HomeCyber EssentialsCE PlusArticlesFAQPricingAboutContact
Free Consultation

Cyber Essentials Plus Platform-Specific Configuration, the Hub

Net Sec Group is an IASME and NCSC certification body. The five Cyber Essentials Plus controls apply identically across platforms; the configuration that evidences each control changes per platform. This hub indexes the four platform-specific spokes on this site, drawn from our 800-plus engagement history. Each spoke maps each CE Plus control onto the platform's native configuration with the assessor's accept/reject criteria per setting.

Articles in this hub

Windows 11 Hardening for CE Plus, the Per-Control Engineering Reference

The 5-row Windows 11 hardening table mapped per CE Plus control: Windows Defender Firewall profiles, Microsoft Security Baseline plus AppLocker / Smart App Control, BitLocker plus Conditional Access, Microsoft Defender Antivirus with Tamper Protection plus ASR rules, Windows Update for Business policy. Plus the three Windows 11-specific scope errors (unsupported feature update version, third-party AV in conflict with Defender, local admin granted via UAC bypass).

macOS Cyber Essentials Plus Checklist, the Per-Control Engineering Reference

The 5-row macOS hardening table: application firewall and PF rules, macOS Security Configuration baseline via MDM, FileVault with institutional recovery key escrow, XProtect plus Gatekeeper plus managed third-party AV, Software Update policy on a supported macOS version. Plus the three macOS-specific scope errors (unsupported macOS version still in active fleet, BYOD Mac with no MDM enrolment, designer's Mac running iCloud-synced admin account).

Microsoft Intune for CE Plus, the Per-Control Policy Mapping

The 5-row CE-control-to-Intune-policy table: Endpoint Security Firewall, Configuration profile plus Microsoft Security Baseline, Compliance policy plus Conditional Access, Endpoint Security Antivirus plus ASR, Windows Update for Business rings. Plus the three Intune-specific evidence rejects (deployment scope set to a pilot group, compliance policy created but not assigned, configuration profile in conflict with security baseline).

Google Workspace for CE Plus, the Per-Control Admin Mapping

The 5-row CE-control-to-Workspace-admin table: Context-Aware Access for boundary, OAuth app trust list plus sharing settings for secure configuration, 2-Step Verification enforcement plus Advanced Protection Program for user access control, Gmail and Drive scanning plus Security Center for malware protection, vendor-managed platform updates plus per-laptop patching for security update management. Plus the three Workspace-specific rejects (2SV "encouraged" not enforced, OAuth trust list with broad default trust, super admin role over-allocated).

When to read which article

| Where you are | Read this | |---|---| | Windows 11 fleet, preparing for CE Plus | Windows 11 hardening for CE Plus | | macOS fleet, preparing for CE Plus | macOS Cyber Essentials Plus checklist | | Microsoft 365 estate using Intune for device management | Microsoft Intune for CE Plus (alongside the Windows 11 or macOS spoke) | | Google Workspace estate | Google Workspace for CE Plus (alongside the Windows 11 or macOS spoke for the laptop fleet) | | Mixed Windows + macOS estate on Intune | Read all three: Intune (policy mapping), Windows 11 (per-device evidence), macOS (per-device evidence) |

How this hub relates to the other three

The platform-specific hub is one of four on this site. The other three:

  • Vulnerability scanning: scanner choice and methodology that runs against the platform-specific configurations
  • Audit evidence: how to package the platform-specific evidence into the audit pack the assessor reads
  • Technical controls: foundation references for each Cyber Essentials control the platform-specific articles configure

The platform-specific articles produce the configuration; the vulnerability-scanning articles validate it; the audit-evidence articles package it; the technical-controls articles explain it.

Common questions

Can I run CE Plus on a fleet split between Windows 11 and macOS?

Yes. Mixed-platform estates are common. Each platform's evidence comes from the relevant spoke's per-control table. The audit pack indexes per-platform sub-folders; the assessor reads each platform's evidence against the same five controls.

Where do we book CE Plus?

Book a Cyber Essentials Plus assessment with Net Sec Group.

Reference material

Ready to get certified?

Get CECall Us