Compliant by Default: How Smart MSPs Are Automating Apple Security
And, people are still joining. So, if you’re still if you just joined, everybody’s sharing where they’re based out of, where they’re from. If you wanna share something additional, feel free to share your World Cup team or if they’re eliminated, whoever you’re going for now. But, today’s agenda or today’s webinar is complaint that, by default, how smart MSPs are automating Apple security. And So let’s start with the introductions. My name is Nicholas Ponce. I work here at Addigy. I lead the operations and security team. And and, Brent, do you wanna share a little bit about yourself? Yeah. My name is Brent Porter. I work for MSP in Minneapolis called Master Switch IT. I actually just had my nine year anniversary there. So I’ve been working, yeah, in IT since about twenty ten and, working in MDM, since about twenty fourteen, I think Awesome. Or something like that. In twenty seventeen. So you’ve been at Master Switch for you since twenty seventeen? Yep. Yeah. Twenty sixteen, twenty seventeen. Yeah. Yeah. I’m about I think I’m on my nine year anniversary here. I added you this year too. So Yeah. Because I went to an event in Miami, and I think you spoke at and that must have been, like, just, like, twenty nineteen. Yeah. Yeah. That sounds like one of our first Addigy Summits. We did it. Yeah. It was really Yeah. We did Addigy Innovate virtually in twenty twenty two post COVID. That was fun. That was the last one we did. I may be spilling some beans here to other customers that are on the line, but we may be doing another virtual one pretty soon here. I’m not gonna share more than that. But Oh, cool. We’ll we’ll continue on with the agenda because I’m sure everybody here wants to wants to be, find out about compliance here. So, our agenda is three parts. Consumer ready is an enterprise ready, part two compliant by default, and a live demo, and then part three, turning the gap into growth and packaging of compliance and things like that. So let’s get started. So part one, consumer ready is an enterprise ready. We did a quick introduction, so we’re gonna spare you again with our details and go straight to business. Alright. So built for the person and not the business. Apple’s defaults are optimized for personal use and not necessarily our business usage. Right? So, you know, we see this a lot, but, by default, like, devices aren’t enrolled in MDM. Right? They’re not business managed, so why would they? There’s no there’s barely any password policy. I think by default, it’s four characters on, on any macOS. Right? So someone could put something pretty easy. I think most people put one, two, three, four, five, six. Brandon and I were talking about that on, like, test machines and things like that, which can bring its own risk. You know, they tend to sync everything like iCloud. I know a lot of people wanna use Apple devices so they could use their personal Apple ID in them or personal Apple account, and then they can message people at work all day and so on and so forth. But I think a lot of the concern from a business perspective is is company data and not being shared through their personal accounts. Right? ICloud Drive. Yep. That’s a big one. Yeah. AirDrop. Right? Like, why why do they need to AirDrop files to another device on their network or in their proximity? Right? Is that a business device? Where is that data going? Things like that. Yeah. And the myths versus reality. Right? Like, the myths that we hear a lot are Macs are more secure, and the reality is they’re secure for consumers. It’s not the same as compliant for business or secure for business. And one could argue right, Brent? We were talking about this earlier is that one could argue that they you know, probably some of those bells and whistles should be enabled for consumers. Yeah. I mean, definitely, they probably shouldn’t. They’re all they add a lot of stuff, but they usually make them for convenience and ease of use. You know? So, but it just has to be managed in our environment. One hundred percent. One hundred percent. Alright. So we’re gonna launch a poll here. And sorry. I’m we’re gonna do our best to pay attention to questions as they come on. Will the side decks, whether we get the side deck as PDF? I know we’ll get a recording. I’m not sure about the PDF as side side deck as a PDF exportable, but I will, I don’t see why not. So, only probably might be hosting it where we host it and so on and so forth. But following this webinar, there’s gonna be a recording usually, and we’ll send out that recording as soon as possible. I’ll double check about the PDF. So, while I’ve been talking here, plenty of people have been filling out the poll, which is great. And some people have a full compliance workflow. Some people say it depends. We some people say basic MDM profile enablement. Some people say we manually do it. We’re getting pretty good answers, so we’ll leave it up for a little bit more. But let’s move on to the next slide here. So the compliance gap, no one warned you about. Right? Because, again, the myth or mythos is you know, that these devices are secure by default. Like, you know, there’s a lot of marketing towards that. But they’re they’re, you know, they’re about half or about fifty percent on the way to business ready, compliance out of the box. So meaning about half the controls will fail, from a new Apple device shipped out of the box, if you apply even the most basic default benchmarks like CIS level one. Obviously, if you deploy, like, the SysTig or CMMC, those are gonna be even larger number of rule failures. So let’s so there’s several different frameworks, and the underlying gap is, right, that these are designed for personal use and not business use, so they don’t map to really any of the frameworks. And the CIS controls or the NIST controls don’t really immediately address that if you don’t have them applied. Right? You you need to apply them to actually achieve these compliance frameworks. So, like, SOC two, ISO twenty seven thousand one, we have Cyber Essentials in this two here for our friends across the pond. Right? These are all frameworks that auditors will attest you to. Right? You pay a third party auditor to or or your customers will pay a third party auditor to assess them. A lot of that comes back to what devices are you using and how are you securing them, or how are you hardening them and mitigating risk. Right? Brandon, what what you know, as a US based MSP, what would you say, like, the most common audit you see your customers go through? Yeah. The most common for us is for sure SOC two. Yeah. And we get a lot of clients that are required to do that. They either from their clients or insurance or something of that nature. And so that is for sure the most common one that we see. Yeah. Yeah. One hundred percent. And I think SOC two is more for the states. ISO is more for, you know, international. I know UK folks got Cyber Essentials, which we added a benchmark there. If you haven’t checked, like, we have a point and click Cyber Essentials benchmark. I’ll show that off when we get to the live section. That makes your lives easier so you can easily report and, attest to Cyber Essentials compliance. But there’s all a whole myriad of different, frameworks that people might comply with. Right? So, you know, there’s a lot not even mentioned here. Right? So what are these frameworks consist of? Basically, it’s a compilation of, macOS configurations. And what those what are they and what they do is basically a list of three hundred a little over three hundred rules. We built a database so that we can align them to whatever benchmarks they’re in so that it makes our lives easier for testing and so on and so forth because, you know, we’re before we push out those benchmarks to you guys, we test them. We validate them. We make sure they’re doing what they’re doing. And if it’s gonna cause any user experience, we try and change, which try and get that in front of you guys before we release them and make those changes. So if you didn’t use a tool like this, you know, all of this would have been manual. All of this would have had to been tested and validated, etcetera. But you can see here, like, a lot of these rules span multiple, compliance frameworks or benchmarks. So, like, OS gatekeeper enabled is in almost every single benchmark you’re gonna find. Right? You know, it’s a good security practice to have gatekeeper enabled, and that shows with it being a member of every single benchmark, whether that’s CIS level one, CMMC level one or two, etcetera. So some roles aren’t aren’t in every benchmark. Yeah. I’m sorry, Brandon. I cut you off. I was gonna say on the gatekeeper, that is one that just we just build custom ones for, like, onboarding purposes, and gatekeeper is definitely one in there Yeah. Because it is across all compliance. So Yeah. Yeah. And we’ll talk about, like, friction and and kinda refusal to to want to comply with some of these rules later on, but I know gatekeeper can sometimes do be cause friction for developers or things like that. So we’ll talk about the friction points with deploying these out and kind of outcomes and expectations. So alright. Poll