Checks that password is required to wake the computer from sleep or screen saver is enabled.

Checks that the system is configured via MDM to automatically install updates.

Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.

Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.

Checks to make sure that the System Integrity Protection feature is enabled.

Checks that a mobile device management (MDM) solution configures the Mac to prevent login in without a password. Note: This policy will not report a value if FileVault is disabled.

Checks that a mobile device management (MDM) solution configures the Mac to enabled secure keyboard entry for the Terminal application.

Checks the version of Malware Removal Tool (MRT) and the built-in macOS AV (Xprotect). Replace version numbers with the latest version regularly.

Required: osquery deployed with Orbit, or manual installation of macadmins/osquery-extension. Checks that a mac is enrolled to MDM. Add a AND on identity_certificate_uuid to check for a specific MDM.

Checks if the application (Docker Desktop example) is installed and up to date, or not installed. Fails if the application is installed and on a lower version. You can copy this query and replace the bundle_identifier and bundle_version values to apply the same type of policy to other applications.

Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present.

Checks if the firewall is enabled.

Checks that a mobile device management (MDM) solution configures the Mac to enable screen lock.

Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer.

Checks that the operating system is up to date.

Checks that a mobile device management (MDM) solution configures the Mac to automatically check for updates.

Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates.

Checks that a mobile device management (MDM) solution configures the Mac to automatically install updates to App Store applications.

Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates to built-in macOS security tools such as malware removal tools.

Checks that a mobile device management (MDM) solution configures the Mac to automatically install operating system updates.

Checks that a mobile device management (MDM) solution configures the Mac to lock the screen after 20 minutes or less.

Checks that a mobile device management (MDM) solution configures the Mac to prevent Internet sharing.

Checks that a mobile device management (MDM) solution configures the Mac to disable content caching.

Checks that a mobile device management (MDM) solution configures the Mac to limit advertisement tracking.

Checks that a mobile device management (MDM) solution configures the Mac to prevent iCloud Desktop and Documents sync.

Checks that a mobile device management (MDM) solution configures the Mac to log firewall activity.

Checks that a mobile device management (MDM) solution configures the Mac to prevent the use of a guest account.

Checks that a mobile device management (MDM) solution configures the Mac to prevent guest access to shared folders.

Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.

This policy detects if Apple Intelligence is disabled.

Checks if the root drive is encrypted. There are many ways to encrypt Linux systems. This is the default on distributions such as Ubuntu.

Checks that both ClamAV's daemon and its updater service (freshclam) are running.

Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present.

This policy setting determines the least number of characters that make up a password for a user account.

Checks to make sure that full disk encryption is enabled on Windows devices.

Checks the status of antivirus and signature updates from the Windows Security Center.

Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present.

Checks for an autostart that is attempting to load a dynamic link library (DLL) from the internet.

Checks if the screen lock is enabled and configured to lock the system within 30 minutes or less.

Checks if a Group Policy configures the computer to enable the domain profile for Windows Firewall. The domain profile applies to networks where the host system can authenticate to a domain controller. Some auditors requires that this setting is configured by a Group Policy.

Checks if a Group Policy configures the computer to enable the private profile for Windows Firewall. The private profile applies to networks where the host system is connected to a private or home network. Some auditors requires that this setting is configured by a Group Policy.

Checks if a Group Policy configures the computer to enable the public profile for Windows Firewall. The public profile applies to networks where the host system is connected to public networks such as Wi-Fi hotspots at coffee shops and airports. Some auditors requires that this setting is configured by a Group Policy.

Checks that the SMBv1 client is disabled.

Checks that the SMBv1 server is disabled.

Checks if a Group Policy configures the computer to disable LLMNR. Disabling LLMNR can prevent malicious actors from gaining access to the computer's credentials. Some auditors require that this setting is configured by a Group Policy.

Checks if a Group Policy configures the computer to enable Automatic Updates. When enabled, the computer downloads and installs security and other important updates automatically. Some auditors require that this setting is configured by a Group Policy.