Embed Size (px)
Citation preview
Chris MillerAsst. Director Technology Services Eanes ISD
@EdTechChris EdTechChris.com
Shout out to my Apple SE:
How can macOS keep our teachers and our kids safer?
Security is a ProcessIt’s about the journey
Privacy & Usability v. Security
Shifting Paradigms
Traditional ApproachWide open, standard OS architecture
Extensive “add-on” solutions for security
Increase security by disabling functionality
Modern Security ApproachDesigned for mobility
Security built in, not bolted on
Optimal user experience
System Security
Data Security
App Security
System Security
System Security
Integrated hardware and software
Services off by default
Access permissions
System integrity protection
X Protect
Data Path Randomization
User Types
Admin UsersOS X macOS
User Types
Admin Users Standard Users
Software UpdatesOne of the most important practices for security on any OS
Updates are provided for all supported devices for free
Organizations can prompt a device to download and install updates through MDM*
Supports multiple generations
3
System Integrity Protection
Includes protection for these parts of the system:
• /System• /usr• /bin• /sbin• Apps that are pre-installed with
OS X
X Protect
• Virus & Malware Detection
• File Quarantine Aware
• Checks content against a plist of known vulnerabilities
Mobile Device Management
Secure device configuration
Configuration profiles can be locked, signed and encrypted
XML based configuration profiles covering security and network policies
Configuration Profiles
Device Enrollment Program
MDM Server
How Device Enrollment Works
Apple School Manager
DEP Customer Account
Purchased from Apple
K-12
Purchased from Reseller
(higher ed only)
EFI Firmware Password
Asset ProtectionNow being integrated into MDM
MDM + DEP + EFI = better asset protection
iOS allows some GPS location - will we see this with macOS?
JAMF Pro MDM
Data Security
Keychain
Database for passwords, certificates, and encryption keys
Safe, Encrypted
Recover Lost Passwords
Passwords
1231231234567890000000abc1231234adobe1macromediaazertyiloveyouaaaaaa654321
1231231234567890000000abc1231234adobe1macromediaazertyiloveyouaaaaaa654321
• Go to HaveIBeenPwned.com
• Check to see if any of your user names or emails have been compromised.
2 Factor Authentication
Filevault
Encrypted Disk Image
Pre-boot authenticationEFI Firmware based
Policy management through MDM
Recovery key management
Managed Apple IDs
iCloud Backup
Secure transport to iCloud
Files backed up in their original, encrypted state
Backups taken when connected to power and on Wi-Fi
Device settings, app data, Photos, iMessage conversations, Desktop, Documents & more
Application Security
Cryptography
Certificates
Cryptographic Validation (FIPS 140-2)
Common Criteria Certification (ISO 15408)
Commercial Solutions for Classified (CSfC)
Security Configuration Guides
Privacy
Data Randomization
Obscured, Random Unique Identifiers
API’s designed to protect user identity
App Security
Identity of developers verified for the apps available through App Store
Code signing
Keychain architecture
Runtime security
Gatekeeper
Security feature that helps prevent users from installing malicious apps.
Code Signing
Mandatory application signing*
Ensures app integrity and authenticity
Verified during app launch and runtime
Just Do 3 Things
• Update your junk
• Good password management
• Listen to your Mac (a.k.a. don’t do anything stupid.)
MacAdmins Slack
We’ve Finished!!!!
