Can disable automatic login following use of FV just fine though, and having it for system auth is still good. Makes it much more convenient to have a long good password, though unfortunately FileVault (and 1Password is also a shitty, glaring example here) remains an outlier. Most system authentication and sudo by default as well. Login becomes a matter of just plugging in the key and entering the PIN. Even for Macs with biometrics keys can still be useful in a multiuser environment or for the convenience of not needing to reach for the Touch ID (and be limited to an Apple keyboard). Mac OS has had pretty solid support for smartcards and tokens for a very long time now, improving significantly in the last 5 or so generations.

I'm somewhat surprised that using an HSM like a YubiKey or NitroKey isn't on there. using Reflector 4). Basically I hate my mac that is hardened all the way so have a second machine (Mac Studio Ultra) in a more secure location that is less hardened and more pleasant to work with. But that is intense. Also disabling things like AirDrop and biometric unlock is a productivity inhibitor. Disabling Bonjour can cause strange problems for some people (e.g. To pass a full security review you might want to play with Google Santa. Only shit ones but workable like Jamf. Also the username doesn't get auto-populated on login so the typo can be in username but the user assumes it is with password. So you need a half-decent MDM to unlock quickly. Complex 15 character passwords with 3 retries from memory. FWIW, CIS level 1 will mean people get locked out of their machines very frequently. You can get most of the way to hardening to CIS level 1 picking more up-to-date fork of these.