Secure Home folders in macOS using Intune

-

If you have onboarded your macOS devices onto Defender for Endpoint, then more often than not, you will see the vulnerability recommendation flagging for 'Secure Home folders in macOS' affecting the secure score.



The potential risk here being is that allowing all users to view the top level of all networked user's home folder may not be desirable since it may lead to the revelation of sensitive information. This is because by default macOS allows all valid users into the top level of every networked user's home folder, with the ability to view the folder content and this can be a security risk.

The remediation steps involves running commands in Terminal for each user account with a local home folder to modify the permissions. In my honest opinion, if the macOS devices are meant for single user use, then this recommendation may not really apply. But in case of multiple users, it is a whole different story. Regardless of the device use, if you are looking to address this recommendation to improve the secure score, then please keeping reading. :-)

While the recommendation requires modifying permissions for each user account to Read & Write, I noticed during my testing that even after configuring the desired permissions against the user account, the recommendation didn't go away. This is when I realized that permissions needed to be modified for the Shared folder located under Users/Shared as well. Honestly, I am not sure why Microsoft requires setting the permissions for the Shared folder as it is normally required to be accessible by all users, but for some reason the recommendation doesn't like it being set with default permissions. What makes this super weird is that, hardening the permissions of the Shared folder is not flagged in the recommendation steps either. Be it as it may, the permissions need to be modified, so let's get into it.

I prepared a bash script to modify the permissions which will allow execution against both the current user and Shared folder. 

#!/bin/bash
currentuser=$(/bin/ls -la /dev/console | /usr/bin/cut -d ' ' -f 4)
sudo chmod -R og-rw /Users/$currentuser
sudo chmod -R og-rw /Users/Shared

Let's import it in Intune.

2. Go to Devices>Scripts & remediations>Platform scripts>Add>macOS.
3. Give a name & description.
4. Select the .sh script and set the execution settings as shown below or matching your requirements.

Note: Since the script is pulling the information of the current user in the variable and one might think that the script should run as signed-in user. However, changing permissions of the folder requires elevated permissions and so the script needs to run as superuser.

5. Assign script to group of devices or users.

Validation Results

The permissions will modify on the targeted macOS device for the targeted folders.



The device timeline on the Defender portal captures the actions and the events reflecting the modification of the permissions. You can see the script pulled the folder of the currently logged on user.


The timeline shows the permissions of the Shared folder getting modified as well.


And lastly, the recommendation will update the statistics around remediated devices.


You can create a remediation task against the remediation and that should update as well.




Final thoughts..

I will still like to do things for macOS the same way as one is able to do for Windows in Intune. Using built-in policies is my preferred way, but in absence of that you have to make use of what is available to you. Luckily bash scripts are super useful and surely a .sh script did the trick this time as well. It will be nice if the recommendation was clearer on setting the permissions of the Shared folder, but it is what it is. Speaking of which, if your users have a business requirement for using the Shared folder then maybe it will be a good idea to set the permissions to allow Execute as well.

You can do so by running the following - sudo chmod -R og-rwx /Users/Shared

It should then reflect as below -


That's it for now. Until next time..

Comments

  1. AnonymousSeptember 5, 2024 at 8:29 PM

    Question. To get the remediation points, does every account on the mac need to have the Home Folder secured? Let's say we have the main user account, an it admin account, and sometimes a third account. Your script would only secure the current user correct?

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-
Image
Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using  CloudAPAuthEnabled . Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online . If you want to know more about the use of these extensions, then you can read all about it over here . Let's see the new policy involving  CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions. CloudAPAuthEnabled   is a setting that can be configured using the policy  Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider .  By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatical
Read more