Joined by the popular Mac Admins podcast cast, we dive into Apple security and privacy, and how Macs are being integrated into workplaces everywhere. Find out whether an Apple product on its own keeps you secure and safe from viruses, or if you need additional security apps to protect your devices.
Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, chats with Tom Bridge, Marcus Ransom, and Charles Edge – three of the rotating cast of Apple expert hosts and consultants – on the Random but Memorable podcast. To learn more, read the interview highlights below or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: A lot of people believe that buying an Apple product or a device keeps them secure and safe from viruses, is that true?
Charles Edge: No. The first viruses – or the first viruses for personal computers at least – were written for the Mac, so I don’t think it was ever true.
Having said that, I do think Apple makes a lot of privacy and security decisions on our behalf out of the box that make the platform very secure, comparably. That’s not to say I don’t think third-party products have a place. Take 1Password as an example. Keychain’s awesome. 1Password has all these things that make it even better. And the same can be said for endpoint detection and response solutions (EDR).
“Apple makes a lot of privacy and security decisions on our behalf out of the box that make the platform very secure.”
Tom Bridge: I don’t think that there’s a ton of need to go out and invest in EDR like a Carbon Black or a CrowdStrike for your personal individual machine. I don’t think that that’s a great use of money or time.
But there are some common-sense things that you can do to protect yourself. Some of the more consumer-friendly solutions are a good option. But business needs are a little bit different than say, an individual focus.
Marcus Ransom: The other way I like to look at it is, the computer itself is pretty safe. It’s a pretty robust platform. As Charles mentioned, Apple has done an awesome job of building something that has a level of protection and privacy and makes it really hard for third-party threat actors.
But one of the biggest problems is the person using the computer and their behavior. Once again, Apple has done a really awesome job of trying to encourage and promote good behavior, but there are still plenty of things you can get absolutely wrong if you’re not mindful of what you’re doing.
“One of the biggest problems is the person using the computer and their behavior.”
It’s quite amazing to see what sort of paths people attacking Mac users will use compared to the typical Windows virus, which is a whole different kettle of fish.
MF: Apple consistently adds new security features and new privacy features to their products. What has recently come out from Apple that has got you excited as admins or changed the way that you do device management?
CE: Passkeys. We can start there since we’re on a podcast from a company that supports them!
TB: Passkeys and iCloud Keychain. As we pivot into the business for a second, the ability to put those in a managed Apple ID keychain is absolutely right.
Then we go one step further: being able to tie the authentication of your managed Apple ID to an external identity provider that isn’t just Google or Microsoft. That could be a JumpCloud, an Okta, or anybody else along those lines.
That’s a huge step forward for a lot of business organizations in terms of making managed Apple IDs more approachable, more familiar, more comfortable for the average end user. So that they can know: “Hey, look, I don’t have to remember a different password. I don’t have to get out an SMS-capable device to complete authentication.” To be able to do it the same way that I normally authenticate to do any of my other business tasks is so crucial.
I’m really excited to see Apple moving in that direction and supporting that kind of managed Apple ID federation.
CE: Some of these things are not things that users are even asking for. As an example, just last week, Apple introduced post-quantum encryption (PQ3) for iMessage. Now it’s like: “Oh, you don’t even need Signal or one of the other apps in order to have that same level of encryption to protect data, whether it’s at rest or in transit, on that device.”
TB: While the texts I exchange with my friends aren’t something that I’m worried about, the fact that any messages I send are safe from quantum cryptography attacks… that’s a real good feeling. And it wasn’t something that I sought out to ask from Apple, but boy, are they out there looking out for the people that use their platforms in ways that other companies just aren’t.
MR: One of the things that I really love is Apple’s idea of containerization. On your personal device, you can have your work applications, but rather than having a portal that you go into for work or a different account that you sign into, the apps are all there, on your phone. If you use a work app, the company has responsibility for that work and can see what’s going on in there. If you’re using personal apps on the same phone, work can’t see it.
One of the details I really love is that they won’t even know the serial number of your device because that serial number can be used for narrowing down who you are or identifying you. The idea is making things secure for an organization and doing a really good job being able to prevent copy and paste and clipboard between personal and work – but at the same time giving the user privacy.
I remember back to the early days of MDM (mobile device management) when, if a personal device was enrolled in MDM, you were able to see what’s on it, like what apps they have installed on an iPad. From that, you could draw conclusions about a person.
Not having that available any more is really refreshing. We see so many organizations saying, “Oh, we need to be able to geolocate all of our users wherever they are.” Most of these ideas come from a good place. They’re thinking about the value that they can have.
