The best way to rile up any IT professional is to bring about the age-old debate of macOS vs Windows security. Many are ardent supporters of Apple while others tend to choose Windows over Mac. Windows is more affordable and practical for general use. You won’t find many people who stay loyal to both platforms.
Sure, macOS and Windows have their own weaknesses but when operated according to the latest recommendations and security practices, both these operating systems are good for enterprise use.
2019 shocked the Apple community when Macs faced more malware attacks than the average Windows PC. One of the most noteworthy one was a malware that allowed hackers to bypass Apple’s security defences.
Surprisingly, some of the vulnerabilities found within Macs were reported by Microsoft such as Shrootless and powerdir. Apple doesn’t usually disclose any issues they face to the public until they have patched it. Users can find a list of these in their release notes.
Similarly, 2021 was rough on Windows with the number of critical vulnerabilities being reported across the platform. Microsoft’s Security Response Center sets out a complete list of vulnerabilities, together with release notes and the date it was last updated. In spite of this, Windows continues to be the preferred OS among users holding 32% of the marketshare worldwide.
Security, in addition to affordability and productivity, is an important factor most enterprises take seriously. It’s quite difficult to point out which platform is more secure, let’s take a look at some of the major features provided by each OS and try to understand how secure they really are.
macOS vs Windows: a detailed look at its security
Mac devices with Apple’s T2 Security Chip comes with a security feature known as Startup Security Utility to ensure devices starts up with the right startup disk and operating system. It also has a Secure Boot which prevents unauthorized operating systems from running on the user’s computer and secures the system from malware.
Other security features include:
Some of the sources of Microsoft’s protection for pre-boot, boot and post boot can be found in open source initiatives. These initiatives are placed under Secure Boot, a security standard provided by Microsoft to ensure the device starts booting up only with a software which has been authorized and trusted by the OEM. The systems are required to have the latest Unified Extensible Firmware Interface (UEFI) and Trusted Platform Module (TPM) installed within the motherboard.
The boot process requires a cryptographic approval, and no new action can be initiated unless it has been verified. If anything tries to modify the booting process, alerts will be sent to one of the two chips, where an action to either stop the boot process will be initiated or a warning would be sent to the user.
The TPM chip consists of cryptographic features. BIOS chips have now replaced UEFI. These chips are integral in ensuring the protection of both the operating system and applications during and after the reboot.
macOS comes with in-built security services to prevent malware from running on the system. This includes Gatekeeper, Notarisation and XProtect.
Notarisation is a malware scanning service where developers who want to publish their applications outside of the AppStore are required to submit their applications, which would then be scanned for malware. If no malware is found, Apple will issue a notarisation ticket. Developers can attach this to their app so that the Gatekeeper can verify it and launch the application.
If a notarised app is found to be malicious later, Apple would issue a revocation ticket. macOS constantly checks for revocation tickets in order to update the Gatekeeper and prevent the launch of corrupted files.
XProtect is an in-built anti-virus technology found within macOS. It keeps a check on malware infections by the means of a signature based detection. These signatures are updated automatically to ensure the Mac stays protected from newer malware infections.
Windows has its own real time anti-virus tool known as Windows Defender. It runs in the background and keeps a constant check on the system from malware infection and other malicious programs.
It was first released by Microsoft as Microsoft Security Essentials in Windows XP, Vista and 7. With the release of Windows 8, the software underwent a couple of revamps and renamed to Windows Defender.
Windows Security is a real time protection feature found in Windows 10 and 11. It scans the device for various security threats, malware and virus. Some of the features provided by Windows Security include virus and threat protection, account protection, firewall and network protection and device security.
macOS has a vigorous app screening process. Gatekeeper bars users from installing any harmful external application within the system by checking for a Developer ID certificate.
Apps published outside of the AppStore must be submitted for notarisation, this ensures that applications users use are free from malicious files.
App sandboxing is another feature that boosts the security of macOS applications. Sandboxing restricts applications from accessing data and other system resources. Although many in-built applications support sandboxing, not all applications have this feature.
The Defender Application Controls works in unison with Microsoft Edge. Edge together with its sites and applications run in an isolated virtual environment kept separate from the operating system.
Various restrictions are imposed on sessions opened within Application Guard to prevent the occurrence of any actions that could be of high risk.
The Windows Defender Application Control restrict applications which allow users to run and code in the system. It prevents users from running an application that could harbour a malicious code. Apps from the Store are automatically trusted as they are digitally signed to prove the code has not been altered in any way.
Safari the default browser in macOS has a couple of security features to protect data privacy and ensure a safe browsing experience. These include:
Microsoft levelled up the security of Edge, Windows default browser to include security indicators within website and malware protection. The website security indicator is a feature that displays HTTPS on the left corner of the address within the address bar.
