macOS Device Endpoint Management Baseline

This KB provides a summary of applications and configurations present on all Libraries-managed staff macOS devices.

Overview

Users of Libraries-managed staff macOS devices can perform most admin-level functions on these devices. However, several applications cannot be removed because they are part of campus cybersecurity initiatives. These applications automatically reinstall themselves if a user attempts to uninstall them, so the macOS device stays in compliance with campus cybersecurity standards.


Installed Applications & Scripts

BigFix

This application is used for software deployment & profile management of both macOS & Windows devices.

Cisco Secure Endpoint

This application is used to protect devices from malware & alert technologists if malware is detected.

Palo Alto Networks GlobalProtect

This application is used to provide access to campus / GLS / LTG network resources via the corresponding VPN connection.

Post-Enrollment Script

This script is managed via Workspace ONE and is used to:

  • rename a macOS device to include the entirety of its serial number;
    • Example: GLS-A1B2C3D4E5F6
  • set the time zone of a macOS device to either Central Standard Time or Central Daylight Time; and
  • enable Remote Management.
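The three steps above, written out as an added example script. This is not the Libraries' Workspace ONE post-enrollment script; the "GLS-" prefix comes from the KB's example name, the "America/Chicago" zone is an assumption (one zone that switches between CST and CDT on its own), and the script must run as root on macOS. With DRY_RUN=1 it prints the commands instead of running them, which is how it can be checked off-device.

```shell
#!/bin/sh
# Added example of the three post-enrollment steps in this KB.
# NOT the Libraries' Workspace ONE script. Assumptions: the "GLS-" prefix
# (from the KB example name) and the "America/Chicago" time zone.
# Run as root on macOS; set DRY_RUN=1 to print commands instead.
set -eu

# Compose the device name and refuse serials that are not plain
# alphanumerics, so a failed or odd ioreg read never becomes a hostname.
build_device_name() {
  case "$2" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
  printf '%s%s\n' "$1" "$2"
}

# Read the hardware serial number from IOKit (macOS only).
get_serial() {
  ioreg -rd1 -c IOPlatformExpertDevice \
    | awk -F'"' '/IOPlatformSerialNumber/ { print $4 }'
}

# Execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "[dry-run] $*"
  else
    "$@"
  fi
}

apply_post_enrollment() {
  name="$1"
  # 1. Rename: set all three name fields so Finder, Bonjour and the
  #    MDM inventory agree on the device name.
  run scutil --set ComputerName "$name"
  run scutil --set HostName "$name"
  run scutil --set LocalHostName "$name"
  # 2. Time zone: a single zone that covers both CST and CDT.
  run systemsetup -settimezone "America/Chicago"
  # 3. Remote Management: activate the ARD agent, access for specified users only.
  run /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -activate -configure -allowAccessFor -specifiedUsers
}

# Usage on a device (as root):  DRY_RUN=1 sh post-enroll.sh --apply
if [ "${1:-}" = "--apply" ]; then
  name=$(build_device_name "GLS-" "$(get_serial)")
  apply_post_enrollment "$name"
fi
```

The serial check matters because the name ends up as the device's HostName: a serial read that fails or returns something unexpected should stop the script rather than be written into the network identity of the machine.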

Qualys

This application is used to ensure devices remain in compliance with campus cybersecurity standards.

Workspace ONE Intelligent Hub

This application is used for software deployment & profile management of macOS devices, specifically.


Default Configurations

  • An LTG Admin account is added during enrollment with Workspace ONE, the campus Unified Endpoint Manager (UEM) used to manage macOS devices.
    • The password for this account is unique for every macOS device (i.e., no two devices have LTG Admin accounts with matching passwords), and the password changes automatically.
  • The macOS firewall is enabled.
  • Certain kernel extensions, also known as "kexts," and system extensions are enabled to make deployed software operational.
    • Users are allowed to grant both kernel extensions and system extensions permissions for software they install manually.
  • The initial login window will prompt for both a username & password.
  • A password is required if the macOS device is awakened from sleep mode.
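An added audit script for three of the defaults listed above (firewall enabled, login window asking for name and password, password required on wake). It is not the campus UEM's compliance check, and the command output formats it matches against are assumptions that should be adjusted to what the installed macOS release prints. Managed values are kept separate from the live lookups so the evaluation can be run against captured output.

```shell
#!/bin/sh
# Added example: audits three items of the Default Configurations list.
# Not the campus UEM's own compliance check. The output formats matched
# below (socketfilterfw, defaults, sysadminctl) are assumptions.
set -eu

# Compare one observed string with an expected shell pattern.
# Prints PASS/FAIL to stderr and echoes 0 (pass) or 1 (fail) on stdout.
check() {
  label="$1"; observed="$2"; pattern="$3"
  case "$observed" in
    $pattern) echo "PASS  $label" >&2; echo 0 ;;
    *)        echo "FAIL  $label (got: $observed)" >&2; echo 1 ;;
  esac
}

# Evaluate captured outputs; echoes the number of failing checks.
#   fw    : output of socketfilterfw --getglobalstate (expect "State = 1")
#   login : SHOWFULLNAME from com.apple.loginwindow ("1" = name+password fields)
#   lock  : output of sysadminctl -screenLock status (expect "delay is ...")
audit_outputs() {
  fw="$1"; login="$2"; lock="$3"
  failures=0
  failures=$(( failures + $(check "Application firewall enabled" "$fw" "*State = 1*") ))
  failures=$(( failures + $(check "Login window asks for name and password" "$login" "1") ))
  failures=$(( failures + $(check "Password required on wake" "$lock" "*delay is*") ))
  echo "$failures"
}

# Collect the live values on macOS. Each command may fail so that a
# missing tool shows up as a FAIL line instead of aborting the audit.
audit_live() {
  fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)
  login=$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || true)
  lock=$(sysadminctl -screenLock status 2>&1 || true)
  audit_outputs "$fw" "$login" "$lock"
}

# Usage on a device:  sh baseline-audit.sh --live   (exit status 1 on any failure)
if [ "${1:-}" = "--live" ]; then
  n=$(audit_live)
  echo "$n check(s) failed"
  [ "$n" -eq 0 ]
fi
```

Items the script does not cover, the per-device LTG Admin password and the approved kernel and system extensions, are managed by the UEM itself and are better verified from its inventory than from the device.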


Keywords:
bigfix, cisco secure endpoint, cisco advanced malware protection, cisco amp, palo alto networks globalprotect, palo alto globalprotect, palo alto, globalprotect, pan, post-enrollment script, qualys, workspace one intelligent hub, workspace one, intelligent hub, ws1, cybersecurity, compliance, software deployment, deploy software, profile management, manage profile, windows, malware, campus vpn, gls vpn, ltg vpn, vpn, serial number, time zone, remote management, ltg admin account, ltg admin, unified endpoint management, uem, mobile device management, mdm, firewall, kernel extension, kext, system extension
Doc ID:
110296
Owned by:
Dylan R. in Libraries
Created:
2021-04-15
Updated:
2024-11-11
Sites:
UW-Madison Libraries