Compliant by Default: How Smart MSPs Are Automating Apple Security

Compliant by Default: How Smart MSPs Are Automating Apple Security

Introductions

Nicolas Ponce (Addigy): My name is Nicolas Ponce. I work here at Addigy and I lead the operations and security team. Today’s webinar covers compliance by default: how smart MSPs are automating Apple security.

Brent Porter (Master Switch IT): My name is Brent Porter. I work for an MSP in Minneapolis called Master Switch IT. I just hit my nine-year anniversary. I’ve been working in IT since about 2010 and in MDM since about 2014.

Nicolas: The agenda has three parts: consumer-ready is not enterprise-ready, compliant by default with a live demo, and turning the gap into growth by packaging compliance as a service.

Consumer-Ready Is Not Enterprise-Ready

Nicolas: Apple’s defaults are optimized for personal use, not business use. By default, devices aren’t enrolled in MDM, the password policy is minimal (around four characters on macOS), and everything syncs to iCloud, including iCloud Drive. Features like AirDrop raise the question of where company data is going.

Nicolas: The myth is that Macs are more secure. The reality is they’re secure for consumers, which isn’t the same as compliant or secure for business.

Brent: They add a lot of features, but they’re built for convenience and ease of use. It just has to be managed in our environment.

The Compliance Gap

Nicolas: A new Apple device out of the box is only about halfway to business-ready compliance. Roughly half the controls will fail against even a basic benchmark like CIS Level 1. Stricter frameworks like STIG or CMMC produce even more rule failures, because these devices are designed for personal use and don’t map to any framework by default.

Nicolas: Frameworks like SOC 2, ISO 27001, and Cyber Essentials are attested by third-party auditors. What matters is which devices you’re using and how you’re hardening them to mitigate risk.

Brent: The most common one for us is SOC 2. A lot of our clients are required to do it, whether by their own clients, insurance, or something of that nature.

Nicolas: SOC 2 is more common in the States, ISO is more international, and UK folks have Cyber Essentials, which we’ve added as a benchmark. A framework is essentially a compilation of macOS configurations, a list of a little over 300 rules. We built a database that aligns each rule to the benchmarks it belongs to, and we test and validate every benchmark before pushing it out. A rule like “OS gatekeeper enabled” appears in almost every benchmark.

Brent: Gatekeeper is one we build custom rules around for onboarding, because it’s across all compliance frameworks.

Compliant by Default

Nicolas: Enterprise-ready shouldn’t be a manual project. With Addigy you get real-time visibility into where your devices stand. You can apply a benchmark in monitoring-only mode, which doesn’t remediate anything, it just shows you the compliance status. In one example, out of nearly 40 devices only 11 were compliant. That’s a great baseline to show stakeholders before starting the project. Automated enforcement then flips those devices to compliant with remediation, and it’s all reportable.

Live Demo: Deploying a Benchmark

Nicolas: Benchmarks are curated per operating system. Every year the NIST and CIS teams curate a unique benchmark for each macOS version, so macOS 14 and macOS 26 are not the same and have different settings. In the demo I assigned CIS Level 1 to a macOS 15 device and deployed it.

Nicolas: The catalog is where you build content and the policy is where you assign it. CIS Level 1 is a good industry-standard base, with 97 rules in macOS 26 and 87 in macOS 14. As Apple adds or changes controls in each OS, the rule count changes.

Brent: I’ve used CIS Level 1 a lot as a base to build custom benchmarks. It’s the one I use most frequently.

Nicolas: You can clone a benchmark, sort the rules, and disable the ones you don’t want before saving it as your own. Audit-log rules are easy wins because they don’t change the user experience, they just provide logging for a forensic team if something happens.

Nicolas: Some items are labeled benchmark and some baseline. A baseline is guidance rather than a prescriptive set you apply as-is. Some rules install a profile, some require manual remediation (for example, inserting a smart card for CMMC), and some run scripts. Doing all of that yourself, across profiles, scripts, and manual steps, is what makes this so challenging. CMMC Level 1 has 82 rules and Level 2 has 208.

Nicolas: When you clone a benchmark, it stays synced with the NIST and CIS rule changes. We review those changes, apply them, communicate them through our releases and status pages, and verify customer impact before release.

Brent: Even if you only want monitoring, you can use the scripts from the remediation to build your own remediation scripts.

Nicolas: Each rule includes the test, the remediation script, a description explaining the rationale, and a downloadable PDF write-up. That PDF maps each rule to the NIST 800-53 revision, CIS Controls v8, and CCE, which the compliance and audit teams need.

Brent: The PDF is really useful for clients to review.

Nicolas: We also launched Cyber Essentials a month or two ago and a brand-new AI Compliance Basics benchmark. You can build your own AI benchmark, for example allowing Claude and Google Gemini while blocking ChatGPT, Microsoft Edge Copilot, and DeepSeek. You can also tie compliance into Microsoft Intune conditional access to build a zero-trust environment, and there’s an option to exclude specific benchmarks from affecting a device’s ability to log in.

Brent: Clients really like being able to see their compliance in Self Service. It’s reassuring when they go in and everything’s green.

Turning the Gap Into Growth

Nicolas: The compliance gap is your opportunity to package and sell as a service. This becomes a repeatable, billable process once the first client is set up.

Brent: Instead of break-fix, we’ve evolved to managed service agreements based on the client’s needs, with different tiers. There’s always a base level of security, and more compliance requirements bill out at higher tiers.

Nicolas: Proactive versus reactive matters. If a client comes to you the week before a SOC 2 audit, that’s a friction point, because a SOC 2 Type 2 is a period-of-time audit, not point-in-time, so you have to prove you’ve been doing it for a while. Showing before-and-after reports is a powerful way to demonstrate the value and risk mitigation.

