WHITE PAPER

Filling the Gap:

macOS Security

Native privacy and security, but no operating

system is perfect.

The need for security extends across every operating system and macOS is no
exception. Apple has invested heavily to provide native privacy and security features,
but the value of attacking the Mac platform increases as its enterprise market share
increases, making it a more desirable target for Malware, breaches, and vulnerability
discovery. More than ever, companies allow their employees to use macOS through
employee-choice programs. In doing so, they realized that just like any other platform,
additional security and visibility are needed.   

Several security vendors offer additional solutions to protect Mac, but many of
these solutions use a security model specific to the vendor and their Windows
product instead of working with modern frameworks that macOS provides.
This makes it difficult to keep up with an ever-changing operating system.
Instead, best practice is to extend the existing macOS security model, fill in the
gaps, and add the macOS-specific value that security teams need to operate
effectively to keep their organization safe from threats.

And while Apple operating systems protect both the user and their privacy, ease of
use and productivity have always been top priorities. The Apple experience is heavily
focused on the user rather than the business in which they operate. The same can be
said for many of the security and privacy features in macOS.
 You’ll learn:
• Details of available built-in macOS
In our white paper, we provide an security features
overview of the current state of macOS • How Jamf enhances these features in
security and provide guidance on the enterprise

how Apple’s security baseline can be • How Jamf extends threat detection
beyond signatures and built-in features
enhanced in an efficient, effective and
• Additional ways to extend Apple’s
user-friendly manner.
security model for advanced
enterprise security

Applications on macOS center of Apple’s verification checks. What began in

macOS as an option to allow programs to run depending
Apple has put a great deal of effort into designing
on their risk appetite has evolved into an expanded
security features to protect the user and the third-party
and strict set of requirements and mitigations. The
applications they run. In this section, we will introduce
basic acceptance levels to allow apps downloaded
several of these features and talk about ways in which
from the “App Store” or “App Store and identified
they can be strategically enhanced and extended.
developers” still exist, but the option to run problematic
For more insight into Apple security features, visit
or risky code continues to be marginalized.
Apple’s comprehensive platform security guide at:
support.apple.com/guide/security. Note that these checks only apply to applications
downloaded from the internet. Apple tracks these
Verify trust with Gatekeeper. applications by attaching additional metadata to the
downloaded file, known as the quarantine attribute.
Apple’s preferred and most trusted path for
When a program is executed, Gatekeeper performs
installing third-party applications is through the App
a series of checks such as verifying the quarantine
Store. Doing so allows Apple to review and screen
attribute to determine if it can execute.
programs that do not meet their standards for privacy,
One of these most basic checks is whether or not the
security or user experience. However, Apple also limits
application is signed by a legitimate developer or
the capabilities of applications in the App Store and
was distributed by the App Store, depending on the
many business-critical applications are not well-suited for
previously discussed setting.
this type of distribution.
If the application is signed by a developer, the certificate
Where distribution from the App Store is not an option,
is checked against a revoked signature database to
Apple allows macOS developers to distribute their
ensure that the signer has not been associated with
applications directly via hosted downloads and other
malware in the past. This way, Apple can quickly revoke
traditional distribution methods. To support these “ad
a certificate and stop widespread distribution of malware.  
hoc” distributions, Apple has introduced other checks
Starting with macOS Catalina, passing the Gatekeeper
into the operating system to reduce the risk of the
verification also requires that the application be
widespread distribution of software across macOS
notarized by Apple. For an application to pass the
devices. Gatekeeper is the name of the feature at the
check, it must be uploaded to Apple for analysis. Upon when an application holds the proper quarantine
successful analysis, notarization data is associated with extended attribute which is updated after the first
the application to note that it has passed this additional successful execution of the application.
level of inspection. MRT, on the other hand, is executed on a scheduled

