
I'm managing a small remote team. We care about security and I want to be sure that our MacBooks comply with at least basic security standards, such as CIS benchmark.

These are the ways I see I could approach this:

  • Writing up policy documents describing security practices and then having everyone read them and apply them in full. This is probably fine for certification purposes, but I doubt the effectiveness in the real world.

  • MDMs such as Kandji and JAMF are too big for us. We don't have a dedicated IT department to manage all devices. Additionally, we are mostly developers and would hate not to have full control over our machines. Finally, we work with a number of contractors, and I can't force an MDM on them.

  • Kolide gets very close to what I want, but it runs on osquery, which essentially gives full control over our machines to a potential bad actor inside Kolide. They have processes in place to prevent that, but ideally, I'd like to avoid someone being able to search for files across all our machines. Again, it would be hard to force our contractors to all install Kolide for the same reasons.

  • Symantec Endpoint Protection sounds like it could be what I need, but it also comes with a ton of features that I don't want, such as a third-party firewall, an antivirus scanner, etc.

  • Finally, I could hand-hold everyone to install github.com/usnistgov/macos_security/ and then run it at regular intervals. But this feels like a lot of manual work that can be forgotten or postponed.

Am I missing something? How do you ensure non-managed devices comply with basic security standards?

schroeder

2 Answers

Endpoint Agents

The only way to do this on non-managed machines with the level of assurance that you appear to want is to install an endpoint agent that reports on the device configuration.

These endpoint agents do not need to block local admin control nor do they need to employ the other features they might have (like firewalls, AV, etc.) or be able to read files and other data.

This idea is gaining quite a lot of traction in the age of "Zero Trust". Some local agent reports to the system it is connecting to that it meets the level of protection defined by policy, else access is blocked (or limited).

Contractors

And, yes, you can require contractors to install a configuration checker on their machines if they are touching your systems, data, or code. If they are producing things on their own to send to you, then it doesn't make sense to require that they install something. But if you are granting access, then it is perfectly fine that you can be assured of the security of the devices connecting to you.

You want me to install what?

And yes, this will mean that all these people (staff and contractors) will need to install something you give them on their personal devices. And yes, they will complain and be concerned about your control and their privacy.

But here's the thing: you have already determined that this assurance is important. So, you either do it or re-evaluate the importance of this assurance. Your staff shouldn't be running insecure devices to do work anyway. And if they are intermixing highly personal activities on a work machine, then you have highlighted a problem that needs addressing.

schroeder

You have covered most of the available options, but there are a few more:

  • Lynis comes close: it's been around since 2007, is open source, and supports all major OSes. The drawback is that it's terminal based, so it depends on how good your team is with running terminal commands.
  • SimpleumCheck is another good option, a UI-based app that is easier for people to use, but lacks centralized reporting of check results.
  • ParetoSecurity is a combination of both of the above: an easy-to-use UI app, with centralized reporting for the admin. The drawback is that it only supports macOS. (full disclosure: I'm the founder)
  • Finally, there's iVerify, which does the same, but for iOS.
zupo
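As an added example (not code from the question, either answer, or any of the tools named above), here is a minimal POSIX shell checker for four of the controls the CIS macOS benchmark covers, written in the spirit of the first answer's "agent that reports configuration state only". The macOS commands and their output strings are standard; the pass/fail evaluation, the report format and the function names are my own, and parsing is separated from command execution so the logic can be exercised on any platform.

```shell
#!/bin/sh
# Added example: a minimal macOS baseline checker that reports control state only
# (no file contents), so a central collector sees pass/fail per control and nothing
# else. Parsing is separated from command execution to keep the logic testable.

# FileVault: `fdesetup status` prints "FileVault is On." when the disk is encrypted.
filevault_ok() { case "$1" in *"FileVault is On."*) return 0 ;; *) return 1 ;; esac; }

# Application firewall: `defaults read /Library/Preferences/com.apple.alf globalstate`
# prints 0 (off), 1 (on), or 2 (on, block all incoming). An unset key reads as empty
# and is treated as a failure, which is the conservative reading.
firewall_ok() { [ "$1" = "1" ] || [ "$1" = "2" ]; }

# System Integrity Protection: `csrutil status` reports "...status: enabled."
sip_ok() { case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac; }

# Gatekeeper: `spctl --status` prints "assessments enabled" when active.
gatekeeper_ok() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# evaluate FDESETUP_OUT ALF_STATE CSRUTIL_OUT SPCTL_OUT
# Prints one "check=PASS|FAIL" line per control; exit status is the number of failures,
# so a wrapper can alert on non-zero without parsing the text.
evaluate() {
  fails=0
  if filevault_ok "$1";  then echo "filevault=PASS";  else echo "filevault=FAIL";  fails=$((fails + 1)); fi
  if firewall_ok "$2";   then echo "firewall=PASS";   else echo "firewall=FAIL";   fails=$((fails + 1)); fi
  if sip_ok "$3";        then echo "sip=PASS";        else echo "sip=FAIL";        fails=$((fails + 1)); fi
  if gatekeeper_ok "$4"; then echo "gatekeeper=PASS"; else echo "gatekeeper=FAIL"; fails=$((fails + 1)); fi
  return "$fails"
}

# Collect live state from the host and evaluate it. Only meaningful on macOS.
collect_and_evaluate() {
  evaluate "$(fdesetup status 2>/dev/null)" \
           "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)" \
           "$(csrutil status 2>/dev/null)" \
           "$(spctl --status 2>/dev/null)"
}

if [ "$(uname)" = "Darwin" ]; then
  collect_and_evaluate
fi
```

Run it from a launchd job or a cron entry and ship the four lines to wherever you already collect logs; the exit status gives you a single alert condition.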