I'm managing a small remote team. We care about security and I want to be sure that our MacBooks comply with at least basic security standards, such as CIS benchmark.
These are the ways I see I could approach this:
Writing up policy documents describing security practices and then having everyone read them and apply them in full. This is probably fine for certification purposes, but I doubt the effectiveness in the real world.
MDMs such as Kandji and JAMF are too big for us. We don't have a dedicated IT department to manage all devices. Additionally, we are mostly developers and would hate not to have full control over our machines. Finally, we work with a number of contractors, and I can't force an MDM on them.
Kolide gets very close to what I want, but it runs on osquery, which essentially gives full control over our machines to a potential bad actor inside Kolide. They have processes in place to prevent that, but ideally, I'd like to avoid someone being able to search for files across all our machines. Again, it would be hard to force our contractors to all install Kolide for the same reasons.
Symantec Endpoint Protection sounds like it could be what I need, but it also comes with a ton of features that I don't want, such as a third-party firewall, an antivirus scanner, etc.
Finally, I could hand-hold everyone to install github.com/usnistgov/macos_security/ and then run it at regular intervals. But this feels like a lot of manual work that can be forgotten or postponed.
Am I missing something? How do you ensure non-managed devices comply with basic security standards?
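Example added here (not from the original post or from the NIST macos_security project): a small POSIX shell self-check that a team member could run locally, for instance scheduled with launchd, to report on a handful of CIS-style controls. Each check_* function parses the text output of the named macOS tool, so it can be tested on constructed strings; the exact output wording matched is an assumption about those tools.

```shell
#!/bin/sh
# Minimal CIS-style self-check for an unmanaged MacBook (added example).
# Parsers take the tool output as $1 so they work on constructed strings;
# report() runs the real tools and prints one PASS/FAIL line per control.

# `fdesetup status` is assumed to print "FileVault is On." when encrypted.
check_filevault() {
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# `socketfilterfw --getglobalstate` is assumed to print "Firewall is enabled".
check_firewall() {
  case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac
}

# `spctl --status` is assumed to print "assessments enabled" for Gatekeeper.
check_gatekeeper() {
  case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# `csrutil status` is assumed to print "...status: enabled." when SIP is on.
check_sip() {
  case "$1" in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print PASS/FAIL for one control; $1 = check function, $2 = tool output,
# $3 = human-readable control name. Counts failures in the global $fails.
control() {
  if "$1" "$2"; then printf 'PASS %s\n' "$3"
  else printf 'FAIL %s\n' "$3"; fails=$((fails + 1)); fi
}

# Run every control against the live system. Missing tools (non-macOS host)
# yield empty output and therefore FAIL, which is the safe default.
# Returns the number of failed controls, so a scheduler can alert on non-zero.
report() {
  fails=0
  control check_filevault "$(fdesetup status 2>/dev/null)" "FileVault disk encryption"
  control check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" "Application firewall"
  control check_gatekeeper "$(spctl --status 2>&1)" "Gatekeeper"
  control check_sip "$(csrutil status 2>/dev/null)" "System Integrity Protection"
  return "$fails"
}
```

Scheduling it with a launchd agent and mailing or posting the FAIL lines somewhere the team can see them gives you the periodic check without giving any third party query access to the machine.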