The CIS Controls: A Mac Admin's Guide
Understanding the 18 CIS Controls and how they map to Mac fleet management
The CIS Controls (formerly the SANS Top 20) are a prioritized set of cybersecurity best practices maintained by the Center for Internet Security. For Mac administrators, they provide an actionable framework that translates directly to the tools and workflows you already use – Jamf, Munki, MDM profiles, and built-in macOS security features.
What Are the CIS Controls?
The CIS Controls are 18 control families organized by priority, each containing specific safeguards (sub-controls). Unlike broad frameworks such as NIST 800-53, the CIS Controls are designed to be practical and implementable. They answer the question: “What should we do first?”
The current version (CIS Controls v8.1) organizes the 18 controls into three activity categories:
| # | Control Family | Category |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Identify |
| 2 | Inventory and Control of Software Assets | Identify |
| 3 | Data Protection | Protect |
| 4 | Secure Configuration of Enterprise Assets and Software | Protect |
| 5 | Account Management | Protect |
| 6 | Access Control Management | Protect |
| 7 | Continuous Vulnerability Management | Protect |
| 8 | Audit Log Management | Detect |
| 9 | Email and Web Browser Protections | Protect |
| 10 | Malware Defenses | Protect |
| 11 | Data Recovery | Recover |
| 12 | Network Infrastructure Management | Protect |
| 13 | Network Monitoring and Defense | Detect |
| 14 | Security Awareness and Skills Training | Protect |
| 15 | Service Provider Management | Protect |
| 16 | Application Software Security | Protect |
| 17 | Incident Response Management | Respond |
| 18 | Penetration Testing | Identify |
Implementation Groups: Start Where You Are
Not every organization needs to implement all safeguards. CIS defines three Implementation Groups (IGs) based on organizational size and risk profile:
IG1 – Essential Cyber Hygiene
The minimum set of safeguards every organization should implement. IG1 covers 56 safeguards and is designed for small to medium organizations with limited cybersecurity resources. For a Mac fleet, this means having device inventory, basic patch management, and endpoint protection in place.
IG2 – Expanded Controls
Builds on IG1 with 74 additional safeguards (130 total). Appropriate for organizations with dedicated IT staff managing moderate-complexity environments. This is where most Mac admin teams with a proper MDM deployment will land.
IG3 – Comprehensive Security
All 153 safeguards, intended for organizations handling sensitive data or facing sophisticated threats. This includes advanced logging, penetration testing, and formal incident response capabilities.
Tip: Most Mac admin teams should aim for full IG1 compliance first, then incrementally adopt IG2 safeguards. Do not jump to IG3 without solid IG1 and IG2 foundations.
Mapping CIS Controls to Mac Admin Tools
The practical value of CIS Controls becomes clear when you map them to the tools and features already in your Mac management stack.
| CIS Control | Mac Admin Implementation |
|---|---|
| 1. Asset Inventory | Jamf Pro inventory, Kandji device list, Mosyle asset management, system_profiler reports |
| 2. Software Inventory | Munki catalogs, Jamf Application Inventory, osquery scheduled queries |
| 3. Data Protection | FileVault encryption, Jamf Data Policy, managed pasteboard restrictions |
| 4. Secure Configuration | MDM Configuration Profiles, CIS Benchmark profiles, mobileconfig payloads |
| 5. Account Management | Jamf Connect, managed Apple IDs, local admin account policies |
| 6. Access Control | macOS TCC framework, PPPC profiles, managed login items, Smart Card enforcement |
| 7. Vulnerability Management | Nudge for OS updates, Munki forced installs, softwareupdate automation, KEV monitoring |
| 8. Audit Logging | Unified Logging (log command), osquery log forwarding, Jamf Pro audit logs |
| 9. Browser Protections | Managed Safari settings, Chrome Enterprise policies, browser extension allow-lists |
| 10. Malware Defenses | XProtect, Gatekeeper, MRT (Malware Removal Tool), third-party EDR (CrowdStrike, SentinelOne) |
| 11. Data Recovery | Time Machine policies, cloud backup solutions, managed iCloud settings |
| 12. Network Management | Wi-Fi profiles via MDM, VPN configurations, 802.1X certificate deployment |
| 13. Network Monitoring | macOS Firewall (/usr/libexec/ApplicationFirewall/socketfilterfw), network extension framework, EDR network visibility |
| 14. Security Training | Phishing simulation platforms, onboarding security modules |
| 15. Service Provider Mgmt | Vendor security review for MDM, cloud storage, and SaaS tools |
| 16. Application Security | Gatekeeper enforcement, notarization requirements, Jamf App Installers |
| 17. Incident Response | Documented IR playbooks, device isolation via MDM lock, remote wipe capabilities |
| 18. Penetration Testing | macOS-focused pen testing, MDM escape testing, privilege escalation auditing |
Getting Started with CIS for Your Fleet
Step 1: Establish Your Asset Inventory (Control 1)
You cannot secure what you do not know about. Start by ensuring your MDM has complete coverage of your fleet.
```bash
# On a managed Mac, verify MDM enrollment
profiles status -type enrollment
# List all installed configuration profiles
profiles list -verbose
```
Step 2: Enforce Secure Baselines (Control 4)
Deploy configuration profiles that align with the CIS macOS Benchmark. Key settings include:
- Enable FileVault (Control 3 – Data Protection)
- Set a screen lock timeout of 15 minutes or less
- Disable guest accounts
- Enable the macOS firewall
- Require password after sleep or screensaver
```bash
# Verify FileVault status
fdesetup status
# Check firewall state
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
```
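The commands in Step 1 and Step 2 answer one question at a time; a fleet needs them folded into a script that an MDM can run as an extension attribute or policy and that exits non-zero when any check fails. The script below is an added example, not code from the guide or from any MDM vendor. Each check_* function takes the command output as its argument, so the checks can be tried with constructed strings on any platform; run_audit wires them to the real macOS commands and only runs on Darwin. The 15-minute idle limit follows the guide's Step 2; the guest-account and screen-saver preference keys are the standard loginwindow and screensaver domains.

```bash
#!/bin/bash
# Added example (not from the original guide): a Jamf-style compliance audit
# covering Step 1 (MDM enrollment) and the Step 2 baseline settings.
# The check_* functions take command output as their argument so they can be
# exercised with constructed strings anywhere; run_audit calls the real
# macOS commands and exits non-zero if any check fails.

# Control 1: enrollment. `profiles status -type enrollment` prints an
# "Enrolled via DEP:" line and an "MDM enrollment:" line. Pass only when the
# enrollment is user approved, since an unapproved enrollment cannot receive
# the supervised-only payloads the baseline depends on.
check_enrollment() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Control 3: FileVault. `fdesetup status` prints "FileVault is On." (possibly
# followed by an encryption-progress line) or "FileVault is Off.".
check_filevault() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Control 4: application firewall. socketfilterfw --getglobalstate prints
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)";
# State = 2 is the stricter block-all-incoming mode and also passes.
check_firewall() {
    case "$1" in
        *"(State = 1)"*|*"(State = 2)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Control 5: guest login. The GuestEnabled key in
# /Library/Preferences/com.apple.loginwindow reads 1 when guest login is on;
# an absent key (command error, mapped to empty/0 by the caller) means off.
check_guest_disabled() {
    [ "${1:-0}" != "1" ]
}

# Control 4: screen saver idle time in seconds. The guide's limit is 15 min;
# 0 means "never" and non-numeric input both fail.
check_idle_time() {
    local secs="${1:-0}"
    case "$secs" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$secs" -gt 0 ] && [ "$secs" -le 900 ]
}

# report NAME STATUS: print one result line and count failures.
report() {
    if [ "$2" -eq 0 ]; then
        echo "PASS  $1"
    else
        echo "FAIL  $1"
        failures=$((failures + 1))
    fi
}

run_audit() {
    failures=0
    local out
    out=$(profiles status -type enrollment 2>/dev/null)
    check_enrollment "$out"; report "MDM enrollment (user approved)" $?
    out=$(fdesetup status 2>/dev/null)
    check_filevault "$out"; report "FileVault enabled" $?
    out=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
    check_firewall "$out"; report "Application firewall enabled" $?
    out=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo 0)
    check_guest_disabled "$out"; report "Guest account disabled" $?
    out=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)
    check_idle_time "$out"; report "Screen saver idle time <= 15 min" $?
    echo "Failed checks: $failures"
    [ "$failures" -eq 0 ]
}

# The live audit only makes sense on macOS; the check functions are portable.
if [ "$(uname -s)" = "Darwin" ]; then
    run_audit
fi
```

Run it from the MDM as root on a schedule and key a smart group off the exit code or the PASS/FAIL lines; the screen-saver check reads the current host's user preference, so for a per-user result run it in the console user's context rather than at login window.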
Step 3: Automate Vulnerability Management (Control 7)
Ensure your fleet stays patched. Configure your MDM to enforce minimum OS versions and deploy updates within a defined SLA. Cross-reference your patching priority with CISA KEV entries and CVSS scores.
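Enforcing a minimum OS version is the part of this step that tools like Nudge automate, and the one place where home-grown scripts routinely get it wrong: comparing version strings lexically makes 14.10 sort below 14.9. The script below is an added example, not code from the guide or from Nudge; MIN_OS is an assumed policy value, not a CIS requirement, and the <result> wrapper is the Jamf extension-attribute convention.

```bash
#!/bin/bash
# Added example (not from the original guide): report whether the installed
# macOS meets an organisational floor, as a Jamf-style extension attribute.
# MIN_OS is an assumed policy value; set it to whatever your SLA requires.

MIN_OS="${MIN_OS:-14.4}"

# version_ge A B: succeed when A >= B. Each dot-separated component is
# compared as an integer, and missing trailing components count as 0, so
# 14.4 == 14.4.0 and 14.10 > 14.9. Non-digit characters are stripped.
version_ge() {
    local a="$1." b="$2." x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=$(printf '%s' "$x" | tr -cd '0-9'); x=${x:-0}
        y=$(printf '%s' "$y" | tr -cd '0-9'); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_min_os INSTALLED MINIMUM: print the extension-attribute result and
# succeed only when the installed version meets the floor.
check_min_os() {
    if version_ge "$1" "$2"; then
        echo "<result>Compliant ($1 >= $2)</result>"
        return 0
    fi
    echo "<result>Non-compliant ($1 < $2)</result>"
    return 1
}

if [ "$(uname -s)" = "Darwin" ]; then
    installed=$(sw_vers -productVersion)
    check_min_os "$installed" "$MIN_OS"
    # `softwareupdate --list` shows what is pending for the deploy-within-SLA
    # step; it needs network access to Apple and is slow, so keep it out of
    # the inventory-time extension attribute itself.
fi
```

Pair the non-compliant population with a Nudge or MDM update policy, and raise MIN_OS promptly when a CISA KEV entry names a macOS CVE fixed in a newer release.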
Step 4: Enable Logging and Detection (Control 8)
macOS generates extensive telemetry through the Unified Logging system. Forward logs to a SIEM or use osquery to query endpoint state at scale.
```bash
# Stream security-relevant log entries in real time
log stream --predicate 'subsystem == "com.apple.securityd"' --level info
```
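Streaming is useful at a single keyboard; for a fleet you want a bounded export that a SIEM agent can ship plus a quick summary that tells you whether the predicate is catching what you expect. The script below is an added example, not code from the guide. The predicate, the export directory, the choice of NDJSON as the ship format, and the sample log lines are all assumptions; the sample lines are constructed in the shape of `log show --style syslog` output (timestamp, host, `process[pid]:`, message) so the summary can be tried without a Mac.

```bash
#!/bin/bash
# Added example (not from the original guide): export the last hour of
# security-relevant unified log entries for a SIEM collector and print a
# per-process count of what the predicate matched.
# PREDICATE, OUTDIR and the sample lines are assumptions for illustration.

PREDICATE='subsystem == "com.apple.securityd" OR process == "loginwindow" OR process == "sudo"'
OUTDIR="${OUTDIR:-/var/log/cis-export}"

# summarize_by_process: reads syslog-style log lines on stdin, where the
# originating process appears as "name[pid]:", and prints "<count> <process>"
# lines, highest count first (ties broken by reverse name order).
summarize_by_process() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\[[0-9]+\]:$/) {          # field shaped like loginwindow[152]:
                sub(/\[[0-9]+\]:$/, "", $i)     # drop "[pid]:" to keep the name
                count[$i]++
                break
            }
        }
    } END { for (p in count) print count[p], p }' | sort -rn -k1,1 -k2,2
}

# top_process: the process with the most matching entries.
top_process() {
    summarize_by_process | head -n 1 | cut -d' ' -f2
}

# collect_security_log (macOS only): write the last hour as NDJSON, one
# event per line, which most collectors ingest as-is, then print the summary.
collect_security_log() {
    mkdir -p "$OUTDIR"
    local stamp out
    stamp=$(date +%Y%m%dT%H%M%S)
    out="$OUTDIR/security-$stamp.ndjson"
    log show --last 1h --predicate "$PREDICATE" --style ndjson > "$out"
    echo "wrote $out ($(wc -l < "$out" | tr -d ' ') events)"
    log show --last 1h --predicate "$PREDICATE" --style syslog | summarize_by_process
}

# Constructed sample lines (not real log output) in syslog style.
SAMPLE_LOG='2024-05-01 09:00:01.000000-0700  mac01 loginwindow[152]: (loginsupport) constructed sample: login attempt
2024-05-01 09:00:02.000000-0700  mac01 securityd[118]: (Security) constructed sample: keychain unlock
2024-05-01 09:00:03.000000-0700  mac01 loginwindow[152]: (loginsupport) constructed sample: authentication failed
2024-05-01 09:00:04.000000-0700  mac01 sudo[2231]: constructed sample: command run
2024-05-01 09:00:05.000000-0700  mac01 loginwindow[152]: (loginsupport) constructed sample: session opened'

if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    collect_security_log
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_by_process
fi
```

Run with `--live` on a Mac to export and summarize real entries; without it the script only summarizes the constructed sample. Tune the predicate on a handful of machines first: a predicate that matches nothing ships an empty file, and one that is too broad fills the SIEM with noise and makes Control 8 expensive to keep.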
Step 5: Document and Test (Controls 17-18)
Write incident response procedures specific to your Mac fleet. Include steps for MDM-based device isolation, FileVault recovery key retrieval, and remote wipe authorization chains.
CIS Controls vs CIS Benchmarks
It is important to distinguish between the two main CIS resources:
- CIS Controls are what you should do – the strategic framework of 18 security priorities.
- CIS Benchmarks are how to do it – detailed, platform-specific configuration guides (e.g., the CIS Apple macOS Benchmark provides hundreds of specific settings).
The Benchmarks are the implementation detail; the Controls are the organizing framework. Both are freely available from the CIS website (account required for downloads).
Next Steps
- Understand the building blocks: What Is a Security Control?
- Apply CIS benchmarks to your fleet: CIS Benchmarks for macOS
- Prioritize patching with threat intelligence: Understanding CISA KEVs