two. We just talked about compliance benchmarks and kinda how they align to to the frameworks out there. Here are some frameworks. What are you guys seeing the most? Are you seeing SOC two, ISO twenty seven thousand one, Cyber Essentials in the UK? Right? FedRAMP, GovRAMP for government DOD compliance, and we don’t even have a bunch out there that are still out there. Like, you know, I’m sure people are thinking about HIPAA and some other you know, there’s an Australian privacy act, right, and things like that. So PCI, I think, is one. PCI compliance. Exactly. Okay. We’ll give some time. There’s already quite a bit of answers for the poll already, so we’ll keep it up for another minute or two to see if we can we’re at seventy five percent participation. So great guy. It’s great great participation, y’all. So keep filling out that poll. We’ll leave it running as we continue on the next slide here. Alright. So compliant by default. Right? From manual project to default state, right, like, you just compliant by default actually means right? Like, enterprise ready shouldn’t be a manual project. Brent, I know we’re gonna talk a lot about this, right, because you’ve tried to do this manually. I’ve tried to do this with our customers manually. It’s not a great experience when you try and do it without any sort of tool. In fact, probably shouldn’t even do it without any sort of tool because it’s it’s untenable. Right? It’s overwhelming. It is overwhelming. One hundred percent. And, right? Like, what does it take to close the gap? Right? Like, you’re gonna have with Addigy, you get real time visibility to know where your devices are right now. If you have the Addigy products, you can go to benchmarks and apply monitoring only. Is an example with monitoring only. Right? It’s not remediating devices. It’s not making them compliant. It’s just showing you what the status of the devices are. Out of the nearly forty devices, only eleven are compliant. Right? This is great to show your stakeholders, before starting the project, before offering them the services, or offering it as, like, an exploratory service of, hey. Let’s take a look at where you’re at today. Baseline, what your scorecard is. Right? Like, compliance scorecard on your macOS devices. Because right now, it probably isn’t that great if you’re not doing anything. Automated enforcement will help flip these, you know, twenty eight devices to, you know, to compliant and make thirty nine compliant devices with remediation. And that is all reportable and helps you reinforce that information to the customer. Alright. Okay. So we’re gonna take a look at a live demo here. So I’m gonna exit full screen for just a second. I’ve got a device here. It’s just a virtual machine. If you’re rolling this out or if you’re curious about it, if you haven’t tested it or better yet, Brent, right, like, if you’re rolling this to new customers, you can always put a VM in their policy and have it go through or a sub policy and have it go through the compliance status for the customer. So you can show them what the look and branding and feel will all be like when you deploy this out. So let me pull up the Addigy interface here. Alright. So this is a Mac OS fifteen device. This is something I like to call out. The benchmarks are curated for operating systems. Right? So I have Mac OS fourteen signed, but I don’t have fifteen assigned yet. So the device doesn’t have compliance. Reason why this flow is like this is because, every year, the team at NIST and CIS will curate the benchmark uniquely for each operating system. So they are not the same. So you can’t just assume Mac fourteen and Mac OS twenty six are the same because they’re not. Right? Like, there’s different settings. There’s different features. Twenty six has a whole bunch of AI stuff, whereas, like, fourteen didn’t. Right? So I’m just gonna while I’m blabbering here, I’m gonna add this one, CIS level one. Right? So this benchmark is CIS level one. I curated it beforehand just to save time. I didn’t assign it. Hopefully, I can get the whole status done before the end of the call. I’m gonna, if you ever if you ever done this before, just deploy now. And, yeah, that should, push out the benchmarks pretty quickly here. Let me make sure my device accepted. Quail is in the policy, and it should get that compliance settings very quickly here. Now I’m gonna quickly go over to where we build the content. Right? So the catalog’s where we build the content. The policy is usually where we assign it in compliance here. Here are all the benchmarks. So this is CIS level one. That’s pretty industry standard. Brent, do you use CIS level one, or that’s the one you kinda target the most? Yeah. I’ve used that a lot to even to build custom ones just to use it as a base. And Yeah. That is the one I use the most frequently. Yeah. No. That’s that’s a great point. It’s it it is a great base. Like, if you’re not sure where to start, has ninety seven rules in macOS twenty six. As you could see, it’s kinda changed over time. MacOS fourteen eighty seven rules. As Apple adds things or changes things in each operating system, they add new controls over it. And as you mentioned too, I’m preparing for Tahoe upgrades. I had to go through and, you know, create new ones and go through the changes and go through additions and stuff. Yep. Exactly. And as Brent mentioned, he uses that as a template. So what he does is presses clone And he’ll sort the rules and look at the rule names that he doesn’t wanna add or, you know, wants to start with. You know, I think the very easy ones are audit logs. Right? Like, that’s not gonna change any user experience. It’s just gonna have logs in case something happens. Right? Like You know, if, god forbid, something does happen, you have logging so that the forensic team can go and check. Otherwise, you know, the law sorry. The logs rolled over already, and we don’t have that information. Yeah. It’s a process too. You know? It’s a process going through it internally with the team, going through it with the client, what the requirements are, what their needs are, and, you know, making the decisions on what needs to stay and what what can isn’t necessary. Yeah. So you could very simply just say, like, I wanna do everything but disable a few settings here and then press save and create it as your own. That’s basically what we did already with these benchmarks. You could see they’re labeled with clones. And you could do that for any of these benchmarks or baselines. Some of them say benchmark. Some of them say baseline. That’s because the team that curated them, the CIS team members, they will basically, say a baseline is like guidance. Right? Like, it’s not a prescriptive benchmark you just apply as is. But there’s gonna be settings that aren’t actually controlled or things they recommend that nothing is actually done. It’s like, you have to go do it. So if you look at the view details here, you can try and see some of those things. Right? Like, this requires manual remediation. This is a profile, and that means we’re gonna install a profile. Manual remediation means that we’re going to ask like, you need to go do that. Right? Because, like, someone has to stick in a specific smart card. You have to have smart cards. Know, CMMC is geared for Department of Defense, US government type stuff, so you you wouldn’t need you would need to, you know, manually sort that out. And then some of them run scripts. Right? So that’s what makes, like, doing this yourself so challenging. Right? Because some of this is done through scripts. Some of it is done through profiles. Some of it is done through manual remediation. And having to do all this on your own for, you know, eighty two rules in the CMMC level one, but let’s say you need level two, guess what, two hundred and eight rules. So become not only do you have to curate the scripts and the profiles and add them to some environment to go deploy them out, you have to track whether they’re compliant or not after the fact, report it on it regularly, and then handle the revisions to these benchmarks. One of the questions that we just got out, probably gonna what’s your name? Asked was, if you clone something, is that gonna get updated automatically? Yes. It would get updated automatically. We keep those benchmark rules synced with what the actual Inist or CIS team, makes changes to. So if they make changes to the rules, we will review those changes and apply them. And, obviously, communicate that out through our releases page and our status page, before the release. And, we also try and verify if there’s gonna be, like, any customer impact on those releases. So, that’s a great question. One thing I would mention too is with the, the monitoring and remediation. Like, you know, in some instances, we I I I prefer using the remediation. But if you just wanna do monitoring, you can use the scripts from the remediation to actually build your own scripts to to remediate it if you have to also. So Oh, that’s a great point. That’s a great point. So, like, what Brandon is saying is, like, not only do we have the rule name there, we have the actual test. So you can grab this script and run it from Addigy from the devices page to