Secure, Contain, Protect... Your Mac: Deploy mSCP with Intune

Imagine a scenario: Your Mac fleet houses a growing universe of data, valuable and vulnerable in equal measure. This ever-expanding data sprawl threatens to spiral out of control, a potential security nightmare. But fear not, for there's a guardian in the wings: mSCP.

This isn't a secret government agency (though it sounds like it could be), but a powerful tool that can revolutionize your Mac data security. Developed through a collaborative effort between the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Lab (LANL), mSCP equips you with a programmatic approach to generating security guidance, empowering you to Secure, Contain, and Protect your Mac data like never before.

This blog post will be your guide to wielding mSCP like a seasoned pro. We'll delve into the "why" and "how" of using mSCP, transforming you from a data security novice into a master of your Mac domain. So, buckle up and get ready to learn how mSCP can be your secret weapon in the fight for watertight Mac data security!

The Mac Data Menagerie: Why We Need mSCP

The ever-evolving landscape of Mac data presents a unique challenge for IT professionals. Here's why mSCP emerges as a vital tool:

Data Deluge: Our Macs accumulate data at an alarming rate. Documents, emails, applications – the list goes on. This sprawl makes it difficult to track, categorize, and secure sensitive information. mSCP helps you classify your data, ensuring proper protection for the most critical assets.
Security Silos: Traditional security solutions often operate in isolation. mSCP offers a unified approach, allowing you to develop a comprehensive security strategy that integrates seamlessly with your existing workflows.
Compliance Conundrums: Navigating a complex web of data privacy regulations can be daunting. mSCP provides a framework for aligning your Mac security practices with compliance requirements, saving you time and headaches.
The Human Factor: Even the most robust security measures can be compromised by human error. mSCP empowers you to implement automated security protocols, minimizing the risk of user mistakes.

The Power of mSCP: Taking Control of Your Mac Security

Now that we've established the urgency of managing your Mac data menagerie, let's dive into the specific benefits mSCP offers:

Streamlined Security Baseline Creation: mSCP provides pre-defined security baselines tailored to different macOS versions. These serve as a starting point, allowing you to customize them based on your organization's specific needs. This eliminates the need to build security configurations from scratch, saving you significant time and effort.
Automated Compliance Checks: mSCP helps you identify gaps between your current security posture and relevant compliance regulations. Imagine being automatically notified of areas needing attention to meet industry standards, like HIPAA or PCI DSS. This proactive approach minimizes the risk of non-compliance penalties.
Risk-Based Prioritization: mSCP doesn't overwhelm you with a laundry list of security settings. It empowers you to prioritize based on potential risk. This allows you to focus on the most critical controls first, ensuring maximum security with efficient resource allocation.
Customizable Guidance Generation: mSCP isn't a one-size-fits-all solution. It allows you to generate detailed security guidance documents specific to your organization's environment. These documents serve as a clear roadmap for your IT team to implement and maintain optimal Mac security.
Centralized Management: Imagine managing security configurations across your entire Mac fleet from a central location. With mSCP, you can achieve this by integrating it with various Mobile Device Management (MDM) solutions. This centralized approach simplifies administration and streamlines security enforcement.

Getting Started with mSCP: Your Guide to Mac Data Security Mastery

Now that you're armed with the knowledge of mSCP's benefits, let's roll up your sleeves and get started! Here's a roadmap to guide you through the mSCP implementation process:

Prerequisites

A Mac with macOS 14.0 or later.
A mobile device management (MDM) solution to configure and distribute settings to Apple devices.
A wireless or wired network to which all of the devices can connect and which provides access to Apple authentication servers and Apple Push Notification service (APNs)

Clone The Repository

Open your browser, access the following URL

It is required that before you use the repository, you go through the wiki to learn more about the repository’s structure.
Open Terminal and type the following command and press Return: mkdir macOS_security
Type the following command and press Return: cd macos_security
Type the following command and press Return:

git clone https://github.com/usnistgov/macos_security.git

Type the following command and press Return: cd macos_security

After you clone the mSCP repository to your Mac, you’ll need to install the required Python and Ruby software.
In Terminal, type the following command and press Return: pip3 install -r requirements.txt --user

Type the following command and press Return: bundle install

You’ve successfully installed the additional software required to use the mSCP.

Explore Your Cloned mSCP Repository

After you’ve cloned the mSCP repository to your Mac and installed the required software, you can explore the mSCP components. You can view the files in the cloned repository using the text editor of your choice.

In Terminal, type the following command and press Return: open ./
Open the baselines folder.

Understand the Rules YAML Format

mSCP offers a library of files stored in a format called YAML. These files, located in the "rules" folder, connect to specific compliance requirements outlined in various security guides and policies. You can view and even edit these YAML files using most code editors, like Xcode or BBEdit.

