A collection of policies, OS settings, and scripts for macOS, Windows, and Linux.
Contributions welcome over on GitHub.
Checks that requiring a password to wake the computer from sleep or screen saver is enabled.
Checks that the system is configured via MDM to automatically install updates.
Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a Mac.
Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
Checks to make sure that the System Integrity Protection feature is enabled.
Checks that a mobile device management (MDM) solution configures the Mac to prevent logging in without a password. Note: This policy will not report a value if FileVault is disabled.
Checks that a mobile device management (MDM) solution configures the Mac to enable secure keyboard entry for the Terminal application.
Checks the version of Malware Removal Tool (MRT) and the built-in macOS AV (XProtect). Replace version numbers with the latest version regularly.
Required: osquery deployed with Orbit, or manual installation of macadmins/osquery-extension. Checks that a Mac is enrolled in MDM. Add an AND on identity_certificate_uuid to check for a specific MDM.
Checks if the application (Docker Desktop example) is installed and up to date, or not installed. Fails if the application is installed and on a lower version. You can copy this query and replace the bundle_identifier and bundle_version values to apply the same type of policy to other applications.
Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present.
Checks that a mobile device management (MDM) solution configures the Mac to enable screen lock.
Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer.
Checks that a mobile device management (MDM) solution configures the Mac to automatically check for updates.
Automatic update downloads enabled
Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates.
Checks that a mobile device management (MDM) solution configures the Mac to automatically install updates to App Store applications.
Automatic security and data file updates is enabled
Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates to built-in macOS security tools such as malware removal tools.
Checks that a mobile device management (MDM) solution configures the Mac to automatically install operating system updates.
Checks that a mobile device management (MDM) solution configures the Mac to automatically update the time and date.
Lock screen after inactivity of 20 minutes or less
Checks that a mobile device management (MDM) solution configures the Mac to lock the screen after 20 minutes or less.
Checks that a mobile device management (MDM) solution configures the Mac to prevent Internet sharing.
Checks that a mobile device management (MDM) solution configures the Mac to disable content caching.
Checks that a mobile device management (MDM) solution configures the Mac to limit advertisement tracking.
iCloud Desktop and Document sync is disabled
Checks that a mobile device management (MDM) solution configures the Mac to prevent iCloud Desktop and Documents sync.
Checks that a mobile device management (MDM) solution configures the Mac to log firewall activity.
Checks that a mobile device management (MDM) solution configures the Mac to prevent the use of a guest account.
Guest access to shared folders is disabled
Checks that a mobile device management (MDM) solution configures the Mac to prevent guest access to shared folders.
Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.