see what the test result is returning, and you can actually see the scripts that you want to, you know, run the script yourself manually through a manual remediation. Also, we provide a rule description explaining what the rule is going to do, why it’s enforced, what the rationale is to it. Along with all that, we provide a PDF download here that you can click. And That’s really useful for clients too, you know, the PDF to review and stuff. Exactly. So that gives you a PDF like this with every single rule. So to Brent’s point, it’s gonna give you a write up that you can provide the client. Like, here’s everything we’re doing. Not just that. Here’s how it maps to in this eight hundred fifty three revision file. Here’s how it maps to CIS controls v eight. Here’s how it matches maps to CCE. Right? So that’s also important for the compliance and audit team, like, to understand, like, what what do these rules apply for? Right? Like, authentication eight, authentication three. Right? Like, all these different controls from these different benchmarks. Okay. What’s going on? Okay. So where was I? Alright. So all these different benchmarks, these are monitor and remediate, but there’s also monitor only. So, again, start with monitor only if you’re not doing anything. Get a good grasp of the fleet and where it’s at. It won’t cause any changes to the end user experience. It’s just reading the status of those complaints. We also have the Cyber Essentials here that we launched a month or two ago, and we just launched AI Compliance Basics, which is a brand new benchmark. We’ll talk about that at the end. But, like, as an example, if you wanted to build your own, right, and let’s say you guys are allowing AI bench in your organization, maybe you’re only allowing, you know, maybe you’re only allowing Claude and maybe another one like Google Gemini if you’re a Google Gemini shop. So you’re gonna allow Claude and Google Gemini, but, like, OpenAI or ChatGPT, Microsoft Edge Copilot, DeepSeek, which is, like, the Chinese version, you know, you don’t want, and you don’t want your end users using it. So this is really point and click way. And I’m gonna create this one now with those rules in place and save it. And just like that, it created that benchmark, and then that also has a report as well. So you can see my device here already had the CIS level one benchmark, and that’s why it immediately went to pass. So you could quickly see you know, it’s I don’t know how long I’ve been blabbering away here about these benchmarks, but I signed this, what, Brent, like, maybe five, ten minutes ago on that. Five, ten minutes ago, Brian. And, you know, you you let’s see. You’ll also you can make this available to see for the end user if you wanted to so they could see all their compliance status. And better yet, which we didn’t really get into, Brandon, all that much in in the slide deck, but I like to talk about it is that you can tie this into conditional access with Microsoft. So we have a Oh, yeah. A Microsoft Intune integration so that you can sync the devices to Intune and then apply conditional access policies in Intune. And then once that’s set up, you basically can have a zero trust environment with compliance. So, like, if they don’t have all the rules passing, then they can log in to Microsoft resources on their work device. Right? Yeah. That’s the that’s the gist of it. And we actually recently added the option because the the ability to basically check box things that you don’t want to impact their compliance. So you can experiment with benchmarks, and and those benchmarks won’t actually impact their ability to log in to Intune, which is very cool. K. Yeah. I find I find the clients really like the, being able to see the compliance too in in self-service. We have a couple that really really like to be able to see that. You know? And I think it’s reassuring for them. You know, you go in there and you see all the checkboxes. Everything’s green. They know that they’re in good shape in there. Yeah. I I agree one hundred percent. Sometimes I’ve even had, like, internal employees ask me, hey. I’m failing, and I don’t understand why. Right? Yeah. And it could be something they’re doing. It could be something just, like, Mac changed or something like that. But, yeah, those compliance benchmarks are really easy to deploy, really easy to set up and manage. And then, you know, we give you compliance performance reports and things like that to show you. This this is a prebaked one. I don’t think I’ve changed it at all. It’s a default. So you can see this is a historical report, so it’s running from June seventh to July seventh yesterday. So my devices were not compliant as of yesterday. But that should change tomorrow. Right? Pedro asked, how do I get those in I have benchmarks? I’m gonna make you stay till the end, Pedro. If not, can ping me inside because I know you will, and to see where that is so that, everybody everybody hangs on here while we finish the presentation. Alright. Let’s go back to the slideshow. Alright. So from consumer baseline to enterprise ready, right, like, of the box, the starting point, it’s a consumer device, onboarding, close the gap, right, deploy the benchmark. We watch this you know, you can watch auto remediation, fix things. You get an auto report, within one click like I just did, and then, a multitenant view for every client. Right, Brent? So, like, how do you find this, deploying this out for, like, multiple clients? Yeah. I mean, it’s kind of different for every client. It’s it’s super useful because you can build onboarding policies and you know a device is ready for us internally too. We know it meets all the compliance before we even send it out to them. So it it’s useful in that aspect. And then just for, for everything from insurance to audits, all of that, you have it just right there. You know if something’s out of compliance, you you can remediate it immediately. You have auto remediation. It’s it’s incredibly useful. Yeah. I I couldn’t agree more. Alright. Another poll. So in your customers’ environments, is there something that you guys, you know, disable or, like, just set up by default? Right? Yes. For if you ask me, for us, like, we always do, like, FileVault by default. We do, like, firewall, obviously, gatekeeper, SIP, you know, things like that, built in in built in Apple protections. I think of some other ones that are just for across the board. Yeah. I think we even put together a get out of here. I think we put it we used to at least put a, like, a default, a base security with six rules. Oh, yeah. Yep. SIP firewall, remote desktop, gatekeeper. This doesn’t remediate errors. It just checks. Right? Like, these are, like, you know, the most basic of the basic things that, you know, you kinda expect. That’s basically what I built for every client. And then, of course, we’ll add in because each client for us is an MSP may have different tooling, different things. So I’ll add those in so we can visibly see them. And then on top of that, I’ll put the layer of more granular compliance, bill builds for them. You know? Yep. And we’ll log in to see him. Yeah. We got a bunch. We’ll talk about some of that. So we’ll leave that pulled up here and just turn the slideshow back on. Yep. What happened? Alright. So turning the gap into growth. Right? Packaging compliance as a revenue stream. Doing this from multiple clients, you know, m s packing this up as a MSP and and, you know, making it a service, a repeatable billable service. Right? I think that’s important. Right? Brett, why don’t you talk about how you do that, master switch and kinda Yeah. We we talked about that a little bit. You know, instead of more of a break fix, it’s kind of evolved the the, managed service agreements based on the client’s needs and also just different levels. So, you know, you have a base level of security. It always includes security, but you do have to bill out, you know, with the more compliance you need, things like that. So you have different tiers of of, managed service agreements that that’s kinda changed, I think, with security being more important and and just being, you know, an automatic protection for clients. Yeah. Yeah. And, you know, I I’ve I’ve always found this a challenge when working with other MSPs about, like, how do they package this up and convince an existing customer to subscribe to the service, right, or tier? You know? And we talked a lot about proactive versus reactive. Right? Like Yeah. If if they’re already paying for stuff like this, it becomes a hard sell. But if they’re not, you know, like, it’s it it you know, give them a sort of, like, a tier one or tier two of, like, different approaches that you can offer to them. This is, a very once you get the hang of it, it’s a very repeatable process, as you mentioned. And showing them the value and what you’re doing to mitigate the risk in that organization with these reports, especially, like, the before and after, I think, are are very powerful tools. Yeah. The communication’s so important. You know? Like, keeping that communication line open and updating and and, you know, reviewing things on a regular basis, documentation of it, and all that. Yeah. One of the