graphgrc

Endpoint Security Standard

Baseline security requirements for employee endpoints (macOS laptops).

Scope

All company-issued and BYOD laptops used to access company resources.

Requirements

Device Management

• All endpoints enrolled in MDM (Jamf, Kandji, Fleet)
• Company-owned devices provisioned with standard image
• BYOD devices must meet minimum security requirements

Operating System

• macOS only (no Windows, Linux, or ChromeOS without exception)
• Latest stable macOS version or previous major version (N-1)
• Automatic updates enabled for security patches
• Critical security updates installed within 7 days

Encryption

• FileVault full-disk encryption enabled
• Recovery key escrowed in MDM
• No unencrypted external drives containing Confidential data

Authentication

• Strong password required (12+ characters)
• Password changes on macOS user account trigger company password reset
• Screen lock after 5 minutes of inactivity
• Biometric unlock (Touch ID) permitted

Endpoint Protection

• Endpoint Detection and Response (EDR) agent installed (CrowdStrike, SentinelOne, or similar)
• Real-time malware scanning enabled
• No unauthorized system extensions or kernel modifications
• Firewall enabled

Software Management

• Approved software list maintained by IT
• Software installation requires admin approval (standard users non-admin)
• Homebrew allowed for engineering team with restrictions on casks
• Quarterly software inventory and cleanup

Network Security

• Default deny untrusted networks
• VPN required for accessing internal resources from untrusted networks
• No direct connection to production systems from public WiFi without VPN

Data Loss Prevention

• No Confidential or Restricted data stored on local disk (use cloud storage)
• USB device restrictions (read-only or blocked)
• Screenshot/recording tools monitored in sensitive applications

BYOD Requirements

If allowing BYOD (approved by security team):

• Separate user profile for work apps
• Work email/Slack/GitHub in containerized apps only
• Remote wipe capability for work data
• No access to production systems

Lost/Stolen Device Response

• Report to IT immediately
• Remote lock initiated within 1 hour
• Remote wipe after 24 hours if not recovered
• Password reset on all company accounts

References

• Related controls: END-01, END-02, END-03, DAT-01
• Related process: device-provisioning-process.md (if exists)

Control Mapping

• END-01: Device Management (macOS MDM) ^[All endpoints enrolled in MDM (Jamf, Kandji, Fleet) with FileVault and configuration management]
• END-02: Endpoint Protection ^[EDR agent installed (CrowdStrike, SentinelOne) with real-time malware scanning]
• END-03: Software Updates ^[Automatic macOS security updates, critical patches within 7 days]
• DAT-02: Encryption ^[FileVault full-disk encryption with recovery key escrowed in MDM]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.