Assess macOS Security with cnspec

Rely on cnspec to ensure your macOS systems follow security best practices, such as verifying FileVault encryption, enforcing firewall settings, securing remote login and screen sharing, checking Gatekeeper status, managing software update policies, and auditing user account configurations.

Before you begin

Scan a macOS asset

Scan the local machine

To scan the machine cnspec is running on:

cnspec scan

Scan a remote machine over SSH

To scan a remote macOS machine using SSH:

cnspec scan ssh user@IP_ADDRESS

To use an SSH key for authentication:

cnspec scan ssh user@IP_ADDRESS -i /path/to/identity_key

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure FileVault encryption is enabled
✕ Fail:  Ensure the firewall is enabled
✓ Pass:  Ensure remote login (SSH) is disabled

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

By default, cnspec applies the Mondoo macOS Security policy, which covers FileVault, Gatekeeper, firewall, software updates, screen sharing, user accounts, and more. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Explore and test checks interactively

Run cnspec shell (or cnspec shell ssh user@IP_ADDRESS for remote systems) to discover resources on the system and test checks interactively. Use help macos to see macOS-specific resources.

Query the application layer firewall (ALF)

cnspec> macos.alf.globalState

Returns 0 (off), 1 (on for specific services), or 2 (block all incoming connections).

List users

cnspec> users { name group shell }

Filter users by group

cnspec> users.where(group.name == "nobody") { name uid home }

Get full details for all users

cnspec> users { * }

Example security checks

Ensure FileVault encryption is enabled

cnspec> command('fdesetup status').stdout.contains("FileVault is On")
[ok] value: true

Ensure the firewall is enabled

cnspec> command('/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate').stdout.contains("enabled")
[ok] value: true

Ensure remote login (SSH) is disabled

cnspec> command('systemsetup -getremotelogin').stdout.contains("Remote Login: Off")
[ok] value: true

Ensure no user has an empty password

cnspec> users.where( name != "nobody" ).all( password.empty == false )
[ok] value: true

Ensure automatic software updates are enabled

cnspec> command('defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled').stdout.trim == "1"
[ok] value: true

List all listening ports and their processes

cnspec> ports.listening { port protocol address process.executable }

These are just a few examples. The macOS Security policy includes dozens more checks covering Gatekeeper, software updates, screen sharing, user accounts, and more.
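The checks above can be collected into a custom policy bundle and passed to a scan with --policy-bundle. The bundle below is an added example, not part of the original page or the Mondoo macOS Security policy. Every uid, name, and title in it is constructed, and the file name in the note that follows is an assumption.

```yaml
# Added example (constructed): a minimal policy bundle built from checks on this page.
# Every uid, name, and title below is hypothetical.
policies:
  - uid: example-macos-baseline
    name: Example macOS Baseline
    version: "1.0.0"
    groups:
      - title: Disk encryption, firewall, remote login, updates
        # Apply this group only to macOS assets
        filters: asset.platform == "macos"
        checks:
          - uid: example-filevault-enabled
          - uid: example-alf-enabled
          - uid: example-remote-login-disabled
          - uid: example-update-check-enabled

queries:
  - uid: example-filevault-enabled
    title: Ensure FileVault encryption is enabled
    mql: |
      command('fdesetup status').stdout.contains("FileVault is On")

  - uid: example-alf-enabled
    title: Ensure the firewall is enabled
    # Uses the macos.alf resource instead of matching command output:
    # 1 = on for specific services, 2 = block all incoming connections
    mql: |
      macos.alf.globalState == 1 || macos.alf.globalState == 2

  - uid: example-remote-login-disabled
    title: Ensure remote login (SSH) is disabled
    # Block scalar keeps the ": " inside the MQL string from confusing YAML
    mql: |
      command('systemsetup -getremotelogin').stdout.contains("Remote Login: Off")

  - uid: example-update-check-enabled
    title: Ensure automatic software updates are enabled
    mql: |
      command('defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled').stdout.trim == "1"
```

Saved as example-macos.mql.yaml, the bundle runs with cnspec scan --policy-bundle example-macos.mql.yaml, and each query title appears as a pass or fail line in the scan output.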

Continuously scan your fleet

To move beyond one-off scans, register cnspec with Mondoo Platform. You get continuous monitoring across your macOS fleet, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.

Learn more

