macOS Cyber Essentials Plus Checklist, the Per-Control Engineering Reference
Net Sec Group is an IASME and NCSC certification body. Across our 800-plus engagement history, macOS estates run from sole-trader single-device deployments to design agencies with multi-hundred-device fleets, and every CE Plus engagement on a Mac fleet runs the same five controls against the macOS configuration. This article is the engineering checklist for a CE Plus macOS engagement: each of the five controls mapped onto macOS configuration, with the configuration the assessor accepts, the evidence format the assessor expects, and the rejection patterns we see at audit.
For the broader CE Plus assessment-day reference, see the CE Plus Assessment Guide. For the BYOD Mac scoping question, see Cyber Essentials BYOD Device Classification on netsecgroup.io. For the Windows equivalent of this article, see Windows 11 hardening for CE Plus on this site.
The 5-row macOS hardening table
Each row names the CE Plus control, the macOS configuration the assessor accepts, and the evidence format the engineer captures.
| Control | Configuration the assessor accepts | Evidence format |
|---|---|---|
| Boundary Firewalls and Internet Gateways | Application firewall on (Block all incoming connections except for essential services or Block all incoming connections except for the apps allowed below with documented exception list); PF rules where used (typical for designer fleets running shared services) | Per-device screenshot of System Settings > Network > Firewall or output of socketfilterfw --getglobalstate; PF configuration file export (/etc/pf.conf) where customised |
| Secure Configuration | macOS Security Configuration baseline applied via MDM (typically Jamf, Mosyle, Kandji, or Microsoft Intune for Mac), Guest user disabled, automatic login disabled, screensaver password requirement on, signed system volume integrity verified | MDM configuration profile export; system_profiler SPSoftwareDataType output showing macOS version and build; csrutil status showing System Integrity Protection enabled |
| User Access Control | FileVault on with institutional recovery key escrow to MDM (Jamf, Intune, Mosyle); standard user accounts only on day-to-day work; admin account separate and used only for elevation prompts; iCloud personal accounts not signed in to in-scope devices for organisational data | MDM FileVault recovery key escrow report; dscl . list /Users filtered to admin role; per-device evidence of standard-user log-in flow |
| Malware Protection | XProtect on (default, automatic) and updated; Gatekeeper on with developer-ID-or-Mac-App-Store policy; managed third-party AV (CrowdStrike Falcon, ESET, Sophos, Bitdefender) where the SAQ declares one, with the management console state evidenced | system_profiler SPInstallHistoryDataType \| grep XProtect showing recent XProtect updates; spctl --status showing Gatekeeper enforcement; third-party AV management console export |
| Security Update Management | Software Update policy delivering security updates within 14 days of vendor release; supported macOS version (currently macOS 15 Sequoia or 14 Sonoma; macOS 13 Ventura on the boundary as Apple's three-version support window typically covers it) | MDM compliance report showing per-device Software Update state; softwareupdate --history per device; supported-version inventory |
Per-control engineering detail
Boundary Firewalls
Accept: macOS Application Firewall on with Block all incoming connections except for essential services or with a documented exception list of allowed apps. PF rules where the firm runs services on the Mac (a designer hosting a local Adobe asset cache, a developer running a local web server) with the rules delivered via MDM and documented.
Reject: a Mac with the application firewall switched off because the user found it interfered with a screen-sharing app and toggled it; a Mac running PF with rules tested locally but not delivered through MDM; a Mac with Block all incoming connections enabled in a way that prevents enterprise management agents from connecting (over-blocking).
Secure Configuration
Accept: a macOS Security Configuration profile delivered via MDM, with the documented standard build referencing the Apple Platform Security Guide and the CIS macOS Benchmark. Guest user disabled (System Settings > Users & Groups > Guest user). Automatic login disabled. Screensaver lock at default 5-minute idle.
Reject: a documented standard build that exists as a Notion page but has not been delivered to devices via MDM; Guest user enabled on devices because the OEM image had it on and IT did not disable it during enrolment; automatic login on for "convenience" on a director's MacBook.
User Access Control
Accept: FileVault on with institutional recovery key escrow to the MDM (Jamf "FileVault Recovery Keys" report, Intune's FileVault recovery key escrow as the macOS counterpart of its BitLocker key escrow, Mosyle FileVault key management). Standard user accounts only for day-to-day work; the user provides admin credentials at elevation prompts. iCloud personal accounts not signed in on in-scope devices for organisational data; the device's iCloud configuration is either signed out or signed in to a managed Apple Business Manager account.
Reject: FileVault on but the recovery key printed and stored locally (no MDM escrow); a designer Mac with the user holding admin permissions because Adobe Creative Cloud installation needed it once and the privilege was never reduced; iCloud personal account signed in with the user's organisational mail in iCloud Mail or organisational documents in iCloud Drive (data exfiltration risk plus scope error).
Malware Protection
Accept: XProtect on with recent updates, Gatekeeper on enforcing developer-ID-or-Mac-App-Store policy, and where the SAQ declares a managed third-party AV (CrowdStrike Falcon, ESET, Sophos, Bitdefender), the management console showing every in-scope Mac reporting healthy.
Reject: a Mac with Gatekeeper switched off so the user could install a third-party app the IT team had not approved; a SAQ declaring CrowdStrike but a subset of the fleet not enrolled in Falcon (orphan Macs the assessor finds via the management console); a "managed XProtect" claim, where the firm has not declared a third-party AV but treats XProtect as the managed AV without configuration evidence (XProtect is automatic, and the assessor accepts it as the AV, but the firm should declare it explicitly in the SAQ).
Security Update Management
Accept: Software Update policy delivered via MDM enforcing the IASME 14-day window for security updates. macOS version on a supported branch (typically macOS 15 Sequoia for current; macOS 14 Sonoma as the previous version still receiving security updates; macOS 13 Ventura on the boundary depending on Apple's current support window).
Reject: macOS 12 Monterey or older still in active in-scope use without a documented upgrade plan; security updates deferred beyond 14 days; a Mac on a beta release of macOS where the firm has not justified the beta channel.
For the patching window mechanics, see the Cyber Essentials 14-day Patching Guide on netsecgroup.io.
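An added pre-check script, not Net Sec Group's own tooling, that scores the captured output of the evidence commands in the table against the accept/reject criteria above and, when run on a Mac, collects that output live. It assumes fdesetup status for the local FileVault state and reads admin membership from the admin group via dscl (the table's dscl listing does not by itself show role), both beyond the commands the page names; the sample outputs in the comments and test are constructed.

```shell
#!/bin/sh
# Added pre-check for the evidence commands named in the table (not the certifier's tooling).
# Each check_* takes captured command output as $1 and returns 0 (accept) or 1 (reject);
# check_os_version returns 2 for the boundary branch (macOS 13). Reading text rather than
# running the commands lets the checks run offline against constructed sample outputs.

check_firewall() {    # /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
  case "$1" in        # State 1 = on; State 2 = block all incoming (watch for over-blocking)
    *"State = 1"*|*"State = 2"*) return 0 ;;
    *) return 1 ;;
  esac
}
check_sip() {         # csrutil status
  case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac
}
check_gatekeeper() {  # spctl --status
  case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}
check_filevault() {   # fdesetup status (local state only; the MDM escrow report is still needed)
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}
check_os_version() {  # system_profiler SPSoftwareDataType, e.g. "System Version: macOS 15.1 (24B83)"
  major=$(printf '%s\n' "$1" | sed -n 's/.*macOS \([0-9][0-9]*\)\..*/\1/p' | head -n 1)
  [ -n "$major" ] || return 1
  [ "$major" -ge 14 ] && return 0
  [ "$major" -eq 13 ] && return 2   # Ventura: accept only while Apple still ships fixes
  return 1
}
check_admins() {      # dscl . -read /Groups/admin GroupMembership; $2 = approved admin accounts
  for u in $(printf '%s\n' "$1" | sed 's/^GroupMembership://'); do
    case " $2 " in *" $u "*) ;; *) echo "unapproved admin: $u"; return 1 ;; esac
  done
  return 0
}
verdict() {           # $1 = check function, $2 = captured output, $3 = control label
  "$1" "$2" && rc=0 || rc=$?
  case $rc in 0) echo "$3: accept" ;; 2) echo "$3: boundary" ;; *) echo "$3: reject" ;; esac
}

# Live collection on a Mac. APPROVED_ADMINS lists the managed IT admin account(s).
if [ "$(uname)" = Darwin ]; then
  verdict check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" "Boundary Firewalls"
  verdict check_sip "$(csrutil status)" "Secure Configuration (SIP)"
  verdict check_filevault "$(fdesetup status)" "User Access Control (FileVault)"
  verdict check_gatekeeper "$(spctl --status)" "Malware Protection (Gatekeeper)"
  verdict check_os_version "$(system_profiler SPSoftwareDataType)" "Security Update Management"
  check_admins "$(dscl . -read /Groups/admin GroupMembership)" "root ${APPROVED_ADMINS:-}" \
    && echo "User Access Control (admins): accept" || echo "User Access Control (admins): reject"
fi
```

Run it as the logged-in user on each in-scope Mac and keep the raw command output alongside the verdicts; the verdicts are a pre-check, the raw output is the evidence the assessor reads.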
The three macOS-specific scope errors at audit
Across our engagement history, three patterns recur as macOS-specific failures.
Error 1, unsupported macOS version still in active fleet
The applicant has macOS 15 deployed on the bulk of the fleet but a designer or developer is running macOS 12 Monterey because a legacy plugin only works on it. Apple is no longer issuing security updates for that macOS version; the device fails Security Update Management. The fix is either an OS upgrade (with the legacy plugin's vendor confirming compatibility on the supported macOS version) or scope reduction (move the device out of in-scope use, document the exclusion).
Error 2, BYOD Mac with no MDM enrolment
The applicant has a fleet of company-issued Macs all in MDM, plus the founder's personal MacBook used for day-to-day work that has never been enrolled. The personal Mac is in scope by the BYOD rules; the assessor sees no MDM evidence for it. The fix is either to enrol the personal Mac in MDM (with a personal/work split if needed) or to issue a company Mac and remove organisational use from the personal device. See the BYOD Device Classification reference on netsecgroup.io for the scope detail.
Error 3, designer's Mac running iCloud-synced admin account
The applicant has a designer who signs into their Mac with the same Apple ID they use personally, and that Apple ID is in the local administrator group via the macOS "First Account" pattern from the original setup. iCloud personal data syncs to a device that handles organisational data; admin privilege is held by an unmanaged personal Apple ID. Both surface at audit. The fix is to demote the personal Apple ID to a standard user, create a separate managed admin account (typically held by IT), and clear the iCloud personal data sync from in-scope folders.
Practitioner observations
Three observations from the engagement history.
1. MDM is non-optional for evidence-grade Mac CE Plus engagements. A fleet without MDM produces evidence packs that take 3 to 5 times longer to assemble (per-device manual screenshots and audit-by-hand). The cleanest path is Jamf, Mosyle, or Intune for Mac before the engagement, even for fleets of 10 to 20 devices. Jamf Now is a reasonable starting point for cost-conscious fleets; Jamf Pro for fleets above 50.
2. Apple Business Manager + Automated Device Enrollment closes the personal-Apple-ID gap. When devices enrol via ADE into Apple Business Manager, the device's "First Account" can be a managed Apple ID, eliminating the personal-Apple-ID admin pattern. ADE-enrolled devices also accept MDM configuration without user dismissal options.
3. The CrowdStrike Falcon + macOS combination is the audit-cleanest third-party AV pattern we see. ESET, Sophos, and Bitdefender all pass; CrowdStrike Falcon's management-console reporting and per-device tamper protection produce the cleanest evidence pack. For firms running Defender for Endpoint on macOS (now supported), the Defender XDR console produces equivalent evidence; XProtect-only is acceptable for SAQs that do not declare a third-party AV.
Common questions
Does a Home or Pro edition distinction apply to macOS for CE Plus?
macOS does not have a Home/Pro distinction the way Windows 11 does. Every macOS install is the full operating system. The variation is between macOS branch (current major version, previous, two-back) and architecture (Apple Silicon ARM, Intel x86 for legacy hardware). The assessor accepts any supported branch on any architecture; legacy Intel hardware on supported macOS is fine.
What about iPad and iPhone in the in-scope fleet?
iOS and iPadOS are out of scope for the laptop-equivalent CE Plus tests; they go through the BYOD evaluation if used to access in-scope data. See the BYOD decisions article on the .io sister site for the per-device-class treatment.
Does the assessor accept a Mac fleet without any third-party AV?
Yes when the SAQ declares XProtect plus Gatekeeper as the AV. XProtect is Apple's built-in malware protection; Gatekeeper enforces the application-source policy. Both are evidenced via system commands. A SAQ that declares a third-party AV must produce evidence that AV is on every device.
Where do we book CE Plus?
Book a Cyber Essentials Plus assessment with Net Sec Group. The booking form lets you describe the macOS fleet topology and MDM in use; the assessor confirms the engagement timeline.
Reference material
- Cyber Essentials Plus Assessment Guide
- Cyber Essentials Five Controls Technical Guide
- Cyber Essentials BYOD Device Classification
- Apple Platform Security Guide
- CIS macOS Benchmark
Where this fits on this site
This article is the macOS spoke under the platform-specific pillar. The other platform-specific spokes are Windows 11 hardening for CE Plus, Intune for CE Plus configuration, and Google Workspace for CE Plus. For per-control foundation references on this site, see Secure Configuration, User Access Control, Malware Protection, Patching and Updates, and Firewalls and Gateways.