MacOS security with Brian Lamantia


Jeremy Cherny Podcast

“I’ve been doing this for a few years now, just completely involved in that. And I use that to ride security down to our macOS users in our environment. We’re fully integrated with an MDM. We use Jamf, which is one of the premier MDM providers out there. So I’ve been using them for the whole duration, for about three years now, since we set up the infrastructure and started enrolling our first Macs.”

What was it like enrolling your first Macs?

It was very interesting to start out with because macOS is coming into its own for security with all of the different security features that they’ve been adding. For example, System Integrity Protection and the T2 chip, which is a chip they’re putting on top of the system boards and is a secure enclave for the boot process. So lots of new security features, lots of challenges for an admin like me to integrate those security features into the deployment. In the beginning, we weren’t fully into automated enrollment yet, so it was – get a Mac, get the endpoints on it, get the user set up and then mail it out to them. We didn’t have to image, but we had to do a lot of setup. Then gradually, as things were starting to come around, and when we got enrolled into Apple Business Manager and we became an Apple DEP customer, we were able to then automate enrollment, which was really just an eye-opener – functionally and security-wise – for our C-level folks at our company.

What about that was the eye-opener?

The fact that we could do direct shipping from vendor to employee, and then have them just enroll. Then, all the security endpoints come down – zero imaging and zero-touch. That was huge.

Why is security important in this process, and why is it important to your job as a sysadmin?

It’s important for us because we have auditors that come in to audit our systems. They find that we have to have a certain security stack in place. So those requirements are handed over to our security teams, and they have to work with me closely in order to get those security features in place, which is the primary reason why we have an MDM – to be able to enroll, but also to provide all those things and to provide all the security features to ensure that they’re locked down and safe.

So if you work closely with the security team, what is that relationship like in terms of staying on top of threats? Are they doing research and then handing down policies?

We started out doing our own homegrown policies to try to match the Windows world a little bit, to get everybody familiar. We are just now going to be updating that to basically go off the CIS benchmark. I’ve now been handed that whole guide. So now we’re picking through that one by one to firm up our security and our policy, and then once that policy is set in place, it’s my job to make sure that every box is checked off on my side and enforced, and that we can prove that.

What do you see as the future of security?

Related to macOS, there are lots of changes. A lot of the security features that we use on the macOS side at our company have come because we already have a relationship with that security vendor on the Windows side. But we’re learning that macOS is not the same as Windows; it’s a completely different OS. So some of the conversations I am now having with the security folks are about maybe changing over to some of these newer products that are on the market that are now agentless and also serverless. They actually have a product out there that is agentless and serverless that we could be using that would greatly improve our performance on macOS. It seems like security is ever-evolving, right? I mean, the old days of binary agents, I think those are going to start going away in favor of more MDM- and script-based solutions, even on the Windows side.