Each file is organized into specific sections, containing key information needed to build and deploy security baselines for your Mac devices. These sections are already filled with appropriate configurations to get you started. The following table breaks down the purpose of each section within the YAML files.

Generate a Baseline

Security baselines are essentially recipes for keeping your Macs safe. Each recipe utilizes specific ingredients, represented by individual security rules. These rules come with labels, known as metadata tags, that identify which recipes (baselines) they belong to.

Creating these recipes is where the generate_baseline.py script comes into play. This script acts as a special program you can run to search through a collection of pre-defined security rules. You simply tell it a keyword (like "encryption" or "network access"), and the script finds all the rules related to that keyword.

Using those matching rules, the script then creates a customized "security recipe" for you. This recipe, saved as a .yaml file, outlines the specific security settings you need to implement on your Macs. This simplifies documenting and enforcing the desired security posture across your entire fleet. Essentially, the script does all the heavy lifting by finding the ingredients (rules) and putting them together in a clear recipe (baseline) for you. You can find this script within the "scripts" folder of the project you downloaded.

If you are not already in Terminal, open Finder, and select Applications. Click the Utilities folder. Launch Terminal.
Change to the macos_security directory by entering the following command:
cd macos_security
In Terminal, list the available baselines using the following command:
./scripts/generate_baseline.py -l

You will see a list of all of the available default baselines.

For this tutorial, you will use the cis_lvl1 baseline

Generate Guidance

mSCP allows you to take your YAML security rules and transform them into practical instructions for your Mac environment. This process involves a helpful Python script named generate_guidance.py.

If you're not already using Terminal, launch it by going to Applications > Utilities in Finder.
Use the cd command (change directory) to navigate to the directory containing your mSCP files. For example, if you downloaded mSCP to your Downloads folder, you would type cd Downloads/macos_security
Here's the magic part! Type the following command and press Enter:

./scripts/generate_guidance.py -p -s baselines/cis_lvl1.yaml

Explanation of the Flags:

-p: This flag tells the script to generate configuration profiles and PLIST files (special Mac settings files).
-s: This flag instructs the script to create a script for compliance checking. This script helps you verify if your Macs adhere to your security guidelines.
baselines/cis_lvl1.yaml: This part specifies the location of your security baseline file. You can replace cis_lvl1.yaml with the actual filename of your baseline.

Finding the Results

Once the script finishes running, open Finder and navigate back to the macos_security directory. You'll find a new folder named after your baseline (e.g., cis_lvl1). This folder contains all the generated files, including configuration profiles, compliance checking scripts, and human-readable security guidance documents.

You will see a list of all the available default baselines. You now have all the files required to deploy with Microsoft Intune.

Fine-Tuning Security Baselines for Your Needs

While this tutorial won't cover customizing baselines in detail, it's valuable to know how to tailor them to your organization's specific security requirements.

💡

Remember, it's crucial to only modify the fields you understand.

The pre-populated configurations in the baseline files are a good starting point. If unsure about a specific field, it's best to consult the mSCP documentation or seek guidance from a security professional.

Here's the basic idea:

Locate the rule you want to modify within the "rules" folder. Make a copy of this file and move it to a new folder called "custom" (you might need to create this folder yourself). This ensures you don't accidentally alter the original rule.

Right-click on the copied YAML file and select "Open With." Choose your preferred code editor, such as BBEdit or Xcode.
This is where you get to personalize the rule. You can remove any fields you don't need to modify for your organization. Additionally, you can adjust the values within specific fields to align with your security policies.

Understanding the Example:

The provided screenshot (not included here) likely shows the rule file "system_settings_time_server_configure.yaml" opened in Xcode. In this example, you'll see that the time server has been set to "time.apple.com." This represents the specific setting being modified within the rule.

Technical Jargon Explained:

com.apple.MCX: This technical term identifies the payload type as defined by Apple. It essentially defines the category of setting being adjusted.
payload property called timeServer: This refers to the specific property within the payload (setting category) that's being modified. In this case, "timeServer" tells you it's the address of the Network Time Protocol (NTP) server the Mac device should connect to for accurate timekeeping.

By following these steps and understanding the example, you can confidently customize existing security rules in mSCP to create a robust security posture tailored to your organization's needs.

💡

Remember, if you're unsure about modifying specific fields, it's always recommended to consult the mSCP documentation or seek help from a security professional.

Putting Baselines into Action with Intune

Once you've generated baseline files using mSCP, you can leverage them to create a comprehensive baseline within Microsoft Intune. This baseline will consist of three key components:

Profiles: Remember the command you ran earlier to generate guidance? This command not only created human-readable documents but also produced two crucial files:

Audit PLIST file: This file resides in the ../build/{baseline}/preferencesdirectory. It allows you to set exemptions to specific security rules based on your company's unique policies. Think of it as an exception list for security settings.

