Mac OS X Security

I have a question related to increasing security on a Mac to prevent software being installed remotely.

For some reason some companies remotely install software onto devices as soon as they are connected to their network, including personal machines. I was wondering if there's a way to prevent that? The only possibility I can think of that made that happen is the certificate that must be trusted when connecting to wireless.

I've tried multiple things and they didn't work:

  • Enabling firewall and blocking all incoming traffic except web
  • Creating and using only a "Standard" user account and not using the administrator account

Let me know if anyone know anything about this.

Set your Mac to only accept installs from the App Store.

Tried that too actually, didn't help...

Are you talking about the login window that comes up when you connect to some networks?

Wait what , where do you work , the fracking NSA?

ipat8: no, not the login window

Dreki: just your normal corporation, but they inject software to the system (personal included) on their network, so i am trying to find a way around it...

When I hear stuff like this , I'm glad I work at the place I do. At the same time I'm shocked at what is viewed as the norm. This just seems so immoral in my view.

Sounds a little odd to me. Many corporations use System Center to manage their estates and that has clients for OSX and Linux that will automatically ensure they are patched and running end-point protection etc. It can also be used to
Install other software.

However to install the client sudo permissions are required, that means that somehow you would need to accept something.

Personally if I want to use my own kit on corporate networks I either accept their terms else I just use guest WiFi or a 3G connection. In my opinion companies are well within their rights to control what is on the main company network.

Fair point , I just think auto installs go too far.

So the only thing I can think of is the certificate they make you accept when connecting to the wireless network. Would that allow people to install software on the system though?

Interestingly enough, it only happens on Mac and not Windows. Cause I believe they only do it if the Windows machine is on a domain.

That's what I think is odd, I don't think they can push software to your mac without first installing the OSX client. Once that is on there then yes, when you accept the certificate and join the network they could then push updates and endpoint protection etc.

Slightly old now but a nice breakdown of System Center Configuration manager setup for OSX:

I could of course be wrong and they might be using something other than System Center...

What have you found on your Mac that makes you think they are installing software onto it?

People just need to be very carefully when reading T's & C's before they hit next.

Usually a machine needs to be a domain member or have client software installed before other software can be auto-installed onto it. If you let them in however...

Few software I notice include VPN Software and McAfee. I'll take a look at the System Center Configuration article, but the installation image is from the Apple App Store so I don't think there's an external software.

In that case I am not sure how they have permission to install onto your system but you are probably correct and it's through the certificate.

I suggest you check out Little Snitch. This is exactly the kind of thing it is designed for and can be used to block the Apple Push Notification service etc.

I will give that a try, but was wondering if there's a way to do it internally within the mac without having to install any software?