How to secure data on Mac machines using Mobile Device Manager Plus?

Description

With the growing adoption of Macs in organizations, it has become imperative to manage and secure these machines along with the data stored on them. While Apple provides various options to secure the data and apps on a Mac, Mobile Device Manager Plus allows admins to apply these configurations and restrictions to devices in bulk. This document explains the configurations and restrictions supported by Mobile Device Manager Plus to protect the data and apps on Macs.

Resolution

The following configurations help improve data security on Macs:

  1. Enroll Macs in bulk: With MDM, admins can enroll their Macs using Apple Business Manager (ABM)/Apple School Manager (ASM). This ensures the machines are supervised and the users cannot remove them from management.
  2. Stringent passwords: MDM allows the admins to mandate the length, type and other aspects of the passwords that can be set on the machines. This ensures that the password set on the Mac is compliant with the organization's policies.
  3. FileVault: FileVault encrypts the data on the Mac using a 256-bit key, which ensures the data can be accessed only by authorised users. In addition to the Personal Recovery Key, MDM lets admins encrypt the data using a certificate (Institutional Recovery Key) or with a combination of both.
  4. Gatekeeper: Gatekeeper verifies downloaded apps before allowing them to run on the machine, which prevents malicious apps from being run. With MDM, admins can ensure that only apps downloaded from the App Store, or apps developed by identified developers, can run on the machine.
  5. Firmware passwords: A firmware password prevents the device from being booted from any internal or external disk other than the default startup disk. This is important to prevent the theft of the physical device. This password can be set in bulk on machines using MDM.
  6. Geotracking: MDM lets admins track the location of Macs so that they know where each machine is at all times. A lost machine can also be tracked so that its latest location is known and it can be retrieved.
  7. Data protection: If the device is lost and cannot be retrieved, the data can be protected by wiping either the corporate data (corporate wipe) or all data on the machine (complete wipe).
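The password, FileVault and Gatekeeper settings in items 2 to 4 reach a Mac as payloads of an Apple configuration profile (a `.mobileconfig` plist), which is what an MDM server pushes to enrolled devices. As an added example that is not part of this article and is not Mobile Device Manager Plus code, the Python script below builds such a profile with the standard `plistlib` module and then runs a simple compliance check over a constructed device inventory. The payload types and keys are Apple's documented configuration-profile keys; the reverse-DNS identifier prefix, the chosen policy values, the inventory records and the check logic are assumptions made for illustration.

```python
import plistlib
import uuid

# Apple's documented PayloadType values for the three settings the article
# lists; the policy values set below are illustrative choices, not a standard.
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
FILEVAULT_PAYLOAD = "com.apple.MCX.FileVault2"
GATEKEEPER_PAYLOAD = "com.apple.systempolicy.control"

ORG_ID = "com.example.mdm"  # hypothetical reverse-DNS prefix for PayloadIdentifier


def _payload(payload_type, name, settings):
    """Wrap a settings dict in the common keys every profile payload needs."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.{name.lower().replace(' ', '-')}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **settings,
    }


def build_mac_security_profile(min_password_length=12):
    """Return a profile dict with passcode, FileVault and Gatekeeper payloads."""
    passcode = _payload(PASSCODE_PAYLOAD, "Passcode Policy", {
        "allowSimple": False,               # reject repeating or sequential values
        "requireAlphanumeric": True,        # at least one letter and one digit
        "minLength": min_password_length,
        "maxPINAgeInDays": 90,              # force rotation every 90 days
        "pinHistory": 5,                    # last five passwords cannot be reused
        "maxFailedAttempts": 10,
    })
    filevault = _payload(FILEVAULT_PAYLOAD, "FileVault", {
        "Enable": "On",
        "Defer": True,                      # prompt at next login instead of immediately
        "UseRecoveryKey": True,             # generate a Personal Recovery Key
        "ShowRecoveryKey": False,           # escrow the key rather than display it
        "DeferForceAtUserLoginMaxBypassAttempts": 0,  # user may not skip enablement
    })
    gatekeeper = _payload(GATEKEEPER_PAYLOAD, "Gatekeeper", {
        "EnableAssessment": True,           # Gatekeeper on
        "AllowIdentifiedDevelopers": True,  # App Store plus identified developers
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.mac-security",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mac data security baseline",
        "PayloadScope": "System",
        "PayloadContent": [passcode, filevault, gatekeeper],
    }


def profile_to_mobileconfig(profile):
    """Serialise the profile to the XML plist bytes a .mobileconfig file holds."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dict (the inverse of the above)."""
    return plistlib.loads(data)


def check_compliance(device, profile):
    """Compare a device's reported state with the profile's policy.

    `device` is a dict shaped like an inventory record (constructed here);
    returns a list of findings, empty when the device is compliant.
    """
    by_type = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    findings = []
    want_len = by_type[PASSCODE_PAYLOAD]["minLength"]
    if device.get("password_min_length", 0) < want_len:
        findings.append(f"password policy below {want_len} characters")
    if by_type[FILEVAULT_PAYLOAD]["Enable"] == "On" and not device.get("filevault_on"):
        findings.append("FileVault is off")
    if by_type[GATEKEEPER_PAYLOAD]["EnableAssessment"] and not device.get("gatekeeper_on"):
        findings.append("Gatekeeper assessment disabled")
    if not device.get("supervised"):
        findings.append("not supervised (not enrolled via ABM/ASM)")
    return findings


# Constructed inventory records for two hypothetical Macs, not real device data.
SAMPLE_DEVICES = {
    "MAC-001": {"supervised": True, "password_min_length": 12,
                "filevault_on": True, "gatekeeper_on": True},
    "MAC-002": {"supervised": False, "password_min_length": 6,
                "filevault_on": False, "gatekeeper_on": True},
}


if __name__ == "__main__":
    profile = build_mac_security_profile()
    print(profile_to_mobileconfig(profile).decode()[:300], "...")
    for serial, state in SAMPLE_DEVICES.items():
        print(serial, check_compliance(state, profile) or ["compliant"])
```

The compliance check mirrors the order of the article: supervision (item 1), password policy (item 2), FileVault (item 3) and Gatekeeper (item 4). Firmware passwords and wipes are not profile payloads but MDM commands, so they are outside what this script models.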