CIS Benchmarks for macOS
Implementing CIS Benchmarks on your Mac fleet — key settings, automated assessment, and deployment via MDM
The CIS (Center for Internet Security) Benchmarks for macOS are detailed, consensus-driven configuration guides that define exactly how a Mac should be hardened for enterprise use. Where the CIS Controls describe what security priorities to address, the Benchmarks specify how to configure each setting on a specific platform. For Mac administrators, the CIS macOS Benchmark is one of the most practical compliance tools available.
What Are CIS Benchmarks?
CIS Benchmarks are configuration baselines developed by a global community of security practitioners, vendors, and subject matter experts. They exist for operating systems, cloud platforms, databases, network devices, and more. The macOS Benchmark covers hundreds of individual settings organized into categories like system preferences, network configuration, logging, and access control.
Each recommendation includes:
- A description of the setting and why it matters
- The audit procedure (how to check the current state)
- The remediation procedure (how to apply the setting)
- The CIS Controls mapping (which strategic control this satisfies)
Benchmarks are updated with each major macOS release. Always use the version that matches your fleet’s OS.
Level 1 vs. Level 2 Profiles
The Benchmark defines two hardening levels:
| Profile | Intended For | Impact |
|---|---|---|
| Level 1 | Every Mac in the fleet | Minimal impact on usability; practical defaults that should not break standard workflows |
| Level 2 | High-security environments | May restrict functionality; intended for devices handling sensitive data or operating in regulated environments |
Tip: Start with Level 1 across your entire fleet. Apply Level 2 selectively to devices in high-risk roles (finance, executive, engineering with source code access) after testing the impact on user workflows.
Key macOS Benchmark Settings
The following table highlights the most impactful settings from the CIS macOS Benchmark. These cover the areas most commonly required for compliance audits.
System Updates and Gatekeeper
| Setting | Recommendation | Check Command |
|---|---|---|
| Automatic software updates | Enable all auto-update options | defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled |
| Gatekeeper enabled | Must be active | spctl --status |
| Allow apps from App Store and identified developers | Restrict to signed software | spctl --status --verbose |
Encryption and Firewall
| Setting | Recommendation | Check Command |
|---|---|---|
| FileVault enabled | Required on all devices | fdesetup status |
| macOS Firewall enabled | Must be active | /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate |
| Firewall stealth mode | Enable (Level 2) | /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode |
Screen Lock and Password Policy
| Setting | Recommendation | Check Command |
|---|---|---|
| Screen saver timeout | 20 minutes or less | defaults -currentHost read com.apple.screensaver idleTime |
| Require password after sleep/screensaver | Immediately or within 5 seconds | sysadminctl -screenLock status 2>&1 |
| Password minimum length | 15 characters (Level 2: 20) | Check via configuration profile |
| Password history | Remember at least 15 passwords | Check via configuration profile |
Remote Access and Sharing
| Setting | Recommendation | Check Command |
|---|---|---|
| Remote Login (SSH) disabled | Disable unless required | sudo systemsetup -getremotelogin |
| Screen Sharing disabled | Disable unless required | sudo launchctl list com.apple.screensharing 2>&1 |
| Bluetooth Sharing disabled | Disable | Check in System Settings or via profile |
| AirDrop restricted | Disable or restrict to Contacts Only | defaults read com.apple.NetworkBrowser DisableAirDrop |
| Content Caching disabled | Disable on endpoints | sudo AssetCacheManagerUtil status 2>&1 |
Logging and Auditing
| Setting | Recommendation | Check Command |
|---|---|---|
| Security auditing enabled | Required | sudo launchctl list com.apple.auditd |
| Firewall logging enabled | Required | /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode |
| Install.log retention | 365 days | grep -i "ttl" /etc/asl/com.apple.install |
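As an added example (not code from CIS, the Benchmark document or CIS-CAT Pro), the following POSIX shell script strings the check commands from the tables above into a Level 1 spot-check that prints PASS/FAIL per setting and exits non-zero when anything fails; the `evaluate`/`run_check` helpers and the expected output substrings are this example's assumptions about what the tools print, not values from the page.

```shell
#!/bin/sh
# Added example: a Level 1 spot-check assembled from the check commands in the tables above.
# It is not CIS-CAT Pro and does not replace it; run it as root on a Mac (sudo sh cis_spotcheck.sh).

# evaluate NAME PATTERN ACTUAL: prints PASS/FAIL for one setting, exit status 0 on pass.
# PATTERN is a case-insensitive basic regex that must appear in the command output.
evaluate() {
  name=$1; expected=$2; actual=$3
  if printf '%s\n' "$actual" | grep -qi -- "$expected"; then
    printf 'PASS: %s\n' "$name"
    return 0
  fi
  printf 'FAIL: %s (got: %s)\n' "$name" "$actual"
  return 1
}

# run_check NAME PATTERN COMMAND [ARGS...]: runs the check command (stderr folded in,
# as the tables above do with 2>&1) and hands its output to evaluate.
run_check() {
  name=$1; expected=$2; shift 2
  out=$("$@" 2>&1)
  evaluate "$name" "$expected" "$out"
}

# audit: one line per Benchmark setting. The expected substrings are this example's
# assumptions about tool output (e.g. "Firewall is enabled. (State = 1)"); confirm them
# on the macOS version you are auditing before trusting the results.
audit() {
  fails=0
  run_check "Gatekeeper enabled" "assessments enabled" spctl --status || fails=$((fails + 1))
  run_check "FileVault enabled" "FileVault is On\." fdesetup status || fails=$((fails + 1))
  run_check "Application firewall enabled" "Firewall is enabled" \
    /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate || fails=$((fails + 1))
  run_check "Firewall logging enabled" "Log mode is on" \
    /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode || fails=$((fails + 1))
  run_check "Automatic update check enabled" "^1$" \
    defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled || fails=$((fails + 1))
  run_check "Remote Login (SSH) disabled" "Remote Login: Off" systemsetup -getremotelogin || fails=$((fails + 1))
  printf '%d check(s) failed\n' "$fails"
  return "$fails"   # non-zero exit lets an MDM policy or scheduled job flag the device
}

# Only audit on macOS; elsewhere the file just defines the functions.
if [ "$(uname)" = Darwin ]; then audit; fi
```

The exit status feeds naturally into a Jamf Pro policy or a launchd job so that a failing device is reported rather than silently drifting.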
Automating Assessment with CIS-CAT Pro
Manually checking hundreds of settings is not scalable. CIS offers CIS-CAT Pro, an automated assessment tool that scans a Mac against the Benchmark and produces a compliance report.
How CIS-CAT Pro Works
- Download CIS-CAT Pro from the CIS WorkBench (requires a CIS SecureSuite membership)
- Run the assessor against the macOS Benchmark
- Review the HTML or XML report showing pass/fail for each recommendation
- Export results to your GRC (Governance, Risk, and Compliance) platform
```bash
# Example: Run CIS-CAT Pro assessment from the command line
sudo ./Assessor-CLI.sh -b benchmarks/CIS_Apple_macOS_Benchmark_v*.xml \
  -p "Level 1" \
  -r /tmp/cis_report
```
Note: CIS-CAT Pro requires a CIS SecureSuite membership (paid). The Benchmark document itself is available for free download with a CIS WorkBench account.
Deploying via MDM Configuration Profiles
The most effective way to enforce CIS Benchmark settings across your fleet is through MDM configuration profiles. Most Benchmark recommendations map directly to MDM payload keys.
Mapping Benchmarks to MDM Payloads
| Benchmark Category | MDM Payload |
|---|---|
| Password policy | com.apple.mobiledevice.passwordpolicy |
| FileVault enforcement | com.apple.MCX.FileVault2 |
| Firewall settings | com.apple.security.firewall |
| Screen lock / screensaver | com.apple.screensaver |
| Software update policy | com.apple.SoftwareUpdate |
| AirDrop restriction | com.apple.applicationaccess (restrictions payload) |
| Remote Login (SSH) | Managed via com.apple.MCX or script |
| Sharing services | com.apple.MCX preferences |
Example: Deploying Key Settings via Jamf Pro
- FileVault – Use the Disk Encryption configuration profile payload to enforce FileVault and escrow recovery keys to Jamf Pro.
- Firewall – Deploy a Security & Privacy payload enabling the application firewall.
- Password policy – Deploy a Passcode payload setting minimum length, complexity, and history requirements.
- Restrictions – Deploy a Restrictions payload to disable AirDrop, Bluetooth Sharing, and other sharing services.
```bash
# After deploying profiles, verify on a target Mac
# (device-level profiles installed by MDM are only listed when run as root):
sudo profiles list -verbose | grep -A 5 "com.apple.security.firewall"
```
Continuous Compliance Monitoring
Deploying profiles once is not enough. Devices drift out of compliance when users modify settings, profiles fail to install, or new Macs are enrolled without the correct profile scope.
Strategies for continuous monitoring:
- Jamf Pro Smart Groups – Create Smart Groups based on compliance criteria (e.g., FileVault enabled, firewall active, OS version current). Devices that fall out of compliance automatically enter the group and can trigger remediation policies.
- osquery scheduled queries – Write queries that check for each critical Benchmark setting and report results to your logging platform.
- CIS-CAT Pro scheduled scans – Run assessments on a recurring schedule (weekly or monthly) and track compliance scores over time.
- NIST mSCP compliance scripts – The NIST macOS Security Compliance Project can generate compliance check scripts that map to CIS Benchmarks.
Where to Download the Benchmark
- Create a free account at CIS WorkBench
- Navigate to the Benchmarks section and search for “Apple macOS”
- Download the PDF for your target macOS version
- Optionally, subscribe to CIS SecureSuite for access to CIS-CAT Pro and machine-readable Benchmark content
Next Steps
- Understand the strategic framework: The CIS Controls: A Mac Admin’s Guide
- Generate automated compliance baselines: NIST macOS Security Compliance Project (mSCP)
- Meet DoD hardening requirements: DISA STIGs for Apple Platforms