Security for Mac endpoints is an increasingly critical, but typically overlooked, need for enterprises. As macOS grows more prevalent amongst organizations, threat actors have taken notice. Exploits targeting Apple’s operating system increasingly yield good returns for threat actors. Today, privileged access security deficiencies usually lie at the heart of macOS security breaches.
The period of relative security through obscurity enjoyed by macOS has long since passed. Reports and disclosures of vulnerabilities and macOS exploits are no longer uncommon news. Today, many organizations confront a trade-off between the benefits of offering employees their choice of operating system, and the potential security gaps they may be unwittingly introducing. This is not to say macOS is unproven; it is more a reflection of gaps introduced when an industry of security experts who have focused on Microsoft technology is pushed to transition and up-skill in new technology.
Achieving the basics of endpoint security, such as managing Mac user privileges and securing privileged access and privileged credentials, is relatively new ground for any macOS security professional. In many cases, the native macOS platform tools may not be comprehensive enough, and homegrown tools unique to each organization rarely scale.
In this blog, I will explore macOS security, with a focus on privileged access and credential management. We will also cover common macOS security approaches, challenges, and pitfalls found in many organizations today.
Mac Endpoints are No Longer “Niche” in the Enterprise
The dominance of Microsoft Windows in the enterprise desktop computing space has for so long been the norm that it would be easy, albeit a mistake, to think the other players in the space fit within the ‘niche’ category. Apple has proven itself a force to be reckoned with in the business world, just as it is amongst consumers in the personal computing space.
Organizations once stood firm against ever-growing employee demand for Mac devices. However, momentum for Macs continues to erode this once rigid adherence to Windows-only IT stacks across enterprise, non-profit, and public agency environments. macOS devices were once only seen in relatively young companies that lacked legacy infrastructure baggage, but the tide is quickly turning.
Today, there are many notable examples of large organizations across all verticals who provide macOS devices to their employees. IBM, one of the first large enterprises to offer macOS devices, has been a major proponent of Apple in the Desktop estate. The likelihood of receiving a silver, unibody laptop on your first day at work is higher today than ever before. In fact, a recently published Parallels survey reported that 55.7% of small to medium-sized enterprises (SMEs) now use or permit the use of Macs. Consequently, the attention of IT organizations, long enjoyed by Windows, is now being cast towards macOS.
macOS Security Becomes a Priority
The increased enterprise deployment of macOS is being equally enjoyed by malware authors and threat actors looking to exploit Mac security oversights across the enterprise. While organizations tend to invest ample human and financial resources in securing their Wintel environments, this same diligence is often not applied equally across macOS environments. Often, large security gaps are inadvertently created in the interest of deploying Mac devices quickly, especially to VIP users who may overrule concerns regarding security. The uptick in macOS security-related tools, features, and high-profile macOS endpoint security incidents over the last few years has reflected this.
Apple has continued to focus more on security. This is evidenced by their development or enhancement of native OS tools, such as System Integrity Protection (SIP), Gatekeeper, read-only system volumes, and their effort to kick developers out of the kernel (the “Endpoint Security System Extension”) in recent years. Many macOS sysadmins are painfully aware of security and privacy changes made in Catalina. Apple's macOS Catalina enforced granular permission sets on third-party software for things like file system access, screen sharing, etc., which often require administrative privileges to approve.
Challenges and Shortfalls of macOS Privilege Management
One of the most basic security tenets now being applied to macOS is privileged access management, and it shapes the approach businesses must take. While there are architecture-specific nuances to any attack chain, the basics remain the same. Unless an attacker can exploit a privilege escalation vulnerability, malware looks to gain persistence. This is ideally accomplished through access to a privileged user or a vulnerability in a privileged application plugin or framework.
Ultimately, the same attack surface borne by uncontrolled privileged access in the Windows space applies to macOS. The importance of managing privileged access on a macOS device is also gaining parity with that of Windows devices in compliance frameworks. To address the wave of macOS devices entering the enterprise, many organizations have built ad hoc privileged access “solutions”. However, these in-house solutions are almost never architected to the robustness needed for the macOS privileged security problem.
macOS populations are no longer isolated islands within any given organization. Today, Mac endpoints require the same level of security scrutiny as Windows endpoints. In many cases, macOS devices are just as interconnected to internal resources, infrastructure, and cloud-based resources as their Windows counterparts. Thus, Mac endpoints demand enterprise-class protection.
Today, few organizations are addressing these security problems with comprehensive, defense-in-depth strategies that include privileged account management in any meaningful way. On the other hand, risky security practices that invite malware infections, hacker assaults, and insider threats proliferate. Here’s a short list of prevalent macOS security malpractices:
- Creating a single admin password across all devices (risky, but surprisingly common)
- Allowing users to request ‘temporary’ administrator rights
- Tools such as MakeMeAnAdmin can be made available for users to self-service their own privilege elevation, potentially for hours or days at a time. The Service Desk may or may not be involved; in many cases users are able to access these tools themselves!
- Giving users access to a secondary privileged account, or elevating their primary identity to an administrator
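As an added example (not code from the original post or from BeyondTrust), a small shell audit that checks a Mac for two of the malpractices listed above: standing admin-group membership beyond an allowlist, and password-less sudo rules. The allowlist, account names and sudoers lines are constructed sample values; on a Mac with dscl available it reads the live admin group and sudoers instead.

```shell
#!/bin/sh
# Added audit helper, not from the post. Flags standing membership in the
# macOS "admin" group beyond an allowlist, and password-less sudo rules.
# Parsing is kept separate from collection so the checks run on captured
# output as well as on a live Mac.

# Accounts expected to keep admin rights (e.g. a managed break-glass
# account). Constructed example values; adjust to your own estate.
ALLOWED_ADMINS="root admin breakglass"

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_MEMBERSHIP='GroupMembership: root admin breakglass jsmith dev-build'

# Constructed sample sudoers content with one risky, active rule.
SAMPLE_SUDOERS='# Defaults specification
%admin ALL=(ALL) ALL
jsmith ALL=(ALL) NOPASSWD: ALL
# devops ALL=(ALL) NOPASSWD: ALL'

# Print admin-group members missing from the allowlist, space separated.
unexpected_admins() {
  membership="$1"; allowed="$2"; out=""
  for user in ${membership#GroupMembership: }; do
    case " $allowed " in
      *" $user "*) ;;             # allowlisted, skip
      *) out="$out $user" ;;
    esac
  done
  printf '%s' "${out# }"
}

# Print active (uncommented) sudoers lines that grant NOPASSWD.
nopasswd_rules() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD'
}

# Collect from the local Mac when dscl is available; otherwise use samples.
audit_host() {
  if command -v dscl >/dev/null 2>&1; then
    membership=$(dscl . -read /Groups/admin GroupMembership)
    sudoers=$(sudo cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)
  else
    membership="$SAMPLE_MEMBERSHIP"; sudoers="$SAMPLE_SUDOERS"
  fi
  echo "Unexpected admin accounts: $(unexpected_admins "$membership" "$ALLOWED_ADMINS")"
  echo "Password-less sudo rules:"; nopasswd_rules "$sudoers"
}

audit_host
```

Run it from an MDM script or a scheduled job and alert on any non-empty result; an empty allowlist apart from the break-glass account is the goal the rest of the post argues for.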
If these malpractices are well known, why do they occur? The reasons are varied, but usually compounded by the types of user we see using a macOS device in the enterprise space. Two types of users we often see here are:
1. Executives: VIP users are often the first to be granted a macOS device upon request. VIP users may pave the way for the IT organization to deploy a software stack around them. This VIP deployment then supports further expansion of a macOS environment. These users are often frequent travelers and require rapid resolution to any IT-related issues they may run into. Since these users may stay disconnected from the network for long periods of time, something as simple as a change to their WiFi settings would require administrator-level privileges to be granted to them. Without a comprehensive tool set whereby the Service Desk or IT can remotely grant administrator permissions to that user for a specific purpose, the users could quickly have their productivity and access disrupted. Consequently, standing privileges (also called persistent privileged access) are often given to these users to prevent this from happening in the future.
2. Developers: For one of the most technical user bases in any given organization, flexibility is key. Outside a complex, core set of applications they may use, such as Xcode or other compilers, these users are usually characterized by their variability. They’ll almost constantly be:
- Running new code
- Installing and uninstalling new applications
- Using command line tools, such as Homebrew
- Leveraging virtualization platforms, such as Docker
- Making heavy use of ‘sudo’ to perform privileged device operations
If a developer were to run as a standard user, the Service Desk would need to help provision admin privileges so frequently that it would likely necessitate one or more full time staffers dedicated to this purpose.
Both of the above user groups are similar in that any impact to their productivity gets immediate attention, and any potential security concerns often take a backseat to business continuity.
The market for enterprise-class, security-focused software for macOS devices is significantly younger than the Wintel equivalent. Sysadmins and security teams who oversee their macOS deployments often wear many hats and/or may be the sole technical professional managing their estate. With so many competing priorities, these IT professionals are pressured to only implement readily available and rapidly deployed tools (“the low-hanging fruit”). Such endpoint security tools would typically include antivirus software and an MDM solution. In some cases, this may also include an identity bridging solution to allow the users’ primary identity to be used in the macOS estate. Unfortunately, none of these solutions, nor Apple themselves, has made it any easier to tackle the basics of Privileged Access Management.
It is worth noting that any new macOS device you purchase today will automatically give your initial user account administrator privileges. The rare few users who remove those rights would quickly find themselves unable to perform all but basic tasks, such as web browsing.
As we strive to implement scalable solutions to these macOS privileged access challenges, it’s critical to evaluate any potential solution with the following criteria:
- Supports true least privilege for all user types, including highly technical users and even remote users
- User-friendly and frictionless to the workflow to ensure adoption is high
- Easy for the Service Desk to manage, and does not introduce the same burden it is meant to alleviate
- Out-of-the-box functionality with minimal ongoing management means even ultra-lean macOS IT teams can deploy it rapidly
- Provides detailed audit records and reporting, and can zero in on the who, what, when, and where of sessions
Holistically Addressing Privileged Access Security for macOS Environments
A common limitation of home-grown privilege management solutions is that they require users to be on the internal network to support exceptions. Enterprise-class privileged access management (PAM) solutions give users the flexibility to request one-off access from the service desk, even while disconnected from the internal network, or be granted auto-approved, but audited, access to better support technical or executive-type users and their needs.
Organizations that want to effectively tackle their macOS privileged access problems should look to implement the following:
- A comprehensive password management solution that randomizes ‘break-glass’ administrator passwords
- An endpoint-based solution that allows for granular access to macOS privileges from the safety of a standard user account.
Secure credential management of privileged accounts is crucial to minimizing your endpoint attack surface and providing a ‘backup’ admin account in case all else fails. However, endpoint privilege management (EPM) is what empowers your users to perform approved, privileged tasks without requiring administrator rights in the first place. Each of these solutions is also a component of the industry-leading privileged access management platforms.
For developers, the PAM tool must be comprehensive enough to accommodate their complex software needs, while minimizing any resource utilization that would degrade performance. This includes granular control and auditing of sudo commands, Homebrew usage, installation and uninstallation of software, privileged functions within compilers such as Xcode, and the myriad other privileged functions that exist within macOS. Ideally, an effective endpoint privilege management solution should minimize the need for an actual administrator account to ever exist.
Most importantly, these solutions should empower your macOS IT staff to support rapid, successful deployments using out-of-the-box configurations. A sysadmin has more than enough on their plate. They do not want to dedicate their days managing a single solution; these tools must start simple and stay simple.
Mac endpoint privileged access risks will continue to endure as hard problems to solve for any organization given the limited native tools provided by their chosen operating system. This is compounded by the common misconception that native tool sets provide adequate privileged access controls. Products running on macOS are no different. However, through thoughtful planning and the investment in enterprise-class Privileged Access Management solutions early in the adoption of a macOS environment, drastically mitigating the risk of privileged access and meeting an expanding list of compliance requirements is well within reach.
Our strong recommendation is to address privileged access security concerns early, as some users may be resistant to any change, no matter how slight. Do this right to get ahead of the curve—not just in terms of risk reduction, but in achieving compliance, in keeping your users happy and productive, in reducing costs associated with servicing macOS devices, and in making sure that macOS in the enterprise has a sustainable future.
Max Berg, Senior Solutions Engineer
As a Senior Solutions Engineer at BeyondTrust, Max works with organizations to achieve their security and compliance goals, while ensuring their businesses, as well as their end users and IT staff, remain flexible and productive. Since joining BeyondTrust (formerly Avecto) in 2015, Max has worked with large enterprise, public sector agencies, as well as small-medium businesses across North America and Europe, spanning the most highly technical and the most highly regulated industries and verticals. He has over 5 years’ experience delivering successful least privilege, application control, credential management, and secure remote access projects for both desktop and server environments, both for on-premises and cloud-based IT infrastructure.