Cyber Essentials for Mac / macOS: configuration guide
Exactly what Cyber Essentials v3.3 requires on Mac - FileVault, Application Firewall, Gatekeeper, auto-updates, supported macOS, and the evidence assessors expect, with or without MDM.
Cyber Essentials v3.3 applies to every Mac used for organisational work - MacBook Air, MacBook Pro, iMac, Mac mini, Mac Studio. The scheme requires FileVault 2 enabled, Application Firewall on, Gatekeeper enforcing "Mac App Store and identified developers", automatic updates on, supported macOS version (macOS 14 Sonoma or 15 Sequoia as of 2026), and a minimum 12-character password. Evidence is much easier with MDM (Jamf, Kandji, Mosyle, Intune, Addigy); without MDM you need a signed attestation per device from a trusted user - workable for micro businesses, not scalable.
1. What the scheme tests on macOS
| Control | macOS requirement |
|---|---|
| Firewall | Application Firewall on with stealth mode |
| Secure configuration | FileVault on, Gatekeeper enforcing identified developers, minimum 12-character password, auto-lock 10 min |
| Security update management | Automatic updates on, macOS 14 or later, Rapid Security Responses installed within 14 days |
| User access control | Standard user account for daily work; separate admin account; MFA on iCloud / IdP |
| Malware protection | Built-in XProtect, together with Gatekeeper, satisfies the Option 3 allow-listing route; third-party EDR optional |
2. Without MDM (micro business, ≤ 10 Macs)
Viable for micro-tier organisations:
- Walk through each Mac once and enable the settings above
- Document per-device state in a spreadsheet
- Get a one-page signed attestation from the primary user each year confirming settings haven't changed
- Use Activation Lock + Find My Mac for theft recovery
Exact settings:
System Settings > Privacy & Security
- FileVault: On - save the recovery key in a password manager
- Gatekeeper (Allow applications from): Mac App Store and identified developers
- Firewall: On, stealth mode on, block all incoming connections
System Settings > General > Software Update
- Automatic Updates: All four toggles on (check, download, install macOS updates, install app updates)
- Install Security Responses & system files: On
System Settings > Lock Screen
- Require password immediately after sleep
- Start screen saver after 10 minutes
- Lock screen after 15 minutes
System Settings > Users & Groups
- Standard user for daily work
- Separate admin account with a unique 12-character password
- Disable automatic login
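The settings above are easy to drift from, so the following read-only shell script, added here as an example and not Fig's scanner or Apple tooling, reads each one back with the built-in commands (fdesetup, spctl, socketfilterfw, sw_vers, defaults) and prints a PASS/FAIL line per clause, which is the per-device state you would record for a Mac. The output strings it matches on are what macOS 14 and 15 print today; the Software Update preference keys (AutomaticCheckEnabled, AutomaticDownload, AutomaticallyInstallMacOSUpdates, ConfigDataInstall, CriticalUpdateInstall, and AutoUpdate under com.apple.commerce) and the loginwindow autoLoginUser key are the standard ones, and a key that cannot be read is treated as failing, which is the conservative reading for an assessor. Password length is not checked, since pwpolicy returns an XML policy rather than a single value.

```shell
#!/bin/sh
# Read-only Cyber Essentials baseline check for a single Mac (added example; not Fig's
# scanner and not Apple tooling). Each check_* function judges the text that a macOS
# command prints, so the logic can be exercised with constructed output on any host;
# run_baseline_report runs the real commands on a Mac and prints one PASS/FAIL line per
# clause, which is the per-device state to record for the evidence spreadsheet.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# `spctl --status` prints "assessments enabled" when Gatekeeper is enforcing.
check_gatekeeper() {
  case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)";
# --getstealthmode prints "Stealth mode enabled" or "Stealth mode disabled".
check_firewall() {
  case "$1" in *"Firewall is enabled"*) ;; *) return 1 ;; esac
  case "$2" in *"Stealth mode enabled"*) return 0 ;; *) return 1 ;; esac
}

# Major version from `sw_vers -productVersion` (e.g. "15.3.1") must be 14 or later.
check_macos_version() {
  major=${1%%.*}
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -ge 14 ]
}

# Every `defaults read` value handed in must be 1; an unreadable key arrives as ""
# and fails, the conservative reading for an assessor.
check_auto_updates() {
  [ "$#" -gt 0 ] || return 1
  for v; do [ "$v" = 1 ] || return 1; done
}

# Screen-saver idle time in seconds: 0 means "never", so require 1..600 (10 minutes).
check_screensaver() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ] && [ "$1" -le 600 ]
}

# autoLoginUser is absent (empty) when automatic login is disabled.
check_autologin_disabled() { [ -z "$1" ]; }

# Prints PASS/FAIL for a label and bumps the failure counter.
report() {
  label=$1; shift
  if "$@"; then printf 'PASS  %s\n' "$label"
  else printf 'FAIL  %s\n' "$label"; fails=$((fails + 1)); fi
}

# Reads one preference key; prints "" (so the check fails) if it cannot be read.
rd() { defaults read "$1" "$2" 2>/dev/null || echo ""; }

run_baseline_report() {
  fails=0
  sfw=/usr/libexec/ApplicationFirewall/socketfilterfw
  su=/Library/Preferences/com.apple.SoftwareUpdate
  report "FileVault on"            check_filevault "$(fdesetup status 2>/dev/null)"
  report "Gatekeeper enforcing"    check_gatekeeper "$(spctl --status 2>/dev/null)"
  report "Firewall + stealth mode" check_firewall "$("$sfw" --getglobalstate 2>/dev/null)" \
                                                  "$("$sfw" --getstealthmode 2>/dev/null)"
  report "macOS 14 or later"       check_macos_version "$(sw_vers -productVersion 2>/dev/null)"
  report "Automatic updates"       check_auto_updates \
    "$(rd "$su" AutomaticCheckEnabled)" "$(rd "$su" AutomaticDownload)" \
    "$(rd "$su" AutomaticallyInstallMacOSUpdates)" "$(rd "$su" ConfigDataInstall)" \
    "$(rd "$su" CriticalUpdateInstall)" "$(rd /Library/Preferences/com.apple.commerce AutoUpdate)"
  report "Screen saver <= 10 min"  check_screensaver \
    "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)"
  report "Automatic login off"     check_autologin_disabled \
    "$(rd /Library/Preferences/com.apple.loginwindow autoLoginUser)"
  printf '%s clause(s) failed\n' "$fails"
  return "$fails"
}

# Only run the live report on macOS; the check_* functions work anywhere.
if [ "$(uname 2>/dev/null)" = Darwin ]; then run_baseline_report; fi
```

Run it as the primary user on each Mac and keep the output with the device's row in the spreadsheet; a non-zero exit status means at least one clause failed, so the same script can be wired into a login hook or a periodic job to catch drift between annual attestations.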
3. With MDM - much cleaner
Jamf Pro, Kandji, Mosyle, Addigy, Intune for Mac, or Workspace ONE. Each one can apply a Configuration Profile enforcing all of the above centrally. See the separate guides for:
MDM gives you two things assessors value: the ability to prove settings at scale, and the ability to re-apply settings automatically if they drift.
4. Supported macOS versions
As of 2026 Apple is actively patching:
- macOS 15 (Sequoia) - current
- macOS 14 (Sonoma) - N-1, still patched
- macOS 13 (Ventura) - receiving fewer security fixes; sliding out of the supported-OS clause
Devices running macOS 12 (Monterey) or older are outside the supported window and fail the security-update-management control. On Apple Silicon this is easy - upgrade. Some older Intel Macs (2017–2019) cannot upgrade to macOS 15; check compatibility and plan replacements.
5. Antivirus / malware protection
macOS's built-in XProtect is accepted by Cyber Essentials under Option 3 (whitelist-based application control via Gatekeeper + App Store review). You do not need to install a third-party AV to pass.
If you do layer EDR (CrowdStrike, Jamf Protect, SentinelOne, Huntress):
- Install via MDM, not manually
- Pre-approve system extensions and Full Disk Access via Privacy Preferences Policy Control profile
- Ensure the dashboard shows agent health for every enrolled Mac
6. Evidence assessors expect
With MDM: a computer record export showing FileVault, firewall, Gatekeeper, password, and macOS version per device; configuration profile payload screenshots.
Without MDM: a per-device spreadsheet with the configured state and a signed user attestation. Viable up to ~10 Macs.
7. Common failure points
1. FileVault off on a MacBook handed to a new starter - usually because the onboarding checklist missed it. MDM fixes this structurally.
2. macOS 12 (Monterey) still on a couple of 2017 MacBook Airs - outside the supported-OS window. Replace.
3. Gatekeeper set to "Anywhere". This option is hidden on modern macOS; if you see it, it is because someone ran "sudo spctl --master-disable". Reset via "sudo spctl --master-enable".
4. Users running as admin with no separate standard account. Create a standard account for daily work.
5. Automatic updates off because "they reboot at the wrong time." Re-enable and schedule via MDM.
What Fig checks
Our CE readiness scan reviews Mac fleets (via MDM integration or attested inventory) for every v3.3 macOS clause and flags the specific devices that fall short. Typical Mac-heavy SMEs pass first-time at >95% with MDM, ~88% without.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.