Mac Admin Incident Response Checklist
Step-by-step incident response checklist for Mac administrators — from initial detection through containment, eradication, and recovery
When a security incident strikes your Mac fleet, a structured response is the difference between a controlled recovery and organizational chaos. This checklist adapts the NIST SP 800-61 (Computer Security Incident Handling Guide) framework specifically for Mac administrators managing Apple device fleets with MDM.
Severity Classification
Before you begin any response, classify the incident so that the right people are engaged at the right time.
| Severity | Description | Examples | Response Time |
|---|---|---|---|
| Critical | Active data exfiltration or system compromise | Ransomware, confirmed APT activity, stolen MDM credentials | Immediate |
| High | Confirmed malware or unauthorized access | Trojan on executive device, compromised admin account | Within 1 hour |
| Medium | Suspicious activity requiring investigation | Unusual outbound connections, unexpected LaunchDaemon | Within 4 hours |
| Low | Policy violation or minor anomaly | Unauthorized software install, failed login attempts | Within 24 hours |
Escalation Matrix
| Severity | Notify |
|---|---|
| Critical | Security team, CISO, IT leadership, legal counsel, executive management |
| High | Security team, CISO, IT leadership |
| Medium | Security team lead, Mac admin team lead |
| Low | Mac admin team (handle within normal workflow) |
Phase 1: Preparation
Preparation happens before an incident occurs. If you are reading this during an active incident, skip to Phase 2 and circle back here afterward.
- Maintain an up-to-date asset inventory – Ensure your MDM (Jamf Pro, Kandji, Mosyle) has accurate records of every managed Mac, including hardware model, OS version, assigned user, and department.
- Document MDM admin credentials – Store emergency admin credentials in a secure vault (1Password, HashiCorp Vault) with break-glass access procedures.
- Prepare a forensic toolkit – Pre-install or stage collection tools: osquery, Objective-See utilities (KnockKnock, BlockBlock, TaskExplorer), and a bootable external drive for disk imaging.
- Establish an IR contact list – Include your security team, legal counsel, CISO, MDM vendor support, and relevant law enforcement contacts.
- Create documentation templates – Prepare incident report templates, chain of custody forms, and a communication plan.
- Test your MDM lock and wipe capabilities – Verify that remote lock and remote wipe commands work as expected on test devices before you need them in production.
Phase 2: Detection and Analysis
When an alert fires or a user reports something suspicious, your first job is to determine what is happening and how severe it is.
Initial Triage Commands
Run these on the suspect Mac (remotely via SSH or MDM script, or locally) to build an initial picture:
# Check running processes (sorted by CPU usage, highest first) for anything unfamiliar
ps aux | sort -rk 3 | head -30
# List all network connections and listening ports
lsof -i -P -n
# Alternative network view
netstat -an | grep ESTABLISHED
# Review recently loaded LaunchDaemons and LaunchAgents
launchctl list
# Check for unsigned or suspicious code
codesign -vv /path/to/suspicious/binary
# Stream security-relevant logs
log show --predicate 'subsystem == "com.apple.securityd"' --last 1h
Detection Indicators
Look for these common signs of compromise on macOS:
- Unexpected LaunchDaemons or LaunchAgents in /Library/LaunchDaemons/, /Library/LaunchAgents/, or ~/Library/LaunchAgents/
- Unsigned binaries running from /tmp, /var/tmp, or user-writable directories
- Outbound connections to unfamiliar IP addresses or domains, especially on non-standard ports
- New or modified configuration profiles not deployed by your MDM
- Unusual cron or at jobs that were not configured by IT
- Elevated privilege usage – unexpected sudo activity in logs
- Disabled security features – Gatekeeper, SIP, or FileVault found in unexpected states
Classification Decision
Based on your triage, assign a severity level from the table above and escalate per the matrix. Document your initial findings with timestamps before moving to containment.
Phase 3: Containment
The goal is to stop the damage from spreading while preserving evidence for investigation.
Critical: Do NOT power off the Mac unless absolutely necessary. A running system preserves volatile data (memory, network connections, running processes) that is lost on shutdown.
- Isolate the Mac from the network – Use MDM to push a configuration profile that disables Wi-Fi and restricts network access via the firewall payload. If MDM is unavailable, instruct on-site personnel to disconnect Ethernet and disable Wi-Fi manually. See Isolating a Compromised Mac for detailed procedures.
- Disable the user account – If the compromise involves a user account, disable it in your identity provider (Okta, Azure AD, Google Workspace) and revoke SSO sessions.
- Revoke certificates and tokens – Rotate any API keys, VPN certificates, or OAuth tokens associated with the compromised device.
- Quarantine in MDM – Move the device to a quarantine Smart Group in Jamf Pro (or equivalent) to prevent it from receiving production policies.
- Preserve evidence – Before making any changes, capture the current state. See Collecting Forensic Evidence on macOS.
Phase 4: Eradication
Once the device is contained and evidence is preserved, remove the threat.
- Identify the root cause – Determine how the compromise occurred (phishing, malware, exploited vulnerability, insider threat).
- Remove malware or unauthorized software – Use your EDR tool or manually remove malicious binaries, LaunchDaemons/LaunchAgents, and configuration profiles.
- Reset all credentials – Force password resets for the affected user(s), including local macOS accounts, directory service passwords, and application-specific credentials.
- Deploy hardened configuration profiles – Push updated security profiles via MDM to close the vector that was exploited.
- Patch the vulnerability – If the compromise exploited a known vulnerability, deploy the relevant macOS or application update fleet-wide immediately.
- Scan the broader fleet – Use osquery or your EDR to search for the same indicators of compromise across all managed Macs.
# Example: search fleet-wide for a suspicious LaunchDaemon
# (run via MDM policy or osquery distributed query)
ls -la /Library/LaunchDaemons/ | grep -i "suspicious_name"
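The persistence indicators listed in Phase 2 and the fleet-wide scan step above come down to the same logic: parse every launchd plist and flag the ones that match. The following is an added example, not part of this checklist or of any vendor tool, that does this with Python's plistlib; the label allowlist, the directory list and the function names are assumptions, and the plist builder exists only so the checks can be exercised on constructed input.

```python
import os
import plistlib
# Added example, not from the original checklist. Directories are those named in the
# detection indicators above; the label allowlist is a constructed placeholder.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents")]
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")
KNOWN_LABELS = ("com.apple.", "com.jamf.", "com.microsoft.")  # constructed allowlist

def build_plist(label, args, run_at_load=False, keep_alive=False):
    """Construct a launchd plist (bytes) so the checks can be exercised offline."""
    return plistlib.dumps({"Label": label, "ProgramArguments": list(args),
                           "RunAtLoad": run_at_load, "KeepAlive": keep_alive})

def assess_launchd_plist(data, known_labels=KNOWN_LABELS):
    """Return finding strings for one plist; an empty list means nothing notable."""
    try:
        item = plistlib.loads(data)
    except Exception:
        return ["unparseable plist"]  # malformed or not a plist at all: inspect by hand
    findings = []
    label = str(item.get("Label", ""))
    args = item.get("ProgramArguments") or []
    path = str(item.get("Program") or (args[0] if args else ""))  # what launchd executes
    if not label.startswith(known_labels):
        findings.append(f"unrecognised label {label!r}")
    if path.startswith(USER_WRITABLE):
        findings.append(f"program in user-writable location: {path}")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive (persists and auto-restarts)")
    return findings

def scan_launchd(dirs=LAUNCHD_DIRS):
    """Walk the persistence directories; return {plist path: findings} for flagged items."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.endswith(".plist"):
                with open(full, "rb") as fh:
                    findings = assess_launchd_plist(fh.read())
                if findings:
                    report[full] = findings
    return report
if __name__ == "__main__":  # on a Mac: run locally or as an MDM script, one line per hit
    for path, findings in scan_launchd().items():
        print(f"{path}: {'; '.join(findings)}")
```

Run it as root via an MDM policy to cover /Library and each user's LaunchAgents directory, then compare the flagged labels across the fleet to spot items that appear on only a handful of Macs.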
Phase 5: Recovery
Bring the device (and affected user) back to a trusted state.
- Restore from known-good backup – If the device cannot be cleaned with confidence, erase and re-provision it using Apple Business Manager and your MDM zero-touch workflow. If restoring from Time Machine, verify the backup predates the compromise.
- Verify system integrity – Confirm SIP is enabled, FileVault is active, Gatekeeper is enforcing, and all MDM profiles are installed.
# Verify SIP status
csrutil status
# Verify FileVault
fdesetup status
# Verify Gatekeeper
spctl --status
# List installed profiles
profiles list -verbose
- Re-enable network access – Remove the quarantine profile and restore the device to its standard network VLAN.
- Monitor for recurrence – Place the device under enhanced monitoring for 30 days. Configure additional logging or EDR alerting rules.
- Restore user access – Re-enable the user’s account and issue new credentials.
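The four verification commands in the integrity step above can be combined into a single recovery gate that refuses to declare a Mac ready until every control is in its expected state. This is an added example, not from the checklist: it runs the commands and parses their output; the required profile identifier is a constructed placeholder, and the profileIdentifier line format assumed for profiles list -verbose is an assumption to confirm on your own fleet.

```python
import re
import subprocess
# Added example, not from the original checklist. The expected strings are what the
# commands print on current macOS; the required profile identifier is a placeholder.
REQUIRED_PROFILES = ("com.example.mdm.security-baseline",)  # constructed placeholder

CHECKS = {  # command -> (regex its output must match, requirement it proves)
    "csrutil status": (r"status: enabled\.", "SIP enabled"),
    "fdesetup status": (r"FileVault is On\.", "FileVault on"),
    "spctl --status": (r"^assessments enabled", "Gatekeeper enforcing"),
}
PROFILES_CMD = "profiles list -verbose"

def run(cmd):
    """Run one verification command and return its combined stdout/stderr as text."""
    proc = subprocess.run(cmd.split(), capture_output=True, text=True)
    return proc.stdout + proc.stderr

def installed_profiles(profiles_output):
    """Pull identifiers out of profiles output (assumes 'profileIdentifier: <id>' lines)."""
    return set(re.findall(r"profileIdentifier:\s*(\S+)", profiles_output))

def evaluate_posture(outputs, required=REQUIRED_PROFILES):
    """Judge a device from {command: output text}; returns (all_ok, [failed requirements])."""
    failures = []
    for cmd, (pattern, requirement) in CHECKS.items():
        if not re.search(pattern, outputs.get(cmd, ""), re.MULTILINE):
            failures.append(requirement)
    present = installed_profiles(outputs.get(PROFILES_CMD, ""))
    for ident in required:
        if ident not in present:
            failures.append(f"profile {ident} installed")
    return (not failures), failures

if __name__ == "__main__":  # run as root on the recovered Mac before lifting quarantine
    ok, failed = evaluate_posture({cmd: run(cmd) for cmd in list(CHECKS) + [PROFILES_CMD]})
    print("READY" if ok else "NOT READY, missing: " + ", ".join(failed))
```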
Phase 6: Post-Incident Review
Conduct a post-incident review (blameless postmortem) within 5 business days of resolution.
Lessons Learned Template
| Question | Response |
|---|---|
| What happened? | (Timeline summary) |
| How was it detected? | (Alert, user report, routine audit) |
| How long was the dwell time? | (Time from compromise to detection) |
| What worked well? | (Effective controls, fast response) |
| What needs improvement? | (Gaps, delays, missing tools) |
| What changes will we make? | (Policy updates, new controls, training) |
- Update IR documentation – Revise this checklist and related playbooks based on findings.
- Update detection rules – Add new indicators of compromise to your SIEM, EDR, and osquery packs.
- Communicate results – Share a summary (appropriately scoped) with stakeholders per your communication plan.
- File the incident report – Archive the complete report with evidence per your retention policy. See Reporting Security Incidents for reporting obligations.
Quick Reference: IR Toolkit for Mac Admins
| Tool | Purpose |
|---|---|
| ps aux | List running processes |
| lsof -i -P | Show network connections |
| log show / log stream | Query Unified Logging |
| launchctl list | List loaded services |
| profiles list | Show installed MDM profiles |
| fdesetup status | Check FileVault status |
| csrutil status | Check SIP status |
| kextstat | List loaded kernel extensions |
| sysdiagnose | Comprehensive system snapshot |
| KnockKnock (Objective-See) | Enumerate persistent software |
| osquery | Fleet-wide endpoint querying |
| Santa (Google) | Binary allow/deny-listing |
Next Steps
- Learn isolation procedures: Isolating a Compromised Mac
- Build your evidence collection skills: Collecting Forensic Evidence on macOS
- Understand your reporting obligations: Reporting Security Incidents