This DEXPack contains Endpoint Automation policy, rules and instructions to check the security applied on Mac devices in your environment. This DEXPack will help IT department to find devices that are non-compliant and might be vulnerable.

Key Features:


    • Retrieve the list of all the local accounts which are using the FileVault service on the end-user macOS devices.
    • Determine the FileVault encryption status.
    • Retrieve FileVault encryption personal recovery key (PRK).
    • Disable and defer enablement of FileVault.


    • List valid keychain identities (certificate + private key) with duplicates removed from default search list.
    • Retrieve and list all the system certificates currently present on the macOS devices.
    • Get the Keychain filesystem location for user, system and common keychains.
    • Search and retrieve a system certificate matching the specified name for the end-user macOS devices.

OS Updates:

    • Provides a list of devices that have Automatic OS updates enabled and recommended OS updates are installed.


  • Upload this DEXPack with the help of DEXPack Deployment Tool.
  • An Endpoint Automation Policy named macOS Security will be created.
  • 11 Endpoint Automation Rules will be created in this policy.
  • An Instruction set named macOS Security will be created containing the instructions.


Review the macOS Security rules and adjust as per your requirements. Precondition and trigger setup is similar for all macOS security rules.

  • The precondition ensures that the check is performed only on a macOS device.                                                                                                  
  • Adjust the IntervalHours for ex: - 8 hours to trigger rule every 8 Hours on the device.                                                                                                  
  • The check will be performed as per the Trigger applied in rule and report the File Vault status. Below are the different checks that can be performed:

macOS - Check FileVault is enabled

This rule will report if FileVault status once the rule is trigged on device.                                                                                                     

macOS - Check Find My Mac is enabled

This rule will report Find My Mac status once the rule is trigged on device.                                                                                                

macOS - Check Gatekeeper is enabled

This rule will report Gatekeeper status of the device once rule is triggered.                                                                                                 

macOS - Check admin password required to read system wide preferences

This rule will report if system wide preferences require admin authentication to access the settings window.                                                                                                 

macOS - Check automatic software update checks enabled

This rule will report the status of automatic software updates checks for a device.                                                                                                 

macOS - Check critical software updates are automatically applied

This rule will report the status of Automatically Install macOS Updates feature for a device.                                                                                                 

macOS - Check firewall is enabled

This rule will report the status of the firewall of a device.                                                                                                                                                                                                    

macOS - Check kernel extension user consent is enabled

This rule will report the status of kernel extension consent of the device.                                                                                                 

macOS - Check remote login disabled

This rule will report the status of remote login feature for a device.                                                                                                 

macOS - Check no recommended software updates are pending

This rule will report the status of recommended software updates installed on a device.                                                                                                 

macOS - Check that System Integration Protection (SIP) is enabled (macOS)

This rule will report the status of System Integrity Protection for a device.                                                                                                 


Reports will start generating a few days after policy is deployed and can be viewed in Endpoint Automation application portal. Below is the device state definition information as per their state:

  • Compliant state represents devices that have met security recommendation.
  • Non-Compliant state are devices that are not meeting the security recommendation.
  • Not applicable are non-macOS devices.
  • Unknown are devices yet to report their state.


  • “List system certificates (macOS)“ provides the results set which contains information of available system certificate.
  • “Find system certificate <certname> (macOS)” provides detailed information of a certificate using certificate name.           
  • “List certificate keychain of type <type> for <domain> (macOS)“ Provides location of the system keychain stored.     
  • “List valid keychain identities (macOS)” Provides results of valid keychain identifies available on device.                                           
  • “Deferred Enablement of FileVault for user <userName> maxCancelAttempts=<maxCancelAttempts> dontAskAtLogout=<dontAskAtLogout> (macOS)” enables Filevault on device if not enable with an option to logout the current user and enforce on next login with Deferred attempts up to 16.                                                                                                                                                                                                                                                                                                                                                                                                                
  • “Get FileVault enablement deferred info (macOS)” Provides configuration information of Filevault deferred enablement.   
  • “Get the FileVault disk encryption recovery key status (macOS)” Provides Filevault encryption recovery key status available on a device.                                                                                                                                         
  • “List FileVault encryption status (macOS)“ Provides status of FileVault encryption.                                                                               
  • “List FileVault users (macOS)“ Provides list of Filevault users on the device.                                                                                                   
  • “List filesystem personality for root partition (macOS)” Provides File System type information of the drive.                                         
  • “List pending updates of type <updateType> (macOS)“ Provides a list of pending OS updates.                                                                 


Join Our Newsletter

Copyright © 1E 2022 All Rights Reserved

This website is designed for desktop. If using a mobile browser please change to desktop view.