one of the questions in the chat guys, if you it’s easier for us to address them in the q and a box if you can answer them in q and a box. We’ll try and hit the chat up as well as much as we can. But one of the questions Thomas asked was, what would the add on pricing be for managed compliance service per device? Do you have any indications for this? Like, how how do you guys usually sell it, yourselves? Like, you you charge them, I imagine, per device, on a different subscription tier depending on what the requirements are? Yeah. No. I think it’s mostly you know, I don’t I don’t have direct insight into, like, all the billing and stuff, but I am I’m pretty sure it’s, like, on a per device type basis because I know, like, each client, you know, has different services, so those that changes the per device bay cost a little bit. Yeah. Yeah. Like, the premium tier was as an example. Right? Like, I would say, like, you shouldn’t be doing the premium tier for free. Right? Like No. No. Yeah. That’s a lot of work. Yeah. Yeah. You have to make your money as a as a managed service provider, so you you do definitely have to charge for all those services. Yeah. And and having that conversation, I think, is important, especially, like, beforehand when they’re up against an audit, and now they come to you saying, hey. I have a SOC two audit or I have a ISO audit that starts next week. I need you guys to make sure my devices are compliant. Right? I I I know you probably I looking at your face, I I know you probably gotten that often. I know our customers have gotten that often. And it’s like, well, you know, we can, but what you know, that’s gonna cost extra, which is sometimes a friction point. But, you know, if they need to get that done, you know, that’s that’s gonna cost, and it’s gonna take time. And on top of that, this is not something that should have just been done right before they’re about to do an audit. Right? Like, this is stuff that should have already been in place. It’s odd as a period of time audit, like a SOC two type two versus a SOC two type one. Not a point in time period of time, right, you have to prove that you’ve been doing it for x amount of time, right, which becomes more challenging when they come to you with the audit requirement the week before they start the audit. Yeah. So I’ve seen a lot of Luckily luckily, I don’t have to have those conversations about the cost, but but I know that internally the people that here that do, and, it, is probably a challenge. It sounds like a challenge. Yeah. But Yeah. I mean, you know, nobody wants to pay more. Right? Yeah. That’s always That’s the That’s always the conversation. Nate said, forward your customers to possibly explain how business at Fort Sight works. I think we all understand this dilemma, right, where it’s like, someone comes to us with a deliverable that’s due immediately, and it’s like, well, something had to be delivered before this. Yeah. So Yeah. You know, I I think it’s a great conversation starter if they’re not doing it. Right? It’s like, hey. What are you doing for compliance? Are you following any frameworks? What frameworks are you following? And how like, you know, do you do you have anything doing that today, or do you need us to, you know, do this for you at, you know, for the with this service offering? Yeah. I think that’s where the proactive approach makes it easier. You know? Like, if there is a proactive approach and some of this has been done, you know, they sometimes they come to you and and there isn’t gonna gonna be a lot that has to be done, but, you know and then sometimes it does require additional add ons. But Yeah. Exactly. So the retention and scale then is right. Like, we’re giving you PDF reports that give them clear, distinct guidance on what we’re gonna do to the device and how and why it makes them, you know, less risk averse. Right? Clients who understand this will probably not be will probably be less likely to to leave. Right? You get them more sticky. Right? Like, you can do this repeatable for many customers as easy as the first one will it takes a while for the first one. But after the first one’s set up, you gotta get to understand the process how to, you know, bake this for the rest of your clients. Yeah. We’re in an instance where an audit was done, and and they want us to expand managing devices. You know? We only we only manage a certain amount, and now there’s conversations about maybe expanding that because they had an audit, and and we did well in it. So Yeah. A great example. And we handled it well. Great example. Another use case here is AI. It’s like, hey. Yeah. We can expand. What are you doing for AI? Right? Like, do you have any compliance requirements over AI? And then when you have benchmark can help you maybe with another offering of, like, you know, compliance, and then there’s AI management. Right? Because that’s a whole another beast. Right? And I think AI is just getting started and, you know, everybody’s looking ways to make sure that, like, you know, all their all their data doesn’t belong to Skynet or whoever. Yep. Alright. Alright. Things holding MSPs back. Right? Like, I think we talked about this a lot because, you know, you you mentioned this to the organization, and they’re gonna say my Macs are already secure. This is gonna frustrate my users because they’re not gonna be able to do certain things, and we’ve been getting by without this. What are some of the what are some of the things that you approach these kind of pushbacks with, Brent? Yeah. I mean, you hear a lot of these. One one that I always hear is is people are worried that, like, you’re spying on them or something. Some of these security things are but, you know, just from the individual, employees and stuff and reassure them that that’s not the intent at all. You know? The always the intent is to, to make their business secure, to protect them from, outside harm and and and to keep the them productive in doing what they do best. So, yeah. And the reassurances you know, there’s just examples you can show, like removing admin rights. It actually didn’t cause a bunch of headaches. It actually helped because people’s software, you know, is all aligned. There’s not random software everywhere. There’s not people getting files that they can’t open or something, and and, and they don’t have a problem with submitting a ticket then. And and they’ll work with you on it, and you can resolve it. And it becomes actually less of a of a headache where they might not know how to do something and try and actually cause more of a problem than anything. Yeah. And and even Addigy has the feature where you elevate, you know, admin rights. And so, yeah, there’s just it’s a lot of conversations, though, you know, just to to to get the points across to them. Like, yeah, you know, the you know, you might think it’ll it’ll slow down your employees, but, actually, in the long run, it’ll probably be more productive for your employees, you know, and things like that. Yeah. So I I’ve seen all sorts of objections, and I think the best way to approach any concern around it is, approaching the deployment gracefully. Right? Like and with empathy. Meaning, you know, these guys have concerns. Right? Yeah. You mentioned, like, no not just about their privacy. Right? Like, in fact, like, these controls usually eliminate most of the privacy concerns where people actually can’t spy on you with these controls. Right? Like, you’re hardening the device. So remote login, that’s how that came up in the chat. Remote login, remote management, all these things by default get disabled in these benchmarks. Right? So, like, it’s not letting people spy on you. It’s quite the opposite. We’re trying to prevent Yeah. Foreign adversaries, you know, malicious actors, whoever, from spying on you or accessing your devices remotely through remote access means that shouldn’t be enabled or so on and so forth. Right? So, you know, sometimes they are legitimate concerns. Like, we’re developers. Like, I need to build apps that are on sign because I’m developing an app, and I can’t go to the Apple Yeah. Developer. Developers are usually kind of the exception to all users. You know? Like, you try and update the things you can that you know won’t affect them, and and then the things that they need to control, you let them control it. But Yeah. Exactly. It’s like, I need to disable SIP to be able to access this. Well, it’s like, well, don’t worry. The benchmarks can’t control SIP anyways. Nobody can control SIP, but you do need to Yeah. Yeah. Admin access to do that, right, and so on and so forth. So it’s nice to know it’s enabled. It is nice. Security integrity protection seems like a pretty important feature. Yeah. You definitely like to see that one on. Yeah. Exactly. Exactly. So what we usually suggest is like, okay. Let’s do monitor only. Let’s get that fleet visibility. Let’s get that baseline so understand where things are. Show the stakeholders, hey. You know, by default, half these devices are, no. Like, half the settings on these devices are not in compliance. So let’s look at, you know, which ones are gonna change, and it’s usually, like, half the benchmark or so. And, you know, are