The Secureframe Agent checks for the following device configuration settings:
- Hard Drive Encryption
  - The Secureframe agent currently uses the osquery disk_encryption table to check if a device is encrypted.
  - In order to pass this check, ensure that FileVault is enabled (instructions here).
  - For Macs with the M1 chip or the T2 chip, the agent currently marks the device as "encrypted" even if FileVault is not enabled. We will update the agent to account for this in the near future.
  - For all other Macs, this check will only pass if FileVault is enabled.
- Native Anti-Virus
  - Ensure Gatekeeper is enabled; this is usually turned on by default (more information).
- Password Policy
  - Create a passcode profile with Require Alphanumeric set to true and Minimum Password Length set to 8 or more.
  - An MDM such as Jamf or Fleetsmith can create and enforce a password and screen lock policy to pass this test.
  - If not using an MDM, you can view the additional resources link below to create a configuration profile or you can use the profile created here!
  - Profile resources:
- Screen Lock
  - Create a passcode profile with Auto-Lock set to ≤ 15 minutes and Ask For Password set to true (more information).
- Firewall
  - Ensure that Firewall is enabled (instructions here).