macOS Device Endpoint Management Baseline
Overview
Users of Libraries-managed staff macOS devices can perform most admin-level functions on said devices. However, several applications cannot be removed, as they are related to campus cybersecurity initiatives. These applications automatically reinstall themselves if a user attempts to uninstall them so that the macOS device is kept in compliance with campus cybersecurity standards.
Installed Applications & Scripts
BigFix
This application is used for software deployment & profile management of both macOS & Windows devices.
Cisco Secure Endpoint
This application is used to protect devices from malware & alert technologists if malware is detected.
Palo Alto Networks GlobalProtect
This application is used to provide access to campus / GLS / LTG network resources via the corresponding VPN connection.
Post-Enrollment Script
This script is managed via Workspace ONE and is used to:
- rename a macOS device to include the entirety of its serial number;
  - Example: GLS-A1B2C3D4E5F6
- set the time zone of a macOS device to either Central Standard Time or Central Daylight Time; and
- enable Remote Management.
Qualys
This application is used to ensure devices remain in compliance with campus cybersecurity standards.
Workspace ONE Intelligent Hub
This application is used for software deployment & profile management of macOS devices, specifically.
Default Configurations
- An LTG Admin account is added during enrollment with Workspace ONE, the campus Unified Endpoint Manager (UEM) used to manage macOS devices.
  - The password for this account is unique for every macOS device (i.e., no two devices have LTG Admin accounts with matching passwords), and the password changes automatically.
- The macOS firewall is enabled.
- Certain kernel extensions, also known as "kexts," and system extensions are enabled to make deployed software operational.
- Users are allowed to grant both kernel extensions and system extensions permissions for software they install manually.
- The initial login window will prompt for both a username & password.
- A password is required if the macOS device is awakened from sleep mode.
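A technologist can spot-check a device against part of this baseline with a short audit script. The following is an added example, not the Post-Enrollment Script or any other campus tooling; it covers the device name, firewall, login window, and time zone items only. It assumes the `GLS-` prefix from the example name above is fixed and that Central time corresponds to the `America/Chicago` zone.

```shell
#!/bin/sh
# Added example: checks values reported by a macOS device against this baseline.
# Assumptions: "GLS-" is a fixed prefix (from the page's example name) and
# Central time (CST/CDT) corresponds to the America/Chicago zone.

name_ok() {          # $1 = ComputerName, $2 = hardware serial number
    [ -n "$2" ] && [ "$1" = "GLS-$2" ]
}

firewall_ok() {      # $1 = output of `socketfilterfw --getglobalstate`
    case "$1" in
        *"State = 1"*|*"State = 2"*) return 0 ;;
        *) return 1 ;;
    esac
}

login_prompt_ok() {  # $1 = loginwindow SHOWFULLNAME; 1 = name and password fields
    [ "$1" = "1" ]
}

timezone_ok() {      # $1 = target of the /etc/localtime symlink
    case "$1" in
        */zoneinfo/America/Chicago) return 0 ;;
        *) return 1 ;;
    esac
}

check() {            # $1 = description, remaining args = predicate and its arguments
    desc=$1; shift
    if "$@"; then echo "PASS  $desc"; else echo "FAIL  $desc"; failures=$((failures + 1)); fi
}

audit() {            # prints one line per check; returns the number of failed checks
    failures=0
    check "device name is GLS-<serial>" name_ok "$1" "$2"
    check "macOS firewall is enabled" firewall_ok "$3"
    check "login window asks for username and password" login_prompt_ok "$4"
    check "time zone is Central" timezone_ok "$5"
    return "$failures"
}

# Collect live values only on macOS; elsewhere the functions accept sample values.
if [ "$(uname)" = "Darwin" ]; then
    serial=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
    audit "$(scutil --get ComputerName)" "$serial" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null)" \
        "$(readlink /etc/localtime)"
fi
```

The script exits with the number of failed checks, so a zero exit status means every audited item matched.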