Frequently Asked Questions: Enforcing Hexnode macOS CIS Compliance
Technical Summary
Securing your macOS fleet to meet industry standards can feel overwhelming. To make this process smoother, Hexnode offers pre-configured templates aligned with the Center for Internet Security (CIS) Benchmarks.
This FAQ is designed to answer your most pressing questions as you implement, deploy, and troubleshoot these security configurations.
Getting Started & Prerequisites
Q1: What exactly is the CIS Benchmark template for macOS?
The CIS Benchmarks are globally recognized best practices for securing operating systems and reducing vulnerability to cyber-attacks. Hexnode provides two pre-configured policy templates specifically for Mac: CIS Benchmark Compliance Level 1 – macOS and CIS Benchmark Compliance Level 2 – macOS. Applying these templates automatically configures your devices with settings that align with these strict security frameworks.
Q2: Will applying this template make my Mac fleet 100% CIS compliant?
It will get you significantly closer, but it will not make you 100% compliant on its own. The templates cover only the benchmark rules that can be expressed as configuration profile settings, so Hexnode UEM can make devices partially CIS Benchmark compliant; rules that have no profile equivalent are not applied by the template.
To close the gap for rules that standard configuration profiles cannot express (for example, rules that require editing files under /etc or that check system state no profile exposes), combine the CIS policy with Hexnode’s Shell Scripting Engine, which runs root-level scripts on the device silently. Keep a record of which rules you remediate by script, because the policy itself will not show them.
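As an added example (not Hexnode’s own code and not a script from the CIS benchmark), the following shell script shows the shape of a root-level script you could push through the Shell Scripting Engine for three rules that no configuration profile key covers: a zero sudo timeout (a drop-in under /etc/sudoers.d), audit log retention in /etc/security/audit_control, and System Integrity Protection status. The thresholds are the benchmark’s; the drop-in file name, the PASS/FAIL report format and the sample strings in the comments are this example’s own assumptions. The evaluator functions take command output as text, so they can be exercised on captured values without a Mac, and the script only changes anything when run as root on macOS.

```sh
#!/bin/sh
# Added example, not Hexnode's code: audit and remediate CIS macOS items that
# have no configuration-profile key. Meant to run as root via the Shell
# Scripting Engine. Evaluators are pure (text in, exit status out) so they can
# be tested against captured output on any platform. CIS rule numbers are
# omitted on purpose: they change between benchmark releases.

# ---------- pure evaluators: $1 is command output or file contents ----------

# `sudo -V` run as root prints "Authentication timestamp timeout: N minutes".
# CIS wants 0 so every sudo invocation re-authenticates.
sudo_timeout_is_zero() {
    printf '%s\n' "$1" | grep -Eq '^Authentication timestamp timeout: 0(\.0+)? minutes'
}

# /etc/security/audit_control must retain logs for 60 days or 5 GB.
# Stock macOS ships "expire-after:10M", which fails this check.
audit_retention_ok() {
    line=$(printf '%s\n' "$1" | grep -E '^expire-after:' | head -n 1)
    [ -n "$line" ] || return 1
    days=$(printf '%s' "$line" | sed -nE 's/.*[^0-9]([0-9]+)d.*/\1/p')
    gigs=$(printf '%s' "$line" | sed -nE 's/.*[^0-9]([0-9]+)G.*/\1/p')
    [ "${days:-0}" -ge 60 ] || [ "${gigs:-0}" -ge 5 ]
}

# `csrutil status` prints "System Integrity Protection status: enabled."
sip_enabled() {
    printf '%s\n' "$1" | grep -Eq 'System Integrity Protection status: enabled'
}

# ---------- remediations: macOS, root only ----------

remediate_sudo_timeout() {
    # The drop-in file name is this example's choice; any file in /etc/sudoers.d works.
    tmp=$(mktemp) && printf 'Defaults timestamp_timeout=0\n' > "$tmp"
    # A malformed sudoers fragment locks every admin out of sudo: validate first.
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0440 -o root -g wheel "$tmp" /etc/sudoers.d/timestamp_timeout
    rm -f "$tmp"
}

remediate_audit_retention() {
    f=/etc/security/audit_control
    cp "$f" "$f.bak"
    if grep -q '^expire-after:' "$f"; then
        sed -i '' 's/^expire-after:.*/expire-after:60d OR 5G/' "$f"   # BSD sed syntax on macOS
    else
        printf 'expire-after:60d OR 5G\n' >> "$f"
    fi
    audit -s   # ask auditd to re-read audit_control
}

# ---------- entry point: collect live values, report, remediate ----------

run_audit() {
    if [ "$(uname -s)" != Darwin ] || [ "$(id -u)" -ne 0 ]; then
        echo "live audit needs root on macOS; nothing changed"
        return 0
    fi
    if sudo_timeout_is_zero "$(sudo -V)"; then echo "PASS sudo timeout"
    else echo "FAIL sudo timeout -> remediating"; remediate_sudo_timeout || echo "  remediation failed"; fi
    if audit_retention_ok "$(cat /etc/security/audit_control)"; then echo "PASS audit retention"
    else echo "FAIL audit retention -> remediating"; remediate_audit_retention; fi
    # SIP can only be changed from Recovery: report it so the device can be flagged.
    if sip_enabled "$(csrutil status)"; then echo "PASS SIP"
    else echo "FAIL SIP (manual: boot to Recovery and run csrutil enable)"; fi
}

run_audit
```

Push the script from the portal with root privileges and collect its output as the audit record; the PASS/FAIL lines are what you would feed into your own compliance tracking, since the CIS policy’s status in Hexnode does not know about script-remediated rules.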
Q3: Should I use Level 1 or Level 2 for my deployment?
It depends on your organization’s security needs:
- Level 1: Recommended for most standard enterprise environments. It enforces strong security baselines, such as a 15-character passcode, FileVault encryption and the firewall turned on, without severely affecting daily user productivity. For example, under Level 1 users may still auto-upload files from Desktop and Documents, choose their own content caching settings, and use keyboard entry in the Terminal app.
- Level 2: Intended for environments that require a highly restricted configuration. It includes the Level 1 baseline and locks the device down further. For instance, it requires at least one complex (non-alphanumeric) character in the passcode, and it adds restrictions such as disabling the auto-upload of files from Desktop and Documents, restricting content caching, disabling keyboard entry in the Terminal app, preventing users from modifying Media Sharing settings, and hiding the Wi-Fi and Bluetooth status icons from the menu bar.
Implementation & Configuration Steps
Q1: How do I deploy the CIS template to my macOS devices?
You can associate a template directly with your targets while creating a new policy. This is the quickest way to do it:
- In your Hexnode UEM portal, navigate to Policies > Device Policies.
- Click on New Policy > Select from templates and select either the macOS CIS Level 1 or Level 2 template.
- Go to Policy Targets > +Add Devices and choose the Macs you want to secure.
- Click Ok, then Save.
Q2: I want to use the template as a baseline, but I need to tweak a few settings. How do I modify a template?
You cannot edit the master template directly. Instead, copy it into Device Policies first and modify the copy.
To modify a template:
- In the Hexnode UEM portal, go to Policies > Templates.
- Select the macOS CIS template you want to use and click on Manage.
- Click on Copy to My Policies.
- The copied template will now be found under the Device Policies section, where it is not yet associated with any device.
- Click on the newly copied policy, click on Manage, and select Modify.
- You can now adjust the policy configurations (such as tweaking a specific restriction).
- Go to Policy Targets > +Add Devices to choose the devices you want to associate the policy with, then click Save.
Q3: Do I have to apply this to all my devices at once? Can I test it on a specific department first?
Absolutely. You have granular control over deployment. When selecting your Policy Targets, you are not limited to just individual “Devices”. You can also associate the template with specific Device Groups, Users, User Groups, and Domains/OUs.
Understanding the Compliance Settings
Q1: What kind of Passcode rules will my users experience once this is applied?
Both Level 1 and Level 2 templates enforce strict password hygiene. Users will be required to have an alphanumeric passcode with a minimum length of 15 characters. The templates also enforce a passcode history of 15 (preventing the reuse of old passwords). Furthermore, the policy allows a maximum of 5 failed login attempts before the user’s account gets disabled. Once disabled, the password must be reset using an admin account, Apple ID credentials, or a FileVault recovery key.
Q2: Does this policy automatically encrypt the Mac hard drives?
Yes. Both templates enable FileVault encryption. They are configured to encrypt using an Institutional and Personal Recovery Key.
Once the policy encrypts the disk, the unique Personal Recovery Key is escrowed in Hexnode and can be retrieved by an authorized administrator by navigating to Manage > Devices > [Click Target Mac] > Device Info > Security Info. Treat access to that view as privileged: the key unlocks the disk, so restrict it to the admin roles that genuinely need it.
Q3: How does this template handle macOS Software Updates?
The templates enforce an automated update environment. They are configured to automatically check for, download, and install macOS updates, app updates, critical updates, and configuration data.
Q4: Will deploying this CIS template block my users from sharing files with one another?
Yes, for AirDrop: to limit uncontrolled data transfer, the templates disable AirDrop. Handoff and Universal Control remain enabled.
Troubleshooting & Common Concerns
Q1: My users are complaining that their screen locks too quickly. Why is this happening?
The CIS templates configure the Energy Saver and Screensaver settings so that unattended Macs are not left unlocked. By default, the policy enables the screensaver, sets the idle time to 20 minutes, and requires a password to unlock the screen after a 5-second delay. If you need to adjust this, copy the template to “Device Policies” and modify the Screensaver configuration. Note that the benchmark sets 20 minutes as the maximum idle time, so shortening it keeps you compliant while lengthening it does not.
Q2: I deployed the policy, but I don’t see an option to configure some of the advanced CIS rules I read about online. Where are they?
As noted under Getting Started, not all rules in the CIS Benchmark are configurable via Hexnode. If a specific CIS rule does not appear in the template’s configuration list, that rule is not currently configurable through the policy; apply it with a script through the Shell Scripting Engine instead, as described in Getting Started Q2.
Q3: Can I create multiple different policies from the same CIS template?
Yes. A single template can be reproduced into as many policies as required. You just need to create copies of the template in “Device Policies” and adjust the targets or minor settings as needed for different departments.