The ultimate trust lies with the user. basis rather than at program runtime and scans
the file system for specific file names and artifacts
In the name of usability, macOS allows the end user in
associated with past malware and removes them if
many situations to “Override” Gatekeeper. A user can
discovered. This feature is largely intended to find
simply right-click the application and select “open” or
and remediate known threats that may be already
“open with”. Instead of flatly refusing to launch the
executing across the macOS population.
application, a new prompt will simply warn the user that
they are launching an unknown or potentially malicious
Extend Gatekeeper to the enterprise.
application, but Gatekeeper will allow them to do so.
It is important to note that malware that XProtect has Gatekeeper effectively operates as it is intended. It

definitively identified cannot be authorized to run by blocks untrusted applications from launching and it

a user. notifies the user when it identifies an application as

suspicious or malicious. IT and security administrators
Once the application has been executed for the first
need to have visibility into attempts to run untrusted
time, the quarantine component gets updated so that
software on a corporate asset. More importantly, they
the Gatekeeper actions are not repeated the next time
need to be aware that a user decided to right-click and
the application is opened.
launch an application, effectively bypassing a business
security control. To address these enterprise needs,
Block threats with XProtect and MRT.
Jamf Protect — an endpoint security solution purpose-
The Gatekeeper suite of technologies also includes built for Mac — monitors for indications of Gatekeeper
Apple’s signature-based detection mechanisms, known actions and reports the results to a central location so
as XProtect and Malware Removal Tool (MRT). Together that IT and security teams can accurately assess their
they are capable of scanning files on the operating risks and make informed decisions.   
system, looking for traits within files that are associated
Beyond providing visibility into Gatekeeper activity, Jamf
with known malware. XProtect is triggered upon
Protect also allows enterprises to take ownership of the
application launch, while MRT periodically scans the
developer trust model by registering additional signing
file system.
information as untrusted in the enterprise environment.
XProtect operates using a binary signature Using Apple’s latest Endpoint Security API, Jamf Protect
scanning engine called Yara. Yara supports flexible will proactively deny execution of any application on the
and powerful binary signature definitions and an enterprise-specific block list. This can be defined on a
efficient execution engine. To verify an application, per-application level (application ID) or on a per-vendor
XProtect scans each executable download on initial level (developer team ID).
execution and after subsequent updates. If any
matching signatures are detected the program will Furthermore, macOS does not provide signatures or
not be allowed to run. The known bad signature file is blocking for a variety of Grayware (potentially unwanted
provided via independent updates to macOS from or unsanctioned software) which includes many adware
Apple. Apple defines and delivers these signatures as and crypto-miner applications that partake in undesired
they see fit, separate from the Yara execution engine and potentially invasive behavior. Often, these programs
itself. Just like Gatekeeper, this scan is only performed are legitimately signed by an Apple developer and the
user agrees at install time to allow their information to be collected or resources to
be used — usually without realizing it. Therefore, in many cases, Apple does not
interfere with the operation of these applications.

However, the risk calculation is simply different in the enterprise and a more
strict and targeted approach may be desired. Therefore, Jamf Protect enforces
its own set of managed Yara rules, binary signatures, and untrusted developer
certificates that are used to scan processes upon execution regardless of whether
or not the quarantine extended attribute is present. This ensures that as new
signatures are added, and the enterprise updates its security posture, existing
applications are rescanned at next execution, not just the first time.

Jamf curates this feed of known Mac-targeted malware based

on Jamf’s extensive research into macOS-targeted threats
as well as third-party Mac threat data. For organizations that
want even more granular control of the software running in
their environment, they can extend the list of applications
blocked by Jamf Protect with their own list of binary hashes,
TeamIDs, etc. When an application executes that matches the
behavior or signature of known malware on macOS 10.15
(Catalina) or later, Jamf Protect will prevent the execution of
that process, quarantine the offending file, and register an
alert that malware was prevented. This operation happens
outside of Gatekeeper/XProtect actions and is designed to
be a superset of their functionality. Jamf Protect will identify
known malware without regard to the quarantine bit to identify
potentially unsafe binaries and maintains a much broader set of
malware knowledge.

