The macOS Security Baseline Every Business Should Have in 2025
Most small business Macs are running with default settings — which is far from secure. Here are the essential security controls every organisation should enforce on their Apple fleet.
When a MacBook leaves Apple's factory, it's configured for the broadest possible compatibility — not for enterprise security. The defaults are reasonable for a personal machine, but a business fleet needs a deliberate security baseline applied consistently across every device.
Here's what a solid macOS security baseline looks like in 2025, and how to enforce it with Jamf.
1. FileVault Encryption — Always On
FileVault is Apple's built-in full-disk encryption. If a device is lost or stolen and FileVault is off, the data on it is recoverable by anyone with basic tools. If it's on, the disk is unreadable without the user's credentials.
What to do: Enforce FileVault via an MDM configuration profile. In Jamf, this is a one-click setting in a Disk Encryption configuration profile. Crucially, escrow the recovery key to Jamf — so if a user forgets their password, IT can recover access without wiping the device.
2. Strong Passcode Policies
The default macOS login allows simple passwords and doesn't enforce any complexity rules. For a business fleet, you want:
- Minimum 12 characters
- At least one number and one special character
- Screen lock after 5 minutes of inactivity
- Require password immediately after screen lock
These are enforced via a Passcode configuration profile in Jamf and applied silently — users don't need to manually change anything.
3. Automatic Updates — Enforced, Not Suggested
macOS shows update notifications, but users routinely dismiss them for weeks. A device running a two-month-old macOS version is missing critical security patches.
What to do: Use a Jamf policy to enforce macOS updates across your fleet. You can specify a deadline (e.g. "update within 72 hours of release") and display countdown notifications to users. No manual IT intervention needed.
4. Firewall — Enabled
macOS has a built-in application firewall that blocks incoming unauthorised connections. It's off by default.
Enable it via an MDM profile. For most business users, the default firewall rules are appropriate — you don't need to customise anything beyond turning it on and enabling stealth mode (which prevents the Mac from responding to network probes).
5. Gatekeeper — Enforced to App Store and Identified Developers
Gatekeeper controls which apps can run on macOS. The three modes are: App Store only, App Store and identified developers, or anywhere.
"Anywhere" is off the table for a business fleet. "App Store and identified developers" is the right default — it allows your known business software while blocking unsigned apps.
This is enforced via a Jamf configuration profile.
6. Remove Local Admin Rights from Standard Users
By default, the first user account created on a Mac is an administrator. That means if malware runs in the user's context, it runs with admin privileges.
Best practice: Standard users should not be local admins. Use Jamf to manage admin rights centrally — either removing admin rights entirely, or using a tool like LAPS (Local Administrator Password Solution) to give time-limited admin access only when needed.
7. Software Restriction — Limit What Can Install
Consider deploying a Jamf policy that prevents installation of known high-risk categories: torrenting clients, crypto-mining software, or apps known to bundle adware.
This isn't about micromanaging employees — it's about reducing the attack surface.
8. Audit Logging
macOS generates security logs. Make sure they're not being lost. For SOC 2 or ISO 27001 aligned businesses, these logs may be required evidence.
Jamf can push scripts to configure unified logging and forward events to a SIEM if required.
Putting It All Together
These eight controls are not complex — but they need to be applied consistently across every device, including devices used by remote staff. Manual configuration doesn't scale.
The right way to enforce this baseline is via MDM configuration profiles deployed through Jamf. Once the profiles exist, every newly enrolled device automatically receives the full security baseline at first boot — no IT technician needed.
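Profiles push the baseline out, but you still want evidence that it stuck on each Mac. As an added example (not Mactaba's or Jamf's own code), the script below audits a device against the controls above and reports the result in Jamf Extension Attribute form; each check_* function parses the output of one macOS command, and the command names and output strings it matches are assumptions about current macOS rather than anything quoted on this page.

```shell
#!/bin/bash
# Audit a Mac against the eight-control baseline and emit a Jamf Extension
# Attribute <result>. The check_* functions only parse command output, so the
# logic can be exercised with captured output on any system; run_audit wires
# in the real macOS commands and is only invoked on Darwin.

check_filevault()  { case "$1" in *"FileVault is On"*) echo PASS ;; *) echo FAIL ;; esac; }        # fdesetup status
check_firewall()   { case "$1" in *"State = 1"*|*"State = 2"*) echo PASS ;; *) echo FAIL ;; esac; } # socketfilterfw --getglobalstate (2 = block all)
check_stealth()    { case "$1" in *"Stealth mode enabled"*) echo PASS ;; *) echo FAIL ;; esac; }   # socketfilterfw --getstealthmode
check_gatekeeper() { case "$1" in *"assessments enabled"*) echo PASS ;; *) echo FAIL ;; esac; }    # spctl --status
check_autoupdate() { if [ "$1" = "1" ]; then echo PASS; else echo FAIL; fi; }                       # defaults read ... AutomaticallyInstallMacOSUpdates
check_not_admin()  { case "$1" in no\ *) echo PASS ;; *) echo FAIL ;; esac; }                       # dseditgroup -o checkmember -m USER admin

# Collapse "control=PASS|FAIL" pairs into COMPLIANT or a list of the failing controls.
summarise() {
  failed=""
  for pair in "$@"; do
    case "$pair" in *=FAIL) failed="$failed ${pair%=FAIL}" ;; esac
  done
  if [ -z "$failed" ]; then echo COMPLIANT; else echo "NONCOMPLIANT:${failed}"; fi
}

# Run the real commands. The console user is checked for admin membership
# because that is the account malware would run as; an empty defaults value
# (key unset) is treated as FAIL.
run_audit() {
  user=$(stat -f %Su /dev/console)
  summarise \
    "filevault=$(check_filevault "$(fdesetup status)")" \
    "firewall=$(check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)")" \
    "stealth=$(check_stealth "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode)")" \
    "gatekeeper=$(check_gatekeeper "$(spctl --status)")" \
    "autoupdate=$(check_autoupdate "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null)")" \
    "noadmin=$(check_not_admin "$(dseditgroup -o checkmember -m "$user" admin)")"
}

if [ "$(uname -s)" = "Darwin" ]; then
  echo "<result>$(run_audit)</result>"
fi
```

Deployed as an Extension Attribute, the NONCOMPLIANT value becomes a Smart Group criterion, so Macs that drifted from the baseline can be targeted for remediation or flagged for the audit trail.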
If you want help building a macOS security baseline for your fleet, get in touch with Mactaba IT. We'll audit your current setup and implement the controls your environment needs.
Need help with Apple device management?
We specialise in Jamf-based MDM for Gulf businesses. Get in touch for a free consultation.
