(imported topic written by SystemAdmin)
We’ve started to look at the process of tightening up the security on our OS X workstations. We’ve got a mix of 10.5.8 and 10.6.7. We were curious to see if anyone has done anything in terms creating TEM content (fixlets, tasks) that either perform the changes natively or somehow run a tool to perform the changes. We’re not OS X guys, so our scripting skills are limited and so is our time.
We are initially looking at the following items:
Add AD Domain Admins to local Admins
Enable SSH for Admins
Enabled password lock when screensaver runs (TEM has this one - yay!)
Set screen saver timeout
Set screen saver
Set proxy server (.pac file) for nics
Disable automatic (scheduled) system updates
Disable system updates
John
(imported comment written by lloydjobe91)
Hi … I’m in the BigFix services group and as a result have been around lots of the security configuration work… We’ve done a lot over the years and have some OS-X folks on the team…
Unfortunately we have never done any OS-X SCM work and my guess is the cost for us to do custom content dev is not worth it for the average customer … unless you have a very large number of endpoints and a very strong mandate…
I have heard that the product team really wants to get this inserted into our roadmap but doesn’t currently have a concrete schedule/funding…
I wonder if it’s viable to find other OS-X enthusiasts to dig into this? My experience is that 5-10 core controls capture a large portion of the value so possibly the hurdle isn’t as high compared to a complete compliance framework like DISA - STIGS where there sometimes >100-200 controls…