Apple Device Security: ACSP Exam Preparation Guide

Why Security Is Critical for the ACSP Exam
Security is one of the most important domains on the Apple Device Support exam, and it is also one of the areas where candidates most frequently lose marks. Apple's security architecture is multi-layered, with each feature serving a specific purpose. The exam tests not only your knowledge of what each feature does, but also how they work together, how to configure them, and how to troubleshoot security-related issues.
Understanding Apple device security is also one of the most directly career-relevant parts of the ACSP certification. Organisations deploying Apple devices need IT professionals who can ensure those devices meet security compliance requirements, protect sensitive data, and resist modern threats.
Gatekeeper
Gatekeeper is macOS's first line of defence against malicious software. It controls which applications are allowed to run based on their source and signing status.
How Gatekeeper Works
When a user attempts to open an application downloaded from the internet, Gatekeeper checks:
- Is the app from the App Store? App Store apps have been reviewed by Apple and are always allowed.
- Is the app signed by an identified developer? Developers can register with Apple and digitally sign their apps with a Developer ID certificate. Gatekeeper verifies this signature.
- Has the app been notarised? Since macOS Catalina, Apple requires developers to submit apps for notarisation, an automated security check that scans for malicious content. Notarised apps receive a ticket that Gatekeeper verifies.
Gatekeeper Settings
In System Settings > Privacy & Security, Gatekeeper offers two options:
- App Store - Only apps downloaded from the Mac App Store are allowed
- App Store and identified developers - Apps from the App Store and those signed with a valid Developer ID are allowed
There is no longer a graphical option to allow apps from "anywhere" (this was removed in macOS Sierra). However, the restriction can be overridden on a per-app basis: if a user tries to open a blocked app, they can go to System Settings > Privacy & Security and click "Open Anyway."
Exam Points
- Gatekeeper checks are performed only on first launch of a downloaded application
- Gatekeeper relies on quarantine attributes set by the browser or application that downloaded the file
- If the quarantine attribute is removed (for example, by using xattr -d com.apple.quarantine in Terminal), Gatekeeper will not check the application
- MDM can enforce Gatekeeper settings via configuration profiles, preventing users from overriding them
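As an added example (not part of this guide), the following POSIX shell script decodes the com.apple.quarantine attribute value that Gatekeeper's first-launch check depends on, so a support technician can see which application quarantined a download and when. The field layout, the helper names and the sample value are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the ACSP guide: decode the com.apple.quarantine
# extended attribute that Gatekeeper's first-launch check depends on.
# Assumed layout of the value (LaunchServices quarantine record):
#   <flags hex>;<download time as hex Unix epoch>;<downloading agent>;<UUID>
# On a Mac the live value is read with:  xattr -p com.apple.quarantine FILE

# quarantine_field VALUE N -> prints field N (1-4) of the attribute value
quarantine_field() {
    printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# quarantine_epoch VALUE -> download time as a decimal Unix timestamp
quarantine_epoch() {
    hexts=$(quarantine_field "$1" 2)
    echo $((0x$hexts))
}

# quarantine_agent VALUE -> name of the app that set the attribute
quarantine_agent() {
    quarantine_field "$1" 3
}

# quarantine_report FILE -> one line saying whether Gatekeeper will assess
# FILE and, if so, who quarantined it; exit status 1 when the attribute is absent
quarantine_report() {
    value=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || {
        echo "$1: no quarantine attribute; Gatekeeper will not assess it"
        return 1
    }
    epoch=$(quarantine_epoch "$value")
    # BSD date (macOS) takes -r SECONDS; fall back to GNU date syntax elsewhere
    when=$(date -u -r "$epoch" 2>/dev/null || date -u -d "@$epoch")
    echo "$1: quarantined by $(quarantine_agent "$value") at $when" \
         "(flags $(quarantine_field "$value" 1))"
}

# Constructed sample value in the layout above (not a real download record)
SAMPLE='0083;64a1b2c3;Safari;01234567-89AB-CDEF-0123-456789ABCDEF'

# Usage on a Mac: sh quarantine.sh ~/Downloads/SomeApp.dmg
if [ $# -gt 0 ]; then
    quarantine_report "$1"
fi
```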
System Integrity Protection (SIP)
System Integrity Protection is a security feature that restricts the root user account's ability to modify protected parts of the macOS file system and system processes. Even if malware gains root access, SIP prevents it from modifying critical system files.
What SIP Protects
SIP protects several key areas:
- /System - The core macOS operating system files
- /usr (except /usr/local) - System binaries and libraries
- /bin and /sbin - Essential system commands
- System-signed applications (Safari, Mail, Finder, etc.)
- Kernel extensions - Only properly signed kexts can load
How SIP Works
SIP is enforced at the kernel level, which means no process running within macOS, including processes with root privileges, can override it. The only way to disable SIP is to boot into macOS Recovery and use the csrutil disable command from Terminal.
Exam Points
- SIP is enabled by default on all modern Macs
- SIP cannot be disabled while macOS is running normally; it requires booting into Recovery
- Disabling SIP is generally not recommended and is only appropriate for specific development or troubleshooting scenarios
- On Apple silicon Macs, changing SIP settings requires authentication with an administrator account that has a Secure Token
- SIP status can be checked with csrutil status in Terminal
FileVault
FileVault is macOS's full-disk encryption feature. When enabled, it encrypts the entire contents of the startup volume using XTS-AES-128 encryption with a 256-bit key, protecting data at rest from unauthorised access.
How FileVault Works
When FileVault is enabled:
- The entire startup volume is encrypted
- Users must authenticate at the pre-boot login screen before the disk is decrypted and macOS loads
- Only users enabled for FileVault can unlock the disk at startup
- A recovery key is generated that can decrypt the disk if the user's password is forgotten
FileVault Recovery Options
FileVault provides two recovery mechanisms:
- Personal recovery key - A 24-character alphanumeric key generated during FileVault setup. This can be stored by the user, by the organisation's IT department, or escrowed to an MDM solution.
- Institutional recovery key - A certificate-based recovery key that allows an organisation to unlock any Mac encrypted with their institutional key. This is typically deployed via MDM.
Managing FileVault with MDM
MDM solutions can:
- Enforce FileVault encryption via configuration profiles
- Automatically escrow recovery keys so they are stored securely on the MDM server
- Rotate recovery keys on a schedule for security compliance
- Verify FileVault status on managed devices
Exam Points
- FileVault encrypts the entire startup volume, not individual files
- On Apple silicon Macs, the storage is always encrypted at the hardware level; FileVault adds an additional layer that ties decryption to user authentication
- The first user account enabled for FileVault can unlock the disk at startup; additional users must be explicitly enabled
- FileVault does not significantly impact system performance on modern hardware
- If both the user password and recovery key are lost, the data on the encrypted disk is permanently inaccessible
XProtect
XProtect is macOS's built-in anti-malware system. It operates silently in the background, scanning for known malware signatures when applications are launched, files are downloaded, or the system detects suspicious behaviour.
How XProtect Works
XProtect uses two main components:
- XProtect signature database - A regularly updated database of known malware signatures. When a file matches a known signature, macOS blocks it and notifies the user.
- XProtect Remediator - A tool that scans for and removes known malware that has already been installed. It runs periodically in the background and can remediate infections without user interaction.
Updates
XProtect signatures are updated automatically by Apple through the macOS software update mechanism. These updates happen silently in the background and do not require a system restart. This means macOS can receive protection against new threats without requiring the user to install a full macOS update.
Exam Points
- XProtect is always active and cannot be disabled by the user
- XProtect signature updates are delivered independently of macOS updates
- XProtect works alongside Gatekeeper and notarisation as part of macOS's layered security
- XProtect Remediator can remove certain known malware automatically
- XProtect is not a replacement for enterprise endpoint security solutions but provides a baseline level of protection
The macOS Firewall
macOS includes a built-in application-level firewall that controls incoming network connections to the Mac. It is configured in System Settings > Network > Firewall.
Firewall Options
- Enable/disable the firewall - The firewall is disabled by default on macOS
- Block all incoming connections - Blocks all incoming connections except those required for basic network services (DHCP, Bonjour, IPSec)
- Per-application rules - Allow or block incoming connections for specific applications
- Stealth Mode - When enabled, the Mac does not respond to ICMP ping requests or connection attempts from closed TCP and UDP ports, making it less visible on the network
What the Firewall Does and Does Not Do
The macOS firewall is an incoming connection firewall. It controls traffic coming into the Mac from other devices on the network. It does not filter outgoing connections (traffic from the Mac to other devices or the internet). This is an important distinction for the exam.
For more comprehensive network filtering, including outgoing traffic control, organisations typically use third-party firewall solutions or network-level firewalls.
Exam Points
- The macOS firewall is disabled by default
- It controls incoming connections only, not outgoing traffic
- Signed applications from identified developers are automatically trusted unless specifically blocked
- MDM can configure and enforce firewall settings via configuration profiles
- The firewall can also be managed via the socketfilterfw command in Terminal
Lockdown Mode
Lockdown Mode is a security feature introduced in macOS Ventura, iOS 16, and iPadOS 16 that provides an extreme level of protection for users who may be targeted by sophisticated, state-sponsored cyberattacks. It is designed for a very small number of high-risk individuals, such as journalists, activists, and diplomats.
What Lockdown Mode Restricts
When enabled, Lockdown Mode significantly restricts device functionality to reduce the attack surface:
- Messages: Most attachment types are blocked; link previews are disabled
- Web browsing: Certain web technologies (JIT JavaScript compilation, some fonts, some media codecs) are disabled in Safari and WebKit-based browsers
- FaceTime: Incoming FaceTime calls from unknown contacts are blocked
- Apple services: Incoming invitations for Apple services (Home, etc.) from unknown contacts are blocked
- Wired connections: When the device is locked, wired connections to computers and accessories are blocked
- Configuration profiles: Configuration profiles cannot be installed, and the device cannot be enrolled in MDM while Lockdown Mode is active
- Shared albums: Removed from Photos; new shared album invitations are blocked
Exam Points
- Lockdown Mode is intended for high-risk users, not general deployment
- It significantly reduces device functionality and usability
- Users must explicitly enable it in Settings; it is not enabled by default
- Lockdown Mode affects all apps and services on the device, not just Apple apps
- On macOS, some web technologies and shared features are restricted
- MDM cannot install profiles on a device with Lockdown Mode enabled
Activation Lock
Activation Lock is an anti-theft feature tied to the Find My service. When enabled, the device requires the owner's Apple ID and password (or device passcode) before it can be erased and set up as a new device.
How Activation Lock Works
Activation Lock is automatically enabled when Find My is turned on. If a device is lost or stolen:
- The device cannot be reactivated without the owner's Apple ID credentials
- Even a factory reset does not remove Activation Lock
- The device is essentially useless to a thief
MDM and Activation Lock
Organisations can manage Activation Lock through MDM:
- MDM can bypass Activation Lock on supervised devices using a bypass code stored on the MDM server
- This is essential for organisations that need to repurpose or redeploy devices without requiring the previous user's Apple ID credentials
- The bypass code is generated when the device is enrolled and supervised through MDM
Exam Points
- Activation Lock requires Find My to be enabled
- It cannot be removed without the Apple ID password or an MDM bypass code
- MDM bypass only works on supervised devices
- Activation Lock applies to Macs, iPhones, and iPads
Bringing It All Together
Apple's security architecture is designed as a series of overlapping layers. For the exam, understand how these features complement each other:
- Gatekeeper prevents untrusted software from running in the first place
- XProtect catches known malware that gets past Gatekeeper
- SIP protects the operating system even if malware gains root access
- FileVault protects data at rest if the physical device is stolen
- The firewall controls incoming network access to reduce the attack surface
- Activation Lock prevents stolen devices from being reused
- Lockdown Mode provides extreme hardening for high-risk users
No single feature provides complete protection. The strength of Apple's approach lies in the combination of all these layers working together. The exam tests your understanding of each individual feature and how they function as part of this broader security architecture.
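As an added example, not from this guide, here is a read-only shell posture check that reports the state of the layers above (SIP, FileVault, Gatekeeper, firewall and stealth mode) the way an IT department might verify compliance before handing a Mac to a user. It uses csrutil and socketfilterfw from this page plus fdesetup and spctl; the exact wording of each tool's output is an assumption from memory, which is why the verdict logic matches loosely and can be exercised with constructed output on any sh.

```sh
#!/bin/sh
# Added example, not from the ACSP guide: read-only posture check for the
# macOS security layers discussed above. Status commands run only on a Mac
# when invoked with --live; the parsing is separate so it can be tested anywhere.
# Output wording of each tool is assumed, hence the loose matching below.

# classify_state OUTPUT -> prints enabled | disabled | unknown
classify_state() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $lower in
        *disabled*|*" is off"*|*"state = 0"*) echo disabled ;;
        *enabled*|*" is on"*|*"state = 1"*)   echo enabled ;;
        *)                                    echo unknown ;;   # e.g. custom SIP config
    esac
}

# expect_enabled NAME OUTPUT -> prints a PASS/FAIL line; exit status 0 only on PASS
expect_enabled() {
    state=$(classify_state "$2")
    if [ "$state" = enabled ]; then
        echo "PASS $1"
    else
        echo "FAIL $1 ($state): $2"
        return 1
    fi
}

# run_audit -> runs the live status commands (macOS only); returns failure count
run_audit() {
    failed=0
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    expect_enabled SIP        "$(csrutil status 2>&1)"          || failed=$((failed+1))
    expect_enabled FileVault  "$(fdesetup status 2>&1)"         || failed=$((failed+1))
    expect_enabled Gatekeeper "$(spctl --status 2>&1)"          || failed=$((failed+1))
    expect_enabled Firewall   "$("$fw" --getglobalstate 2>&1)"  || failed=$((failed+1))
    expect_enabled Stealth    "$("$fw" --getstealthmode 2>&1)"  || failed=$((failed+1))
    return "$failed"
}

# Only touch the live system when explicitly asked and actually on macOS.
if [ "${1:-}" = --live ] && [ "$(uname -s)" = Darwin ]; then
    run_audit
fi
```

Stealth mode and the firewall are reported separately because, as the Firewall Options list notes, the firewall is off by default and stealth mode is a distinct setting.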
When answering exam questions about security, always consider which layer of protection is relevant to the scenario described. A question about preventing malware installation points to Gatekeeper and XProtect. A question about protecting data on a stolen Mac points to FileVault. A question about preventing system file modification points to SIP. Matching the threat to the correct security layer is the key to answering these questions correctly.