“If a personal device was enrolled in MDM, you were able to see what’s on it. Not having that available any more is really refreshing.”
But then you think about what happens if somebody with either bad intentions or sloppy digital hygiene gets access to that information. The next thing you know, your company is in the news! And as a user, something very personal of yours is now public, and you can’t walk that back.
I love the way Apple makes decisions on behalf of Mac admins, about what they can and can’t do, really, to protect us from ourselves in a way.
MF: What do you think is the perception of Apple devices in corporate environments these days? Do you see it shifting? There was a time where Apple was pushing out ad campaigns like, oh, you can do that on a Mac, too, like Microsoft Office and things like that. But obviously, there’s a lot more than just running Office to bring a Mac into a corporate environment.
TB: I see it shifting and that it’s shifted a lot over the last five years. If we think about how businesses have traditionally seen Apple – in the “before times” and the “long ago” – we certainly saw Apple devices as “less than”. A lot of corporate IT departments were like: “Oh, that one Mac over there, I was made to support it by my evil boss.”
If you want to put one person’s name out there – and I don’t like putting one person’s name because there was a whole team that was working with this person – but go look at Fletcher Previn. He was at one point CIO of IBM, and he’s now SVP and CIO of Cisco. If you look at the programs that he helped build, he basically said: “Hey, it’s okay to use a Mac at work. If you want to use a Mac, you should be able to.”
That approach has paid such dividends for IBM, Cisco, and other organizations throughout the Fortune 500. Now there isn’t anybody any more without some plan for supporting Macs in the enterprise.
CE: The one thing I would add is that I do see an almost overcorrection in some organizations. They equate the Mac with the “digital transformation” buzzword. They’re like: “Well, if we allow a thousand Macs here, then we have completed the digital transformation.”
In my experience, digital transformation is about things like automation, cost-cutting, and getting to market faster with new product development. Just allowing a Mac and treating it like Windows is not synonymous with digital transformation unless you’re looking to also automate things and get things to market faster.
MF: Let’s talk about the cybersecurity landscape, which is constantly evolving. How do you stay informed about emerging threats and vulnerabilities that are specific to Apple products? What steps can admins and users take to stay ahead of these potential security risks?
CE: I can speak to what I do. I watch every video from Objective by the Sea (Mac security conference). It’s a wonderful conference that talks in depth – it might be too in-depth for the average user. I also typically look for everything about iOS, Mac, iPad, visionOS, passkeys even, that pops up at DEF CON and Black Hat conferences. Again, that’s pretty deep for regular people who are just trying to protect their machine at home.
TB: Well, I’m a little bit of an outlier too because my next-door neighbor is one of the program managers for CISA, which is the Cybersecurity and Infrastructure Security Agency here in Washington DC. I just go across the fence and ask Dave what happened!
But really what I do is I read a lot of things. I will call out the Objective-See Foundation. As Charles mentioned, they have a conference, but Patrick Wardle also has a Patreon and a blog, and that’s a great place to go look. I love the threat labs research topics from the folks at Jamf, and from Kandji.
And Malwarebytes. They’re doing great work out there, and that is a great place to go see what the cutting edge of threats is. I also want to caution you, if you read all this and you get scared, take a deep breath. It’s going to be okay. A lot of it’s theoretical.
CE: Or been addressed in a point release or a security update.
TB: The number one thing that anybody can do to protect their own security is keep their machine up to date. Period. Full stop. Apple patches the latest version of the operating system for all of the security bugs. And keep your third-party software up to date too. I know that it’s fun to click the box that says “not now” or “ask me again tomorrow”, but don’t get in the habit of doing that for three and a half years!
“The number one thing that anybody can do to protect their own security is keep their machine up to date. Period.”
CE: Don’t enable sharing. Read the dialogue boxes. Ask questions like, “Why do you want access to my Camera Roll?”
MR: There’s also some basic digital hygiene as well. There’s this great auto login functionality in macOS, so when you turn on your machine, it just logs in, which is a great convenience. Unfortunately, it’s also a really good way to give somebody else access to what’s on your machine if they have physical access to that machine. So use a good password manager. Use passkeys when you can.
CE: Don’t reuse the same password.
MF: Where can folks go to find out more about you?
TB: You can find the podcast at podcast.macadmins.org. You can join us in a 65,000-person-strong Slack for people who manage Apple devices at scale. Check that out, read the code of conduct. We really like to keep it a safe place for people to participate and to be themselves, so please give that a look and come join us.