these problems for your users? In most cases, they’re not. Right? Like, in most cases, they wouldn’t know the difference. Right? Like, a lot of it was audit logging and and, things like that. Yeah. We talked about it too. You can kind of tell by the ticketing. You know? Like, if you you’d see these changes in ticketing. And even though we’ve added more security over the years and we’ve been able to automate everything and do everything proactively, we’ve actually seen a reduction in ticketing. And then when you do see something show up in ticketing, oftentimes, it’s something that you can resolve a lot faster, you know, based on the compliance benchmarks or the remediations or the you know? Definitely, Addigy is the tool that helps us get that done. But Yeah. Yeah. And I think the key point is getting getting the visibility where they stand today and then having a a tool like Addigy that can quickly close those gaps, like, you know, thirty minutes or less. But I think that’s that’s the easier part. Right? The harder part is informing the user base, you know, getting buy in by the stakeholders of the organization, and then curating some of those rules. We’re gonna talk about some of those rules that are problematic. I saw some something in the chat saying, like, can you guys highlight that? So I put together just a quick table of some of that. I think one of them was mentioned in there in the chat. So let’s see if, Alright. So before and after the compliance snapshot. So, right, like, that’s what we just talked about. Like, before you deploy monitoring only. Like, there’s no harm in it. There’s no remediation applied. You can get the gaps and share it with the stakeholders. And then after, once you do deploy it, within thirty minutes or so, you’re gonna see the status, and it should be getting near a hundred percent. You’ll get a full picture for your stakeholders and reporting to give them. And, you know, it will probably make you help at least sleep a little bit better at night. I I don’t know how much it will make you entirely there’s all sorts of problems out there. Right? But, you know, I think it’s kinda like an antivirus or an EDR solution. Right? Like, having that in place, it just gives both the the user and the admin a little bit more, you know, little bit better feelings about the status of the device and its, you know, risk out there in the wild. Definitely. It’s amazing. It’s pretty amazing for you, especially if you consider how long it would take to manually do all that stuff, and then you can just see it happen in that, you know, thirty minutes, like you said, maximum probably for seeing the results of of everything that’s configured. Yeah. So, like, it should turn from, like, a concern that compliance benchmarks are coming to, like, you know, this isn’t, you know, something I was worried about something and stressing about change when, really, you know, there was not a big concern. Or, you know, I think a lot of it’s so what we were talking about earlier, Bren, is the developer concern, right, like, that, you know, our the goal here is not to disrupt their jobs. It’s to make sure that we’re all in agreement about how these devices are secured, how we’re managing risk, and how we’re making exceptions where maybe the developers do need exceptions. We comply with them, and I think that’s the beauty of the Addigy benchmarks. It lets you kinda, curate them for maybe the developers, but also curate the rest, benchmarks for the rest of the organization in a, you know, a very unique fashion. Yeah. That’s a good point. Oftentimes, it’s it’s separate based on you know, like, developers are being their own policy, and then other different users are being different policies. And you can sometimes we do curate those for for different groups of people based on their policy. And so one client may have more than one compliance or different compliances. That’s right. Alright. So, again, this will be provided after, but here’s, like, a list of ones we’ve seen that are problematic. The first one, eight, disable login to other users’ active lock sessions. By default, like, if you were just doing this on your own or with any other MDM solution, if they pull the benchmarks directly from the repo or the in this CIS repo, it breaks Touch ID. So Yeah. I think that’s that’s, like, something that’s not really known. There’s a note in that PDF that I showed that this breaks Touch ID, by the way, and here’s a custom command. So and and certain components, we curate that for you guys and in the benchmarks. So this is when we felt like there’s a rule to disable touch ID. This should not disable touch ID. If you wanna disable touch ID, use that rule. So we run that customer mediation automatically as part of our benchmarks and fix that guys fix that for you guys. And, again, we try and do that where possible, but, obviously, we don’t wanna make any, you know, assumptions for you guys. Limit consecutive failed login attempts to five. I I don’t know how many times I see this internally and with other customers where this rule is applied. And after five attempts of failed logins, their account is locked. They have to come to IT, you guys, and ask them to unlock your account. Combine that with the configure login window to prompt for username and password rule. This becomes kinda problematic because and I see Thomas man made this same rule and said it has a medium impact on users. Right? The reason why we’re saying this has impact on users is because it changes the user experience. And there’s some there’s a balance we have to draw between security and usability. Right now, the Macs out of the box are designed for usability and consumer consumer level usage. Right? Not business level usage. The security is kinda to the wayside to in favor of UX. Problem is when you chain when you add this rule, it shows two blank input boxes instead of the username. A lot of people don’t know their username. That’s that’s what you find out. So they’ll type their password in. The password will be right. They’ll get upset and frustrated that, hey. My password’s right. My device won’t let me log in. They’re using the wrong username. I don’t know how many times I’ve seen this. And those two rules in tandem, so maybe bumping up the number of attempts or, you know, after a while, they they don’t you know, they they may not have that problem anymore. They know their username. But, Brandon, I think we talked about this, and you had a great, like, what you guys do with with wanna share? Yeah. Like, yeah, like, using Azure Identity helps a lot with some of the the password and everything and the login window because then you’re getting to your IDP portal window, and they all know that stuff, and they can get in. But it also utilizes oftentimes the MFA. So when MFA is on, they require MFA. So you can kind of eliminate that, you know, rolling passwords, when it’s, you know, aligned with the, identity provider. So Yeah. Yeah. I couldn’t recommend that more. Identity helps sync the passwords together so they don’t have confusion. Then, usually, their username will be their identity credentials that they log in with Google without the domain in the email. You know? And a big ticket reducer for key chain. Yeah. Key chain too. If they do change, they’ve asked for it and log in. It prompts for key chain so you don’t have to, fix the key chain every time. Yeah. And then it like, I usually tell people to turn off this three hundred and sixty five day max password lifetime rule if they’re enforcing things in Google or Microsoft or Okta, whatever their IDP is. Yeah. We ran into that before. It really causes conflict. Yeah. And then they might you might have been changing it twice a year, and this doesn’t even recommend this anymore. It’s bypassed for hygiene. People just put, like, a one, two, three, four at the end, and next year, five, and next year, six, next year, seven. Yeah. You know? We’re both at nine years in our organization, so it’ll be like, Brent, one, two, three, four, five, six, seven, eight, nine. You know? Stopped doing that. But yeah. I have seen that and experienced that. Yeah. And and some of them, they actually removed. Right? So, like, enable time sync daemon, like, the NIST and CIS team removed this rule. Why? Because it was causing time drift. If you’re familiar with, like, when the devices aren’t on the right time, nothing works. Like, the Internet doesn’t work. Nothing works. Like, SSL certificates won’t validate because, you know, nothing works. Right? So they try and curate these benchmarks and rules and then validate them. But sometimes, like, Apple, you know, those things that causes them to break and they remove them or, you know, the operating system changes and some of these rules will go away. Okay. Last last conflicting thing there is passcode settings. Like, if like, my my strong recommendation is if you’re using identity, don’t use passcode settings. Right? Like, the passcode settings are being, or if you do, but, like, very limited ones because the passcode settings are being set by the identity provider. Apple’s passcode payload doesn’t actually match the identity providers exactly. Some of the settings are kinda weird just in general. Like, allow