diff --git a/Apple/iOS/NCSC_example_iOS_VPN_configuration.mobileconfig b/Apple/iOS/NCSC_example_iOS_VPN_configuration.mobileconfig index ab8fb9b..f48e4bc 100644 --- a/Apple/iOS/NCSC_example_iOS_VPN_configuration.mobileconfig +++ b/Apple/iOS/NCSC_example_iOS_VPN_configuration.mobileconfig @@ -34,15 +34,15 @@ 1440 DeadPeerDetectionRate - High + Medium DisableMOBIKE 0 DisableRedirect 0 EnableCertificateRevocationCheck - + 0 EnableFallback - + 0 EnablePFS IKESecurityAssociationParameters @@ -64,7 +64,7 @@ LocalIdentifier device.example.com NATKeepAliveInterval - 60 + 110 NATKeepAliveOffloadEnable 1 ProtocolType @@ -77,8 +77,11 @@ 0 - UIToggleEnabled - + + DNS + + SupplementalMatchDomainsNoSearch + 0 IPv4 @@ -90,11 +93,11 @@ PayloadDisplayName VPN PayloadIdentifier - com.apple.vpn.managed.C4180FAE-F129-408D-8F83-943BF92F94DA + com.apple.vpn.managed.16EA2765-3DDF-47FA-9251-920CBE3AAFF2 PayloadType com.apple.vpn.managed PayloadUUID - C4180FAE-F129-408D-8F83-943BF92F94DA + 16EA2765-3DDF-47FA-9251-920CBE3AAFF2 PayloadVersion 1 Proxies @@ -105,7 +108,7 @@ 0 UserDefinedName - NCSC Example VPN configuration + CTX VPN VPNType AlwaysOn VendorConfig diff --git a/Apple/iOS/NCSC_example_iOS_device_configuration.mobileconfig b/Apple/iOS/NCSC_example_iOS_device_configuration.mobileconfig index 436a53b..f3e2b73 100644 --- a/Apple/iOS/NCSC_example_iOS_device_configuration.mobileconfig +++ b/Apple/iOS/NCSC_example_iOS_device_configuration.mobileconfig 
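Review bot: In the @@ -34,15 hunk EnableCertificateRevocationCheck is set to `0` on the new side, while the CSV and markdown rows changed in the same commit still state `Enable certificate revocation check,Yes`; one of the two should change so the example profile matches the published guidance. The plist tags have been stripped in this rendering, so the removed value is not visible, but a literal `0` disables the check. EnableFallback is likewise set to `0` and DeadPeerDetectionRate lowered from High to Medium in the same hunk with no note in the commit message or README; if these are deliberate, a one-line rationale next to the VPN rows in the table would let readers reconcile profile and guidance.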
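Review bot: NATKeepAliveInterval is raised from `60` to `110` in the @@ -64,7 hunk; keepalives only help if they fire inside the UDP mapping idle timeout of whatever NAT sits in front of the device, and 110 s is longer than the idle timeout many consumer and carrier NATs apply, so an always-on tunnel may go silently dead until dead-peer detection (now Medium) notices. If the larger interval is a battery trade-off relying on NATKeepAliveOffloadEnable `1`, say so in the table so administrators know what to tune when tunnels drop on a given carrier.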
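Review bot: The @@ -105,7 hunk renames UserDefinedName from `NCSC Example VPN configuration` to `CTX VPN`, which reads like a value carried over from a test tenant rather than a published reference; this is the label users see under Settings → VPN. Suggest keeping the generic `NCSC Example VPN configuration` or another neutral name, since the file is shipped as an example to be copied.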
@@ -7,28 +7,77 @@ PayloadContent + PayloadDescription + Configures passcode settings + PayloadDisplayName + Passcode + PayloadIdentifier + com.apple.mobiledevice.passwordpolicy.4ED70A96-02CB-49D5-A46F-4E4C0868D917 + PayloadType + com.apple.mobiledevice.passwordpolicy + PayloadUUID + 4ED70A96-02CB-49D5-A46F-4E4C0868D917 + PayloadVersion + 1 + allowSimple + + forcePIN + + minLength + 8 + requireAlphanumeric + + + + NotificationSettings + + + AlertType + 2 + BundleIdentifier + com.apple.MobileSMS + GroupingType + 0 + PreviewType + 1 + ShowInNotificationCenter + + + + PayloadDescription + Configures notifications settings for apps + PayloadDisplayName + Notifications + PayloadIdentifier + com.apple.notificationsettings.65A1B78B-251D-4025-9259-8FF3741962A4 + PayloadType + com.apple.notificationsettings + PayloadUUID + 65A1B78B-251D-4025-9259-8FF3741962A4 + PayloadVersion + 1 PayloadDescription Configures restrictions PayloadDisplayName Restrictions PayloadIdentifier - com.apple.applicationaccess.56C35EC7-FFE3-483D-8AE8-58A6584A9ED7 + com.apple.applicationaccess.0F425154-CEF8-4441-B6CF-B0F39B9A70CB PayloadType com.apple.applicationaccess PayloadUUID - 56C35EC7-FFE3-483D-8AE8-58A6584A9ED7 + 0F425154-CEF8-4441-B6CF-B0F39B9A70CB PayloadVersion 1 allowAccountModification allowActivityContinuation - + allowAddingGameCenterFriends allowAirDrop allowAirPlayIncomingRequests - + allowAirPrint allowAirPrintCredentialsStorage @@ -37,10 +86,14 @@ allowAppCellularDataModification + allowAppClips + allowAppInstallation allowAppRemoval - + + allowApplePersonalizedAdvertising + allowAssistant allowAssistantWhileLocked @@ -68,7 +121,7 @@ allowCloudKeychainSync allowCloudPhotoLibrary - + allowContinuousPathKeyboard allowDefinitionLookup @@ -76,7 +129,7 @@ allowDeviceNameModification allowDeviceSleep - + allowDiagnosticSubmission allowDictation 
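Review bot: The passcode payload re-added at the top of the @@ -7,28 +7,77 hunk no longer carries maxFailedAttempts or maxInactivity, which the payload removed in the @@ -238,41 hunk set to `10` and `10`, so the example profile stops managing auto-lock and wipe-after-failed-attempts entirely. The CSV rows leave both as "Configure to organisation policy", but an example that omits the keys gives administrators nothing to adjust; either keep them with placeholder values or state in the README that they must be added. The boolean values in this payload (allowSimple, requireAlphanumeric) are not visible here because the plist tags were stripped in rendering, so I cannot confirm them. Separately, the new NotificationSettings entry for com.apple.MobileSMS sets PreviewType to `1`; if that follows Apple's 0/1/2 = Always/When Unlocked/Never encoding, it does not match the "Show Previews: Never" row in the table and should be `2`.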
@@ -88,27 +141,29 @@ allowEnterpriseAppTrust allowEnterpriseBookBackup - + allowEnterpriseBookMetadataSync - + allowEraseContentAndSettings - + allowExplicitContent allowFilesNetworkDriveAccess - + allowFilesUSBDriveAccess - + allowFindMyDevice allowFindMyFriends - + + allowFindMyFriendsModification + allowFingerprintForUnlock allowFingerprintModification allowGameCenter - + allowGlobalBackgroundFetchWhenRoaming allowHostPairing @@ -130,53 +185,55 @@ allowMusicService allowNews - + allowNotificationsModification - + allowOpenFromManagedToUnmanaged allowOpenFromUnmanagedToManaged allowPairedWatch - + allowPassbookWhileLocked - + allowPasscodeModification allowPasswordAutoFill allowPasswordProximityRequests - + allowPasswordSharing - + allowPersonalHotspotModification allowPhotoStream - + + allowPodcasts + allowPredictiveKeyboard allowProximitySetupToNewDevice - + allowRadioService allowRemoteAppPairing - + allowRemoteScreenObservation - + allowSafari allowScreenShot allowSharedStream - + allowSpellCheck allowSpotlightInternetResults allowSystemAppRemoval - - allowUIAppInstallation + allowUIAppInstallation + allowUIConfigurationProfileInstallation allowUSBRestrictedMode @@ -192,19 +249,23 @@ allowWallpaperModification allowiTunes - + blacklistedAppBundleIDs com.apple.shortcuts forceAirDropUnmanaged + forceAirPlayIncomingRequestsPairingPassword + + forceAirPlayOutgoingRequestsPairingPassword + forceAirPrintTrustedTLSRequirement - + forceAssistantProfanityFilter forceAuthenticationBeforeAutoFill - + forceAutomaticDateAndTime forceClassroomAutomaticallyJoinClasses @@ -224,7 +285,7 @@ forceLimitAdTracking forceWatchWristDetection - + forceWiFiPowerOn forceWiFiWhitelisting 
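Review bot: forceWatchWristDetection changes value in the @@ -224,7 hunk (the plist tags are stripped in this rendering, so the new value is not visible), and the CSV and markdown hunks later in this diff flip "Force Apple Watch wrist detection" from Yes to No. Wrist detection is what locks a paired watch when it is taken off; without it an already-unlocked watch, and any unlock or approval features tied to it, stays usable by whoever holds it. If the relaxation is deliberate, the reason belongs next to the row (the macOS table's Comments column is the precedent); otherwise the row should stay `Force Apple Watch wrist detection,Yes` and this key should keep its previous value.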
@@ -238,41 +299,15 @@ ratingTVShows 1000 safariAcceptCookies - 2 + 1.5 safariAllowAutoFill safariAllowJavaScript safariAllowPopups - - safariForceFraudWarning - - - - PayloadDescription - Configures passcode settings - PayloadDisplayName - Passcode - PayloadIdentifier - com.apple.mobiledevice.passwordpolicy.0EA2B977-1733-4B87-8B92-97EAC5957FF6 - PayloadType - com.apple.mobiledevice.passwordpolicy - PayloadUUID - 0EA2B977-1733-4B87-8B92-97EAC5957FF6 - PayloadVersion - 1 - allowSimple - forcePIN + safariForceFraudWarning - maxFailedAttempts - 10 - maxInactivity - 10 - minLength - 6 - requireAlphanumeric - PayloadDescription @@ -292,4 +327,4 @@ PayloadVersion 1 - + \ No newline at end of file diff --git a/Apple/iOS/NCSC_iOS_configurations.csv b/Apple/iOS/NCSC_iOS_configurations.csv index ea5683d..b422f34 100644 --- a/Apple/iOS/NCSC_iOS_configurations.csv +++ b/Apple/iOS/NCSC_iOS_configurations.csv 
@@ -1,60 +1,82 @@ -MDM settings, ----,--- -, -General, -Security (Controls when the profile can be removed),Never -Automatically Remove Profile (Settings for automatic profile removal),Never -, -Restrictions - Functionality tab, -Allow AirDrop (supervised devices only),No -Allow Siri whilst device is locked,No -Allow iCloud backup,No -Allow iCloud documents & data,No -Allow iCloud Keychain,No -Allow managed apps to store data in iCloud,No -Force encrypted backups,Yes -Force limited ad tracking,Yes -Allow users to accept untrusted TLS certificates,No -Allow trusting new enterprise app authors,No -Allow installing configuration profiles (supervised only),No -Allow adding VPN Configurations (supervised only),No -Allow modifying account settings (supervised only),No -Allow USB accessories while device is locked (supervised only),No -Allow pairing with non-Configurator hosts (supervised only),No -Allow documents from managed sources in unmanaged destinations,No -Allow documents from unmanaged sources in managed destinations,No -Treat AirDrop as unmanaged destination,Yes -Allow sending diagnostic and usage data to Apple,No -Force Apple Watch wrist detection,Yes -Show Control Centre in Lock screen,No -Show Notification Centre in Lock screen,No -Show Today view in Lock screen,No -, -Restrictions - Apps tab , -Restrict App Usage (supervised only),Do not allow some apps: com.apple.shortcuts -, -VPN configuration - IPsec PRIME profile, -Connection type,IKEv2 -Always-on (supervised only),Yes -Machine Authentication,Certificate -Enable perfect forward secrecy,Yes -Enable certificate revocation check,Yes -Encryption algorithm (IKE & Child SA),AES-128-GCM -Diffie-Hellman Group (IKE & Child SA),19 -Allow traffic from captive web sheet outside the VPN tunnel,Yes -, -Passcode, -Allow simple value,Configure to organisation policy -Require alphanumeric value,Configure to organisation policy -Minimum passcode length,Configure to organisation policy -Minimum number of complex 
characters,Configure to organisation policy -Maximum passcode age,Configure to organisation policy -Maximum Auto-Lock,Configure to organisation policy -Passcode history,Configure to organisation policy -Maximum grace period for device lock,Configure to organisation policy -Maximum number of failed attempts,Configure to organisation policy -, -On-device settings, -, -Notifications, -Show Previews,Never +MDM settings,iOS 14,,, +,* - Both options must be set as shown to remain secure,,, +General,,,, +Security (Controls when the profile can be removed),Never,,, +Automatically Remove Profile (Settings for automatic profile removal),Never,,, +,,,, +Restrictions - Functionality tab,,,, +Allow AirDrop (supervised devices only),No,,, +Allow Siri whilst device is locked,No,,, +Allow App Clips,Configure to organisation policy,,, +Allow iCloud backup,No,,, +Allow iCloud documents & data,No,,, +Allow iCloud Keychain,No,,, +Allow Shared Albums,No,,, +Allow iCloud Photos,No,,, +Allow apps to request to track,No,,, +Allow Personalised Ads Delivered by Apple,No,,, +Allow managed apps to store data in iCloud,No,,, +Force encrypted backups,Yes,,, +Force limited ad tracking,Yes,,, +Allow users to accept untrusted TLS certificates,No,,, +Allow trusting new enterprise app authors,No,,, +Allow installing configuration profiles (supervised only),No,,, +Allow adding VPN Configurations (supervised only),No,,, +Allow modifying account settings (supervised only),No,,, +Allow USB accessories while device is locked (supervised only),No,,, +Allow pairing with non-Configurator hosts (supervised only),No,,, +Allow documents from managed sources in unmanaged destinations,No,,, +Allow documents from unmanaged sources in managed destinations,No,,, +Treat AirDrop as unmanaged destination,Yes,,, +Allow sending diagnostic and usage data to Apple,No,,, +Allow password autofill,Yes*,,, +Require Touch ID/ Face ID Authentication before AutoFill (supervised only),Yes*,,, +Allow setting up new nearby 
devices,No,,, +Allow Proximity based password sharing requests,No,,, +Allow Password sharing (supervised only),No,,, +Disallow AirPrint to destinations with untrusted certificates (Supervised only),No,,, +Force Apple Watch wrist detection,No,,, +Show Control Centre in Lock screen,No,,, +Show Notification Centre in Lock screen,No,,, +Show Today view in Lock screen,No,,, +Defer Software updates for __ days (supervised only),Disabled,,, +,,,, +Restrictions - Apps tab ,,,, +Restrict App Usage (supervised only),Do not allow some apps: (Example: com.apple.shortcuts) ,,, +Force Fraud Warning,Yes,,, +Block pop-ups,Yes,,, +Accept cookies,"""From websites I visit""",,, +,,,, +VPN configuration - IPsec PRIME profile,,,, +Connection type,IKEv2,,, +Always-on (supervised only),Yes,,, +Machine Authentication,Certificate,,, +Enable perfect forward secrecy,Yes,,, +Enable certificate revocation check,Yes,,, +Encryption algorithm (IKE & Child SA),AES-128-GCM,,, +Diffie-Hellman Group (IKE & Child SA),19,,, +Service Exceptions -> Cellular Services,Configure to organisation policy (this setting can prevent tethered devices from communicating via the Always-on VPN if set to "Allow traffic outside tunnel"),,, +Allow traffic from captive web sheet outside the VPN tunnel,Yes,,, +,,,, +Passcode,,,, +Allow simple value,Configure to organisation policy,,, +Require alphanumeric value,Configure to organisation policy,,, +Minimum passcode length,Configure to organisation policy,,, +Minimum number of complex characters,Configure to organisation policy,,, +Maximum passcode age,Configure to organisation policy,,, +Maximum Auto-Lock,Configure to organisation policy,,, +Passcode history,Configure to organisation policy,,, +Maximum grace period for device lock,Configure to organisation policy,,, +Maximum number of failed attempts,Configure to organisation policy,,, +,,,, +On-device settings,,,, +,,,, +Notifications,,,, +Show Previews,Never,,, +,,,, +FaceID & Passcode,,,, +Require Attention for Face 
ID,Yes,,, +Attention-Aware Features,No,,, +,,,, +Tracking,,,, +Allow Apps to Request to Track,No,,, diff --git a/Apple/iOS/NCSC_iOS_configurations.md b/Apple/iOS/NCSC_iOS_configurations.md index b169c24..4814628 100644 --- a/Apple/iOS/NCSC_iOS_configurations.md +++ b/Apple/iOS/NCSC_iOS_configurations.md 
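Review bot: The new row `Disallow AirPrint to destinations with untrusted certificates (Supervised only),No` permits printing to AirPrint endpoints whose TLS certificate is not trusted, which sits oddly beside `Allow users to accept untrusted TLS certificates,No` a few rows above; unless the intent is to tolerate self-signed printers, this row should read `Yes`. The matching forceAirPrintTrustedTLSRequirement key also changes value in the profile hunk at @@ -192,19, where the stripped tags hide which way it went, and the same row is repeated in the markdown table in the next file. If "No" is intended, a short comment on the row saying why (for example, that print traffic is already confined to the VPN) would stop readers reading it as an oversight.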
@@ -1,62 +1,83 @@ -## NCSC iOS configurations ## -|MDM settings|| -|---|---| -|| -|General|| -|Security (Controls when the profile can be removed)|Never| -|Automatically Remove Profile (Settings for automatic profile removal)|Never| -|| -|Restrictions - Functionality tab|| -|Allow AirDrop (supervised devices only)|No| -|Allow Siri whilst device is locked|No| -|Allow iCloud backup|No| -|Allow iCloud documents & data|No| -|Allow iCloud Keychain|No| -|Allow managed apps to store data in iCloud|No| -|Force encrypted backups|Yes| -|Force limited ad tracking|Yes| -|Allow users to accept untrusted TLS certificates|No| -|Allow trusting new enterprise app authors|No| -|Allow installing configuration profiles (supervised only)|No| -|Allow adding VPN Configurations (supervised only)|No| -|Allow modifying account settings (supervised only)|No| -|Allow USB accessories while device is locked (supervised only)|No| -|Allow pairing with non-Configurator hosts (supervised only)|No| -|Allow documents from managed sources in unmanaged destinations|No| -|Allow documents from unmanaged sources in managed destinations|No| -|Treat AirDrop as unmanaged destination|Yes| -|Allow sending diagnostic and usage data to Apple|No| -|Force Apple Watch wrist detection|Yes| -|Show Control Centre in Lock screen|No| -|Show Notification Centre in Lock screen|No| -|Show Today view in Lock screen|No| -|| -|Restrictions - Apps tab || -|Restrict App Usage (supervised only)|Do not allow some apps: com.apple.shortcuts| -|| -|VPN configuration - IPsec PRIME profile|| -|Connection type|IKEv2| -|Always-on (supervised only)|Yes| -|Machine Authentication|Certificate| -|Enable perfect forward secrecy|Yes| -|Enable certificate revocation check|Yes| -|Encryption algorithm (IKE & Child SA)|AES-128-GCM| -|Diffie-Hellman Group (IKE & Child SA)|19| -|Allow traffic from captive web sheet outside the VPN tunnel|Yes| -|| -|Passcode|| -|Allow simple value|Configure to organisation policy| -|Require alphanumeric 
value|Configure to organisation policy| -|Minimum passcode length|Configure to organisation policy| -|Minimum number of complex characters|Configure to organisation policy| -|Maximum passcode age|Configure to organisation policy| -|Maximum Auto-Lock|Configure to organisation policy| -|Passcode history|Configure to organisation policy| -|Maximum grace period for device lock|Configure to organisation policy| -|Maximum number of failed attempts|Configure to organisation policy| -|| -|On-device settings|| -|| -|Notifications|| -|Show Previews|Never| -|| +|MDM settings |iOS 14 | +|-------------------------------------------------------------------------------|-------------------------------------------------------| +| |* - Both options must be set as shown to remain secure | +|General | | +|Security (Controls when the profile can be removed) |Never | +|Automatically Remove Profile (Settings for automatic profile removal) |Never | +| | | +|Restrictions - Functionality tab | | +|Allow AirDrop (supervised devices only) |No | +|Allow Siri whilst device is locked |No | +|Allow App Clips |Configure to organisation policy | +|Allow iCloud backup |No | +|Allow iCloud documents & data |No | +|Allow iCloud Keychain |No | +|Allow Shared Albums |No | +|Allow iCloud Photos |No | +|Allow apps to request to track |No | +|Allow Personalised Ads Delivered by Apple |No | +|Allow managed apps to store data in iCloud |No | +|Force encrypted backups |Yes | +|Force limited ad tracking |Yes | +|Allow users to accept untrusted TLS certificates |No | +|Allow trusting new enterprise app authors |No | +|Allow installing configuration profiles (supervised only) |No | +|Allow adding VPN Configurations (supervised only) |No | +|Allow modifying account settings (supervised only) |No | +|Allow USB accessories while device is locked (supervised only) |No | +|Allow pairing with non-Configurator hosts (supervised only) |No | +|Allow documents from managed sources in unmanaged destinations |No | +|Allow 
documents from unmanaged sources in managed destinations |No | +|Treat AirDrop as unmanaged destination |Yes | +|Allow sending diagnostic and usage data to Apple |No | +|Allow password autofill |Yes* | +|Require Touch ID/ Face ID Authentication before AutoFill (supervised only) |Yes* | +|Allow setting up new nearby devices |No | +|Allow Proximity based password sharing requests |No | +|Allow Password sharing (supervised only) |No | +|Disallow AirPrint to destinations with untrusted certificates (Supervised only)|No | +|Force Apple Watch wrist detection |No | +|Show Control Centre in Lock screen |No | +|Show Notification Centre in Lock screen |No | +|Show Today view in Lock screen |No | +|Defer Software updates for __ days (supervised only) |Disabled | +| | | +|Restrictions - Apps tab� | | +|Restrict App Usage (supervised only) |Do not allow some apps: (Example: com.apple.shortcuts) | +|Force Fraud Warning |Yes | +|Block pop-ups |Yes | +|Accept cookies |"From websites I visit" | +| | | +|VPN configuration - IPsec PRIME profile | | +|Connection type |IKEv2 | +|Always-on (supervised only) |Yes | +|Machine Authentication |Certificate | +|Enable perfect forward secrecy |Yes | +|Enable certificate revocation check |Yes | +|Encryption algorithm (IKE & Child SA) |AES-128-GCM | +|Diffie-Hellman Group (IKE & Child SA) |19 | +|Service Exceptions -> Cellular Services |Configure to organisation policy (this setting can prevent tethered devices from communicating via the Always-on VPN if set to "Allow traffic outside tunnel") | +|Allow traffic from captive web sheet outside the VPN tunnel |Yes | +| | | +|Passcode | | +|Allow simple value |Configure to organisation policy | +|Require alphanumeric value |Configure to organisation policy | +|Minimum passcode length |Configure to organisation policy | +|Minimum number of complex characters |Configure to organisation policy | +|Maximum passcode age |Configure to organisation policy | +|Maximum Auto-Lock |Configure to organisation 
policy | +|Passcode history |Configure to organisation policy | +|Maximum grace period for device lock |Configure to organisation policy | +|Maximum number of failed attempts |Configure to organisation policy | +| | | +|On-device settings | | +| | | +|Notifications | | +|Show Previews |Never | +| | | +|FaceID & Passcode | | +|Require Attention for Face ID |Yes | +|Attention-Aware Features |No | +| | | +|Tracking | | +|Allow Apps to Request to Track |No | diff --git a/Apple/iOS/README.md b/Apple/iOS/README.md index 272781f..c74d4ff 100644 --- a/Apple/iOS/README.md +++ b/Apple/iOS/README.md @@ -2,6 +2,6 @@ This archive contains important security policy settings which are recommended f Remember, any guidance points given here are recommendations - they are not mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform. -This configuration was last tested against iOS 13.1 in October 2019. +This configuration was last tested against iOS 14. -Crown Copyright (c) 2019 +Crown Copyright (c) 2021 diff --git a/Apple/macOS/NCSC_macOS_configurations.csv b/Apple/macOS/NCSC_macOS_configurations.csv index 5c97d4c..e0d23ad 100644 --- a/Apple/macOS/NCSC_macOS_configurations.csv +++ b/Apple/macOS/NCSC_macOS_configurations.csv 
@@ -1,65 +1,165 @@ -MDM settings,As per Profile Manager MDM ----,--- -, -General, -Profile Distribution Type,Automatic Push -Security (Controls when the profile can be removed),Never -Automatically Remove Profile (Settings for automatic profile removal),Never -, -Passcode, -Configure this section to organisation policy, -, -Restrictions - Preferences, -Restrict items in System Preferences,Yes (disable selected items): iCloudProfilesSecurity & PrivacyStartup Disk -, -Restrictions - Apps, -Restrict which apps are allowed to launch,YesAdd a list of approved applications permitted by the business -, -Restrictions - Media, -Configure this section to organisation policy, -, -Restrictions - Sharing, -Select services that should be available in the share menu,Disable:AirDrop Messages Twitter Facebook LinkedIn Video Services Sina Weibo -, -Restrictions - Functionality, -Allow password sharing,No -Allow proximity based password sharing requests,No -Allow Classroom to lock the device without prompting,No -Automatically join Classroom classes without prompting,No -Require teacher permission to leave Classroom unmanaged classes,No -Allow use of iCloud password for local accounts,No -Allow iCloud Drive,No -Allow iCloud Desktop & Documents,No -Allow iCloud Keychain,No -Allow iCloud Mail,No -Allow iCloud Contacts,No -Allow iCloud Calendars,No -, -Security & Privacy Payload - General, -Configure Gatekeeper Settings,Mac App Store and identified developers -Do not allow user to override Gatekeeper setting,Yes -, -Security & Privacy Payload - FileVault, -Require FileVault,Yes -Escrow Personal Recovery Key,Yes -, -Security & Privacy Payload - Firewall, -Manage Firewall Settings,Yes -Enable Firewall,Yes -Block all incoming connections,Yes -, -Software Update Payload, -Allow installation of macOS beta releases,No -Allow non-admin users to purchase apps and install software updates,Yes -Automatically install macOS updates,Yes -Automatically install app updates from the App Store,Yes -, 
-VPN configuration - IPsec PRIME profile, -Connection type,IKEv2 -Always-on (supervised only),Yes -Machine Authentication,Certificate -Enable perfect forward secrecy,Yes -Enable certificate revocation check,Yes -Encryption algorithm (IKE & Child SA),AES-128-GCM -Diffie-Hellman Group (IKE & Child SA),19 -Allow traffic from captive web sheet outside the VPN tunnel,Yes +,Old Status,Big Sur Updates,Comments +MDM settings,As per Profile Manager MDM,, +,,, +General,,, +Profile Distribution Type,Automatic Push,, +Security (Controls when the profile can be removed),Never,Never, +Automatically Remove Profile (Settings for automatic profile removal),Never,Never, +,,, +Certificate Transparency,,, +Excluded Domains,,Exclude Internal Domains,"Enforces Certificate Transparency on the device. To exclude domains, you can specify the domain to exclude by following the instructions at: + +https://support.apple.com/en-gb/guide/mdm/mdmbafaa79ff/web " +,,, +Passcode,,, +Configure this section to organisation policy,,(same as before), +,,, +Restrictions - Preferences,,, +Restrict items in System Preferences,"Yes (disable selected items): +iCloud +Profiles +Security & Privacy +Startup Disk","Yes (disable selected items): +iCloud +Profiles +Security & Privacy +Startup Disk +Sharing (enables remote management) +Siri +Xsan - If not in use +FibreChannel - if not in use", +,,, +Restrictions - Apps,,, +Restrict which apps are allowed to launch,"Yes + +Add a list of approved applications permitted by the business","Yes + +Add a list of approved applications permitted by the business", +,,, +Restrictions - Media,,, +Configure this section to organisation policy,,(Same as before), +,,, +Restrictions - Sharing,,, +Select services that should be available in the share menu,"Disable: +AirDrop +Messages +Twitter +Facebook +LinkedIn +Video Services +Sina Weibo","Disable: +AirDrop +Messages +Add to Aperture +Twitter +Facebook +LinkedIn +Video Services +Sina Weibo", +,,, +Restrictions - Functionality,,, 
+Allow use of Camera,,(Determine based off organisational policy), +Allow Spotlight Suggestions,,No, +Allow Touch ID to unlock device,,(Determine based off organisational policy), +Allow password sharing,No,No, +Allow proximity based password sharing requests,No,No, +"Allow screenshots and recording - Allow Airplay, View Screen by classroom and Screen sharing",,(Determine based off organisational policy), +Allow Classroom to lock the device without prompting,No,No, +Automatically join Classroom classes without prompting,No,No, +Require teacher permission to leave Classroom unmanaged classes,No,No, +Allow use of iCloud password for local accounts,No,No, +Allow iCloud Drive,No,No, +Allow iCloud Desktop & Documents,No,No, +Allow iCloud Keychain,No,No, +Allow iCloud Mail,No,No, +Allow iCloud Contacts,No,No, +Allow iCloud Calendars,No,No, +Allow Content Caching,,No, +Defer macOS Updates,,No, +Defer app updates,,No, +,,, +Security & Privacy Payload - General,,, +Configure Gatekeeper Settings,Mac App Store and identified developers,Mac App Store and identified developers, +Do not allow user to override Gatekeeper setting,Yes,Yes, +Require password n after sleep or screen saver begins,,5 seconds, +Allow user to set lock message,,No, +Allow user to unlock Mac using an Apple Watch,,No, +,,, +Security & Privacy Payload - FileVault,,, +Require FileVault,Yes,Yes, +Escrow Personal Recovery Key,Yes,Yes, +Require User to unlock FileVault after Hibernation,,Yes, +,,, +Security & Privacy Payload - Firewall,,, +Manage Firewall Settings,Yes,Yes, +Enable Firewall,Yes,Yes, +Block all incoming connections,Yes,Yes, +Enable stealth mode,,Yes,"Sets the firewall to block ICMP and other ""ping"" messages. Can be disabled if needed for network debugging." 
+,,, +Software Update Payload,,, +Allow installation of macOS beta releases,No,No, +Allow non-admin users to purchase apps and install software updates,Yes,Yes, +Automatically install macOS updates,Yes,Yes, +Automatically install app updates from the App Store,Yes,Yes, +,,, +VPN configuration - IPsec PRIME profile,,, +Connection type,IKEv2,, +Always-on (supervised only),Yes,, +Machine Authentication,Certificate,, +Enable perfect forward secrecy,Yes,, +Enable certificate revocation check,Yes,, +Encryption algorithm (IKE & Child SA),AES-128-GCM,, +Diffie-Hellman Group (IKE & Child SA),19,, +Allow traffic from captive web sheet outside the VPN tunnel,Yes,,"Where captive portals are required to connect to the internet/protected networks, this option enables their usage. However, this introduces an attack path where a service on the local network could be used to bypass VPN enforcement" +,,, +AirPlay,,, +Restrict Airplay destinations (supervised only),,Yes, +,,, +Kernel Extensions,,, +Allow User Override,,No, +,,, +Login Items,,, +User may press shift to keep items from opening,,No, +,,, +Login Window - Window,,, +Login Prompt,,Name and Password Text fields, +,,, +Login Window - Options,,, +Show password hints,,No, +Disable automatic login,,Yes, +Enable >console login,,No, +Enable Fast User Switching,,No, +Log out users after X minutes of inactivity,,3, +Allow Guest user,,No, +Setup Assistant Options,,"(Disable selected items): +Privacy +Apple ID +iCloud Desktop and Documents +Siri +Screen Time", +,,, +Notifications,,, +Allow Notifications,,Yes, +Show in Notification Center,,Yes, +Show in Lock Screen,,No, +,,, +Parental Controls,,, +Content Filtering - Limit Access to websites by,,Configure to organisational acceptable use policy,"This policy has two options; ""trying to limit access to adult websites"" and ""allowing access to the following websites only"". 
In high-security environments, the ""allowing access to the following websites"" option should be used and the associated allow list populated with permitted URLs. Allow listing is more effective than deny listing in such environment. For networks not considered high-security, the ""trying to limit access to adult websites"" option should be enabled to limit the content end users can access, however this option is not hollistic and is susceptible to bypasses, such as via proxy websites" +,,, +Proxies,,, +Configure to organisation monitoring policy,,,"Where organisations use content filtering/inspection, this payload should be suitably configured to use such services" +,,, +Time Machine,,, +Configure to organisation disaster recovery policy,,,Time Machine should be used for backing up Macs. This should be configured according to organisational disaster recovery (DR) policies. +Backup Server,,Set backup server URL, +Backup all volumes,,Enabled,"If devices are configured with more than one volume (for example, macOS on one and Windows on another), ensure that ""Backup all volumes is selected""." +Backup system files and folders,,Disabled,"To limit the size of backups and reduce storage costs, system files and folders should not be backed up. In the event of system destablisation, macOS Recovery can be used to restore these locations." +Enable automatic backups,,Enabled,Ensure backups are performed regularly to minimise data loss in the event of a disaster. +Enable local snapshots (10.8 and above only),,Enabled,"When devices are mobile and not connected to networks, snapshots should be enabled to prevent data loss until the next backup. Snapshots can be viewed as version control for files." 
+Backup size Limit,,Configure to organisational storage requirements, +,,, +Additional Settings (refer to MDM documentation for configuration),,, +Encrypted DNS,,Enabled,"Only enable encrypted DNS if internal, or external but selected by the organisation, name servers are to be used which support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). This allows organisations to continue to monitor DNS requests within the network to identify malicious activity and minimises risks of leaking internal hostnames. + +Organisations should refer to their MDM documentation for instructions on setting this up." +Time Server,,Specify time server by device location,Organisations should refer to their MDM documentation for instructions on setting this up diff --git a/Apple/macOS/NCSC_macOS_configurations.md b/Apple/macOS/NCSC_macOS_configurations.md index a56b967..79531fa 100644 --- a/Apple/macOS/NCSC_macOS_configurations.md +++ b/Apple/macOS/NCSC_macOS_configurations.md 
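Review bot: The VPN configuration section in this hunk leaves the "Big Sur Updates" column empty for every row, whereas Passcode and Media use `(same as before)` to say the old value was re-validated; as written a reader cannot tell whether the IKEv2 settings were retested on Big Sur or simply not reviewed, so either fill in `(same as before)` or add a comment. Two typos in new rows: `Require password n after sleep or screen saver begins` (stray `n`) and `Enable >console login` (stray `>`), plus `hollistic` and `destablisation` in the Comments column. The stealth mode comment says the firewall blocks ICMP and other ping messages; macOS describes stealth mode as not responding to unsolicited probes such as ping rather than blocking ICMP outright, so wording like "stops the Mac responding to ICMP ping and port probes" is more accurate and still tells the reader why network debugging may need it off.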
@@ -1,67 +1,126 @@ -## NCSC macOS configurations ## -|MDM settings|As per Profile Manager MDM| -|---|---| -|| -|General|| -|Profile Distribution Type|Automatic Push| -|Security (Controls when the profile can be removed)|Never| -|Automatically Remove Profile (Settings for automatic profile removal)|Never| -|| -|Passcode|| -|Configure this section to organisation policy|| -|| -|Restrictions - Preferences|| -|Restrict items in System Preferences|Yes (disable selected items): iCloudProfilesSecurity & PrivacyStartup Disk| -|| -|Restrictions - Apps|| -|Restrict which apps are allowed to launch|YesAdd a list of approved applications permitted by the business| -|| -|Restrictions - Media|| -|Configure this section to organisation policy|| -|| -|Restrictions - Sharing|| -|Select services that should be available in the share menu|Disable:AirDrop Messages Twitter Facebook LinkedIn Video Services Sina Weibo| -|| -|Restrictions - Functionality|| -|Allow password sharing|No| -|Allow proximity based password sharing requests|No| -|Allow Classroom to lock the device without prompting|No| -|Automatically join Classroom classes without prompting|No| -|Require teacher permission to leave Classroom unmanaged classes|No| -|Allow use of iCloud password for local accounts|No| -|Allow iCloud Drive|No| -|Allow iCloud Desktop & Documents|No| -|Allow iCloud Keychain|No| -|Allow iCloud Mail|No| -|Allow iCloud Contacts|No| -|Allow iCloud Calendars|No| -|| -|Security & Privacy Payload - General|| -|Configure Gatekeeper Settings|Mac App Store and identified developers| -|Do not allow user to override Gatekeeper setting|Yes| -|| -|Security & Privacy Payload - FileVault|| -|Require FileVault|Yes| -|Escrow Personal Recovery Key|Yes| -|| -|Security & Privacy Payload - Firewall|| -|Manage Firewall Settings|Yes| -|Enable Firewall|Yes| -|Block all incoming connections|Yes| -|| -|Software Update Payload|| -|Allow installation of macOS beta releases|No| -|Allow non-admin users to purchase apps and 
install software updates|Yes| -|Automatically install macOS updates|Yes| -|Automatically install app updates from the App Store|Yes| -|| -|VPN configuration - IPsec PRIME profile|| -|Connection type|IKEv2| -|Always-on (supervised only)|Yes| -|Machine Authentication|Certificate| -|Enable perfect forward secrecy|Yes| -|Enable certificate revocation check|Yes| -|Encryption algorithm (IKE & Child SA)|AES-128-GCM| -|Diffie-Hellman Group (IKE & Child SA)|19| -|Allow traffic from captive web sheet outside the VPN tunnel|Yes| -|| +|Settings |Old Status |Big Sur Updates |Comments | +|-------------------------------------------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|MDM settings |As per Profile Manager MDM | | | +| | | | | +|General | | | | +|Profile Distribution Type |Automatic Push | | | +|Security (Controls when the profile can be removed) |Never |Never | | +|Automatically Remove Profile (Settings for 
automatic profile removal) |Never |Never | | +| | | | | +|Certificate Transparency | | | | +|Excluded Domains | |Exclude Internal Domains |Enforces Certificate Transparency on the device. To exclude domains, you can specify the domain to exclude by following the instructions at: https://support.apple.com/en-gb/guide/mdm/mdmbafaa79ff/web | +| | | | | +|Passcode | | | | +|Configure this section to organisation policy | |(same as before) | | +| | | | | +|Restrictions - Preferences | | | | +|Restrict items in System Preferences |Yes (disable selected items): iCloud Profiles Security & Privacy Startup Disk|Yes (disable selected items): iCloud Profiles Security & Privacy Startup Disk Sharing (enables remote management) Siri Xsan - If not in use FibreChannel - if not in use | | +| | | | | +|Restrictions - Apps | | | | +|Restrict which apps are allowed to launch |Yes Add a list of approved applications permitted by the business|Yes Add a list of approved applications permitted by the business | | +| | | | | +|Restrictions - Media | | | | +|Configure this section to organisation policy | |(Same as before) | | +| | | | | +|Restrictions - Sharing | | | | +|Select services that should be available in the share menu |Disable: AirDrop Messages Twitter Facebook LinkedIn Video Services Sina Weibo|Disable: AirDrop Messages Add to Aperture Twitter Facebook LinkedIn Video Services Sina Weibo | | +| | | | | +|Restrictions - Functionality | | | | +|Allow use of Camera | |(Determine based off organisational policy) | | +|Allow Spotlight Suggestions | |No | | +|Allow Touch ID to unlock device | |(Determine based off organisational policy) | | +|Allow password sharing |No |No | | +|Allow proximity based password sharing requests |No |No | | +|Allow screenshots and recording - Allow Airplay, View Screen by classroom and Screen sharing| |(Determine based off organisational policy) | | +|Allow Classroom to lock the device without prompting |No |No | | +|Automatically join Classroom classes 
without prompting |No |No | | +|Require teacher permission to leave Classroom unmanaged classes |No |No | | +|Allow use of iCloud password for local accounts |No |No | | +|Allow iCloud Drive |No |No | | +|Allow iCloud Desktop & Documents |No |No | | +|Allow iCloud Keychain |No |No | | +|Allow iCloud Mail |No |No | | +|Allow iCloud Contacts |No |No | | +|Allow iCloud Calendars |No |No | | +|Allow Content Caching | |No | | +|Defer macOS Updates | |No | | +|Defer app updates | |No | | +| | | | | +|Security & Privacy Payload - General | | | | +|Configure Gatekeeper Settings |Mac App Store and identified developers |Mac App Store and identified developers | | +|Do not allow user to override Gatekeeper setting |Yes |Yes | | +|Require password n after sleep or screen saver begins | |5 seconds | | +|Allow user to set lock message | |No | | +|Allow user to unlock Mac using an Apple Watch | |No | | +| | | | | +|Security & Privacy Payload - FileVault | | | | +|Require FileVault |Yes |Yes | | +|Escrow Personal Recovery Key |Yes |Yes | | +|Require User to unlock FileVault after Hibernation | |Yes | | +| | | | | +|Security & Privacy Payload - Firewall | | | | +|Manage Firewall Settings |Yes |Yes | | +|Enable Firewall |Yes |Yes | | +|Block all incoming connections |Yes |Yes | | +|Enable stealth mode | |Yes |Sets the firewall to block ICMP and other "ping" messages. Can be disabled if needed for network debugging. 
| +| | | | | +|Software Update Payload | | | | +|Allow installation of macOS beta releases |No |No | | +|Allow non-admin users to purchase apps and install software updates |Yes |Yes | | +|Automatically install macOS updates |Yes |Yes | | +|Automatically install app updates from the App Store |Yes |Yes | | +| | | | | +|VPN configuration - IPsec PRIME profile | | | | +|Connection type |IKEv2 | | | +|Always-on (supervised only) |Yes | | | +|Machine Authentication |Certificate | | | +|Enable perfect forward secrecy |Yes | | | +|Enable certificate revocation check |Yes | | | +|Encryption algorithm (IKE & Child SA) |AES-128-GCM | | | +|Diffie-Hellman Group (IKE & Child SA) |19 | | | +|Allow traffic from captive web sheet outside the VPN tunnel |Yes | |Where captive portals are required to connect to the internet/protected networks, this option enables their usage. However, this introduces an attack path where a service on the local network could be used to bypass VPN enforcement | +| | | | | +|AirPlay | | | | +|Restrict Airplay destinations (supervised only) | |Yes | | +| | | | | +|Kernel Extensions | | | | +|Allow User Override | |No | | +| | | | | +|Login Items | | | | +|User may press shift to keep items from opening | |No | | +| | | | | +|Login Window - Window | | | | +|Login Prompt | |Name and Password Text fields | | +| | | | | +|Login Window - Options | | | | +|Show password hints | |No | | +|Disable automatic login | |Yes | | +|Enable >console login | |No | | +|Enable Fast User Switching | |No | | +|Log out users after X minutes of inactivity | |3 | | +|Allow Guest user | |No | | +|Setup Assistant Options | |(Disable selected items): Privacy Apple ID iCloud Desktop and Documents Siri Screen Time | | +| | | | | +|Notifications | | | | +|Allow Notifications | |Yes | | +|Show in Notification Center | |Yes | | +|Show in Lock Screen | |No | | +| | | | | +|Parental Controls | | | | +|Content Filtering - Limit Access to websites by | |Configure to organisational 
acceptable use policy |This policy has two options; "trying to limit access to adult websites" and "allowing access to the following websites only". In high-security environments, the "allowing access to the following websites" option should be used and the associated allow list populated with permitted URLs. Allow listing is more effective than deny listing in such environment. For networks not considered high-security, the "trying to limit access to adult websites" option should be enabled to limit the content end users can access, however this option is not hollistic and is susceptible to bypasses, such as via proxy websites| +| | | | | +|Proxies | | | | +|Configure to organisation monitoring policy | | |Where organisations use content filtering/inspection, this payload should be suitably configured to use such services | +| | | | | +|Time Machine | | | | +|Configure to organisation disaster recovery policy | | |Time Machine should be used for backing up Macs. This should be configured according to organisational disaster recovery (DR) policies. | +|Backup Server | |Set backup server URL | | +|Backup all volumes | |Enabled |If devices are configured with more than one volume (for example, macOS on one and Windows on another), ensure that "Backup all volumes is selected". | +|Backup system files and folders | |Disabled |To limit the size of backups and reduce storage costs, system files and folders should not be backed up. In the event of system destablisation, macOS Recovery can be used to restore these locations. | +|Enable automatic backups | |Enabled |Ensure backups are performed regularly to minimise data loss in the event of a disaster. | +|Enable local snapshots (10.8 and above only) | |Enabled |When devices are mobile and not connected to networks, snapshots should be enabled to prevent data loss until the next backup. Snapshots can be viewed as version control for files. 
| +|Backup size Limit | |Configure to organisational storage requirements | | +| | | | | +|Additional Settings (refer to MDM documentation for configuration) | | | | +|Encrypted DNS | |Enabled |Only enable encrypted DNS if internal, or external but selected by the organisation, name servers are to be used which support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). This allows organisations to continue to monitor DNS requests within the network to identify malicious activity and minimises risks of leaking internal hostnames. Organisations should refer to their MDM documentation for instructions on setting this up. | +|Time Server | |Specify time server by device location |Organisations should refer to their MDM documentation for instructions on setting this up | diff --git a/Apple/macOS/README.md b/Apple/macOS/README.md index e8ee654..b7ca54e 100644 --- a/Apple/macOS/README.md +++ b/Apple/macOS/README.md @@ -2,6 +2,6 @@ This archive contains important security policy settings which are recommended f Remember, any guidance points given here are recommendations - they are not mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform. -This configuration was last tested against macOS 10.15.1 in November 2019. +This configuration was last tested against macOS 10.16. -Crown Copyright (c) 2019 +Crown Copyright (c) 2021 diff --git a/Apple/macOS/macos_provisioning_script.sh b/Apple/macOS/macos_provisioning_script.sh index 8bddd57..f9a2207 100644 --- a/Apple/macOS/macos_provisioning_script.sh +++ b/Apple/macOS/macos_provisioning_script.sh 
@@ -6,101 +6,335 @@ # which might include some of the commands in this file, or might # use an entirely different mechanism for enforcement (e.g. MDM). # -# (C) Crown Copyright 2019 +# (C) Crown Copyright 2021 function get_user_pass { - local MATCH=false - while [ $MATCH == false ] ; do - read -s -p "Password: " PASS_1 - echo "" - read -s -p "Repeat Password: " PASS_2 - echo "" - if [ $PASS_1 == $PASS_2 ] ; then - PASS="$PASS_1" - MATCH=true - fi - done - return + local MATCH=false + while [ $MATCH == false ] ; do + read -s -p "Password: " PASS_1 + echo "" + read -s -p "Repeat Password: " PASS_2 + echo "" + if [ $PASS_1 == $PASS_2 ] ; then + PASS="$PASS_1" + MATCH=true + fi + done + return +} + +#NEW: Determines if FileVault is enabled or not (returns string) +function get_filevault_status { + FV_STATUS=$(fdesetup isactive) + case $FV_STATUS in + "true") + echo "enabled" + ;; + "false") + echo "disabled" + ;; + *) + echo "[!] Could not determine FileVault status! Exiting" + exit 1 + ;; + esac } -function get_encryption_pass { - local MATCH=false - while [ $MATCH == false ] ; do - read -s -p "Passphrase: " PASS_1 - echo "" - read -s -p "Repeat: " PASS_2 - echo "" - if [ "$PASS_1" == "$PASS_2" ]; then - DISKPASS="$PASS_1" - MATCH=true - fi - done - return +#NEW: Determines if System Integrity Protection is enabled or not (returns string). Compatible with macOS 10.15 and later only +function get_sip_status { + SIP_STATUS=$(csrutil status | sed 's/.$//' | awk '{print $NF}' ) + case "$SIP_STATUS" in + "enabled") + echo "enabled" + ;; + "disabled.") + echo "disabled" + ;; + *) + echo "[!] Could not determine System Integrity Protection status! Exiting" + exit 1 + ;; + esac +} + +#NEW: Determines if Signed System Volume is enabled or not (returns string). 
Compatible with macOS 11 only +function get_ssv_status { + SSV_STATUS=$(csrutil authenticated-root status | awk '{print $NF}' ) + case "$SSV_STATUS" in + "enabled") + echo "enabled" + ;; + "disabled") + echo "disabled" + ;; + *) + echo "[!] Could not determine Signed System Volume status! Exiting" + exit 1 + ;; + esac +} + +#NEW: Determines if the device is a MacBook (returns string) +function is_macbook { + PROFILER=$(system_profiler SPHardwareDataType | grep "Model Name" | sed 's/^ *//' | cut -d" " -f3) + if [ "$PROFILER" == "MacBook" ]; then + echo "true" + else + echo "false" + fi } if [[ $UID -ne 0 ]]; then - echo "This script needs to be run as root (with sudo)" - exit 1 + echo "This script needs to be run as root (with sudo)" + exit 1 fi +#NEW: Determines if a firmware password has been set +function get_firmwarepasswd_status { + FRW_STATUS=$(firmwarepasswd -check | cut -d" " -f3) + case "$FRW_STATUS" in + "On") + echo "enabled" + ;; + "Off") + echo "disabled" + ;; + *) + echo "[!] Could not determine firmware password status! Exiting" + exit 1 + ;; + esac +} + +#NEW: Determines the status of Gatekeeper policies +function get_gatekeeper_status { + GATEKEEPER_STATUS=$(spctl --status 2>/dev/null | awk '{print $NF}') + case "$GATEKEEPER_STATUS" in + "enabled") + echo "enabled" + ;; + "disabled") + echo "disabled" + ;; + *) + echo "[!] Could not determine Gatekeeper policy! Exiting" + exit 1 + esac +} + +#NEW: Determines if NTP is enabled +function get_ntp_status { + NTP_STATUS=$(systemsetup -getusingnetworktime | awk '{print $NF}') + case "$NTP_STATUS" in + "On") + echo "enabled" + ;; + "Off") + echo "disabled" + ;; + *) + echo "[!] Could not determine time configuration! 
Exiting" + exit 1 + ;; + esac +} + +#NEW: Determine if Content Caching is enabled +function get_content_caching_status { + CC_STATUC=$(defaults read /Library/Preferences/com.apple.AssetCache.plist Activated) + case "$CC_STATUS" in + "0") + echo "disabled" + ;; + "1") + echo "enabled" + ;; + *) + echo "[!] Could not determine Content Caching status! Exiting" + exit 1 + esac +} + DEBUG=false if [[ "$1" == "--debug" ]]; then DEBUG=true fi +#NEW: Breaks the version information into individual variables for later use echo "[I] Determining macOS version" -VERSION=$(system_profiler SPSoftwareDataType | grep macOS | awk {'print $4'} | cut -d. -f2) +VERSION=$(system_profiler SPSoftwareDataType | grep macOS | awk {'print $4'}) +VERSION_MAJOR=$(echo $VERSION | cut -d. -f1) +VERSION_MINOR=$(echo $VERSION | cut -d. -f2) +VERSION_PATCH=$(echo $VERSION | cut -d. -f3) + +#NEW: Gets the architecture for later use +ARCH=$(uname -a | awk -F" " '{print $NF}') + +#NEW: Get administators account name +ADMIN=$(users) + +#NEW: Uses a switch statement to determine the major version and act accordingly if [ -n "$VERSION" ]; then - if [ "${VERSION:-0}" -ge 13 ]; then + case "$VERSION_MAJOR" in + "10") + if [ "$VERSION_MINOR" -ge "13" ]; then + if $DEBUG; then + echo "[I] You are running macOS $VERSION_MAJOR.$VERSION_MINOR, proceeding with provisioning" + fi + elif [ "$VERSION_MINOR" == "12" ]; then + echo "[I] Error, this script is only for macOS 10.13 (High Sierra) and above. You are running macOS 10.12 (Sierra), please run the following provisioning script: https://www.ncsc.gov.uk/guidance/macos-1012-provisioning-script" + exit 1 + else + echo "[I] Error, this script is only for macOS 10.13 (High Sierra) and above." 
+ exit 1 + fi + ;; + "11") if $DEBUG; then - echo "[I] You are running macOS 10.$VERSION, proceeding with provisioning" + echo "[I] You are running macOS $VERSION_MAJOR.$VERSION_MINOR, proceeding with provisioning" fi - elif [ "$VERSION" == "12" ]; then - echo "[I] Error, this script is only for macOS 10.13 (High Sierra) and above. You are running macOS 10.12 (Sierra), please run the following provisioning script: https://www.ncsc.gov.uk/guidance/macos-1012-provisioning-script" + ;; + *) + echo "[I] Error, couldn't determine macOS version!" exit 1 + ;; + esac +else + echo "[I] Error, couldn't determine macOS version!" + exit 1 +fi + +echo "[I] Beginning local provisioning now" + +#NEW: Check if SIP is enabled +if ([ $VERSION_MAJOR == "10" ] && [ $VERSION_MINOR -ge "15" ]) || [ $VERSION_MAJOR -ge "11" ]; then + echo "[I] Checking if System Integrity Protection (SIP) is enabled" + if [ "$(get_sip_status)" == "enabled" ]; then + echo "[I] System Integrity Protection (SIP) is enabled" + else + echo "[!] System Integrity Protection (SIP) is not enabled!" + echo "[I] To continue with provisioning, you need to enable SIP in macOS Recovery with the following command:" + echo "$ csrutil enable" + exit 1 + fi +fi + +#NEW: Check if SSV is enabled +if [ $VERSION_MAJOR -ge "11" ]; then + echo "[I] Checking if Signed System Volume (SSV) is enabled" + if [ "$(get_ssv_status)" == "enabled" ]; then + echo "[I] Signed System Volume is enabled" else - echo "[I] Error, this script is only for macOS 10.13 (High Sierra) and above." + echo "[!] Signed System Volume is disabled!" 
+ echo "[I] To continue with provisioning, you need to enable SSV in macOS Recovery with the following command:" + echo "$ csrutil authenticated-root enable" exit 1 fi +fi + +#NEW: Check the status of FileVault and enable it if it is not enabled +echo "[I] Checking FileVault status" +if [ "$(get_filevault_status)" == "enabled" ]; then + echo "[I] FileVault is enabled, continuing" else - echo "[I] Error, couldn't determine macOS version!" - exit 1 + echo "[I] FileVault is not enabled... enabling now" + echo "[ ] Enter your administrative account credentials when prompted" + RKEY=$(fdesetup enable) + RKEY_ONLY=$(echo $RKEY | cut -d"'" -f2) + echo "[I] Your recovery key is $RKEY_ONLY, keep this safe!" + echo "[I] FileVault is now enabled" fi +#NEW: Get the status of firewall components (returns string) +function get_firewall_status { + # on or off + FW_LOGGING_MODE=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | awk '{print $NF}') + # ENABLED or DISABLED + FW_ALLOW_SIGNED_BUILTIN=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned | head -n1 | awk '{print $NF}') + # ENABLED or DISABLED + FW_ALLOW_SIGNED_DOWNLOADED=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned | tail -n1 | awk '{print $NF}') + # enabled or disabled + FW_GLOBAL_STATE=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | cut -d" " -f3 | sed 's/\.$//') + # enabled or disabled + FW_STEALTH_MODE=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{print $NF}') + # throttled, brief, or detail + FW_LOGGING_OPT=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt | awk '{print $NF}') + RESULT=("$FW_LOGGING_MODE $FW_ALLOW_SIGNED_BUILTIN $FW_ALLOW_SIGNED_DOWNLOADED $FW_GLOBAL_STATE $FW_STEALTH_MODE $FW_LOGGING_OPT") + echo $RESULT +} + +#NEW: Checks architecture to see if firmware passwords are supported. 
If so, uses the firmwarepasswd utility to set one +if [ "$ARCH" == "x86_64" ]; then + if [ "$(get_firmwarepasswd_status)" == "disabled" ]; then + echo "[I] Setting a firmware password" + firmwarepasswd -setpasswd + else + echo "[I] Firmware password already set, skipping..." + fi +else + echo "[I] Firmware passwords not supported on Apple Silicon, skipping..." +fi + +#NEW: Checks if the Gatekeeper master policy is enabled. I not, enables it +echo "[I] Checking Gatekeeper policy" +if [ "$(get_gatekeeper_status)" == "disabled" ]; then + spctl --master-enable + echo "[ ] Gatekeeper enabled" +else + echo "[ ] Gatekeeper already enabled, skipping..." +fi + +#NEW: Check if the time is set via the network (NTP) +echo "[I] Checking time configuration" +if [ "$(get_ntp_status)" == "disabled" ]; then + systemsetup -setnetworktimeserver time.apple.com + sntp -sS time.apple.com +else + echo "[ ] Time already configured to use network, skipping..." +fi + +#NEW: Disable Fast User Switching +echo "[I] Disabling Fast User Switching" +defaults write /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -bool false -echo "[I] Beginning local provisioning now" read -p "[!] Enter a name for this device: " DEVNAME systemsetup -setcomputername "$DEVNAME" scutil --set HostName "$DEVNAME" + echo "[I] Creating a standard user account" CONFIRM="n" -while [ "$CONFIRM" != "y" ] ; do - echo "[!] Enter username to create (e.g. jsmith):" - read -p "Username: " USERNAME - echo "[!] Enter user's full name (e.g. John Smith):" - read -p "Real Name: " REALNAME - echo "[!] Please provide a password for this account" - get_user_pass - echo "[!] Please provide a FileVault disk encryption passphrase" - echo "[ ] This could include a second-factor password entry token component" - get_encryption_pass - echo " " - echo "[?] Are the following details correct?" - echo " Username: $USERNAME" - echo " Real Name: $REALNAME" - read -p "[y/n]: " CONFIRM +while [ "$CONFIRM" != "y" ]; do + echo "[!] 
Enter username to create (e.g. jsmith):" + read -p "Username: " USERNAME + echo "[!] Enter user's full name (e.g. Alex Smith):" + read -p "Real Name: " REALNAME + echo "[!] Please provide a password for this account" + get_user_pass + + echo " " + echo "[?] Are the following details correct?" + echo " Username: $USERNAME" + echo " Real Name: $REALNAME" + read -p "[y/n]: " CONFIRM done +#NEW: Check to see if Content Caching is disabled +echo "[I] Checking Content Caching status" +if [ "$(get_content_caching_status)" == "enabled" ]; then + AssetCacheManagerUtil deactivate + echo "[ ] Content Caching disabled" +else + echo "[ ] Content Caching already disabled... skipping" +fi echo "[I] Turning off iCloud login prompt" defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none -defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.12" - +defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "$VERSION" echo "[I] Creating user $USERNAME" -if [ $VERSION -ge "14" ]; then +if ([ $VERSION_MAJOR == "10" ] && [ $VERSION_MINOR -ge "14" ]) || [ $VERSION_MAJOR -ge "11" ]; then echo "[ ] Click 'OK' to allow Terminal to make system changes" fi @@ -110,6 +344,9 @@ else sysadminctl -addUser "$USERNAME" -fullName "$REALNAME" -password "$PASS" &>/dev/null fi +echo "[I] Allowing user $USERNAME to access the FileVault protected volume" +echo "[ ] Enter administrative credentials when prompted" +sysadminctl interactive -secureTokenOn $USERNAME -password "$PASS" echo "[I] Locking down Terminal/Shell access" mkdir /Users/"$USERNAME"/Bash 
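Review bot: The `exit 1` in the new get_*_status helpers never stops the script, because every caller invokes them inside `$(...)`, so `exit` only ends the subshell and the error text becomes the value that is compared against "enabled"/"disabled"; for the firmware-password, Gatekeeper, NTP and Content Caching checks that comparison then fails and the script prints "already ... skipping", meaning an undetected state silently skips the control. Two helpers are affected on every run: `get_content_caching_status` assigns `CC_STATUC` but switches on `$CC_STATUS`, so Content Caching is never deactivated, and `get_sip_status` strips the trailing dot with `sed 's/.$//'` yet matches `"disabled.")`, leaving that branch unreachable. Have the helpers echo `unknown` and return non-zero in the fallback branch, and let each call site decide whether to abort, as sketched below for Gatekeeper (the same applies to the SIP, SSV, firmware-password, NTP and Content Caching sites in this hunk). The re-indented `get_user_pass` also still compares `[ $PASS_1 == $PASS_2 ]` unquoted, so a password containing spaces breaks the test — quote both operands as the removed `get_encryption_pass` did.
```shell
# in every get_*_status helper, the fallback branch becomes:
        *)
            echo "unknown"
            return 1
            ;;

# … unchanged: other helpers, version detection …

echo "[I] Checking Gatekeeper policy"
GATEKEEPER=$(get_gatekeeper_status) || { echo "[!] Could not determine Gatekeeper policy! Exiting"; exit 1; }
if [ "$GATEKEEPER" == "disabled" ]; then
    spctl --master-enable
# … unchanged: remaining branches and the other status checks …
```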
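Review bot: `sysadminctl interactive -secureTokenOn $USERNAME -password "$PASS"` places the new account's password on the command line, where it is visible in the process list to any local user for the duration of the call. If this sysadminctl build accepts `-` in place of the password to prompt (its usage text lists `-password <password | ->`), prefer `sysadminctl interactive -secureTokenOn "$USERNAME" -password -` so the secret is read from the terminal instead; `$USERNAME` should be quoted either way, matching the `"$USERNAME"` used on the pre-existing `-addUser` line above, which shares the same argv exposure.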
@@ -126,62 +363,133 @@ ln -s /usr/bin/rvim /Users/"$USERNAME"/Bash ln -s /usr/bin/sudo /Users/"$USERNAME"/Bash ln -s /usr/bin/tail /Users/"$USERNAME"/Bash ln -s /usr/bin/wc /Users/"$USERNAME"/Library/Bash +#NEW: Enable SecureKeyboardEntry on Terminal +defaults write -app Terminal SecureKeyboardEntry -bool true +sudo -u $USERNAME defaults write -app Terminal SecureKeyboardEntry -bool true +#NEW: Secure the login Keychain with an inactivity timeout +echo "[I] Configurating Keychain inactivity lock " +security set-keychain-settings -l -t 21600 /Users/$ADMIN/Library/Keychains/login.keychain +sudo -u $USERNAME security set-keychain-settings -l -t 21600 /Users/$USERNAME/Library/Keychains/login.keychain -echo "[I] Enabling FileVault2 full disk encryption" -if $DEBUG; then - sysadminctl -addUser filevault -fullName "Disk Encryption Password" -shell /usr/bin/false -else - sysadminctl -addUser filevault -fullName "Disk Encryption Password" -shell /usr/bin/false &>/dev/null -fi -sysadminctl -resetPasswordFor filevault -newPassword "$DISKPASS" -adminUser "$SUDO_USER" -adminPassword - &>/dev/null -while [ $(fdesetup isactive) == "false" ]; do - fdesetup enable -user filevault -done -defaults write com.apple.loginwindow HiddenUsersList -array-add filevault +echo "[I] Configuring Login Window" +defaults write /Library/Preferences/com.apple.loginwindow com.apple.login.mcx.DisableAutoLoginClient -int 1 +defaults write /Library/Preferences/com.apple.loginwindow DisableConsoleAccess -int 1 +defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -int 1 +defaults write /Library/Preferences/com.apple.loginwindow HideAdminUsers -int 1 +defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers -int 1 +defaults write /Library/Preferences/com.apple.loginwindow HideMobileAccounts -int 1 +defaults write /Library/Preferences/com.apple.loginwindow IncludeNetworkUser -int 0 +defaults write /Library/Preferences/com.apple.loginwindow LocalUserLoginEnabled -int 
1 +defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText -string "Authorised use only. Unauthorised usage will be subject to disciplinary and/or legal action." defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -int 1 +defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -int 1 +defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled -int 1 +defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled -int 1 +defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled -int 1 +defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 +defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false + +echo "[I] Configuring FileVault key lifetime" pmset destroyfvkeyonstandby 1 hibernatemode 25 -if $DEBUG; then - echo "[!] SecureToken status on account 'filevault'" - sysadminctl -secureTokenStatus filevault - echo "[!] fdesetup list" - fdesetup list -fi +#NEW: Prevents guests from accessing shared folders +echo "[I] Disallowing guests from accessing shared folders" +defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false +defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false +#NEW: Disables Siri and makes it so she doesn't ask for permission again +echo "[I] Disabling Siri" +defaults write com.apple.assistant.support.plist 'Assistant Enabled' -int 0 +sudo -u $USERNAME defaults write /Users/$USERNAME/Library/Preferences/com.apple.assistant.support.plist 'Assistant Enabled' -int 0 +defaults write com.apple.Siri.plist StatusMenuVisible -bool false +sudo -u $USERNAME defaults write /Users/$USERNAME/Library/Preferences/com.apple.Siri.plist StatusMenuVisible -bool false +defaults write com.apple.Siri UserHasDeclinedEnabled -bool true +sudo -u $USERNAME defaults write /Users/$USERNAME/Library/Preferences/com.apple.Siri.plist 
UserHasDeclinedEnable -bool true echo "[I] Disabling IPv6" networksetup -setv6off Wi-Fi >/dev/null networksetup -setv6off Ethernet >/dev/null + echo "[I] Disabling infrared receiver" -defaults write com.apple.driver.AppleIRController DeviceEnabled -bool FALSE +defaults write com.apple.driver.AppleIRController DeviceEnabled -bool false + echo "[I] Disabling Bluetooth" defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 -echo "[I] Turning off WiFi" -networksetup -setairportpower airport off > /dev/null +defaults write /Users/$USERNAME/Library/Preferences/com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" + +#NEW: Only disable Wi-Fi if the device is not a MacBook +if [ "$(is_macbook)" == "false" ]; then + echo "[I] Turning off Wi-Fi" + networksetup -setairportpower airport off > /dev/null +fi + +#NEW: Disable's wake on network access +echo "[I] Disabling wake on network access" +pmset -a womp 0 + echo "[I] Enabling scheduled updates" softwareupdate --schedule on defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true +defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool true +defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool true defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true -echo "[I] Disabling password hints on lock screen" -defaults write com.apple.loginwindow RetriesUntilHint -int 0 + echo "[I] Enabling password-protected screen lock after 5 minutes" systemsetup -setdisplaysleep 5 defaults write com.apple.screensaver askForPassword -int 1 defaults write com.apple.screensaver askForPasswordDelay -int 0 +defaults write 
com.apple.screensaver idleTime -int 600 + +#NEW: Check the status of firewall components and act according to what is already set echo "[I] Enabling firewall" -/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on -/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on -/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on -echo "[I] Launching firmware password utility (this may take a moment)" -diskutil mount Recovery -ID_RECOVERY=$(ls -alh /Volumes/Recovery | tail -n1 | cut -d " " -f 13) -RECOVERY=$(hdiutil attach /Volumes/Recovery/"$ID_RECOVERY"/BaseSystem.dmg | grep -i Base | cut -f 3) -open "$RECOVERY/Applications/Utilities/Startup Security Utility.app" -echo "[!] Follow the prompts on the utility to set a strong unique firmware password" -echo "[!] Provisioning complete. Press enter when done" -read DONE +FW_STATUS_STR=$(get_firewall_status) +IFS=" " read -r -a FW_STATUS <<< "$FW_STATUS_STR" +if [[ "${FW_STATUS[0]}" == "off" ]]; then + /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on +else + echo "[ ] Firewall: Logging mode already enabled" +fi +if [[ "${FW_STATUS[1]}" == "DISABLED" ]]; then + /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on +else + echo "[ ] Firewall: Builtin signed applications already allowed" +fi +if [[ "${FW_STATUS[2]}" == "DISABLED" ]]; then + /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on +else + echo "[ ] Firewall: Downloaded signed applications already allowed" +fi +if [[ "${FW_STATUS[3]}" == "disabled" ]]; then + /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on +else + echo "[ ] Firewall: Global state already enabled" +fi +if [[ "${FW_STATUS[4]}" == "disabled" ]]; then + /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on +else + echo "[ ] Firewall: Stealth mode already enabled" +fi +if [[ "${FW_STATUS[5]}" == "throttled" ]] || [[ "${FW_STATUS[5]}" == "brief" ]]; then + 
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail +else + echo "[ ] Firewall: Logging options already det to detailed" +fi + +#NEW: Set Finder to show all extensions to help identify potential malware +echo "[I] Setting Finder to show all file extensions" +defaults write /Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true +#NEW: Ensure telemetry/data sharing is disabled +echo "[I] Disabling sending of diagnostics data" +defaults write /Library/Application\ Support/CrashReporter/DiagnosticsMessagesHistory.plist AutoSubmit -bool false +defaults write /Library/Application\ Support/CrashReporter/DiagnosticsMessagesHistory.plist ThirdPartyDataSubmit -bool false +#NEW: Disable Bonjour advertismenets +echo "[I] Disabling Bonjour Advertising" +defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true + +echo "[!] Provisioning complete. Press enter when done" +read DONE \ No newline at end of file diff --git a/Google/Android/NCSC_Android_configurations.csv b/Google/Android/NCSC_Android_configurations.csv index e4900d9..e780942 100644 --- a/Google/Android/NCSC_Android_configurations.csv +++ b/Google/Android/NCSC_Android_configurations.csv 
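Review bot: The per-user Siri write at the end of the "Disabling Siri" block uses the key `UserHasDeclinedEnable`, while the system-level write two lines above uses `UserHasDeclinedEnabled`; the user-scoped key is mis-spelled, so the "declined" marker is only set for root and the new user may still be prompted. Change it to `sudo -u $USERNAME defaults write /Users/$USERNAME/Library/Preferences/com.apple.Siri.plist UserHasDeclinedEnabled -bool true`. Separately, `security set-keychain-settings -l -t 21600 /Users/$ADMIN/Library/Keychains/login.keychain` depends on `ADMIN=$(users)` from the earlier hunk, which lists every logged-in user space-separated, so with more than one session the path breaks; `$SUDO_USER` (which the removed FileVault code used) identifies the invoking admin unambiguously. The Bluetooth `menuExtras` write to `/Users/$USERNAME/Library/Preferences/com.apple.systemuiserver` runs as root unlike the neighbouring `sudo -u $USERNAME` writes, so the resulting plist is presumably root-owned and the user's own preference daemon may be unable to update it — run it via `sudo -u $USERNAME` like the others. Also, the new user has never logged in at this point, so `/Users/$USERNAME/Library/Keychains/login.keychain` may not exist yet; verify that call succeeds before relying on the inactivity lock.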
@@ -1,62 +1,70 @@
-MDM settings,
-,
-General Settings,
-Enable application auditing in personal space. ,Disabled
-Wipe if device isn’t synced within a set time period. ,Disabled
-Allow users to wipe their devices from Find My Device.,Disabled
-,
-Work Profile,
-Work Profile in Android for Work supported devices running Google Apps Device Policy,Enforce
-"Apply password settings only for the Work Profile. (supported from Android 7.0+, for older devices, password applies to the entire device)",Disabled
-,
-Apps and Data Sharing,
-Allow controlling installed applications. ,Enabled
-Allow application verification to be turned off. ,Disabled
-Allow USB file transfer. (company owned only) ,Disabled*
-Allow non-Play Store apps from unknown sources installation. ,Disabled
-Allow developer options to be turned on. ,Disabled
-Allow location sharing with apps. ,Disabled*
-Allow screen capture. ,Disabled*
-Allow content sharing from Work Profile to personal space. (Work Profile only) ,Disabled*
-Allow copy and paste between Work Profile and personal space. (Work Profile only) ,Disabled*
-Allow outgoing Beam. ,Disabled*
-Set the default option for runtime permission requests from apps.,Prompt User*
-,
-Users and Accounts,
-Allow user addition. (company owned only) ,Disabled
-Allow user removal. (company owned only) ,Disabled
-Allow account addition and removal. ,Disabled*
-Allow Google Accounts addition. (Only allowed if the Accounts section above is enabled),Disabled
-,
-Networks,
-Allow network settings modification. ,Enabled   
-Allow Bluetooth configuration.,Disabled
-Allow VPN access configuration. ,Enabled
-Allow tethering and portable hotspot setup. ,Disabled
-Allow mobile network settings modification. ,Enabled
-Allow cell broadcast settings modifications.,Enabled
-,
-Device Features ,
-Allow external SD card. ,Enabled**
-Allow trusted credentials modification. ,Enabled
-Allow microphone. ,Enabled
-Allow speaker. 
,Enabled
-Enable remote management of administrator restriction PIN. ,Disabled
-Allow users to do factory reset ,Disabled
-Enter up to 10 admins who can sign in to a device after factory reset. ,Null
-Allow user to edit the date and time. ,Disabled
-Allow user to connect to data services when roaming. ,Enabled
-Allow user to reboot device in safe mode.,Disabled
-,
-Lock Screen Sharing ,
-Allow lock screen features and enable unlisted lock screen features (e.g. facial recognition).,Disabled*
-Allow notification details. ,Disabled
-Allow notifications.,Enabled
-Allow trust agents. ,Enabled
-Allow camera. ,Disabled*
-Allow fingerprint unlock.,Enabled   
-,
-* Should be assesed against business need and risk ,
-** Either secured by Android 10 or not applicable for Android 10,
-,
-,
+Page,Category,Setting,Description,State,Comments
+Android Settings,General,,,,
+,,Auto wipe,Wipe if a device isn’t synced within a set time,ON,Configure to organisational policy. Default value is 20 days.
+,,CTS Compliance,Block devices that are not Android CTS compliant,OFF,Configure to organisational policy - Requires CTS deployed.
+,,Application auditing,Audit apps on personal devices with no work profile. ,OFF,Default is off as 'Work Only' devices are recommended.
+,,User device wipe,Allow users to wipe their devices from My Devices,ON,
+,,Older Android devices,Only enforce available policies on old versions of Android.,OFF,Default is off. Use of legacy devices (Android 6 or lower) is not recommended.
+,Work Profile,,,,
+,,Work Profile Setup,Enable work profile creation,OFF,Automatically applied on corporate-supplied devices.
+,,Work profile password,Apply password requirements only on work profile apps,OFF,Automatically applied on corporate-supplied devices.
+,Apps and data sharing,,,,
+,,Available apps,Set which apps users can install from the Play Store,Only allowed apps,Configure to organisational policy - Additional apps can be added or removed as necessary. 
+,,System apps,Disable all (except whitelisted or some system apps),OFF,Configure to organisational policy - Apps to be disallowed can be added by package name.
+,,Screen capture,Allow screen capture,OFF,Configure to organisational policy.
+,,Sharing to other profiles,Allow content sharing from the work profile to the personal space (work profile devices only),OFF,Recommended is off as dual-profile devices aren't recommended.
+,,Allow content sharing from the work profile to the personal space (work profile devices only),,OFF,Recommended is off as dual-profile devices aren't recommended.
+,,Allow pasting between the work profile and personal space (work profile devices only),,OFF,Recommended is off as dual-profile devices aren't recommended.
+,,Location Sharing,Allow location sharing,OFF,Configure to organisational policy.
+,,Google Play private apps,Allow users to access Google Play private apps. ,OFF,
+,,,Allow users to publish and update Google Play private apps.,OFF,
+,,Runtime permissions,Set the default option for runtime permission requests from apps.,Prompt user,"""Prompt user"" is recommended. Application specific permissions can be granted or revoked via the App Management functionality."
+,,Apps settings,Allow users to change app settings (company-owned devices only),ON,Configure to organisational policy.
+,,Verify Apps,Allow users to turn off Google Play Protect (company-owned devices only),OFF,
+,,USB file transfer,Allow USB file transfer (company-owned devices only),OFF,Configure to organisational policy.
+,,Unknown Sources,Block app installation from unknown sources,ON,
+,,Developer Options,Allow developer options,OFF,
+,Networks,,,,
+,,VPN access,Allow VPN configuration,OFF,"Configure to organisational policy. Recommended to ""OFF"" if native VPN client is not being used."
+,,Tethering,Allow tethering and Wi-Fi hotspots,ON,Configure to organisational policy. 
+,,Mobile networks,Allow changes to mobile network settings,ON,
+,,Cell broadcasts,Allow changes to cell broadcast settings,ON,
+,,Bluetooth,Allow changes to Bluetooth settings,ON,Configure to organisational policy.
+,,Wi-Fi,Allow changes to Wi-Fi network settings,ON,Configure to organisational policy.
+,Device Features,,,,
+,,Physical media,Allow external SD cards,ON,Configure to organisational policy.
+,,Trusted credentials,Allow changes to trusted credentials,ON,Configure to organisational policy.
+,,Microphone,Allow microphone,ON,
+,,Speaker,Allow speakers,ON,
+,,Administrator Restriction PIN settings,Enable remote management of administrator restriction PIN. ,OFF,Configure to organisational policy.
+,,Factory reset,Allow users to factory reset a device,OFF,
+,,Factory Reset Protection Setting,Admins who can sign on to a device after factory reset.,,Addition of a user account or group capable of accessing a reset device (Google require authentication of previous user if the device is encrypted which may not be possible).
+,,Edit time,Allow user to edit the date and time,OFF,
+,,Data roaming,Allow user to connect to data services when roaming.,ON,
+,,Safeboot,Allow user to reboot their device in safe mode.,OFF,
+,User and Accounts,,,,
+,,Add users,Allow user to add user profiles. (company-owned Android 6.0 devices only),OFF,Recommended is off. Use of legacy devices (Android 6 or lower) is not recommended.
+,,Remove users,Allow user to remove user profiles. (company-owned Android 6.0 devices only),OFF,
+,,Accounts,Allow user to add and remove accounts,OFF,
+,,Google Accounts,Allow user to add their Google Account.,OFF,
+,Lock Screen Features,,,,
+,,Lock screen features,Allow all lock screen features,ON,
+,,Camera,Allow camera,OFF,Configure to organisational policy - camera is still available after user has authenticated. 
+,,Fingerprint unlock,Allow fingerprint unlock,ON,
+,,Lock screen widgets,Allow lock screen widgets (Android 5 and earlier),OFF,Recommended is off. Use of legacy devices (Android 6 or lower) is not recommended.
+,,Notifications,Allow notifications on the lock screen,ON,
+,,Notification details,Allow notification details,OFF,Configure to organisational policy.
+,,Trust agents,Allow Smart Lock to keep a device unlocked,ON,Configure to organisational policy.
+Universal Settings,General,,,,
+,,Mobile management,"Apply basic or advanced management to all devices, or choose Custom to apply management by device platform",Advanced (Requires the Device Policy app),Set to 'Advanced' - Allows for setting of additional options as detailed.
+,,Password Requirements,Require users to set a password,ON,
+,,,Choose a password strength,"Strong (At least one character, number and symbol)",Recommended. Additional password options can be set under the setting 'Custom'. Biometric unlock is unaffected by this option.
+,Data Access,,,,
+,,Endpoint Verification,Monitor which devices access organization data,ON,
+,,Android Sync,Allow work data to sync on Android devices.,ON,
+,,Google Sync,Allow work data to sync via ActiveSync.,ON,
+,,,Google Sync IP Whitelist (a list of IP addresses where user can access Google Sync):,,
+,,,"Automatically enable ""Delete Email as Trash"" setting on Google Sync devices.",OFF,
+,,,Turn on automatic sync when roaming.,ON,
+,,iOS Sync,Allow work data to sync on iOS devices.,OFF,
+,,Google Assistant,Allow Google Assistant for iOS and Android.,ON,Configure to organisational policy - Kept on for accessibility benefits.
diff --git a/Google/Android/NCSC_Android_configurations.md b/Google/Android/NCSC_Android_configurations.md
index b13e1c2..b36c2f6 100644
--- a/Google/Android/NCSC_Android_configurations.md
+++ b/Google/Android/NCSC_Android_configurations.md
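Review bot: The three rows after `Screen capture` are misaligned: the second repeats the first row's description (`Allow content sharing from the work profile to the personal space (work profile devices only)`) in the Setting column with an empty Description, and the pasting row likewise carries its text in Setting rather than Description. Dropping the duplicate and writing the pasting row as `,,,Allow pasting between the work profile and personal space (work profile devices only),OFF,Recommended is off as dual-profile devices aren't recommended.` would match the continuation-row form used under `Google Play private apps` and keep the Setting column parseable. Separately, several recommendations are relaxed relative to the removed rows — Tethering, Bluetooth, User device wipe and Lock screen features move from Disabled to ON — while the Comments cell is empty or reads only "Configure to organisational policy", and the old "assessed against business need and risk" footnote is gone, so a short per-row rationale would let risk owners see why the default moved. The same rows are duplicated in the NCSC_Android_configurations.md hunk below and would need the same correction.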
@@ -1,63 +1,71 @@
-## NCSC Android configurations ##
-|MDM settings||
-|---|---|
-||
-|General Settings||
-|Enable application auditing in personal space. |Disabled|
-|Wipe if device isn’t synced within a set time period. |Disabled|
-|Allow users to wipe their devices from Find My Device.|Disabled|
-||
-|Work Profile||
-|Work Profile in Android for Work supported devices running Google Apps Device Policy|Enforce|
-|Apply password settings only for the Work Profile. (supported from Android 7.0+, for older devices, password applies to the entire device)|Disabled |
-||
-|Apps and Data Sharing||
-|Allow controlling installed applications. |Enabled|
-|Allow application verification to be turned off. |Disabled|
-|Allow USB file transfer. (company owned only) |Disabled*|
-|Allow non-Play Store apps from unknown sources installation. |Disabled|
-|Allow developer options to be turned on. |Disabled|
-|Allow location sharing with apps. |Disabled*|
-|Allow screen capture. |Disabled*|
-|Allow content sharing from Work Profile to personal space. (Work Profile only) |Disabled*|
-|Allow copy and paste between Work Profile and personal space. (Work Profile only) |Disabled*|
-|Allow outgoing Beam. |Disabled*|
-|Set the default option for runtime permission requests from apps.|Prompt User*|
-||
-|Users and Accounts||
-|Allow user addition. (company owned only) |Disabled|
-|Allow user removal. (company owned only) |Disabled|
-|Allow account addition and removal. |Disabled*|
-|Allow Google Accounts addition. (Only allowed if the Accounts section above is enabled)|Disabled|
-||
-|Networks||
-|Allow network settings modification. |Enabled  |
-|Allow Bluetooth configuration.|Disabled|
-|Allow VPN access configuration. |Enabled|
-|Allow tethering and portable hotspot setup. |Disabled|
-|Allow mobile network settings modification. |Enabled|
-|Allow cell broadcast settings modifications.|Enabled|
-||
-|Device Features ||
-|Allow external SD card. 
|Enabled**| -|Allow trusted credentials modification. |Enabled| -|Allow microphone. |Enabled| -|Allow speaker. |Enabled| -|Enable remote management of administrator restriction PIN. |Disabled| -|Allow users to do factory reset |Disabled| -|Enter up to 10 admins who can sign in to a device after factory reset. |Null| -|Allow user to edit the date and time. |Disabled| -|Allow user to connect to data services when roaming. |Enabled| -|Allow user to reboot device in safe mode.|Disabled| -|| -|Lock Screen Sharing || -|Allow lock screen features and enable unlisted lock screen features (e.g. facial recognition).|Disabled*| -|Allow notification details. |Disabled | -|Allow notifications.|Enabled| -|Allow trust agents. |Enabled| -|Allow camera. |Disabled*| -|Allow fingerprint unlock.|Enabled  | -|| -|* Should be assesed against business need and risk || -|** Either secured by Android 10 or not applicable for Android 10|| -|| +|Page |Category |Setting |Description |State |Comments | +|-------------------------------------------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|Android Settings |General | | | | | +| | |Auto wipe |Wipe if a device isn�t synced within a set time |ON |Configure to organisational policy. Default value is 20 days. | +| | |CTS Compliance |Block devices that are not Android CTS compliant |OFF |Configure to organisational policy - Requires CTS deployed. | +| | |Application auditing |Audit apps on personal devices with no work profile. |OFF |Default is off as 'Work Only' devices are recommended. | +| | |User device wipe |Allow users to wipe their devices from My Devices |ON | | +| | |Older Android devices |Only enforce available policies on old versions of Android. |OFF |Default is off. Use of legacy devices (Android 6 or lower) is not recommended. | +| |Work Profile | | | | | +| | |Work Profile Setup |Enable work profile creation |OFF |Automatically applied on corporate-supplied devices. | +| | |Work profile password |Apply password requirements only on work profile apps |OFF |Automatically applied on corporate-supplied devices. | +| |Apps and data sharing | | | | | +| | |Available apps |Set which apps users can install from the Play Store |Only allowed apps |Configure to organisational policy - Additional apps can be added or removed as necessary. | +| | |System apps |Disable all (except whitelisted or some system apps) |OFF |Configure to organisational policy - Apps to be disallowed can be added by package name. | +| | |Screen capture |Allow screen capture |OFF |Configure to organisational policy. 
|
+| | |Sharing to other profiles |Allow content sharing from the work profile to the personal space (work profile devices only) |OFF |Recommended is off as dual-profile devices aren't recommended. |
+| | |Allow content sharing from the work profile to the personal space (work profile devices only) | |OFF |Recommended is off as dual-profile devices aren't recommended. |
+| | |Allow pasting between the work profile and personal space (work profile devices only) | |OFF |Recommended is off as dual-profile devices aren't recommended. |
+| | |Location Sharing |Allow location sharing |OFF |Configure to organisational policy. |
+| | |Google Play private apps |Allow users to access Google Play private apps. |OFF | |
+| | | |Allow users to publish and update Google Play private apps. |OFF | |
+| | |Runtime permissions |Set the default option for runtime permission requests from apps. |Prompt user |"Prompt user" is recommended. Application specific permissions can be granted or revoked via the App Management functionality. |
+| | |Apps settings |Allow users to change app settings (company-owned devices only) |ON |Configure to organisational policy. |
+| | |Verify Apps |Allow users to turn off Google Play Protect (company-owned devices only) |OFF | |
+| | |USB file transfer |Allow USB file transfer (company-owned devices only) |OFF |Configure to organisational policy. |
+| | |Unknown Sources |Block app installation from unknown sources |ON | |
+| | |Developer Options |Allow developer options |OFF | |
+| |Networks | | | | |
+| | |VPN access |Allow VPN configuration |OFF |Configure to organisational policy. Recommended to "OFF" if native VPN client is not being used. |
+| | |Tethering |Allow tethering and Wi-Fi hotspots |ON |Configure to organisational policy. 
|
+| | |Mobile networks |Allow changes to mobile network settings |ON | |
+| | |Cell broadcasts |Allow changes to cell broadcast settings |ON | |
+| | |Bluetooth |Allow changes to Bluetooth settings |ON |Configure to organisational policy. |
+| | |Wi-Fi |Allow changes to Wi-Fi network settings |ON |Configure to organisational policy. |
+| |Device Features | | | | |
+| | |Physical media |Allow external SD cards |ON |Configure to organisational policy. |
+| | |Trusted credentials |Allow changes to trusted credentials |ON |Configure to organisational policy. |
+| | |Microphone |Allow microphone |ON | |
+| | |Speaker |Allow speakers |ON | |
+| | |Administrator Restriction PIN settings |Enable remote management of administrator restriction PIN. |OFF |Configure to organisational policy. |
+| | |Factory reset |Allow users to factory reset a device |OFF | |
+| | |Factory Reset Protection Setting |Admins who can sign on to a device after factory reset. | |Addition of a user account or group capable of accessing a reset device (Google require authentication of previous user if the device is encrypted which may not be possible).|
+| | |Edit time |Allow user to edit the date and time |OFF | |
+| | |Data roaming |Allow user to connect to data services when roaming. |ON | |
+| | |Safeboot |Allow user to reboot their device in safe mode. |OFF | |
+| |User and Accounts | | | | |
+| | |Add users |Allow user to add user profiles. (company-owned Android 6.0 devices only) |OFF |Recommended is off. Use of legacy devices (Android 6 or lower) is not recommended. |
+| | |Remove users |Allow user to remove user profiles. (company-owned Android 6.0 devices only) |OFF | |
+| | |Accounts |Allow user to add and remove accounts |OFF | |
+| | |Google Accounts |Allow user to add their Google Account. 
|OFF | |
+| |Lock Screen Features | | | | |
+| | |Lock screen features |Allow all lock screen features |ON | |
+| | |Camera |Allow camera |OFF |Configure to organisational policy - camera is still available after user has authenticated. |
+| | |Fingerprint unlock |Allow fingerprint unlock |ON | |
+| | |Lock screen widgets |Allow lock screen widgets (Android 5 and earlier) |OFF |Recommended is off. Use of legacy devices (Android 6 or lower) is not recommended. |
+| | |Notifications |Allow notifications on the lock screen |ON | |
+| | |Notification details |Allow notification details |OFF |Configure to organisational policy. |
+| | |Trust agents |Allow Smart Lock to keep a device unlocked |ON |Configure to organisational policy. |
+|Universal Settings |General | | | | |
+| | |Mobile management |Apply basic or advanced management to all devices, or choose Custom to apply management by device platform |Advanced (Requires the Device Policy app) |Set to 'Advanced' - Allows for setting of additional options as detailed. |
+| | |Password Requirements |Require users to set a password |ON | |
+| | | |Choose a password strength |Strong (At least one character, number and symbol)|Recommended. Additional password options can be set under the setting 'Custom'. Biometric unlock is unaffected by this option. |
+| |Data Access | | | | |
+| | |Endpoint Verification |Monitor which devices access organization data |ON | |
+| | |Android Sync |Allow work data to sync on Android devices. |ON | |
+| | |Google Sync |Allow work data to sync via ActiveSync. |ON | |
+| | | |Google Sync IP Whitelist (a list of IP addresses where user can access Google Sync): | | |
+| | | |Automatically enable "Delete Email as Trash" setting on Google Sync devices. |OFF | |
+| | | |Turn on automatic sync when roaming. |ON | |
+| | |iOS Sync |Allow work data to sync on iOS devices. |OFF | |
+| | |Google Assistant |Allow Google Assistant for iOS and Android. 
|ON |Configure to organisational policy - Kept on for accessibility benefits. |
diff --git a/Google/Android/README.md b/Google/Android/README.md
index cea2259..2279b26 100644
--- a/Google/Android/README.md
+++ b/Google/Android/README.md
@@ -2,6 +2,6 @@ This archive contains important security policy settings which are recommended f
 Remember, any guidance points given here are recommendations - they are not mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform.
-This configuration was last tested against Android 10 in June 2020.
+This configuration was last tested against Android 11.
-Crown Copyright (c) 2020
+Crown Copyright (c) 2021
diff --git a/Google/ChromeOS/NCSC_Chrome_OS_configuration.csv b/Google/ChromeOS/NCSC_Chrome_OS_configurations.csv
similarity index 100%
rename from Google/ChromeOS/NCSC_Chrome_OS_configuration.csv
rename to Google/ChromeOS/NCSC_Chrome_OS_configurations.csv
diff --git a/Google/ChromeOS/NCSC_Chrome_OS_configurations.md b/Google/ChromeOS/NCSC_Chrome_OS_configurations.md
index c5dabf7..fc22f6f 100644
--- a/Google/ChromeOS/NCSC_Chrome_OS_configurations.md
+++ b/Google/ChromeOS/NCSC_Chrome_OS_configurations.md
@@ -1,88 +1,153 @@
-## NCSC Chrome OS configurations ##
-|MDM settings|As per Profile Manager MDM|
-|---|---|
-||
-|Chrome management ||
-|User & Browser settings||
-|Smart Lock for Chrome|Do not allow Smart Lock for Chrome |
-|Browser sign-in settings|Consider blocking users from signing in or out of Google Accounts within the browser. This will prevent users from signing into their personal Google Accounts on an Enterprise device. If this has been set to blocked, also ensure that Guest Mode and Incognito Mode are blocked, and that Sign-in Restriction is enabled. If allowing users to sign into their personal Google Accounts, Guest Mode and Incognito Mode can be enabled.|
-|Restrict sign-in to pattern|Restrict Sign-in to list of users. Enter all domains used by your organisation, with the wildcard as the username, such as:*@example.com*@sales.example.comWildcards should not be used in the domain portion of the entries to ensure only users from managed domains and not unmanaged subdomains or third-party domains are allowed to sign in.|
-|Enrolment Permissions|Create a separate 'enrolment users' OU and ensure that users in this OU are the only ones able to enrol new devices. These accounts should not have access to any other data or applications. Allow users to re-enroll their existing devices.|
-|Site Isolation |Turn on site isolation for all websites|
-|Site Isolation (Chrome on Android) |Turn on site isolation for all websites|
-|Password Manager|Always allow use of password manager|
-|Lock Screen|Allow locking screen|
-|Idle Settings|Set an appropriate idle time. 
Around 5 minutes is recommended.Lock screen on sleep|
-|Incognito Mode|If you are blocking users from signing into personal Google Accounts via "Browser sign-in settings", set this to Block, otherwise set to allow incognito mode |
-|Force Ephemeral Mode|Erase all local user data |
-|Online Revocation Checks|Perform online OCSP/CRL checks|
-|RC4 cipher suites in TLS|Disable RC4|
-|Local Trust Anchors Certificates|Follow the publicly announced SHA-1 depreciation schedule for Local Anchors Sha1Block Local Anchors Common Name FallbackBlock Symantec Corporation’s Legacy PKI Infrastructure|
-|Enable leak detection for entered credentials|Enable leak detection for entered credentials|
-|Remote access clients|Remote access clients should not be configured unless absolutely necessary|
-|Elevated UI access for remote support|If any remote access clients have been defined, this should be set to ‘prevent’.|
-|Proxy mode|Force the use of a specific proxy if a proxy is used. Otherwise, select 'never use a proxy'. This can be set per-network if required.|
-|SSL Record Splitting|Enable SSL record splitting|
-|Data Compression Proxy|Always disable data compression proxy|
-|CORS legacy mode|Disable legacy mode|
-|CORS mitigations|Enable CORS mitigations|
-|Google location services|Disable location services for Android apps in Chrome OS, or allow users to choose to enable.|
-|Account Management|Disable users adding any accounts|
-|Plugin Finder|Disable automatic search and installation of missing plugins|
-|Plugin Authorization|Ask for user permission before running plugins that require authorization|
-|Outdated Plugins|Disallow outdated plugins. This reduces the chance an attacker can exploit a plugin using a known and patched vulnerability.|
-|Strict treatment for mixed content|User strict treatment for mixed content|
-|Control use of insecure content exceptions|Do not allow any site to load blockable mixed content|
-|Developer Tools|Never allow the use of built-in developer tools. 
There are some legitimate use-cases for developer tools but these should be permitted on an individual basis. Note that this setting controls the browser’s web developer tools and not Chrome OS Developer mode.|
-|Multiple Sign-in Access|Block multiple sign-in access for users in this organization, as otherwise, policies may not apply to a secondary user logged-into the device.|
-|Sign-in to secondary accounts|Block users from signing in to or out of secondary Google accounts|
-|External Storage Devices|Configure this in line with corporate policy on the use of external storage devices.|
-|Verified Mode|Require verified mode boot for Verified Access.|
-|Safe Browsing|Always enable Safe Browsing|
-|Download restrictions|Block dangerous downloads|
-|Disable bypassing Safe Browsing warnings|Do not allow users to bypass Safe Browsing warnings|
-|Password alert|Trigger on password reused on phishing page.|
-|Legacy Browser support|Disable legacy browser support|
-|Chrome Management for Signed-in Users |Apply all user policies when users sign into Chrome, and provide a managed Chrome experience|
-||
-|Device settings||
-|Forced Re-enrolment|Force device to re-enrol into this domain after wiping. This will also prevent users from enabling Developer mode on the device and enforce secure boot.|
-|Verified Access|Enable for Enterprise Extensions (this option is not available in the UI)Enable for Content Protection|
-|Verified Mode|Require verified mode boot for Verified Access|
-|Guest Mode|Do not allow guest mode. This is discussed further in the Other Considerations section.|
-|Sign-in Restriction|Restrict Sign-in to list of users. 
Enter all domains used by Google Admin with the wildcard as the username, such as:*@example.com*@sales.example.comWildcards should not be used in the domain portion of the entries to ensure only users from managed domains and not unmanaged subdomains or third-party domains are allowed to sign in.|
-|Autocomplete Domain|Do not display an autocomplete domain on the sign-in screen.|
-|Auto Update Settings|Allow auto-updatesNo restriction on Google Chrome version|
-|Release Channel|Move to Stable Channel|
-|Managed guest session|Do not allow managed guest sessions.|
-|Device Reporting|Enable device state reporting |
-|Device User Tracking|Enable tracking recent device users |
-|Inactive Device Notifications|Enable inactive device notificationsSet inactive range, notification cadence and email addresses as appropriate for the organisation. This recommendation aims to reduce the number of unused but available devices that have access to business data.|
-|Anonymous Metric Reporting|Never send metrics to Google|
-|Bluetooth|Disable Bluetooth unless required|
-|TPM Firmware Update|Allow users to perform TPM firmware updates. Users should follow the guidance on how to update their TPM and ensure that any local documents are backed up prior to updating their device.|
-|Virtual Machines |Block Chrome OS from running virtual machines|
-|Allow EMM partners access to device management|Disable Chrome management - partner access|
-||
-|Managed guest session settings||
-|Managed guest session|Do not allow managed guest sessions. If it needs to be enabled, configure in line with 'user and browser settings'.|
-||
-|Android application settings||
-|Allow users to install other apps & extensions|Block all other apps & extensions|
-|Android applications on Chrome Devices|If this functionality is required and an Android application whitelist is in place, allow. 
Otherwise, do not allow|
-|App and extension install sources|Only trusted sources should be defined, as required.|
-|Allow insecure extension packaging |Do not allow insecurely packaged extensions|
-||
-|Security||
-|Configure this section to organisation policy||
-|Basic settings: Enforce 2SV|Consider enforcing two step verification (2SV) for all users. On Chrome OS, two step verification is enforced only at first login.One 2SV is enabled, it must be allowed and configured by each user individually.|
-|Alert center: Rules|The following rules should be set to active, at a minimum: • Device compromised • Domain data export initiated • Government-backed attacks • Leaked password • Malware message detected post-delivery • Phishing in inboxes due to bad whitelist • Phishing message detected post-delivery • Suspicious device activity • Suspicious login • Suspicious message reported • Suspicious programmatic login • User granted Admin privilegeConsider setting others as appropriate for you organisation.|
-|Data protection: Data protection rules and detectors|Refer to https://support.google.com/a/answer/6321530?hl=en|
-|Password management |Configure a strong password policy in line with company policy requirements.|
-|Less secure apps|Disable access to less secure apps for all users. 
This can be modified if a business case is available for allowing a less secure app.|
-|Login Challenges|Consider implementing Login challenges as an additional security measure to verify the identity of users if suspicious login attempts are detected|
-|Set up Single Sign On (SSO)|When selecting a non-Google SSO provider, ensure that their security guidance is followed.|
-|Advanced Protection Program: Enrolment|Enable user enrolment|
-|Advanced settings: Authentication |Remove any unnecessary entries from this list, to reduce the number of applications able to directly access your organisation’s data.|
-| API Permissions: API Access|Enable API access.|
-||
+|MDM settings |As per Profile Manager MDM. Default Google values apply to any settings not present.|
+|-------------------------------------------------------------------------------|------------------------------------------------------------------------------------|
+| | |
+|Chrome management | |
+|User & Browser settings | |
+| | |
+|Browser sign-in settings |Consider blocking users from signing in or out of Google Accounts within the browser. This will prevent users from signing into their personal Google Accounts on an Enterprise device. If this has been set to blocked, also ensure that Guest Mode and Incognito Mode are blocked, and that Sign-in Restriction is enabled. If allowing users to sign into their personal Google Accounts, Guest Mode and Incognito Mode can be enabled.|
+|Restrict sign-in to pattern |Restrict Sign-in to list of users. 
Enter all domains used by your organisation, with the regex pattern as below: .*@example\.com .*@sales.example\.com Wildcards should not be used in the domain portion of the entries to ensure only users from managed domains and not unmanaged subdomains or third-party domains are allowed to sign in.|
+|Display password Button |Do not show the display password button on the login screen |
+|Chrome Mobile (BETA) |Do not apply supported user settings to Chrome on Android |
+|Enrolment Controls |Create a separate 'enrolment users' OU and ensure that users in this OU are the only ones able to enrol new devices. These accounts should not have access to any other data or applications. Allow users to re-enroll their existing devices.|
+|Enrolment Controls: Device enrollment |Place Chrome device in user organisation |
+|Enrolment Controls: Enrollment Permissions |Allow users in organisation to enroll new or re-enroll existing devices |
+| | |
+|Apps and extensions page |Add applications to allow list and push to devices. |
+|Allow users to install other apps and extensions |Block all other apps & extensions |
+| | |
+|Application Settings page | |
+|Android applications on Chrome devices |If this functionality is required and an Android application allow-list is in place, allow. Otherwise, do not allow|
+|App and extension install sources |Only trusted sources should be defined, as required. 
|
+|Allow insecure extension packaging |Do not allow insecurely packaged extensions |
+|External extensions |Block external extensions from being installed (unless specifically required) |
+|Permissions and URL�s |If external extensions are allowed, this allows the setting of extension blocking on a granular level.|
+|Chrome Web Store permissions |Do not allow users to publish private apps that are restricted to your domain on Chrome Web Store|
+|Android reporting for users and devices |Enable Android reporting |
+|User & Browser settings (cont) | |
+|Site Isolation� |Turn on site isolation for all websites |
+|Site Isolation (Chrome on Android)� |Turn on site isolation for all websites |
+|Password Manager |Always allow use of password manager |
+|Lock Screen |Allow locking screen |
+|Quick unlock |Allow fingerprint and disallow the use of a PIN |
+|PIN auto-submit |Disable PIN auto-submit on lock and login screen |
+|Idle Settings |Set an appropriate idle time. Around 5 minutes is recommended. 
Lock screen on sleep |
+|Incognito Mode |If you are blocking users from signing into personal Google Accounts via "Browser sign-in settings", set this to Block, otherwise set to allow incognito mode�|
+|Force Ephemeral Mode |Erase all local user data� |
+|Online Revocation Checks |Perform online OCSP/CRL checks |
+|RC4 cipher suites in TLS |Disable RC4 |
+|Local Trust Anchors Certificates |Follow the publicly announced SHA-1 depreciation schedule for Local Anchors Sha1 Block Local Anchors Common Name Fallback Block Symantec Corporation�s Legacy PKI Infrastructure |
+|User management of installed CA certificates |Disallow users from managing certificates |
+|User management of installed client certificates |Disallow users from managing certificates |
+|Enable renderer code integrity |Renderer code integrity enabled |
+|Enable leak detection for entered credentials |Enable leak detection for entered credentials |
+|Chrome Cleanup |Allow Chrome Cleanup to periodically scan the system and allow manual scans. Users may choose to share results from Chrome Cleanup run with Google.|
+|Third Party Code |Prevent third party code from being injected into Chrome |
+|Audio Sandbox |Always sandbox the audio process |
+|Unsupported System Warning |Allow Chrome to display warnings when running on an unsupported system |
+|Advanced Protection program |Users enrolled in the Advanced Protection program will receive extra protections |
+|Command-line flags |Show security warnings when potentially dangerous command line flags are used. |
+|Popup interactions |Block pop-ups opened with a target of _blank from interacting with the page that opened the pop-up.|
+|Remote access clients |Remote access clients should not be configured unless absolutely necessary |
+|Firewall traversal |Disable firewall traversal |
+|Proxy mode |Force the use of a specific proxy if a proxy is used. Otherwise, select�'never use a proxy'. 
This can be set per-network if required.|
+|Ignore proxy on captive portals |Ignore policies for captive portal pages |
+|SSL Record Splitting |Enable SSL record splitting |
+|Minimum SSL version enabled |TLS 1.2 |
+|SSL error override |Block users from clicking through SSL warnings |
+|Data Compression Proxy |Always disable data compression proxy |
+|DNS over HTTPS |Enable DNS over HTTPS mode with insecure fallback |
+|Built-in DNS client |Always use the built in DNS client if available |
+|CORS legacy mode |Disable legacy mode |
+|CORS mitigations |Enable CORS mitigations |
+|Always on VPN |Enabled, if an appropriately configured Android application is deployed Do not allow user to disconnect from a VPN manually|
+|Cross-origin authentication |Block cross origin authentication |
+|Signed HTTP Exchange (SXG) support |Accept web content served as Signed HTTP Exchanges |
+|Globally scoped HTTP authentication cache |HTTP authentication credentials are scoped to top-level sites |
+|Require online OCSP/CRL checks for local trust anchors |Use existing online revocation-checking settings |
+|DNS interception checks |Perform DNS interception checks |
+|Legacy TLS/DTLS downgrade in WebRTC |Disable WebRTC peer connections downgrading to obsolete versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols|
+|Control Android backup and restore service |Backup and restore disabled |
+|Login credentials for network authentication |Dont use login credentials for network authentication |
+|Account Management |Disable�users adding any account types |
+|Certificate synchronization |Enable usage of Chrome OS CA Certificates in Android apps |
+|Screenshot |Allow users to take screenshots and video recordings. If device accesses sensitive material this should be set to Do not allow.|
+|Screen video capture |Allow sites to prompt the user to share a video stream of their screen. 
If device accesses sensitive material this should be set to Do not allow.|
+|Default legacy SameSite cookie behavior |Use SameSite-by-default behaviour for all cookies on all sites |
+|Flash |Block sites from running flash and do not allow the user to enable it |
+|Outdated Flash |Disallow outdated flash |
+|Popups during unloading |Prevent pages from showing popups while they are being unloaded |
+|Strict treatment for mixed content |Use strict treatment for mixed content |
+|Control use of insecure content exceptions |Do not allow any site to load blockable mixed content |
+|Insecure forms |Show warnings and disable autofill on insecure forms |
+|Occluded window rendering |Allow detection of window occlusion |
+|Enable URL-keyed anonymized data collection |Data collection is never active |
+|Developer Tools |Never allow the use of built-in developer tools |
+|Multiple sign-in access |Block multiple sign-in access for users in this organisation |
+|Sign-in to secondary accounts |Block multiple sign-in access for users in this organization |
+|Browser guest mode |Prevent guest browser logins |
+|WebRTC event log collection |Do not allow WebRTC event log collection |
+|URLs in the address bar |Display the full URL |
+|Shared clipboard |Disable the shared clipboard feature |
+|Smart Lock for Chrome |Do not allow Smart Lock for Chrome� |
+|Messages |Do not allow users to sync SMS messages between their phone and Chromebook |
+|Phone Hub |Do not allow Phone Hub notifications to be enabled |
+|External Storage Devices |Configure this in line with corporate policy on the use of external storage devices.|
+|WebUSB API |Do not allow any site to request access |
+|Serial Port API |Do not allow any site to request access to serial ports via the Serial Port API |
+|Privacy screen |Always enable the privacy screen |
+|Verified Mode |Require verified mode boot for Verified Access. 
|
+|Allow EMM partners access to device management |Disable Chrome management -partner access |
+|Reporting |Enable managed browser cloud reporting |
+|Safe Browsing |Always enable Safe Browsing |
+|Help improve Safe Browsing |Disable sending extra information to help improve Safe Browsing |
+|Safe Browsing for trusted sources |Perform safe browsing checks on all downloaded files |
+|Download restrictions |Block dangerous downloads |
+|Disable bypassing Safe Browsing warnings |Do not allow users to bypass Safe Browsing warnings |
+|Password alert |Trigger on password reused on phishing page |
+|Sites with intrusive ads |Block ads on sites with intrusive ads |
+|Abusive Experience Intervention |Prevents sites with abusive experiences from opening new windows or tabs. |
+|Legacy Browser support |Disable legacy browser support |
+|Command line access |Disable VM command line access |
+|Port forwarding |Do not allow users to enable and configure port forwarding into the VM container |
+|Android apps from untrusted sources |Prevent the user from using Android apps from untrusted sources |
+|Parallels� Desktop |Do not allow Parallels Desktop |
+|Metrics reporting |Do not send anonymous reports of usage and crash-related data to Google |
+|Wi-Fi network configurations sync |Do not allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone|
+|Chrome Management for Signed-in Users� |Apply all user policies when users sign into Chrome, and provide a managed Chrome experience|
+| | |
+|Device settings | |
+|Forced Re-enrolment |Force device to re-enrol into this domain after wiping. 
This will also prevent users from enabling Developer mode on the device and enforce secure boot.|
+|Powerwash |Allow Powerwash to be be triggered |
+|Verified Access |Enable for Content Protection |
+|Verified Mode |Require verified mode boot for Verified Access |
+|Disabled device return instructions |Create custom text should the device become lost |
+|Integrated FIDO second factor |Enable 2FA if Titan M security chip is in use. |
+|Guest Mode |Do not allow guest mode |
+|Sign-in Restriction |Restrict Sign-in to list of users. Enter all domains used by Google Admin with the wildcard as the username, such as: *@example.com *@sales.example.com Wildcards should not be used in the domain portion of the entries to ensure only users from managed domains and not unmanaged subdomains or third-party domains are allowed to sign in. |
+|Autocomplete Domain |Do not display an autocomplete domain on the sign-in screen. |
+|Sign-in screen |Never show user names and photos |
+|Single sign-on cookie behavior |Enable transfer of SAML SSO Cookies into user session during sign-in (if in use) |
+|System info on sign-in screen |Do not allow users to display system information on the sign-in screen |
+|Privacy screen on sign-in screen |Always enable the privacy screen on sign-in screen |
+|Auto Update Settings |Allow auto-updates No restriction on Google Chrome version |
+|Device Reporting |Enable device state reporting,�Enable tracking recent device users� |
+|Inactive Device Notifications |Enable inactive device notifications Set inactive range, notification cadence and email addresses as appropriate for the organisation. This recommendation aims to reduce the number of unused but available devices that have access to business data.|
+|Anonymous Metric Reporting |Never send metrics to Google |
+|Device system log upload |Enable device system log upload |
+|Bluetooth |Disable Bluetooth�unless required |
+|TPM Firmware Update |Allow users to perform TPM firmware updates. 
Users should follow the guidance on how to�update their TPM�and ensure that any local documents are backed up prior to updating their device.|
+|Virtual Machines� |Block usage for virtual machines needed to support Linux apps, unless specifically required for a sub-set of users (which are placed in a separate OU)|
+|Allow EMM partners access to device management |Disable Chrome management - partner access |
+| | |
+|Managed guest session settings | |
+|Managed guest session |Do not allow managed guest sessions. If it needs to be enabled, configure in line with 'user and browser settings'.|
+| | |
+|Security | |
+|Configure this section to organisation policy | |
+|Alert center: Rules |The following rules should be set to active, at a minimum: � Device compromised � Domain data export initiated � Government-backed attacks � Leaked password � Malware message detected post-delivery � Phishing in inboxes due to bad whitelist � Phishing message detected post-delivery � Suspicious device activity � Suspicious login � Suspicious message reported � Suspicious programmatic login � User granted Admin privilege Consider setting others as appropriate for you organisation. |
+|Data protection: Data protection rules and detectors |Refer to https://support.google.com/a/answer/6321530?hl=en |
+|Password management� |Configure a strong password policy in line with company policy requirements. |
+|Less secure apps |Disable access to less secure apps for all users. This can be modified if a business case is available for allowing a less secure app.|
+|2-Step Verification |Consider enforcing two step verification (2SV) for all users. On Chrome OS, two step verification is enforced only at first login. Once 2SV is enabled, it must be allowed and configured by each user individually. 
|
+|Login Challenges |Consider implementing Login challenges as an additional security measure to verify the identity of users if suspicious login attempts are detected|
+|Advanced Protection Program |Enable user enrollment |
diff --git a/Google/ChromeOS/README.md b/Google/ChromeOS/README.md
index e05efb1..3457296 100644
--- a/Google/ChromeOS/README.md
+++ b/Google/ChromeOS/README.md
@@ -2,6 +2,7 @@ This archive contains important security policy settings which are recommended f
 Remember, any guidance points given here are recommendations - they are not mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform.
-This configuration was last tested against Chrome OS in August 2020.
+This configuration was last tested against Chrome OS 89.
+
+Crown Copyright (c) 2021
-Crown Copyright (c) 2020