
Secure, Contain, Protect... Your Mac: Deploy mSCP with Intune


Imagine a scenario: Your Mac fleet houses a growing universe of data, valuable and vulnerable in equal measure. This ever-expanding data sprawl threatens to spiral out of control, a potential security nightmare. But fear not, for there's a guardian in the wings: mSCP.

This isn't a secret government agency (though it sounds like it could be), but a powerful tool that can revolutionize your Mac data security. Developed through a collaborative effort between the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Lab (LANL), mSCP equips you with a programmatic approach to generating security guidance, empowering you to Secure, Contain, and Protect your Mac data like never before.

This blog post will be your guide to wielding mSCP like a seasoned pro. We'll delve into the "why" and "how" of using mSCP, transforming you from a data security novice into a master of your Mac domain. So, buckle up and get ready to learn how mSCP can be your secret weapon in the fight for watertight Mac data security!


The Mac Data Menagerie: Why We Need mSCP

The ever-evolving landscape of Mac data presents a unique challenge for IT professionals. Here's why mSCP emerges as a vital tool:


The Power of mSCP: Taking Control of Your Mac Security

Now that we've established the urgency of managing your Mac data menagerie, let's dive into the specific benefits mSCP offers:


Getting Started with mSCP: Your Guide to Mac Data Security Mastery

Now that you're armed with the knowledge of mSCP's benefits, let's roll up our sleeves and get started! Here's a roadmap to guide you through the mSCP implementation process:

Prerequisites

Clone The Repository

 git clone https://github.com/usnistgov/macos_security.git

Explore Your Cloned mSCP Repository

After you’ve cloned the mSCP repository to your Mac and installed the required software, you can explore the mSCP components. You can view the files in the cloned repository using the text editor of your choice.

Understand the Rules YAML Format

mSCP offers a library of files stored in a format called YAML. These files, located in the "rules" folder, connect to specific compliance requirements outlined in various security guides and policies. You can view and even edit these YAML files using most code editors, like Xcode or BBEdit.

Each file is organized into specific sections, containing key information needed to build and deploy security baselines for your Mac devices. These sections are already filled with appropriate configurations to get you started. The following table breaks down the purpose of each section within the YAML files.

Generate a Baseline

Security baselines are essentially recipes for keeping your Macs safe. Each recipe utilizes specific ingredients, represented by individual security rules. These rules come with labels, known as metadata tags, that identify which recipes (baselines) they belong to.

Creating these recipes is where the generate_baseline.py script comes into play. This script acts as a special program you can run to search through a collection of pre-defined security rules. You simply tell it a keyword (like "encryption" or "network access"), and the script finds all the rules related to that keyword.

Using those matching rules, the script then creates a customized "security recipe" for you. This recipe, saved as a .yaml file, outlines the specific security settings you need to implement on your Macs. This simplifies documenting and enforcing the desired security posture across your entire fleet. Essentially, the script does all the heavy lifting by finding the ingredients (rules) and putting them together in a clear recipe (baseline) for you. You can find this script within the "scripts" folder of the project you downloaded.

Generate Guidance

mSCP allows you to take your YAML security rules and transform them into practical instructions for your Mac environment. This process involves a helpful Python script named generate_guidance.py.

./scripts/generate_guidance.py -p -s baselines/cis_lvl1.yaml

Explanation of the Flags:

Finding the Results

Once the script finishes running, open Finder and navigate back to the macos_security directory. You'll find a new folder named after your baseline (e.g., cis_lvl1). This folder contains all the generated files, including configuration profiles, compliance checking scripts, and human-readable security guidance documents.

Fine-Tuning Security Baselines for Your Needs

While this tutorial won't cover customizing baselines in detail, it's valuable to know how to tailor them to your organization's specific security requirements.

💡 Remember, it's crucial to only modify the fields you understand.

The pre-populated configurations in the baseline files are a good starting point. If unsure about a specific field, it's best to consult the mSCP documentation or seek guidance from a security professional.

Here's the basic idea:

Understanding the Example:

The provided screenshot (not included here) likely shows the rule file "system_settings_time_server_configure.yaml" opened in Xcode. In this example, you'll see that the time server has been set to "time.apple.com." This represents the specific setting being modified within the rule.

Technical Jargon Explained:

By following these steps and understanding the example, you can confidently customize existing security rules in mSCP to create a robust security posture tailored to your organization's needs.

💡 Remember, if you're unsure about modifying specific fields, it's always recommended to consult the mSCP documentation or seek help from a security professional.

Putting Baselines into Action with Intune

Once you've generated baseline files using mSCP, you can leverage them to create a comprehensive baseline within Microsoft Intune. This baseline will consist of three key components:

Profiles: Remember the command you ran earlier to generate guidance? This command not only created human-readable documents but also produced two crucial files:

Scripts: mSCP also generates a compliance script located in ../build/{baseline}/{baseline}_compliance.sh. This script plays a vital role:

By combining these components (profiles, audit PLIST, and compliance script), you can establish a robust and automated security baseline for your Macs managed through Intune. This ensures your devices consistently maintain the desired security posture as defined by your organization's policies.

Preparation:

  1. Intune Access: Ensure you have access to the Microsoft Intune admin center.
  2. Device Enrollment: Verify that your Macs are enrolled in Microsoft Intune for device management.

Once you've generated the security baseline components using mSCP, it's time to leverage them within Microsoft Intune to enforce the desired security posture on your Macs. Here's a step-by-step guide for each element:

1. Deploying Baselines (.mobileconfig Files):

2. Deploying Baseline Compliance Script:

3. Deploying Audit PLIST:

This step allows exemptions defined in the audit PLIST file to be utilized.

4. Deploying Custom Attributes:

This section explores deploying custom attributes for reporting purposes. We will create the following four custom attributes:

By following these steps and referring to the provided resources for optional configurations, you can effectively deploy the various components of your mSCP-generated security baseline within Intune. This will establish a centralized and automated security posture, ensuring your Macs adhere to your organization's security policies.
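The reporting described above comes down to combining the findings the compliance script records with the exemptions delivered in the audit PLIST. The following is an added example, not code from this post or from the mSCP project. It assumes each rule is stored as a dict with a boolean "finding" (true meaning the check failed) and each exemption as "exempt" plus "exempt_reason"; the rule IDs and values are constructed sample data.

```python
import plistlib

# Constructed sample data. Assumed layout: the compliance script records one
# dict per rule with a boolean "finding" (True = check failed) plus metadata
# such as "lastComplianceCheck"; the managed plist holds per-rule exemptions.
AUDIT_PLIST = plistlib.dumps({
    "lastComplianceCheck": "Mon Jan  1 09:00:00 UTC 2024",
    "os_airdrop_disable": {"finding": False},
    "os_gatekeeper_enable": {"finding": False},
    "system_settings_firewall_enable": {"finding": True},
    "system_settings_time_server_configure": {"finding": True},
})
EXEMPT_PLIST = plistlib.dumps({
    "system_settings_time_server_configure":
        {"exempt": True, "exempt_reason": "Internal NTP source"},
    "os_airdrop_disable": {"exempt": True, "exempt_reason": "Pilot group"},
})


def is_waived(waivers, rule):
    """True when the exemption plist marks this rule as exempt."""
    entry = waivers.get(rule)
    return isinstance(entry, dict) and entry.get("exempt") is True


def summarize(audit_bytes, exempt_bytes=None):
    """Combine audit findings with exemptions into one posture summary."""
    audit = plistlib.loads(audit_bytes)
    waivers = plistlib.loads(exempt_bytes) if exempt_bytes else {}
    passed, failed, exempt = [], [], {}
    for rule, entry in sorted(audit.items()):
        if not isinstance(entry, dict) or "finding" not in entry:
            continue  # metadata key, not a rule result
        if not entry["finding"]:
            passed.append(rule)
        elif is_waived(waivers, rule):
            exempt[rule] = waivers[rule].get("exempt_reason") or "no reason recorded"
        else:
            failed.append(rule)
    # Exemptions on rules that now pass are stale and can be withdrawn.
    stale = [r for r in passed if is_waived(waivers, r)]
    scored = len(passed) + len(failed)  # exempt rules are left out of the score
    pct = round(100 * len(passed) / scored, 1) if scored else 0.0
    return {"passed": passed, "failed": failed, "exempt": exempt,
            "stale_exemptions": stale, "compliance_pct": pct,
            "last_check": audit.get("lastComplianceCheck")}


if __name__ == "__main__":
    for key, value in summarize(AUDIT_PLIST, EXEMPT_PLIST).items():
        print(f"{key}: {value}")
```

Reporting stale exemptions separately keeps waivers from outliving the finding they were granted for.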


Verifying Security Posture: A Simple View for Peace of Mind

Once you've deployed the security baselines generated by mSCP using Intune, you'll gain a newfound sense of control and visibility. Intune provides a user-friendly interface that allows you, the IT admin, to see at a glance the security posture of your entire Mac fleet.

Imagine a dashboard where you can see:

This centralized view empowers you to easily identify Macs that:

The Power of Visibility

By leveraging mSCP and Intune, you gain a clear and concise picture of your Mac security landscape. This allows you to take proactive measures to:

This newfound visibility translates to peace of mind, knowing your Mac data is shielded by a comprehensive and well-managed security strategy.


Conclusion: Mastering Mac Security with mSCP and Intune

mSCP empowers you to craft robust security baselines specifically for your Macs. With a few clicks in Intune, you can effortlessly deploy these baselines to your entire fleet. Intune's user-friendly interface provides a centralized view of your Mac security posture, allowing you to identify missing baselines, outdated configurations, and potential deployment errors. Optional features like automated compliance checks and detailed reporting offer even deeper insights. By leveraging mSCP and Intune, you gain complete control over Mac security, ensuring your data remains protected and your organization stays secure. Explore mSCP today and experience the power of automated security baselines!

💡 All the scripts and baselines used in this blog will be uploaded to my GitHub by tonight, so you can get started right away!