simple passwords is a lot what a lot of people uncheck and or check, I should say. And as surprisingly, as weird as that sounds, you should allow simple passwords in my opinion because it prevents any sort of repeating, repeating, ascending, descending character number. Meaning, you know, if they’re using real words, nine nine times out of ten, the real word will have a repeating or ascending character. And then it won’t work when they try and set the password that they’re using in their identity provider on their device causing frustration. So, try and keep that, aligned with your identity provider settings on storage. Okay. Alright. So, with Addigy, you can do this in minutes and not months. Right? The remediation should go pretty quickly. Curating your benchmarks should be pretty easy, you know, with that table, you know, removing those rules and then finding what the customers might need should be pretty straightforward. And then, you know, if you don’t use an automation tool, you know, like like Rose here, it’s gonna be eighty four years or whatever for You know, I think both Brandon and I have tried to do this without the benchmarks, and it’s a long and windy road with no, you know, clear path. Meaning, you you have to curate all the rules yourself. You have to deploy the rules yourself, make sure they work yourself, update them yourself, report on them yourselves, check compliance drift together, you know, like, somehow make sure that, you know, all this is working. And then guess what? You have to do it every year with a new benchmark. So it’s a lot. We’ve taken a lot internally to support these as well. So I’ve I’ve done this with one of our customers beforehand, and we took weeks or months just to get, like, everything deployed, for one benchmark, which was not fun. Okay. So what happens next? You know, this is important. Right? Compliance isn’t a checkbox. Right? Like, I talked about, I’ll talk to type one versus type two. Right? Period of time, point in time. Right? It’s continuous. It’s automated. You’re continuously monitoring the compliance status and automating it and documenting it. Right? So Charging all the time. Updating all the time. So the you know, the Apple’s building for the person. Addigy is building for the business. The gap that gap is your opportunity to package and sell as a service. Right? Because, again, you know, it’s not a one and done thing. Like, I and when you talk to your customers and position on that service, it’s not something you just deploy once and never look back because when auditors come, they’re gonna make sure are those devices even compliant still? Right? Like, I I you know, there’s a new benchmark. Did you apply the new benchmark? Did you curate the rules? Did you test it out? And, Brent, right, like, said you know, talk about how you’re winning with these with this as, like, a a problem solving solution that turns into a revenue stream. Yeah. Yeah. I mean, like, if you get audited and you just sweat it out. I mean, for a couple weeks, I was sweating out, and then it but then it’s not nothing like that feeling when they come back and say, no. We found nothing on here. You know? And the ability to be able to present them with all the data and information they need, like, really quickly when you get an audit. And it’s just helped us out tremendously, and and I think the Addigy’s approach to everything is so proactive, and and just the the access to questions and the help is so much appreciated, Naimi. You guys do so much for customer service when it comes to us being able to implement these things and and execute everything. So yeah. I It really it really helps a lot. Yeah. It’s a journey. Right? And Yeah. And, you know, we work together on it. So AI. Right? Like, we’ve you know, you probably hear about AI in every webinar at this point. I know I do. Every product has its own AI. This isn’t so much selling an AI feature, but AI it’s in a public beta. So to answer Pedro, I know he’s probably been waiting, for me to answer that. But if you go into account settings, under the public beta options, we have a bunch of public betas. If you didn’t know, we love, releasing them early and getting feedback from you guys. So, that’s very important to us. Like Brent said, like, we’re we’re very customer oriented. Like, you know, I’m in Mac. I’m in Slack. A bunch of us are in Mac. I’m in Slack. Whether they’re our team is responding or not, we all listen very close to you to what you guys are saying. And a a lot of what we heard is I have no idea what’s going on with my AI controls. I have no idea what AI tools are people are people are using out there. I have no way to control it or gate it or monitor it or anything like that. So guess what? We released this compliance benchmark I showed earlier that will help you, track some of this. Right? I think the team’s working on more than just this. So if you’re interested in it, try it out. Give feedback. Tell us what you wanna see and what you don’t like. That’s how we iterate and improve the product. But, obviously, AI is here to stay as much as, like, you know, there’s an Internet bubble, there’s AI bubble, but the Internet is still here. AI will still be here. And it’s gonna condition continue to, you know, reshape the digital frontier if you want. I’m a big Tron fan. So, alright. All I think is, this section here. So if you’re interested in learning more, contact sales at Addigy dot com or answer the poll. I think there’s gonna be a poll that launches right now. And then q and a. So if there’s more questions, let us know. I’m gonna go through the chat. I saw a couple questions in the chat that come through that maybe that we didn’t directly answer. Brian, what Chris asked, well, how do you handle apps that wanna auto update, but they can’t without calling us for things that this is more in line with your standard user question. I don’t know if you have apps in your fleet that have, like, update helpers is basically the gist of it, and how do they approve the update helper. It sounds like you use, like, some sort of temp admin the Addigy temp admin feature to maybe allow them to have temporary updates. Yeah. You could use that temp admin feature in the standard user environment, and it works really well. They’ll submit a ticket, and you can just schedule it, or you can just work with them live off the ticket and just enable it and monitor what they’re doing, check on it still. You know, there’s nothing else was done. But and then sometimes just to say, like, there’s some things where it’s just best to deploy something that disables an auto updater and as long as it’s a prebuilt app or it’s, you know, something else, you just allow Addigy to do that updating and not, the auto updater built in. Yeah. Yeah. Exactly. Yeah. So there’s but sometimes apps will have, like, a profile or sometimes you have to script out, like, disabling the auto update function. That can be Yeah. Awareness. Slack was an example where it was kinda breaking it. And and same with, I think, Firefox at one point, so I just had to disable that and and only use Addigy for the updating. And Yeah. And, well, I usually do both in self-service and, you know, prebuilt apps now. And prebuilt prebuilt apps have been just incredible. I mean, that’s just been incredible additions. So Yeah. I know the team has been working on adding a feature like this or looking into adding a feature like to help you manage update helpers or giving you the option to do it and then doing it for you. But I’m not gonna go too far into that. Yeah. Talking about features here. I will say you can also make Addigy temp admin available in self-service. It’s not like a native feature, but you can put it as a script. If you’re interested, I think we might have a KB article. If not, create a support ticket, the support ticket team can give you an example script that you guys can use. But I guess I didn’t even know that. That’s what I love about these. You can always learn something new. You know? Everyone you attend, you learn new things. That’s me. Yeah. I know our I know a couple of our teams have worked on stuff like that. I know I have as well. And, you know, that that goes to the point of, like, do you wanna give your admin your standard users ability to temp admin anytime they want, or do you want them to contact you so that, you know, you’re kinda gaining that. Right? Yeah. One of the things we didn’t get into was, like and apparently, I’m overtime here. But one of the things we didn’t get into is, like, know, there’s a context of, like, can they still be admins? Right? Like, I know we all are pretty confident with having our fleet of standard users. Sometimes users need to be admins. Right? Like, the benchmarks themselves, a lot of them don’t say, like, they need to be a standard user versus an admin because a lot of the stuff we’re doing kinda overrides their ability to admin. Right? So, like, profiles, you can’t really modify settings on profile that are enforced via profiles. Scripts, you can, but they’ll get reverted back within five minutes. Is that enough time for you to cause any damage? I think with declarative device management, right, like, that’s gonna be even a new option to do stuff where, like, it’s