This guide applies to Mac computers
Available Parameters
Iru Endpoint includes built-in Parameters for common device management tasks. The categories below describe them.
User Accounts & Authentication
- Create User Accounts
  Create Administrator or Standard user accounts if they do not already exist.
- Demote User Accounts to Standard
  Demotes local accounts to Standard users. At least one administrator user account must be excluded from the demotion process.
- Don’t Allow the Guest User to Log In
  The Guest account is considered a security vulnerability because it has no password associated with it. It is recommended that the Guest account be disabled on all macOS systems unless there is a clearly demonstrated need.
Filesystem
- Setting umask for All Users
  Sets the umask value to 027.
- Checking Library and System Folders for World-Writable Files
  Verifies that directories in /Library and /System are not set to be world writable.
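As an added example (not Iru Endpoint's own check), here is a POSIX shell audit for the condition the world-writable-files Parameter verifies. It takes the roots to scan as arguments, so on a Mac it can be pointed at /Library and /System; excluding sticky-bit directories is this example's own choice, and the directory created under umask 027 is a constructed illustration.

```shell
#!/bin/sh
# Added example, not Iru Endpoint's own code: report world-writable directories
# below one or more root paths, the condition the "Checking Library and System
# Folders for World-Writable Files" Parameter verifies for /Library and /System.

# Print every directory under the given root(s) whose "other" write bit is set.
# Directories with the sticky bit (mode 1777, the /tmp pattern) are excluded:
# the sticky bit stops users from removing or renaming each other's files, so
# they are a deliberate shared-drop-box design rather than a misconfiguration.
list_world_writable_dirs() {
    find "$@" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Return 0 when the tree is clean, 1 (with a report on stderr) when it is not.
audit_world_writable() {
    hits=$(list_world_writable_dirs "$@")
    if [ -n "$hits" ]; then
        printf 'World-writable directories found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Relationship to the umask Parameter: with umask 027 a new directory gets
# mode 777 & ~027 = 750, so it can never trip this audit. Demonstrated on a
# constructed temporary directory so the script runs on any POSIX system.
demo_umask_027_dir() {
    d=$(mktemp -d)
    (umask 027 && mkdir "$d/created_under_027")
    list_world_writable_dirs "$d"      # prints nothing: 750 is not world writable
    rm -rf "$d"
}

# Production invocation on a Mac (run with sudo so every directory is readable):
#   audit_world_writable /Library /System
if [ $# -gt 0 ]; then
    audit_world_writable "$@"
fi
```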
Auditing & Logging
- Monitor Encryption Status of Time Machine Volumes
  Backup volumes should be encrypted like boot volumes, even when a portable drive holds only non-sensitive data or when encryption would make the drive harder to use with other systems.
- Report User Accounts with FileVault Recovery Keys Escrowed to iCloud
  It is recommended that FileVault Recovery Keys not be stored in a user’s personal iCloud account, as there is a possibility that keys can be retrieved by an unknown party.
macOS Applications & Services
- Restart after X Number of Days of Continuous Uptime
  Requires devices to restart after a set number of days of uptime.
Security & Compliance (CIS)
The following Parameters align with CIS benchmark recommendations (e.g., macOS 15 and macOS 26) and are available in Blueprints created from or updated with the CIS Level 1 and Level 2 templates. You can enable them for any Blueprint from the Parameters editor.
- Audit Touch ID settings
  Touch ID is integrated with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password and the use of that password after every reboot, or when more than 48 hours have elapsed since the device was last unlocked. Touch ID is not a password replacement. The use of Touch ID can, however, make the use of passwords more secure for authorized users with physical access to a Mac.
- Ensure users’ accounts do not have a password hint
  Password hints that are closely related to the user’s password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user’s password if there is a password hint.
- Ensure logging is enabled for sudo
  To properly monitor use of the sudo command, log events for any use of sudo should be captured in the unified log.
- Show location icon in Control Center when system services request your location
  When user applications access location, an arrow is displayed next to Control Center in the menu bar to indicate that location is being accessed. By default, system services like time zones, weather, travel times, geolocation, “Find My Mac,” and advertising services do not indicate that location is being accessed. Enabling the “Show location icon in the menu bar when System Services request your location” setting shows the arrow in Control Center when a system service accesses the location.
- Ensure Apple Mobile File Integrity (AMFI) is enabled
  AMFI uses launchd, code signatures, certificates, entitlements, and provisioning profiles to create a filtered entitlement dictionary for an app. AMFI is the macOS kernel module that enforces code signing and library validation. If it is disabled, applications could be compromised with malicious code.
- Audit that Signed System Volume (SSV) is enabled
  Running a production system without Signed System Volume risks OS software that integrates directly with macOS being modified.
- Report Lockdown Mode status
  Lockdown Mode was introduced as a security feature in 2022 and provides additional, extreme security protection. Users and organizations that suspect some users are targets of advanced attacks must consider using this control. This Parameter reports the status of Lockdown Mode.
- Ensure XProtect is running and up to date
  XProtect is the macOS native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. No matter what other tools are in use, XProtect should have the latest signatures available.
Enable Parameters in Blueprints
Click Edit Parameters or Add Parameters
Click Edit Parameters or Add Parameters (first-time setup).
To bring in Parameters from another Blueprint instead, choose Import from existing Blueprint, select a Blueprint from the list (use Search Blueprints if needed), then click Import Parameters.
Search for Parameters
Type in the search field to find the Parameters you need. You can narrow results with the Compliance framework dropdown next to it.
Next Steps
After configuring Parameters:
Set up enrollment for each platform
Once Blueprints and Parameters are configured, set up enrollment to manage devices: Apple Enrollment, Windows Enrollment, or Android Enrollment.