
Mac Security Baselines: What NCSC and CIS Want UK Businesses to Configure

NCSC's macOS guidance and the CIS Apple macOS Benchmark cover most of what UK businesses need on Mac. Here's what they say, where they overlap, and what to do about macOS Tahoe.


Dustin Rhodes

Stabilise

[Image: Mac System Settings privacy and security panel with FileVault, Gatekeeper, and Firewall controls enabled]

There's no shortage of Mac security guidance written for UK businesses. The problem is that most of it is either too vague to act on, too American to map to anything UK auditors care about, or so detailed it reads like a compliance audit log rather than a setup checklist.

Two baselines stand out. The NCSC's macOS device security guidance, written for UK government and medium-to-large business deployments. And the CIS Apple macOS Benchmark, used worldwide as a vendor-neutral configuration standard. They agree on most of what matters, disagree at the edges, and between them they cover what UK businesses need to lock down on Mac.

This post is the honest read on both. What they say, where they overlap, what's worth doing first, and how the macOS Tahoe changes shipped in autumn 2025 alter the picture.

What a baseline is and why you want one

A security baseline is a list of configuration settings that a Mac should have, with the values it should have them set to. FileVault on. Screen lock after ten minutes. Gatekeeper enforcing signed apps. Software updates installing on a schedule. The list is longer, but that's the shape.

The point of using a published baseline rather than writing your own is twofold. You get something you can defend in an audit, because a third party wrote it, and you avoid the trap of every IT person on the team configuring Macs slightly differently. Pick one, deploy it through MDM, and every new Mac that joins the fleet inherits the same posture.

For UK businesses, the practical question is which baseline to pick. The honest answer is both, layered.

What NCSC says about Mac

The NCSC's macOS platform guide is short by design. It was written for government departments and businesses big enough to have an IT team, and it focuses on the controls that block the most common attacks rather than a full hardening checklist.

The headline controls are familiar:

  • Full-disk encryption with FileVault, escrowing the recovery key to your MDM
  • Screen lock after ten minutes of inactivity
  • Strong password policy enforced through MDM
  • Gatekeeper set to hard enforcement, so only signed apps from identified developers or the App Store run
  • Automatic OS and app updates
  • iCloud restrictions, including disallowing personal Apple IDs on enterprise devices
  • XProtect for built-in malware protection, optionally layered with third-party EDR
  • VPN configured for any remote access, with always-on VPN through a third-party app where required

The NCSC guidance was last verified against macOS 14.6 (Sonoma) and 15.5 (Sequoia) in mid-2025, and the page was last reviewed in May 2025. There is no Tahoe-specific update at the time of writing, though most of the underlying controls map cleanly across versions.

What sets NCSC apart for UK businesses is the Device Security Guidance Configuration Packs repository on GitHub. They publish actual .mobileconfig files you can deploy directly through any MDM, plus a CSV listing every setting and what it does. The macOS pack includes a provisioning script, a VPN configuration example, and the full configuration profile.

If you're running an Apple fleet for a UK business and you've never read the NCSC macOS pages, that GitHub repo is the single highest-value thing to look at. It's free, it's specific, and a UK auditor will recognise it.

What CIS says about Mac

The CIS Apple macOS Benchmark is broader. The current version for the OS most UK businesses are on is CIS Apple macOS 15.0 Sequoia v2.0.0, published in early March 2026.

CIS splits its recommendations into two levels:

Level 1 is what they call a sensible baseline. Around 80 rules covering FileVault, password policy, screen saver, audit logging, network configuration, Gatekeeper, software update behaviour, sharing services, and dozens of smaller controls. The intent is that Level 1 should be deployable to a standard Mac fleet without breaking common workflows.

Level 2 is for high-security environments. It adds rules that may interfere with day-to-day work, things like disabling AirDrop entirely, more aggressive logging retention, and stricter network restrictions. Useful in regulated industries, often overkill for a typical UK SME.

The big practical difference between NCSC and CIS is depth. NCSC tells you the dozen controls that matter most. CIS gives you the audit checklist with every setting numbered and explained. They overlap heavily on the priority controls. CIS adds dozens of smaller items that, individually, may not matter much but collectively close gaps NCSC doesn't explicitly cover.

A useful companion to both is the NIST macOS Security Compliance Project (mSCP). It's a US government project that publishes machine-readable baselines for Sonoma, Sequoia, and Tahoe, including CIS Level 1 and 2, CMMC, DISA STIG, and NIST 800-53 mappings. If you ever need to prove a Mac configuration maps to a specific compliance framework, mSCP is where the mapping work has already been done.

Where the baselines agree

Most of what matters is in both lists. If you do these eight things, you're past the point where most attacks succeed:

  1. FileVault on, recovery key escrowed to MDM. A lost Mac with FileVault on and a strong login password is a hardware loss, not a data loss. Without the escrowed key, a forgotten password is a data loss too.
  2. Strong passcode with screen lock after a short idle period. Ten minutes is the NCSC recommendation. Five is better if your users will tolerate it.
  3. Gatekeeper on hard enforcement. Only App Store or signed developer apps run. No "Open Anyway" right-click escape.
  4. Automatic OS and app updates. Apple ships security patches frequently. Anything you defer past a week is a window.
  5. No personal Apple IDs on enterprise devices. Use Managed Apple Accounts through Apple Business Manager.
  6. MDM enrolment via Automated Device Enrolment. Devices enrolled out of the box, with profiles applied before the first user login.
  7. XProtect plus, for compliance or higher-risk environments, a real EDR. XProtect is meaningfully better than its reputation, but it's reactive and signature-based. EDR closes the behavioural gap.
  8. Audit logging enabled and forwarded. Macs generate good logs. They're useless if nothing reads them.

Doing those eight properly, and proving they stay done, is most of the work. The rest is edge cases and audit completeness.
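Most of the agreed controls can be read back from the Mac itself, which is how you prove they "stay done" between MDM reports. The script below is an added example, not code from NCSC, CIS or this post: each check_ function takes the output of the relevant macOS command as a string, so the parsing can be tried on sample text anywhere, and the real collection only runs on Darwin. The thresholds (screen lock within 600 seconds, every update key set to 1) are assumptions taken from the controls above; the Apple ID restriction, EDR and log forwarding are enforced and evidenced from the MDM/EDR side and are not checked here.

```shell
#!/bin/bash
# Added example (not NCSC, CIS or the post's own code): a read-only audit of the
# agreed controls that are visible from the command line on the Mac itself.
set -u

# 1. FileVault: `fdesetup status` prints "FileVault is On." when the disk is encrypted.
check_filevault() {
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# 2. Screen lock: idleTime is seconds of inactivity before the screen saver starts;
#    0 means never. Pass when it is set and no longer than $2 (default 600 = 10 minutes).
check_screen_lock() {
    local idle="$1" max="${2:-600}"
    case "$idle" in ''|*[!0-9]*) return 1 ;; esac   # unset or non-numeric: fail closed
    [ "$idle" -gt 0 ] && [ "$idle" -le "$max" ]
}

# 3. Gatekeeper: `spctl --status` prints "assessments enabled" under enforcement.
check_gatekeeper() {
    case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# 4. Automatic updates: keys from /Library/Preferences/com.apple.SoftwareUpdate as
#    printed by `defaults read`. Every listed key must be 1.
softwareupdate_key_on() {   # $1 = defaults output, $2 = key name
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*1;"
}
check_auto_updates() {
    local key
    for key in AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates \
               ConfigDataInstall CriticalUpdateInstall; do
        softwareupdate_key_on "$1" "$key" || return 1
    done
    return 0
}

# 6. MDM enrolment: `profiles status -type enrollment` reports ADE ("DEP") and MDM state.
check_ade_enrolment() {
    case "$1" in *"Enrolled via DEP: Yes"*) ;; *) return 1 ;; esac
    case "$1" in *"MDM enrollment: Yes"*) return 0 ;; *) return 1 ;; esac
}

# Firewall (a CE+ control both baselines require): socketfilterfw prints "State = 1"
# (on) or "State = 2" (block all incoming).
check_firewall() {
    case "$1" in *"State = 1"*|*"State = 2"*) return 0 ;; *) return 1 ;; esac
}

FAILS=0
report() {   # $1 = label, $2 = exit status of the check that just ran
    if [ "$2" -eq 0 ]; then printf 'PASS  %s\n' "$1"
    else printf 'FAIL  %s\n' "$1"; FAILS=$((FAILS + 1)); fi
}

# Collection: only on macOS. Some commands need root to read their settings.
if [ "$(uname -s)" = Darwin ]; then
    check_filevault "$(fdesetup status 2>/dev/null)"; report "FileVault on" $?
    check_screen_lock "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)"
    report "Screen lock within 10 minutes" $?
    check_gatekeeper "$(spctl --status 2>&1)"; report "Gatekeeper enforcing" $?
    check_auto_updates "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null)"
    report "Automatic updates on" $?
    check_ade_enrolment "$(profiles status -type enrollment 2>/dev/null)"; report "ADE + MDM enrolled" $?
    check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)"
    report "Application firewall on" $?
    exit "$FAILS"   # non-zero = number of drifted controls; usable as an MDM extension attribute
fi
```

Run it as root from your MDM as a script or extension attribute and treat any non-zero exit as drift. The string matches are deliberately loose (substring, not exact output), because Apple changes wording between releases; check them against a known-good Mac on each new macOS version before trusting the results fleet-wide.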

Where they disagree, and what to do about it

NCSC and CIS diverge on a few things that matter to UK businesses.

Software update enforcement. CIS specifies particular settings around deferral periods, beta enrolment, and automatic install of system data files. NCSC just says "automatic updates on." If you're running Cyber Essentials Plus, the CIS-level specificity matters because the assessor will check that updates apply within 14 days of release.

Sharing services. CIS Level 1 wants you to disable file sharing, screen sharing, remote login, and remote management unless explicitly needed. NCSC leaves this to risk judgement. In practice, most UK SMEs should follow CIS here: disable everything by default, enable per-machine only where required.

Bluetooth and AirDrop. CIS Level 2 disables both. NCSC has no view. Reality is most creative agencies in London need AirDrop on for asset handoff. Keep it on, set the discoverable-by setting to Contacts Only, and don't pretend you've disabled it.

Logging retention. CIS specifies a minimum audit log retention (60 days or 5 GB in the Sonoma and Sequoia benchmarks). NCSC doesn't. If you're aiming at ISO 27001 or any contractual security obligation, follow CIS.
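The three CIS-specific items above each have a concrete thing to read off the Mac: the Remote Login state, the expire-after line in /etc/security/audit_control, and the managed update deferral. The script below is an added example, not CIS or NCSC code. The parsers take file or command text as $1 so they can be exercised on sample input; collection runs only on Darwin. The retention minimum and the update window are parameters rather than hard-coded, since the right figures depend on the benchmark version and question set you are being assessed against. The launchd labels com.apple.smbd and com.apple.screensharing and the enforcedSoftwareUpdateDelay restriction key are real but their use here is my assumption about how to read those states.

```shell
#!/bin/bash
# Added example (not CIS or NCSC code): checks for the CIS-specific items the text
# singles out: sharing services, audit log retention and software update deferral.
set -u

# Convert one audit_control(5) expire-after term to whole days. Time forms are
# <n>s, <n>m, <n>h, <n>d, <n>y; size forms (B, K, M, G) are not retention time and
# map to 0. Terms may be joined with AND/OR, e.g. "expire-after:60d OR 5G".
term_to_days() {
    local n="${1%?}" unit="${1##*[0-9]}"
    case "$n" in ''|*[!0-9]*) echo 0; return ;; esac
    case "$unit" in
        s) echo $((n / 86400)) ;;
        m) echo $((n / 1440)) ;;
        h) echo $((n / 24)) ;;
        d) echo "$n" ;;
        y) echo $((n * 365)) ;;
        *) echo 0 ;;          # size unit or unknown suffix
    esac
}

# Largest time term on the expire-after line, in days; 0 if absent or size-only.
# Note: a size term joined with OR can expire logs before the time term is reached,
# so this reports the configured time bound, not a guarantee.
audit_retention_days() {     # $1 = contents of /etc/security/audit_control
    local line term best=0 d
    line=$(printf '%s\n' "$1" | sed -n 's/^expire-after:[[:space:]]*//p' | head -n 1)
    for term in $line; do    # intentionally unquoted: split on the spaces around AND/OR
        case "$term" in AND|OR) continue ;; esac
        d=$(term_to_days "$term")
        if [ "$d" -gt "$best" ]; then best=$d; fi
    done
    echo "$best"
}
check_audit_retention() {    # $1 = audit_control text, $2 = minimum days
    [ "$(audit_retention_days "$1")" -ge "$2" ]
}

# Remote Login (SSH): `sudo systemsetup -getremotelogin` prints "Remote Login: Off".
check_remote_login_off() {
    case "$1" in *"Remote Login: Off"*) return 0 ;; *) return 1 ;; esac
}

# Other sharing services are launchd jobs in the system domain; `launchctl print`
# exits 0 only when the job is loaded. macOS only.
service_loaded() { launchctl print "system/$1" >/dev/null 2>&1; }

# Software update deferral: enforcedSoftwareUpdateDelay (days) from the managed
# com.apple.applicationaccess preferences. Empty means no deferral. Fail if the
# deferral is longer than the patch window in $2 (the text uses 14 days for CE+).
check_update_deferral() {    # $1 = value printed by defaults read (may be empty), $2 = max days
    local delay="${1:-0}"
    case "$delay" in *[!0-9]*) return 1 ;; esac   # non-numeric: fail closed
    [ "$delay" -le "$2" ]
}

if [ "$(uname -s)" = Darwin ]; then
    MIN_DAYS="${MIN_DAYS:-60}"   # assumption: override to match your benchmark version
    check_audit_retention "$(cat /etc/security/audit_control 2>/dev/null)" "$MIN_DAYS" \
        && echo "PASS  audit retention >= $MIN_DAYS days" || echo "FAIL  audit retention"
    check_remote_login_off "$(systemsetup -getremotelogin 2>/dev/null)" \
        && echo "PASS  Remote Login off" || echo "FAIL  Remote Login on"
    for svc in com.apple.smbd com.apple.screensharing; do
        service_loaded "$svc" && echo "FAIL  $svc loaded" || echo "PASS  $svc not loaded"
    done
    check_update_deferral "$(defaults read /Library/Managed\ Preferences/com.apple.applicationaccess \
        enforcedSoftwareUpdateDelay 2>/dev/null)" 14 \
        && echo "PASS  update deferral <= 14 days" || echo "FAIL  update deferral too long"
fi
```

The deferral check is the one CE+ assessors actually trip people on: a 30-day deferral set years ago to avoid a bad release quietly breaks the 14-day patch window. For machines where file or screen sharing is genuinely needed, record the exemption next to the device rather than turning the check off.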

macOS Tahoe (macOS 26) changed the shape

Apple's enterprise release notes for macOS Tahoe shifted several things that both baselines are still catching up on.

Declarative app management. App Store apps, Custom Apps, and packages can now deploy through declarative device management rather than the older MDM commands. Faster, more reliable, and survives network blips that broke the old model. If you're choosing an MDM in 2026, declarative support is the first feature to check.

Apple Intelligence and Siri controls moved. Restrictions for Apple Intelligence, Siri, and keyboard settings can now be delivered as declarative configurations. The older restriction-based profiles (com.apple.applicationaccess) still work, but if you're writing new profiles you want the declarative versions.

Platform SSO during Setup Assistant. Platform SSO can now activate and enforce during Setup Assistant with Automated Device Enrolment. For Microsoft Entra ID or Okta shops, this means a user can authenticate with their corporate identity before they finish first-boot. No more "set up local user, then add SSO afterward."

FileVault over SSH. A Mac with Remote Login on can have its FileVault unlocked over SSH after a restart. Useful for headless Macs in racks. Be careful with this one: it means the pre-boot state accepts network logins, so the SSH credential is now part of the FileVault boundary and should be key-based and tightly scoped. If you don't need it, don't enable Remote Login.

Authenticated guest mode with NFC. A new "Tap to Login" pattern with NFC accessories. Niche but interesting for shared-Mac workflows in retail or hot-desk environments.

The practical implication for baselines is that new deployments in 2026 should be on declarative configurations where possible. The NCSC config pack hasn't fully migrated and the CIS Tahoe benchmark is still maturing, so the mSCP Tahoe baseline is currently the closest thing to a declarative-ready reference.

How this maps to Cyber Essentials Plus

UK businesses pursuing Cyber Essentials Plus get most of what they need from a properly applied baseline plus MDM.

The five CE+ technical controls map to Mac baseline controls cleanly:

  • Firewalls. Application Layer Firewall on. NCSC and CIS both require it.
  • Secure configuration. This is what a baseline is. NCSC pack or CIS L1, either works.
  • User access control. Standard user accounts for daily work, separate admin accounts, screen lock, strong password policy.
  • Malware protection. XProtect, plus, under the v3.3 question set, evidence of how detection works and how it is kept current.
  • Security update management. Automatic updates within 14 days. CIS L1 enforces this explicitly.

Where Macs trip CE+ assessors is rarely the baseline itself. It's the gap between "we have a baseline" and "we can prove every Mac in the fleet matches it on the day of the assessment." That's an MDM and reporting problem, not a configuration problem.

For mixed fleets, the same baseline thinking applies to Windows and Linux, just with different sources (Microsoft Security Baselines for Windows, CIS Linux benchmarks for whichever distribution).

A pragmatic implementation order

If you're starting from a fleet that's been unmanaged or loosely managed:

  1. Get every Mac into MDM via Automated Device Enrolment. Without this, nothing else sticks. Apple Business Manager is free and handles enrolment and Managed Apple Accounts, but it is not an MDM on its own: you still need Jamf, Intune, Iru or similar behind it.
  2. Deploy the NCSC macOS configuration pack as your baseline. It's free, UK-aligned, and covers the priority controls.
  3. Audit against CIS Level 1. Use a tool like Jamf Pro's built-in CIS benchmarks, Addigy's compliance dashboard, or the mSCP scripts directly. Identify gaps.
  4. Close the L1 gaps that matter. Logging, sharing services, software update deferral, audit retention.
  5. Add EDR if you have any compliance obligation or high-risk users. Apple's XProtect is solid baseline malware protection. It's not threat detection.
  6. Set a quarterly drift review. Use your MDM's compliance reporting. Flag any device that's drifted from baseline and either bring it back or document why it's exempt.
  7. Move new deployments to declarative configurations as your MDM catches up. This is the direction of travel for the rest of the decade.

Step 1 takes a few days. Steps 2-6 take a few weeks if you've not done them before, less if you have. Step 7 is ongoing.

What baselines don't cover

A baseline is a starting line, not a destination. It does not cover:

  • Identity. Who can sign into this Mac, with what credentials, with what conditional access? Baselines assume this is handled separately by Entra ID, Okta, Jamf Connect, or Platform SSO.
  • Backup. Time Machine to an encrypted external is a personal-Mac answer. Fleet backup wants iCloud Drive for documents plus a separate backup of any local-only data. Bear in mind that iCloud Drive is sync, not backup: a deleted or encrypted file propagates, and only survives for the recovery window, so anything you would need after a ransomware or wiper event needs a real backup.
  • Application allowlisting. Gatekeeper blocks unsigned apps. It doesn't stop a signed app you don't want users running. For that you need MDM app restrictions or a third-party tool.
  • Network segmentation. Macs sit on whatever network they're plugged into. That's a firewall and VLAN problem, not a Mac problem.
  • User training. No baseline saves you from a user who pastes their password into a phishing site. The eight controls above raise the floor. They don't replace human judgement.

These belong in a broader security plan that the Mac baseline supports rather than replaces.

The honest summary

Two baselines, both worth knowing, neither sufficient on its own:

  • NCSC's macOS guidance is the right starting point for UK businesses. Short, specific, UK-aligned, and ships with deployable profiles. Pair it with MDM and you're past most of what matters.
  • CIS Apple macOS Benchmark is the right second layer for anything requiring formal compliance or audit. Deeper, more prescriptive, and the lingua franca of security assessors worldwide.
  • NIST mSCP is where you go when you need to map to a specific compliance framework. Free, machine-readable, and covers Tahoe.
  • Apple Business Manager plus a real MDM is the delivery vehicle. Baselines are useless if they're not enforced and re-checked.

For UK SMEs starting from zero, the order is MDM first, NCSC pack second, CIS L1 audit third, EDR for anything regulated. Most teams can be at a defensible baseline in a fortnight if they commit to the work.

If you'd like a hand applying these baselines to your fleet, get in touch. We do this for a living.