Endpoints

Last updated: Mar 25, 2026

---

Device management

At Fluid Attacks, in order to protect our clients' data, we administer our devices with a Mobile Device Management (MDM) tool.

This tool enables the following:

• Comprehensive visibility into macOS security tools, device compliance, overall fleet risk, and unified logging
• Applying hardening configurations by installing pre-configured security profiles
• Blocking malware, locking down command and control traffic, restricting removable media, and filtering malicious websites and content
• Real-time detection of phishing, malicious activity and threats through behavioral analytics and customizable threat hunting
• Swift investigation of issues and automation of remediation workflows

Each user account is associated with a device, and access to these is also monitored and controlled (see the article about device (re)enrollment).

The profiles are set up with different configurations following our criteria.

Self-service

The Self-Service function allows users to manage their own enterprise app store. This gives them the ability to install apps, update software and maintain their own device without a help desk ticket. All Self-Service-hosted applications are analyzed and approved/denied by our IT Manager and CTO. This applies to any additional application request.

Inventory management

The MDM tool automatically collects data from our IT assets, such as:

• Hardware:
  • Device type/model/name
  • Serial number
  • Unique Device Identifier (UDID)
  • Battery level
• Software:
  • OS version
  • Applications installed and versions
  • Storage capacity
• Security:
  • Encryption status
  • System configurations
  • Software restrictions
  • Jailbreak detection
• Management:
  • Managed status
  • Supervised status
  • IP address
  • Enrollment method

Requirements for laptops

Device policy

Since we use different configuration profiles for our laptops for users and admins, such profiles are configured with different policies:

Authorization

How the devices can be accessed only by their intended users and how permissions over said device are managed. We comply with the following criteria:

• Laptops' passwords and data are visible only to their users. The use of KeyChain is mandatory for all users for security purposes; to protect passwords saved in KeyChain, it automatically locks when the computer is locked or suspended.
• Only administrators have access to administration data. Admin users' permissions are limited to their tasks, meaning there are no root users or root accounts enabled.
• Automatic login is disabled to prevent data leaks; a password is required for system configuration and to access data.
• A minimum set of requirements must be followed for passwords: a minimum set of 16 characters including at least two non alphanumeric, not to have two consecutive nor three sequential characters, at least one number and one alphabetic, not to be the same as the previous 50 passwords.
• Passwords have an age limit established, and a history of passwords is saved for future password checking.

Requirements: 300, 185, 375, 096, 033, 341, 095, 186, 229, 227, 380, 310, 133, 130, 129, 141, and 369.

Updates

Keep devices and apps updated with their latest and secure versions.

Users

Control how login is made on the device and local accounts are created improving the security:

• The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely log in to the system, and all created files, caches, and passwords are deleted upon logging out.
• The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system.
• The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders' continued existence, it is best removed.

Requirements: 142, 264, 265, 266, and 319.

Preferences

What the user can accomplish with manual configurations on the devices, restrict access to unnecessary system configurations to devices depending on their use for the different roles.

Requirements: 265, 261, 266, 177, 045, 046, 339, 185, 273, 141, and 173.

Networking

How we handle insecure protocols and services, which can compromise the data stored on the devices:

HTTP Apache server and NFSD is part of the operating system and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.

Requirements:: 265 and 266.

Auditing

How we handle logs and monitor our devices for auditing purposes:

• The audit system writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth, the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. ACLs should not be used for these files.
• The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled.

Requirements: 080, 377, 378, 079, and 075.

Removable devices

All removable devices can be limited and controlled, including external disks, disk images, DVD-RAM, USB storage devices, and removable disc media, such as CDs, CD-ROMs, DVDs and recordable discs.

The status of the control can be mountable and not mountable. Our current policy is completely restrictive, none of these devices can be mounted.

Requirements: 265, 266, and 273.

Requirements for mobile devices

Our collaboration systems also provide security requirements that mobile devices must comply with before enrolling in the organization's systems. This is especially useful as personal mobile devices are common targets for malicious pentesters.

Some of the requirements are the following:

• Having a separate work profile to isolate the information from the rest of the phone
• Establishing a strong passphrase
• Setting biometric authentication in case the device supports it

References

• SOC2®-CC6_2. Logical and physical access controls
• MITRE ATT&CK®-M1043. Credential access protection
• SANS 25-14. Improper Authentication
• POPIA-3A_23. Access to personal information
• PDPO-S1_4. Security of personal data
• CMMC-IA_L1-3_5_2. Authentication
• HITRUST CSF-10_c. Control of internal processing
• OWASP MASVS-V8_10. Resilience requirements - Device binding
• OWASP ASVS-4_3_1. Other access control considerations

Requirements

• 033. Restrict administrative access
• 045. Remove metadata when sharing files
• 046. Manage the integrity of critical files
• 075. Record exceptional events in logs
• 079. Record exact occurrence time of events
• 080. Prevent log modification
• 095. Define users with privilege
• 096. Set user's required privileges
• 129. Validate previous passwords
• 130. Limit password lifespan
• 133. Password with at least 20 characters
• 141. Force re-authentication
• 142. Change system default credentials
• 173. Discard unsafe inputs
• 177. Avoid caching and temporary files
• 185. Encrypt sensitive information
• 186. Use the principle of less privilege
• 227. Display access notification
• 229. Request access credentials
• 231. Implement a biometric verification component
• 261. Avoid exposing sensitive information
• 264. Request authentication
• 265. Restrict access to critical processes
• 266. Disable insecure functionalities
• 273. Define a fixed security suite
• 300. Mask sensitive data
• 310. Request user consent
• 319. Make authentication options equally secure
• 326. Detect rooted devices
• 329. Keep client-side storage without sensitive data
• 341. Use the principle of deny by default
• 369. Set a maximum lifetime in sessions
• 375. Remove sensitive data from client-side applications
• 377. Store logs based on valid regulation
• 378. Use of log management system

Other secure authorization measures

• Access revocation
• Authorization for clients
• Authorization for Fluid Attacks staff
• Employee termination
• Secret rotation
• Session management