This shows the site has a secure connection. In terms of malware protection, if Edge suspects the user is accessing a website prone to malware, it’ll display a warning page dissuading users from further accessing that particular site. Other security features include:
One of the important features both operating systems offer is the capability for users to locate their lost devices. Mac users can locate their lost device through the Find My app. The process is quite simple. The user has to install the Find My app and click on the device list to select the device they wish to locate.
You can set notification if the location does not appear below the device to receive a notification as soon as the device is located. Users can also mark the device as lost and initiate a remote lock to ensure data security. Directions to the lost device can be obtained via Apple Maps.
Users can even set a remote ring if the device is nearby. Notification can be sent to the user end even when the lost device is offline. Other features include disabling Apple Pay, initiating a device wipe and displaying a customized message on the screen.
Microsoft’s Find My Device feature permits users to locate lost Windows 10 devices. They need to first login to their account and gain admin rights to it. When activated, a notification will pop up on the screen of the lost device. Find My Device too comes with the functionality of remotely locking the device.
How to track your lost devices with Hexnode’s lost mode for Windows
FileVault is a disk encryption program found in Mac devices running from version macOS X 10.3 and above. It is an in-built security feature to protect all information stored within the device. Encryption offers more security than password protection as it encrypts the sensitive information.
This information can later be deciphered only with the help of an algorithm and a key. FileVault can be enabled from System Preferences > Security & Privacy. It makes use of XTS AES 128 encryption with a 256-bit key.
BitLocker is a full volume encryption program native to Windows devices. Once encrypted, the files and other information cannot be decrypted unless the user enters the right encryption key. It makes use of a Trusted Platform Module (TPM) a hardware component used to authenticate the device.
The authentication is done by the means of various artifacts such as passwords, encryption keys and certificates. BitLocker creates a recovery key on the hard drive, every time a user logs in to their computer, they would have to enter their secret pin to use it.
Data harvesting and user privacy
Since the software and hardware components of Macs are fully managed by Apple, it maintains stricter controls when it come user privacy.
Data is collected by both platforms for telemetry purposes, but Apple offers more security since the company oversees the production of its own hardware and thus can set better restrictions on app developers. Apple shares personal data only with a very limited number of third parties.
While no OS can give one complete privacy, macOS has more advantage over Windows at this point. When your Mac device sends out private data to Apple servers, measures are taken to ensure the privacy of the information being sent out. The data will always be tied with a random identifier, thus the identity of the user can never be linked with their data.
Ensuring data privacy in Macs using the Privacy Preferences Policy Control
Windows on the other hand is used across different hardware, each having its own specifications and configurations. Windows 10 has received a fair amount of backlash for the data they collect from users such as their search history in browser and location history, just to name a few.
Despite Microsoft levelling up its security measures by enabling multiple privacy settings, it continues to collect personal data from users and still has to come a long way in ensuring enough privacy of users to satisfy various regulatory bodies.
File Integrity Protection
The System Integrity Protection (SIP) protects the integrity of important files and directories even if the action is performed by a user with root level access. The protection measures include:
Windows has over the years introduced multiple features to enhance the integrity of files pertaining to the OS and user. These include:
Azure Security Center and Azure Defender have now been rebranded to Microsoft Defender for Cloud. File Integrity Monitoring (FIM), an important part of Microsoft Defender for Cloud monitors and detects any changes made to systems files, applications and registries. This is used to secure your network.
The changes are identified using Azure’s Change Tracking solution. According to Microsoft, FIM notifies the user if any file and registry key is created or removed and if any of the files or registries are modified. Some of the limitations of this include:
macOS vs Windows security: summing it up
macOS at a glance
|Has more built-in security features in default browser||Increased cyberattacks|
|Stricter app approval process||Does not offer updates for older devices|
|Protected app store||Limited number of applications|
|Ensures more user privacy||Lacks hardware customization|
Windows at a glance
|Provides customization||Does not offer enough application security|
|Offers hardware support||More prone to malware infections and cyberattacks|
|Website security indicator and malware protection||Increased data harvesting and tracking|
|More affordable||Lacks enough privacy features|
Both platforms harbour flaws and strengths of their own. The main point is to choose an OS that works well for your business and addresses everything your organization needs to get done.
For instance, Windows are mostly used by businesses who require different hardware configurations while macOS is mostly preferred by creative professionals. But this could change in the future.
No matter what your business requirements maybe, a UEM solution offers complete management of both Windows and Mac devices in terms of data protection, device security, network security and more.
Securely manage endpoints with Hexnode
Satisfy various regulatory compliance requirements and manage endpoints with a UEM solution.Sign up for a free trial
Share your thoughts