Forum Discussion
Secure Score - Secure Home Folders in macOS
- BrandonJ365 Jun 18, 2024 Brass Contributor
I finally got it working. The issue is stupidity on Microsoft's part in their testing of the home folders. Apparently, their Department of Infinite Wisdom feels that the "Shared" folder should be locked down as well! The CIS benchmark specifically excludes the "Shared" folder because...you know...it's SUPPOSED to be available to all users! I first tested by manually setting the permissions for Shared on my own Mac and waited until the next day to see if it was reflected. Sure enough, it is. In my case, I had to leave "execute" permissions available on "Shared" due to the software for my docking station having its config file stored there. It appears the Secure Score test finds that acceptable.
- Sonbir Sep 18, 2025 Copper Contributor
Can you help me by sharing the article you followed to Secure Home Folders in macOS?
- BrandonJ365 Sep 18, 2025 Brass Contributor
I don't have any specific article links but I can share the shell scripts that I have used. First you need to decide if you're more concerned with "checking the box" to get credit on Microsoft's Secure Score, which requires locking down the "Shared" folder and could break stuff. If you are simply interested in better security and don't care about the score, and want to avoid breaking some poorly written apps, then you need to NOT alter the "Shared" folder.
The only examples of apps I know that get broken if you mess with "Shared" are Logi Tune and Logitech Options+.
As far as how you deploy a shell script to macOS, just do a search for doing that with Intune, JAMF, or whatever MDM you use.
This script will lock things down and give you credit on Secure Score:
#!/bin/bash
# Script to secure home folders according to CIS benchmark 5.1.1
# (this version also locks down /Users/Shared, which is what Secure Score checks for)

# Define variables
appname="SecureUsersHomeFolders"
logandmetadir="/Library/Logs/Microsoft/IntuneScripts/$appname"
log="$logandmetadir/$appname.log"

# Check if the log directory has been created
if [ -d "$logandmetadir" ]; then
    # Already created
    echo "$(date) | Log directory already exists - $logandmetadir"
else
    # Creating Metadirectory
    echo "$(date) | creating log directory - $logandmetadir"
    mkdir -p "$logandmetadir"
fi

# Function to Secure User's Home Folders
SecureUsersHomeFolders () {
    # Split find output on newlines only, so home folder names containing spaces survive
    IFS=$'\n'
    # Every top-level home directory that is not already mode 700, except Shared
    for userDirs in $(/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! -perm 700 | /usr/bin/grep -v "Shared"); do
        /bin/chmod -R og-rwx "$userDirs"
    done
    unset IFS
    # Strip group/other read and write from Shared but leave execute, so apps
    # that keep their config there can still traverse the folder
    /bin/chmod -R og-rw /System/Volumes/Data/Users/Shared
    echo "$(date) | User's Home Folders are now secured or already secured." | tee -a "$log"
}

# Call the function
SecureUsersHomeFolders

# Exit status
exit 0
This script will make you equally secure, without breaking certain apps, but will NOT get you credit in Secure Score:
#!/bin/bash
# Script to secure home folders according to CIS benchmark 5.1.1
# (this version leaves /Users/Shared alone, as the benchmark does)

# Define variables
appname="SecureUsersHomeFolders"
logandmetadir="/Library/Logs/Microsoft/IntuneScripts/$appname"
log="$logandmetadir/$appname.log"

# Check if the log directory has been created
if [ -d "$logandmetadir" ]; then
    # Already created
    echo "$(date) | Log directory already exists - $logandmetadir"
else
    # Creating Metadirectory
    echo "$(date) | creating log directory - $logandmetadir"
    mkdir -p "$logandmetadir"
fi

# Function to Secure User's Home Folders
SecureUsersHomeFolders () {
    # Split find output on newlines only, so home folder names containing spaces survive
    IFS=$'\n'
    # Every top-level home directory that is not already mode 700, except Shared
    for userDirs in $(/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! -perm 700 | /usr/bin/grep -v "Shared"); do
        /bin/chmod -R og-rwx "$userDirs"
    done
    unset IFS
    echo "$(date) | User's Home Folders are now secured or already secured." | tee -a "$log"
}

# Call the function
SecureUsersHomeFolders

# Exit status
exit 0
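Neither posted script reports what it found or verifies the result afterwards, so here is an audit-and-remediate companion written as an added example; it is not the poster's code and not from any vendor. It takes the Users root as an argument so the same functions can be run read-only against /System/Volumes/Data/Users on a real Mac or exercised on the constructed temp tree built by make_demo_users(). The function names, the "vendor" subfolder under Shared and the alice/bob homes are all made up for the demo. Permission bits are read from ls -ld so the check behaves the same under BSD (macOS) and GNU userland.

```shell
#!/bin/bash
# Added example (not the forum poster's script): audit and remediate
# CIS 5.1.1 home-folder permissions under a Users root passed as $1.

# Group+other permission string of a path, e.g. "r-xr-x" for mode 755.
# Parsed from ls -ld so it behaves the same under BSD (macOS) and GNU ls.
go_bits() {
    ls -ld "$1" | cut -c5-10
}

# Succeed when group/other hold no read or write bit. With allow_exec=yes
# the execute/sticky bits are tolerated: that is the Shared compromise from
# the thread (chmod og-rw), where traversal must keep working.
is_locked() {
    local bits allow_exec="${2:-no}"
    bits=$(go_bits "$1")
    case "$bits" in
        *r*|*w*) return 1 ;;
    esac
    if [ "$allow_exec" != "yes" ]; then
        case "$bits" in
            *x*|*t*|*T*|*s*|*S*) return 1 ;;
        esac
    fi
    return 0
}

# Number of home directories under $1 (Shared excluded, as CIS excludes it)
# whose group/other bits are not empty. Zero means the benchmark check passes.
count_noncompliant() {
    local n=0 d
    for d in "$1"/*/; do
        d="${d%/}"
        [ "$(basename "$d")" = "Shared" ] && continue
        is_locked "$d" || n=$((n + 1))
    done
    echo "$n"
}

# Remediation equivalent to the two posted scripts: strip group/other rwx
# recursively from every home directory; with lock_shared=yes also strip
# group/other rw from Shared while keeping its execute bit.
secure_homes() {
    local root="$1" lock_shared="${2:-no}" d
    for d in "$root"/*/; do
        d="${d%/}"
        [ "$(basename "$d")" = "Shared" ] && continue
        chmod -R og-rwx "$d"
    done
    if [ "$lock_shared" = "yes" ] && [ -d "$root/Shared" ]; then
        chmod -R og-rw "$root/Shared"
    fi
}

# Constructed stand-in for /Users: one default (755) home, one already
# locked (700) home, and a stock 1777 Shared folder with a world-writable
# vendor subfolder of the kind the thread says some apps keep there.
make_demo_users() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/alice/Documents" "$root/bob" "$root/Shared/vendor"
    chmod 755 "$root/alice" "$root/alice/Documents"
    chmod 700 "$root/bob"
    chmod 1777 "$root/Shared"
    chmod 777 "$root/Shared/vendor"
    echo "$root"
}

demo() {
    local root
    root=$(make_demo_users)
    echo "before: $(count_noncompliant "$root") non-compliant home(s), Shared=$(go_bits "$root/Shared")"
    secure_homes "$root" no
    echo "after, Shared untouched: $(count_noncompliant "$root") non-compliant, Shared=$(go_bits "$root/Shared")"
    secure_homes "$root" yes
    echo "after, Shared locked: Shared=$(go_bits "$root/Shared")"
    rm -rf "$root"
}

demo
```

Before pushing either posted script through an MDM, `count_noncompliant /System/Volumes/Data/Users` is a read-only way to see how many homes the change will touch, and `is_locked /System/Volumes/Data/Users/Shared yes` checks the state the poster reports as accepted by Secure Score (execute left on Shared, read and write removed).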
- EnderGG Dec 11, 2024 Copper Contributor
Wow, that sounds insane! Thank you for going through all that, I'm in the same boat here. Tbh, I don't know how viable this is in a school setting like mine, however I have been trying my hand at this and seem to be getting an issue with "shared folders", especially cloud-synced folders. I might just accept the risk on this one and move on; it's not really worth the time.