Extend the App Store trust model with Self Service.

In certain situations, it may be appropriate to dictate the programs that your
users can install by leveraging a self-service app store pre-populated with IT-
approved resources.  
Jamf Self Service allows for secure and instant resource access by empowering
IT to create its own enterprise app catalog where users can install apps, update
configurations and troubleshoot common issues on their own — without requiring
an IT help ticket.
Control and monitor or report. Game engines are also designed to handle
a massive number of events as they occur in real time,
application behaviors. making them perfect for analyzing activities as they take
Limit and acknowledge application place on the device. Contrast this design to the many
behaviors with privacy controls. security solutions that are focused first on the Windows
platform and then ported to macOS as an afterthought
System privacy controls were introduced in
— or those that require that all of the data be collected
macOS Mojave. These controls require users (or
and analyzed in the cloud.
enterprises) to allow per-application access to
specific actions and folders. Once applications have An additional benefit of GameplayKit is that, like Yara,
been granted access to specific actions, they won’t it separates the execution engine from the detection
be asked when the action takes place from the same definitions, allowing detections to be updated and
application in the future. This feature ensures that expanded without the update to the core agent.
applications are explicitly allowed to access potentially The detection definitions are also native to Apple,
sensitive parts of the OS (webcam, mic, keystrokes, using NSPredicate, a powerful logic query mechanism
downloads) and causes users to slow down and that supports typical query syntax along with regular
acknowledge that they are granting applications expressions. Jamf Protect’s data model has been
access to private data. specifically architected to take advantage of the rich
features of NSPredicate, including its ability to call native
Go beyond controls to audit functions and chain data models together. This unlocks
and analyze application behaviors. capabilities that are messy or computationally expensive
to implement in other, more traditional ways. For
While privacy controls limit what applications are
example, using Jamf Protect’s data model and
authorized to do, users will make mistakes and
NSPredicate we can:
authorizations will be abused. We’ve already covered
how Jamf Protect provides visibility into the actions of • Alert if a file is self-deleted, a common technique
built-in Apple security features and traditional malware/ for covering one’s tracks. This seemingly simple use
adware prevention capabilities to keep enterprises case involves analyzing both the file that is deleted
informed and protected. But at Jamf, we believe that and the process of doing the deletion without an
an endpoint protection solution should not stop there. expensive join operation or hardcoded detection.
Jamf Protect also delivers auditing and monitoring
• Alert if an unsigned or suspiciously signed binary
capabilities traditionally reserved for Endpoint
persisted as a launch daemon. This involves parsing
Detection and Response (EDR) products — but with an
a configuration file, extracting an embedded binary
Apple-first approach and eye on the standards of
path from the contents and using metadata about
privacy and security that macOS users expect.
that binary file in the analysis.

Detection engineering with Jamf Protect • Alert if a Microsoft Office application created

At the core of the Jamf Protect agent is a lightweight, an unexpected child to identify Office Macro

user-mode sensor (without an accompanying text) that exploitation. This example highlights the ability to

leverages one of Apple’s own logic execution engines, understand child/parent relationships and to uncover

GameplayKit. Although using a game engine to analyze exploitation of application features.

