  • Certificate-based authentication
  • TLS inspection and content filtering
  • Wi-Fi and VPN certificate trust

Configuration

| Key | Type | Description |
| --- | --- | --- |
| PayloadCertificateFileName | String | File name of the certificate |
| PayloadContent | Data | Base64-encoded certificate data (DER or PEM) |
| PayloadCertificateUUID | String | Unique identifier for the certificate payload |

Certificates can be marked as trusted (added to the system trust store) or untrusted (added to the keychain but not trusted by default).

SCEP

Simple Certificate Enrollment Protocol (SCEP) automates certificate issuance and renewal. Devices request certificates from a SCEP server, eliminating manual certificate distribution.

Configuration

| Key | Type | Description |
| --- | --- | --- |
| URL | String | SCEP server URL |
| Name | String | Certificate subject name template |
| Subject | Array | Certificate subject attributes (e.g., CN, O, C) |
| Challenge | String | One-time challenge password for enrollment |
| KeySize | Integer | RSA key size (1024, 2048, 4096) |
| KeyType | String | Key algorithm (RSA or ECDSA) |
| KeyUsage | Integer | Key usage flags (digitalSignature, keyEncipherment) |
| Retries | Integer | Number of retry attempts on failure |
| RetryDelay | Integer | Seconds between retry attempts |

Workflow

  1. Device generates a key pair locally
  2. Device sends a PKCS#10 certificate signing request (CSR) to the SCEP server
  3. SCEP server validates the challenge and issues the certificate
  4. Device installs the issued certificate
  5. Device renews the certificate before expiry using the same SCEP URL

Single App Mode

Single App Mode (SAM) restricts the device to running a single application, effectively creating a kiosk. Exiting the app requires a passcode or MDM command.

Configuration

| Key | Type | Description |
| --- | --- | --- |
| AllowTouchScreenRotate | Boolean | Allows screen rotation in kiosk mode |
| AllowAutoLock | Boolean | Allows the device to auto-lock |
| AllowLockScreen | Boolean | Allows access to the lock screen |
| AllowVolumeButtons | Boolean | Allows volume button use |
| AllowRingerSwitch | Boolean | Allows the ringer switch (iOS) |
| AutonomousSingleAppModePermittedAppIDs | Array | Bundle IDs of apps allowed to enter SAM autonomously |

Use Cases

  • Point-of-sale terminals
  • Digital signage
  • Exam proctoring
  • Library catalog stations
  • Patient check-in kiosks

Privacy Preferences (macOS)

macOS Privacy Preferences Policy Control (PPPC) manages app access to system privacy controls. It removes the need for users to approve each permission manually in System Settings.

Supported Privacy Services

| Service | Description |
| --- | --- |
| AddressBook | Contacts access |
| Calendar | Calendar access |
| Reminders | Reminders access |
| Photos | Photos library access |
| Camera | Camera access |
| Microphone | Microphone access |
| Accessibility | Accessibility API access |
| PostEvent | System-wide event posting |
| SystemPolicyAllFiles | Full disk access |
| SystemPolicySysAdminFiles | System administration files access |
| DesktopFolder | Desktop folder access |
| DocumentsFolder | Documents folder access |
| DownloadsFolder | Downloads folder access |
| FileProviderPresence | File provider domain access |

Configuration

| Key | Type | Description |
| --- | --- | --- |
| CodeRequirement | String | Code signing requirement for the app (e.g., identifier "com.example.app" and anchor apple generic) |
| Identifier | String | Bundle identifier of the app |
| IdentifierType | String | bundleID or path |
| StaticCodeValidation | Boolean | Validates the app's code signature before granting access |
| Allowed | Boolean | true to allow, false to deny |

Example

```xml
<dict>
    <key>CodeRequirement</key>
    <string>identifier "com.microsoft.teams" and anchor apple generic</string>
    <key>Identifier</key>
    <string>com.microsoft.teams</string>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>StaticCodeValidation</key>
    <true/>
    <key>Allowed</key>
    <true/>
</dict>
```
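As an added example (not code from this page's project), the following builds the entry above programmatically, wraps it in the Services dictionary a PPPC payload carries, and checks each entry for the two mistakes that widen a grant: a CodeRequirement that does not pin the Identifier, and one with no anchor, which any signer can satisfy. The PayloadType string is Apple's; everything else follows the table above.

```python
import plistlib

PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type


def build_pppc_payload(bundle_id: str, service: str, allowed: bool = True) -> dict:
    """Assemble a PPPC payload: Services -> <service name from the table> -> list of app entries."""
    return {
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "Services": {
            service: [{
                "CodeRequirement": f'identifier "{bundle_id}" and anchor apple generic',
                "Identifier": bundle_id,
                "IdentifierType": "bundleID",
                "StaticCodeValidation": True,
                "Allowed": allowed,
            }]
        },
    }


def roundtrip_entries(payload: dict, service: str) -> list[dict]:
    """Serialize to the plist XML a device receives and read the entries back for that service."""
    return plistlib.loads(plistlib.dumps(payload))["Services"].get(service, [])


def check_entry(entry: dict) -> list[str]:
    """Flag entries whose code requirement would match more binaries than the named app."""
    problems = []
    ident, req = entry.get("Identifier", ""), entry.get("CodeRequirement", "")
    if entry.get("IdentifierType") not in ("bundleID", "path"):
        problems.append("IdentifierType must be bundleID or path")
    # With a bundleID identifier the requirement must name that same identifier.
    if entry.get("IdentifierType") == "bundleID" and f'identifier "{ident}"' not in req:
        problems.append("CodeRequirement does not pin the Identifier")
    # Without an anchor the requirement is satisfied by any signature carrying the identifier.
    if "anchor" not in req:
        problems.append("CodeRequirement has no anchor, any signer can satisfy it")
    return problems
```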

Released under the MIT License