Brent: We had an instance where a client did well in an audit, and now they’re expanding the number of devices they want us to manage. Clear communication and regular review are so important.

Overcoming Pushback

Nicolas: Common objections are “my Macs are already secure,” “this will frustrate my users,” and “we’ve gotten by without this.”

Brent: People worry you’re spying on them, so you reassure them the intent is to secure the business and keep them productive. Removing admin rights actually helped, because software stays aligned and there’s no random software everywhere. Addigy also has a feature to elevate admin rights temporarily.

Nicolas: These controls actually eliminate most privacy concerns. Benchmarks disable remote login and remote management by default, so they prevent malicious actors from accessing devices remotely rather than enabling spying. Developers are usually the exception, and you can curate a separate policy for them. Nobody can control SIP through benchmarks, but it’s good to confirm it’s enabled.

Brent: We’ve actually seen a reduction in ticketing as we’ve added more security and automated it proactively, and the tickets we do see resolve faster.

Problematic Rules to Watch For

Nicolas: Some rules cause friction and should be curated carefully. “Disable login to other users’ active and locked sessions” breaks Touch ID if pulled straight from the CIS repo. Addigy runs a custom remediation automatically so it doesn’t break Touch ID.

Nicolas: “Limit consecutive failed login attempts to five” locks users out after five failures, and when combined with the rule to prompt for username and password, users see two blank fields, don’t know their username, and get frustrated. Consider raising the attempt limit or pairing it with an identity provider.

Brent: Using an identity provider helps a lot with the login window, because users reach a familiar IdP portal and often get MFA. It also eliminates rolling passwords and reduces keychain tickets.

Nicolas: An IdP syncs passwords so there’s no confusion, and the username becomes their identity credential. I’d also turn off the 365-day max password lifetime rule if you’re enforcing it in your IdP, since it causes conflict. The time-sync daemon rule was removed by NIST and CIS because it caused time drift, which breaks SSL validation and connectivity. Finally, if you use an identity provider, avoid or limit passcode settings, because Apple’s passcode payload doesn’t exactly match the IdP. Allowing simple passwords can actually prevent conflicts with real-word passwords set in the IdP.

Continuous Compliance and AI

Nicolas: With Addigy you can do this in minutes, not months. Compliance isn’t a checkbox, it’s continuous: you monitor status, automate remediation, and document it over time, and you repeat it every year with each new benchmark. Apple builds for the person; Addigy builds for the business.

Brent: When you get audited and they come back and say they found nothing, there’s no feeling like it. Being able to present all the data quickly during an audit has helped us tremendously.

Nicolas: On AI, the AI Compliance Basics benchmark is in public beta, available under account settings in the public beta options. We heard from customers that they had no visibility or control over which AI tools their users were using, so this benchmark helps track that. AI is here to stay and will keep reshaping the digital frontier.

Q&A Highlights

Brent: For apps that want to auto-update but can’t without admin, you can use Addigy’s temp admin feature in a standard user environment. Sometimes it’s best to disable the app’s built-in auto-updater and let Addigy handle updating instead, as we’ve done with Slack and Firefox.

Nicolas: Declarative Device Management doesn’t require automated enrollment through ADE, but it does require the device to be enrolled in MDM. With declarative management, changes are persistent and can’t be turned off by the user.

Frequently Asked Questions

Are Apple devices secure by default for business use?

No. Apple’s defaults are optimized for personal use, so a new device out of the box is only about halfway to business-ready compliance. Roughly half the controls will fail against even a basic benchmark like CIS Level 1 until you apply and enforce a framework.

What compliance frameworks do MSPs use for Apple devices?

Common frameworks include SOC 2, ISO 27001, Cyber Essentials, CMMC, and STIG. SOC 2 is the most common in the US, ISO 27001 is more international, and Cyber Essentials applies in the UK. Each is essentially a compilation of macOS configurations attested by a third-party auditor.

What is a compliance benchmark in Addigy?

A benchmark is a curated set of macOS configuration rules aligned to a framework, drawn from a database of over 300 rules. Addigy tests and validates each benchmark before release and keeps cloned benchmarks synced with NIST and CIS rule changes.

What is the difference between monitoring-only and remediation mode?

Monitoring-only applies a benchmark to read and report device compliance status without changing anything or affecting the user experience. Remediation mode automatically enforces the rules to bring devices into compliance.

Why are benchmarks curated per macOS version?

Every year the NIST and CIS teams curate a unique benchmark for each macOS version, because Apple adds and changes controls in each release. For example, CIS Level 1 has 97 rules in macOS 26 versus 87 in macOS 14, so macOS 14 and macOS 26 benchmarks are not interchangeable.

How can MSPs package compliance as a service?

MSPs can offer compliance as a repeatable, billable managed service in tiers, with a base level of security and higher tiers for more demanding frameworks. Before-and-after compliance reports demonstrate the value and risk mitigation, and the process becomes repeatable across clients once the first one is set up.

Which benchmark rules commonly cause user friction?

Rules that break Touch ID, lock accounts after five failed logins, prompt for username and password with blank fields, enforce a 365-day password lifetime, or conflict with an identity provider’s passcode payload are the most problematic. Addigy curates some of these automatically, and pairing benchmarks with an identity provider reduces login and keychain issues.

Does Declarative Device Management require supervision?

No. Declarative Device Management does not require supervision or automated enrollment through ADE, but the device must be enrolled in MDM. Declarative changes are persistent and cannot be turned off by the end user.