security events is non-traditional, it allows Jamf to • Alert if other “live-off-the-land” activities are
remain closely integrated with the Apple ecosystem and being used in ways that are indicative of attacks.
analyze data on the device until necessary to collect This class of activity requires access to
 child/parent and process group relationships, With Jamf Protect, client logs can be streamed to
command line parameters, etc., in order to uncover a system of record as soon as they are written to
abuses of otherwise innocuous activities (curl, ssh, the Unified Log. To ensure that only targeted data
python, etc.) is collected, Jamf Protect admins utilize the same
predicate filter language (NSPredicate) from the built in
• Track USB usage across the enterprise and report
`log stream` command line utility. With that, building
metadata about files that are being written to
systems of records for Mac log data becomes a simple
removable media.
configuration instead of a tedious collection on a
To make it easy to understand the impact of these types machine-by-machine basis. Examples include log-in and
of detections, Jamf Protect maps identified attacks to log-off, SSH, AirDrop and authorization events. If data is
the MITRE ATT&CK framework, if applicable. Coverage
TM logged to the Unified Log, Jamf Protect can collect it.
today includes use cases from across the framework,
including detection of techniques in the following
categories: Align with Apple’s standards.
Day-of-release support
• Persistence
To interface with macOS and gather the data necessary
• Initial Access for security decisions, Jamf Protect leverages native
Apple technologies. These technologies include
• Command and Control
emerging frameworks such as Apple’s Endpoint
• Defense Evasion Security API and the OpenBSM Audit framework prior.
By using these mechanisms, Jamf Protect minimizes its
• Discovery
device impact and does not run afoul of changes in
• Privilege Escalation macOS introduced in patches or major OS releases.
Patching early and often is the most commonly
• Credential Access
recommended security protocol. Security tools that
strongly adhere to day-of-release support are core to
complying with that protocol and a critical component in
Simple Unified Log collection and reporting a comprehensive defense-in-depth security strategy.

Most security analysts and IT administrators have

User experience as a feature
strong needs for endpoint logs as part of a compliance
audit or when looking to close gaps in other security While Jamf Protect continuously monitors application
controls. When macOS moved from syslog files to and user activity for potential threats, it purposely
Unified Logging it became harder to collect, inventory does not scan for dormant or Microsoft Windows-
and inspect this information across the enterprise. The related malware. Scanning files simply residing
macOS Console.app provides great access and visibility on the file system for a large variety of malware
into the Unified Log infrastructure on a local Mac, but signatures is often a primary contributor to a bad user
it does not allow an organization to easily centralize experience. This approach aligns with Gatekeeper/
that data. XProtect in that threats are identified at the time
of potential execution so that the user experience
and user productivity are minimally impacted.
Privacy
Jamf Protect analyzes data on the device and only collects pertinent information
when configured to do so, typically when a potentially malicious or high-interest
activity is detected in real time. This balances enterprise needs with user privacy
as less user data is taken from the device and stored in the cloud. If any malicious
activity is identified, the identified activity and associated data are passed to
the Jamf Protect cloud console or configured Security Information and Event
Management (SIEM) systems. Any specifically requested data beyond that is also
pushed to Jamf Protect or the SIEM. By filtering out all unnecessary data, a security
analyst that is tasked with monitoring and investigating incidents is presented with
a high-quality collection of applicable data.

Other extensions to the Apple security model

Best practice: hardening macOS

While Apple delivers and supports some of the most secure and reliable operating
systems available, it is common to ask what additional steps can be taken to make
macOS an even better fit for your corporate environment.

The best first step is to start leveraging Apple’s mobile device management (MDM)
framework for automated management at scale. Not only will MDM help you better
protect your organization, but it will also take much of the burden of managing and
securing your fleet off of IT.

Introduced with OS X 10.7 (“Lion”), the MDM framework unlocks an incredible

number of workflows to tailor device functionality to the organization’s specific
needs. Configuration profiles and management commands are the two most
common ways to leverage an MDM to ensure teams are secure, wherever they
are working.
Take security with MDM to another level by combining it with the power of Apple
Business Manager, a free solution from Apple for businesses that helps automate
hardware procurement, management and more.

Start with Apple...

Over the years Apple has built a reputation as a security-first company and it shows
in macOS. Native functionality like FileVault 2 encryption, two-factor authentication,
remote lock/wipe functionality and the ability to enforce passcode standards are
available with every new Mac added to an organization’s environment.

