Endpoints

Last updated: Jun 16, 2026


Device management

In order to protect our clients' data, we administer our devices with a Mobile Device Management (MDM) tool.

This tool enables the following:

  • Comprehensive visibility into macOS security tools, device compliance, overall fleet risk, and unified logging
  • Applying hardening configurations by installing pre-configured security profiles
  • Blocking malware, locking down command and control traffic, restricting removable media, and filtering malicious websites and content
  • Real-time detection of phishing, malicious activity, and threats through behavioral analytics and customizable threat hunting
  • Swift investigation of issues and automation of remediation workflows

Each user account is associated with a device, and access to these is also monitored and controlled (see the article about device enrollment).

The profiles are set up with different configurations following our criteria.

MDM Profile reference in machines used by Fluid Attacks

Self-Service

The Self-Service function allows users to access the enterprise app store, install apps, update software, and maintain their own device without a help desk ticket. All Self-Service-hosted applications are analyzed and approved/denied by our IT Manager and CTO. This applies to any additional application request employees send.

Inventory management

The MDM tool automatically collects data from our IT assets, such as:

  • Hardware:
    • Device type/model/name
    • Serial number
    • Unique Device Identifier (UDID)
    • Battery level
  • Software:
    • OS version
    • Applications installed and versions
    • Storage capacity
  • Security:
    • Encryption status
    • System configurations
    • Software restrictions
    • Jailbreak detection
  • Management:
    • Managed status
    • Supervised status
    • IP address
    • Enrollment method

Requirements for laptops

Device policy

Since we use different configuration profiles for our laptops for users and admins, such profiles are configured with different policies:

Authorization

We control how devices can be accessed only by their intended users and how permissions over those devices are managed. We comply with the following criteria:

  • Laptops' passwords and data are visible only to their users. The use of KeyChain is mandatory for all users for security purposes; to protect passwords saved in KeyChain, it automatically locks when the computer is locked or suspended.
  • Only administrators have access to administration data. Admin users' permissions are limited to their tasks, meaning there are no root users or root accounts enabled.
  • Automatic login is disabled to prevent data leaks; a password is required for system configuration and to access data.
  • A minimum set of requirements must be followed for passwords: a minimum set of 16 characters including at least two non alphanumeric, not to have two consecutive nor three sequential characters, at least one number and one alphabetic, not to be the same as the previous 50 passwords.
  • Passwords have an age limit established, and a history of passwords is saved for future password checking.

Requirements:

Updates

We keep devices and apps updated with their latest and secure versions.

Users

We control how login is made on devices and create local accounts improving security:

  • The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely log in to the system, and all created files, caches, and passwords are deleted upon logging out.
  • The login window prompts a user for their credentials, verifies their authorization level, and then allows or denies the user access to the system.
  • The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders' continued existence, it is best removed.

Requirements:

Preferences

We control what the user can accomplish with manual configurations on the devices, restricting access to unnecessary system configurations to devices depending on their use for the different roles.

Requirements:

Networking

We control how we handle insecure protocols and services, which can compromise the data stored on the devices:

HTTP Apache server and NFSD is part of the operating system and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.

Requirements:

Auditing

We handle logs and monitor our devices for auditing purposes as follows:

  • The audit system writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth, the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. ACLs should not be used for these files.
  • The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled.

Requirements:

Removable devices

All removable devices are limited and controlled, including external disks, disk images, DVD-RAM, USB storage devices, and removable disc media, such as CDs, CD-ROMs, DVDs, and recordable discs.

The status of the control can be mountable and not mountable. Our current policy is completely restrictive, none of these devices can be mounted.

Requirements:

Requirements for mobile devices

Our collaboration systems also provide security requirements that mobile devices must comply with before enrolling in the organization's systems. This is especially useful as personal mobile devices are common targets for malicious pentesters.

Some of the requirements are the following:

  • Having a separate work profile to isolate the information from the rest of the phone
  • Establishing a strong passphrase
  • Setting biometric authentication in case the device supports it

References

Requirements

The following Fluid Attacks requirements apply to the controls described on this page:

Other secure authorization measures

On this page