a persistent change, meaning, like, they’re not even gonna be able to turn that stuff off with declarative. It’s declared on the device and cannot be modified in any form or fashion, which is pretty cool. Alright. Alright. I think we answered all the questions live that were in the q and a. Are there any more in the chat? Let me take a look. Yeah. I feel like, like you said, admin rights isn’t really as important anymore because you can control so much. But removing it does kind of, I guess, unify, like, the applications installed. That’s one nice thing about having, admin rights removed. You know? They have to submit a request, so then you know you’re managing all the applications rather than just discovering, oh, wait. There’s these apps in here that aren’t being updated on this on this client’s certain machines or something. You know? Yeah. Yeah. Yeah. And that kinda eliminates some of the AI sprawl too. Right? Like, if they can’t install, like, random AI tools, you know Yeah. Mitigates that to an extent too. It can be reviewed at whoever maybe does that for the client, you know, or you can bring it to their attention. Hey. This has been requested. Yeah. A question just came in. Does the declarative management require supervision, or does that work with managed devices that aren’t fully supervised? I will say it has to be enrolled into MDM. Supervision’s so blurry and gray at this point over the time over the course of Apple changing everything all the time. So, like depend on devices on. Yeah. So dependent devices too. Yeah. Like, it doesn’t need to be automated. Does it need to be enrolled through ADE or formerly known as DEP? No. Does it need to be enrolled in MDM? Yes. Does it will it work with BYOD devices to an extent, I believe? Right? Like, it depends on if that declaration is, supported there or not. BYOD is a whole can of worms about what what they can do versus what they can’t do and Apple gating a lot of that stuff. Do you think supervision for macOS is kinda moving in that same direction as iOS where there will be a point where you can’t do much? I know Apple wants to go there. Right? Like, the the I, you know, I think Craig, the VP of engineering there, said, like, you know, there’s an unacceptable amount of risk on macOS as opposed to iOS because I can you know, iOS is completely gated. Right? Like, there’s a lot you can’t do. It’s not like an Android device where you can jailbreak it into things or used to jailbreak them more regularly on Apple. So, you know, I think macOS, like, the interior, you know, is lot more aligned with Linux still, and it’s gonna take a long time to migrate that over. Right? Like, they want us and to switch that over is not easy. Right? If anybody who’s familiar with software development knows, like, any sort of migration on existing code, especially a platform that’s been around for twenty years, it’s like moving the Titanic. Going back to my Rose reference, you know, eighty four years on I’ll just show I’ll just show her again. It’s been eighty four years since we started that migration. It’s probably what Apple’s gonna say. And, you know, Mac OS eighty four or whatever will be maybe like an iPhone. Maybe not. You know? It’s hard to predict the future, but I know they wouldn’t love to do that because it it, you you know, it it mitigates risk for their operating system. I think in the Yeah. At the end of the day, like, we’re having this conversation to mitigate risk for their operating system and devices. Right? So How can we all work together to mitigate risk? Well, at this point in time, the compliance benchmarks help mitigate that risk tremendously, and they’re point and click and very little friction involved from the admin side and, like, deploying that out and making it reportable to customers. Yep. Alright. And we’re a little over, so thank you everybody for joining. I see, some people may have dropped off already. If you guys have any other feedback, comments, questions, drop them in the chat. Otherwise, thank you. Have a great Wednesday and the rest of the week. It’s been a great conversation. I really appreciate you guys inviting me. It’s been a good experience. It’s just really fun. Happy to to get together and talk about it. Really important. Thank you, Brent. You know, your insight is extremely valuable, and I think it it really helps to hear how others like to win in it, you know, from an MSP lens scale. I can’t I can’t thank you guys enough at Addigy for all you do. I mean, you guys are always there, help all along the way, and it’s just a great platform. So Thank you. Thank you. Yeah. We work hard to try and make that happen. So if you guys have any feedback, you know, I’m in my cabin. Brent, I think you are there too. So if I probably don’t go there very much. But I’m sure you do when you need something. So, yeah, you guys know where to find us and how to reach us. I just reach out to support, and it’s always there. It’s always helpful. So Yeah. They’re rock stars. Our support team, you know Yeah. Always help. Real rock stars. Awesome. Alright, guys. We’ll call it, and let’s see you on the next one. Alright. Thanks, Thank you, Brent. Thanks, Eddie. Bye, Eddie.
Compliant by Default: How Smart MSPs Are Automating Apple Security
Introductions
Nicolas Ponce (Addigy): My name is Nicolas Ponce. I work here at Addigy and I lead the operations and security team. Today’s webinar covers compliance by default: how smart MSPs are automating Apple security.
Brent Porter (Master Switch IT): My name is Brent Porter. I work for an MSP in Minneapolis called Master Switch IT. I just hit my nine-year anniversary. I’ve been working in IT since about 2010 and in MDM since about 2014.
Nicolas: The agenda has three parts: consumer-ready is not enterprise-ready, compliant by default with a live demo, and turning the gap into growth by packaging compliance as a service.
Consumer-Ready Is Not Enterprise-Ready
Nicolas: Apple’s defaults are optimized for personal use, not business use. By default, devices aren’t enrolled in MDM, the password policy is minimal (around four characters on macOS), and everything syncs to iCloud, including iCloud Drive. Features like AirDrop raise the question of where company data is going.
Nicolas: The myth is that Macs are more secure. The reality is they’re secure for consumers, which isn’t the same as compliant or secure for business.
Brent: They add a lot of features, but they’re built for convenience and ease of use. It just has to be managed in our environment.
The Compliance Gap
Nicolas: A new Apple device out of the box is only about halfway to business-ready compliance. Roughly half the controls will fail against even a basic benchmark like CIS Level 1. Stricter frameworks like STIG or CMMC produce even more rule failures, because these devices are designed for personal use and don’t map to any framework by default.
Nicolas: Frameworks like SOC 2, ISO 27001, and Cyber Essentials are attested by third-party auditors. What matters is which devices you’re using and how you’re hardening them to mitigate risk.
Brent: The most common one for us is SOC 2. A lot of our clients are required to do it, whether by their own clients, insurance, or something of that nature.
Nicolas: SOC 2 is more common in the States, ISO is more international, and UK folks have Cyber Essentials, which we’ve added as a benchmark. A framework is essentially a compilation of macOS configurations, a list of a little over 300 rules. We built a database that aligns each rule to the benchmarks it belongs to, and we test and validate every benchmark before pushing it out. A rule like “OS gatekeeper enabled” appears in almost every benchmark.
Brent: Gatekeeper is one we build custom rules around for onboarding, because it’s across all compliance frameworks.
Compliant by Default
Nicolas: Enterprise-ready shouldn’t be a manual project. With Addigy you get real-time visibility into where your devices stand. You can apply a benchmark in monitoring-only mode, which doesn’t remediate anything, it just shows you the compliance status. In one example, out of nearly 40 devices only 11 were compliant. That’s a great baseline to show stakeholders before starting the project. Automated enforcement then flips those devices to compliant with remediation, and it’s all reportable.
Live Demo: Deploying a Benchmark
Nicolas: Benchmarks are curated per operating system. Every year the NIST and CIS teams curate a unique benchmark for each macOS version, so macOS 14 and macOS 26 are not the same and have different settings. In the demo I assigned CIS Level 1 to a macOS 15 device and deployed it.
Nicolas: The catalog is where you build content and the policy is where you assign it. CIS Level 1 is a good industry-standard base, with 97 rules in macOS 26 and 87 in macOS 14. As Apple adds or changes controls in each OS, the rule count changes.
Brent: I’ve used CIS Level 1 a lot as a base to build custom benchmarks. It’s the one I use most frequently.
Nicolas: You can clone a benchmark, sort the rules, and disable the ones you don’t want before saving it as your own. Audit-log rules are easy wins because they don’t change the user experience, they just provide logging for a forensic team if something happens.