Modern management platforms — like Jamf Pro — leverage MDM to take these
features a step further and help customize the implementation, enforcement and
reporting on valuable security tools like encryption.
...Enhance with Jamf. With Jamf Connect, organizations have:

While MDM provides a great cornerstone for any • Streamlined provisioning and authentication
organization, many wonder what else they can do out of the box for full support of remote and
to further enhance their security posture and fortify on-site employees
employee privacy. That’s where Jamf comes in.
• Automated syncing of user identities and
It’s no secret that at a certain scale, device management device credentials
becomes a big drain on team resources. More people
means more hardware, and more hardware means more • IT with full identity management capabilities across

IT overhead. their services and devices

At least, that was true before fleet management • A Zero Trust Network Access (ZTNA) solution to
platforms like Jamf Pro. replace legacy VPNs (virtual private networks) and

With patented technology like Smart Groups to help meets the needs of the modern, hybrid enterprise

organize corporate devices and automatically execute Respond and remediate threats on Mac
management functions, IT teams can spend less time
Jamf Pro provides dashboards that help keep
in the weeds of device management and have more
organizations appraised of the state of their Mac
free time for other day-to-day IT tasks. Smart Groups
devices and flags hardware that needs attention.
will keep a watchful eye over device inventories, adding
Through patented Smart Group functionality, IT admins
and removing devices from a pre-defined group in real
can target devices that need to be updated or patched
time as device status changes.
to improve their security posture. This is all done
Modern identity management on macOS remotely and can be automated, so IT never needs to

At the core of modern security is identity — secure and physically touch the device.

customized access for end users. Legacy IT relies on When pairing Jamf Protect with Jamf Pro, threat
local directory services to act as a centralized record of remediation is taken one step further. Leveraging
employee information, such as name and department. this Smart Group technology, all MDM and Jamf Pro
As security and deployment needs evolve, businesses commands can be orchestrated in response to an
must adopt a new approach to identity and access activity-based alert from Jamf Protect. This includes
management as part of their enterprise strategy. With automated network isolation, failed conditional access,
a complete cloud-based identity stack, businesses user notifications or any number of other targeted forms
unify identity across hardware and software to unlock of remediation and response. Together with Jamf Pro
functionality, advanced workflows and ultimately and Jamf Connect, attacks on a user or device can
transform business. result in credential suspension, access changes and a

Building on information from directory services, cloud- variety of other remediations around identity.

based single sign-on (SSO) ensures end users enter

secure credentials to access company resources.

Jamf Connect extends these common forms of

identity management.

Jamf Connect unifies identity across all company apps

and the user’s Mac, with seamless authentication
workflows. End users leverage a single cloud identity to
easily and quickly gain access to resources they need
to be productive.
Security beyond device management
Read our report on the state of Apple security in
the enterprise, which surveyed 1,500 IT and InfoSec
professionals. It includes current device usage and
approaches, challenges to device security and the
future state of endpoint security.

Trusted Access
Trusted Access is Jamf’s solution to security beyond
management. Trusted Access is a unique workflow
that brings together device management, user
identity and endpoint security to help organizations
create a work experience that users love and a
secure workplace that organizations trust.

By using Jamf Protect with Jamf Pro and leveraging Jamf Connect admins can ensure only trusted users are
accessing corporate applications on trusted and compliant devices. If there is an issue with an infected device, it
can be remediated quickly and brought back into service with Jamf Pro.

Trusted Access with Jamf dramatically increases the security of your modern workplace while streamlining work for
your users — regardless of where work happens.

Manage and secure Apple for unprecedented benefits.

With the right tools in place, IT and Information Security teams can confidently roll out a Mac initiative, verify and
authenticate identity and access, and fully empower users with the resources and access they need — all with the
boxes checked for security and privacy.

Take advantage of Jamf enterprise solutions today and enjoy the visibility and remediation that your modern
organization needs.

Get Started
Or contact your preferred reseller to take Jamf for a free test drive.

www.jamf.com
© 20–3 Jamf, LLC. All rights reserved.