Apple macOS 14 (Sonoma) STIG

Hard 20 items · 4 hours
testuser Published 2 months ago

This checklist summarizes practical security configuration tasks to align Apple macOS 14 (Sonoma) endpoints with DoD STIG guidance. It’s for system administrators, IT security teams, and anyone responsible for hardening macOS devices in managed environments.

Source: https://ncp.nist.gov/checklist/1078

  1. Inventory macOS 14 devices — Identify all Sonoma devices in scope for STIG implementation.
  2. Enroll devices in MDM — Ensure all managed systems are enrolled for configuration and policy enforcement.
  3. Apply latest Apple security updates — Install all current macOS 14 security patches and firmware updates.
  4. Enable FileVault full-disk encryption — Turn on FileVault to protect data at rest on all devices.
  5. Record each FileVault recovery key securely — Store keys in MDM or an encrypted enterprise vault for recovery.
  6. Verify FileVault encryption status on all devices — Confirm every endpoint reports FileVault enabled and fully encrypted.
  7. Enable System Integrity Protection (SIP) and Secure Boot — Ensure SIP and platform secure boot features are active where supported.
  8. Configure Gatekeeper to allow only signed apps — Restrict execution to Apple-signed or notarized applications via policy.
  9. Enable macOS firewall and stealth mode — Turn on the built-in firewall and enable stealth mode to block unsolicited traffic.
  10. Disable unnecessary sharing and remote services — Turn off Remote Login, AirDrop, File Sharing, and other unused services.
  11. Require strong password policy and screen lock — Enforce complexity, lockout, and idle lock requirements via profile.
  12. Set password complexity and expiration via configuration profile — Deploy profiles that require length, history, and expiration rules.
  13. Set automatic screen lock and require password on wake — Configure short idle timeout and require immediate password after sleep.
  14. Disable Guest and Shared Accounts — Turn off macOS Guest and shared account login to prevent anonymous access.
  15. Configure secure auditing and log forwarding — Enable audit logging and forward logs to a centralized SIEM or log server.
  16. Restrict removable media and external drive access — Use MDM controls to limit or encrypt USB and external storage use.
  17. Install and configure smart card authentication (if required) — Follow supplemental guidance to avoid loss of access when enabling smart cards.
  18. Harden privacy and permissions (TCC) for apps — Audit and restrict applications' access to camera, microphone, and files.
  19. Enforce secure time sync and timezone settings — Configure NTP sources and lock timezone settings to prevent tampering.
  20. Document configurations and maintain STIG compliance records — Log changes, baselines, and evidence to demonstrate ongoing compliance.
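A small verification script, added here as an example and not part of the NCP checklist or its source guidance, that reads the output of Apple's built-in status tools for items 6 through 9 and reports pass or fail per item. The matched strings are the messages these tools print on current macOS releases (an assumption of this example); each check_* function takes captured output as an argument so it can be exercised off-device, and empty or unrecognised output fails closed.

```shell
#!/bin/bash
# Added example (not part of the NCP checklist): verify the state of checklist
# items 6-9 from the output of Apple's built-in status commands on macOS 14.
# Each check_* function takes captured command output as $1 and returns 0 for
# compliant, 1 otherwise. Empty or unexpected output fails closed: a missing
# tool or a changed message must never be read as "compliant".

check_filevault() {   # item 6: output of `fdesetup status`
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}
check_sip() {         # item 7: output of `csrutil status`
  case "$1" in *"System Integrity Protection status: enabled"*) return 0 ;; *) return 1 ;; esac
}
check_gatekeeper() {  # item 8: output of `spctl --status`
  case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}
check_firewall() {    # item 9: output of `socketfilterfw --getglobalstate`
  case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac
}
check_stealth() {     # item 9: output of `socketfilterfw --getstealthmode`
  case "$1" in *"Stealth mode enabled"*) return 0 ;; *) return 1 ;; esac
}

# report NAME CHECK_FUNCTION OUTPUT: print one PASS/FAIL line and count failures.
FAILURES=0
report() {
  if "$2" "$3"; then
    echo "PASS  $1"
  else
    echo "FAIL  $1"
    FAILURES=$((FAILURES + 1))
  fi
}

# Query the live tools on this machine; only meaningful on macOS.
audit_local() {
  local fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  report "FileVault enabled (item 6)"     check_filevault  "$(fdesetup status 2>/dev/null)"
  report "SIP enabled (item 7)"           check_sip        "$(csrutil status 2>/dev/null)"
  report "Gatekeeper enforcing (item 8)"  check_gatekeeper "$(spctl --status 2>/dev/null)"
  report "Firewall on (item 9)"           check_firewall   "$("$fw" --getglobalstate 2>/dev/null)"
  report "Stealth mode on (item 9)"       check_stealth    "$("$fw" --getstealthmode 2>/dev/null)"
  echo "$FAILURES check(s) failed"
  return "$FAILURES"
}

if [ "$(uname -s)" = "Darwin" ]; then
  audit_local
fi
```

The exit status of audit_local is the number of failed checks, so the script can feed an MDM or SIEM collector directly; a FileVault "deferred enablement" state ("FileVault is Off, but will be enabled after the next restart") is reported as a failure until the restart completes.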