Nicolas: Some items are labeled benchmark and some baseline. A baseline is guidance rather than a prescriptive set you apply as-is. Some rules install a profile, some require manual remediation (for example, inserting a smart card for CMMC), and some run scripts. Doing all of that yourself, across profiles, scripts, and manual steps, is what makes this so challenging. CMMC Level 1 has 82 rules and Level 2 has 208.
Nicolas: When you clone a benchmark, it stays synced with the NIST and CIS rule changes. We review those changes, apply them, communicate them through our releases and status pages, and verify customer impact before release.
Brent: Even if you only want monitoring, you can use the scripts from the remediation to build your own remediation scripts.
Nicolas: Each rule includes the test, the remediation script, a description explaining the rationale, and a downloadable PDF write-up. That PDF maps each rule to the NIST 800-53 revision, CIS Controls v8, and CCE, which the compliance and audit teams need.
Brent: The PDF is really useful for clients to review.
Nicolas: We also launched Cyber Essentials a month or two ago and a brand-new AI Compliance Basics benchmark. You can build your own AI benchmark, for example allowing Claude and Google Gemini while blocking ChatGPT, Microsoft Edge Copilot, and DeepSeek. You can also tie compliance into Microsoft Intune conditional access to build a zero-trust environment, and there’s an option to exclude specific benchmarks from affecting a device’s ability to log in.
Brent: Clients really like being able to see their compliance in Self Service. It’s reassuring when they go in and everything’s green.
Turning the Gap Into Growth
Nicolas: The compliance gap is your opportunity to package and sell as a service. This becomes a repeatable, billable process once the first client is set up.
Brent: Instead of break-fix, we’ve evolved to managed service agreements based on the client’s needs, with different tiers. There’s always a base level of security, and more compliance requirements bill out at higher tiers.
Nicolas: Proactive versus reactive matters. If a client comes to you the week before a SOC 2 audit, that’s a friction point, because a SOC 2 Type 2 is a period-of-time audit, not point-in-time, so you have to prove you’ve been doing it for a while. Showing before-and-after reports is a powerful way to demonstrate the value and risk mitigation.
Brent: We had an instance where a client did well in an audit, and now they’re expanding the number of devices they want us to manage. Clear communication and regular review are so important.
Overcoming Pushback
Nicolas: Common objections are “my Macs are already secure,” “this will frustrate my users,” and “we’ve gotten by without this.”
Brent: People worry you’re spying on them, so you reassure them the intent is to secure the business and keep them productive. Removing admin rights actually helped, because software stays aligned and there’s no random software everywhere. Addigy also has a feature to elevate admin rights temporarily.
Nicolas: These controls actually eliminate most privacy concerns. Benchmarks disable remote login and remote management by default, so they prevent malicious actors from accessing devices remotely rather than enabling spying. Developers are usually the exception, and you can curate a separate policy for them. Nobody can control SIP through benchmarks, but it’s good to confirm it’s enabled.
Brent: We’ve actually seen a reduction in ticketing as we’ve added more security and automated it proactively, and the tickets we do see resolve faster.
Problematic Rules to Watch For
Nicolas: Some rules cause friction and should be curated carefully. “Disable login to other users’ active and locked sessions” breaks Touch ID if pulled straight from the CIS repo. Addigy runs a custom remediation automatically so it doesn’t break Touch ID.
Nicolas: “Limit consecutive failed login attempts to five” locks users out after five failures, and when combined with the rule to prompt for username and password, users see two blank fields, don’t know their username, and get frustrated. Consider raising the attempt limit or pairing it with an identity provider.
Brent: Using an identity provider helps a lot with the login window, because users reach a familiar IdP portal and often get MFA. It also eliminates rolling passwords and reduces keychain tickets.
Nicolas: An IdP syncs passwords so there’s no confusion, and the username becomes their identity credential. I’d also turn off the 365-day max password lifetime rule if you’re enforcing it in your IdP, since it causes conflict. The time-sync daemon rule was removed by NIST and CIS because it caused time drift, which breaks SSL validation and connectivity. Finally, if you use an identity provider, avoid or limit passcode settings, because Apple’s passcode payload doesn’t exactly match the IdP. Allowing simple passwords can actually prevent conflicts with real-word passwords set in the IdP.
Continuous Compliance and AI
Nicolas: With Addigy you can do this in minutes, not months. Compliance isn’t a checkbox, it’s continuous: you monitor status, automate remediation, and document it over time, and you repeat it every year with each new benchmark. Apple builds for the person; Addigy builds for the business.
Brent: When you get audited and they come back and say they found nothing, there’s no feeling like it. Being able to present all the data quickly during an audit has helped us tremendously.
Nicolas: On AI, the AI Compliance Basics benchmark is in public beta, available under account settings in the public beta options. We heard from customers that they had no visibility or control over which AI tools their users were using, so this benchmark helps track that. AI is here to stay and will keep reshaping the digital frontier.
Q&A Highlights
Brent: For apps that want to auto-update but can’t without admin, you can use Addigy’s temp admin feature in a standard user environment. Sometimes it’s best to disable the app’s built-in auto-updater and let Addigy handle updating instead, as we’ve done with Slack and Firefox.
Nicolas: Declarative Device Management doesn’t require automated enrollment through ADE, but it does require the device to be enrolled in MDM. With declarative management, changes are persistent and can’t be turned off by the user.
Frequently Asked Questions
Are Apple devices secure by default for business use?
No. Apple’s defaults are optimized for personal use, so a new device out of the box is only about halfway to business-ready compliance. Roughly half the controls will fail against even a basic benchmark like CIS Level 1 until you apply and enforce a framework.
What compliance frameworks do MSPs use for Apple devices?
Common frameworks include SOC 2, ISO 27001, Cyber Essentials, CMMC, and STIG. SOC 2 is the most common in the US, ISO 27001 is more international, and Cyber Essentials applies in the UK. Each is essentially a compilation of macOS configurations attested by a third-party auditor.
What is a compliance benchmark in Addigy?
A benchmark is a curated set of macOS configuration rules aligned to a framework, drawn from a database of over 300 rules. Addigy tests and validates each benchmark before release and keeps cloned benchmarks synced with NIST and CIS rule changes.
What is the difference between monitoring-only and remediation mode?
Monitoring-only applies a benchmark to read and report device compliance status without changing anything or affecting the user experience. Remediation mode automatically enforces the rules to bring devices into compliance.
Why are benchmarks curated per macOS version?
Every year the NIST and CIS teams curate a unique benchmark for each macOS version, because Apple adds and changes controls in each release. For example, CIS Level 1 has 97 rules in macOS 26 versus 87 in macOS 14, so macOS 14 and macOS 26 benchmarks are not interchangeable.
How can MSPs package compliance as a service?
MSPs can offer compliance as a repeatable, billable managed service in tiers, with a base level of security and higher tiers for more demanding frameworks. Before-and-after compliance reports demonstrate the value and risk mitigation, and the process becomes repeatable across clients once the first one is set up.
Which benchmark rules commonly cause user friction?
Rules that break Touch ID, lock accounts after five failed logins, prompt for username and password with blank fields, enforce a 365-day password lifetime, or conflict with an identity provider’s passcode payload are the most problematic. Addigy curates some of these automatically, and pairing benchmarks with an identity provider reduces login and keychain issues.
Does Declarative Device Management require supervision?
No. Declarative Device Management does not require supervision or automated enrollment through ADE, but the device must be enrolled in MDM. Declarative changes are persistent and cannot be turned off by the end user.