Cyber Essentials for Kandji: Mac configuration guide

Cyber Essentials for Kandji: Mac configuration guide

Kandji maps cleanly to Cyber Essentials v3.3 because its Library Items are structured around the exact controls the scheme tests - FileVault, Gatekeeper, Application Firewall, Software Update, password policy, and supported macOS version. The common failure is a Blueprint scoped to most of the fleet but with a handful of devices on a "dev" Blueprint that relaxes a specific clause.

1. Assignment scope via Blueprints

Before touching policies, get enrolment coverage right:

• Automated Device Enrolment via Apple Business Manager - new devices land enrolled, users cannot skip
• Single production Blueprint covering ≥95% of the Mac fleet
• Any exceptions (developer Blueprints, executive Blueprints) narrowly scoped and documented

Kandji's inventory count should match your identity provider's active user count to within 2–3%. Reconcile monthly.

2. Library Items - mandatory set for CE v3.3

FileVault

• Action: Enable at next login
• Recovery key: escrow to Kandji
• Prevent user disable: on

Passcode

• Minimum length 12
• Require alphanumeric
• Max age 365 days
• Auto-lock grace period: 0
• Max failed attempts before wipe: 10 (corporate) / not set (BYOD)

Firewall

• Enable on
• Stealth mode on
• Block all incoming connections (or allow only signed built-in services)

Gatekeeper

• Enable Gatekeeper
• Mac App Store and identified developers
• Disallow user override

Software Update

• Automatic checking on
• Automatic download on
• Automatic install macOS updates on
• Automatic install app updates on
• Maximum deferral 7 days for Rapid Security Responses

Screen Saver

• Require password after sleep/screensaver
• Delay: 0 seconds

Minimum OS

• macOS 14 (Sonoma) or later. Anything below is outside Apple's N-1 security-update window and the Cyber Essentials supported-OS clause.

3. Patching with Managed OS

Use Managed OS (Kandji's DDM-based software update enforcement):

• Enforce macOS version within 14 days of each high/critical release
• Quiet prompts → forced prompts → forced restart cadence
• Exempt only devices with a tightly scoped business reason

This single Library Item is often the strongest single piece of evidence assessors see for patching on Mac.

4. Malware protection

Apple's XProtect (built into macOS) satisfies Cyber Essentials's malware-protection control out of the box. If you deploy Kandji EDR, CrowdStrike, or similar:

• Deploy via Custom Apps Library Item
• Pre-approve Full Disk Access + System Extensions via Privacy Preferences Policy Control Library Item
• Dashboard showing agent health on all enrolled devices

5. User access control

• No local admin for the standard user account
• Managed admin account per device, password rotated by Kandji (Passport or local admin rotation)
• Federated identity via Kandji Passport / Platform SSO with MFA on the IdP

6. Evidence assessors expect

• Library Item screenshots for each mandatory payload
• Blueprint assignment report showing 100% coverage
• Computer Records export showing FileVault status, macOS version, agent health
• Activity log showing Managed OS enforcement running
• Threat report showing zero active malware findings

7. Common failure points

1. A "dev" Blueprint that disables Gatekeeper for the whole engineering team. Narrow to one Library Item override, document business need.

2. Managed OS set to "Notify" only - users click-through and stay on old OS. Move to Enforce with a 7-day window.

3. A couple of macOS 13 (Ventura) devices outside the supported-OS window. Smart-assign upgrade, or replace.

4. BYOD Macs enrolled in Kandji but without FileVault - FileVault requires an existing local admin, and BYOD machines often don't have one owned by IT. Either bring into full management or move to MAM-only patterns for BYOD email access.

What Fig checks

Our CE readiness scan reviews Kandji computer records and Library Item assignments against each v3.3 clause. Kandji-managed Mac fleets pass first-time at >97% when Managed OS is enforced and FileVault coverage ≥99%.

Start Cyber Essentials - from £299.99 + VAT | Pricing | CE Plus booking