Mobileconfig files: Each of these files contains the essential parameters required to create configuration profiles within Intune. These profiles essentially translate the security settings from your mSCP baseline into actionable configurations for your Macs.

Scripts: mSCP also generates a compliance script located in ../build/{baseline}/{baseline}_compliance.sh. This script plays a vital role:

Validation: It checks your managed Mac devices to see if they adhere to the security settings defined in your mSCP baseline.
Remediation (Optional): If configured, the script can also take corrective actions (remediation) on devices that don't comply with the baseline. For example, it could automatically activate a specific security setting that's missing on a device.

By combining these components (profiles, audit PLIST, and compliance script), you can establish a robust and automated security baseline for your Macs managed through Intune. This ensures your devices consistently maintain the desired security posture as defined by your organization's policies.

Preparation:

Intune Access: Ensure you have access to the Microsoft Intune admin center.
Device Enrollment: Verify that your Macs are enrolled in Microsoft Intune for device management.

Once you've generated the security baseline components using mSCP, it's time to leverage them within Microsoft Intune to enforce the desired security posture on your Macs. Here's a step-by-step guide for each element:

1. Deploying Baselines (.mobileconfig Files):

Navigate to "Devices" > "Configuration profiles" > "Create profile" in the Intune admin center.
Select "macOS" as the platform for this profile.
Choose "Custom" as the profile type for direct configuration settings import.

Provide a descriptive name and optional description for your profile.

Under "Settings," click "Browse" and select the relevant mobileconfig file generated by mSCP. This file resides in the ../build/{baseline}/ directory (replace {baseline} with your actual baseline name).

Choose the Mac devices or device groups you want to enforce this security baseline upon. Use filters to define specific deployment criteria.
Carefully review the configuration details and click "Create" to deploy the profile to your targeted devices.

2. Deploying Baseline Compliance Script:

Locate the compliance script generated by mSCP in ../build/{baseline}/{baseline}_compliance.sh.
Upload the script and deploy it to the required group.

3. Deploying Audit PLIST:

This step allows exemptions defined in the audit PLIST file to be utilized.

Create a new configuration profile in Intune.
Choose "preference file" as the profile type for importing the PLIST settings.
Enter the path to your audit PLIST file (likely ../build/{baseline}/preferences/{audit_plist_filename}.plist).
Assign this profile to the same devices or groups targeted by the main security baseline profile.

4. Deploying Custom Attributes:

This section explores deploying custom attributes for reporting purposes and we will be creating the below 4 custom attributes:

Baseline version
Exemptions count
Failed compliance check count
List of failed compliance check results

By following these steps and referring to the provided resources for optional configurations, you can effectively deploy the various components of your mSCP-generated security baseline within Intune. This will establish a centralized and automated security posture, ensuring your Macs adhere to your organization's security policies.

Verifying Security Posture: A Simple View for Peace of Mind

Once you've deployed the security baselines generated by mSCP using Intune, you'll gain a newfound sense of control and visibility. Intune provides a user-friendly interface that allows you, the IT admin, to see at a glance the security posture of your entire Mac fleet.

Imagine a dashboard where you can see:

Device Name: This identifies each individual Mac in your fleet.
OS Version: This displays the current macOS version running on each device.
Security Baseline: This crucial column showcases the specific mSCP-generated security baseline that's currently enforcing settings on each Mac. With a single glance, you can verify which security profile is in effect for each device.
Status: This column displays a clear indicator of the deployment status for each baseline on each Mac. Ideally, it will show "Success," signifying a successful deployment. However, it could also indicate any potential errors that might have occurred during deployment.

This centralized view empowers you to easily identify Macs that:

Lack a security baseline altogether.
Have outdated baselines that require updates to ensure they adhere to the latest security standards.
Might have encountered deployment errors, requiring troubleshooting to ensure proper security enforcement.

The Power of Visibility

By leveraging mSCP and Intune, you gain a clear and concise picture of your Mac security landscape. This allows you to take proactive measures to:

Ensure all Macs are protected by a robust security baseline.
Identify and address any deployment issues promptly.
Maintain a consistent and centralized security posture across your entire Mac fleet.

This newfound visibility translates to peace of mind, knowing your Mac data is shielded by a comprehensive and well-managed security strategy.

Conclusion: Mastering Mac Security with mSCP and Intune

mSCP empowers you to craft robust security baselines specifically for your Macs. With a few clicks in Intune, you can effortlessly deploy these baselines to your entire fleet. Intune's user-friendly interface provides a centralized view of your Mac security posture, allowing you to identify missing baselines, outdated configurations, and potential deployment errors. Optional features like automated compliance checks and detailed reporting offer even deeper insights. By leveraging mSCP and Intune, you gain complete control over Mac security, ensuring your data remains protected and your organization stays secure. Explore mSCP today and experience the power of automated security baselines!

💡

All the scripts and baselines used in this blog will be uploaded to my GitHub by tonight, so you can get started right away!