
shubbanka

macrumors newbie
Original poster
Jan 19, 2024
2
0
France
Hi,
I'm a small-business owner (5 people). We had someone click on a phishing link on our (Windows) machines, and it started spamming all of our contacts.
(This was on Windows machines which were running as non-admin users, and already had heavy-handed anti-virus & anti-phishing software).
As no further trace of the malware could be found, we are uncertain whether it is gone or hiding (e.g. rootkit).
I've decided to throw out the SSDs and get new ones and install Linux Mint on those.

I've also gotten a Mac Mini, in order to get everyone accustomed to working with MacOS, and have more modern/stable/supported options rather than only Linux. (I have about 1 year of experience using a Macbook Air privately).
If everyone likes it, perhaps the next time we replace hardware then we can just get Macs.

Our computers are not allocated to 1 person, we all share them depending on where we are at the time of day.
(Our work is mostly browser based, with the rest being basic document generation which can be done in MS Office or similar suites).
I also got a Magic Keyboard with the fingerprint reader, to make logins quicker.

What are the best practices for such an environment?
I already applied for the Apple Business Manager system and started to set up the Mini with a business account, but ran into problems.
(there are 2 local machine accounts, an admin and a regular, but they also need (do they though?) an Apple ID account, and the software in the App store doesn't want to update for the regular user.)
I thought being part of ABM might make it easier if we want to (at some unknown point in the future) configure Macbooks for mobile use, but perhaps it's rather overdoing things at this scale and is overall inconvenient for the limited number of users.

- I'll reset the Mini and start the install again. I'll create a local (non Apple Business Manager) admin user, and then an ordinary user, both with passwords?
What are the limits of an ordinary user?
Should both have Apple ID? Separate or the same ID?

- Given that there also exists (not much, but still) malware for MacOS, is there recommended (commercial) anti-malware software?
I see that BitDefender is recommended in some tests on MacOS.

- Are there other good practices, to avoid people causing security problems or screwing up the OS?
 

picpicmac

macrumors 65816
Aug 10, 2023
1,239
1,833
I'll create a local (non Apple Business Manager) admin user, and then an ordinary user, both with passwords?
Yes. You can create as many users as you want. All should have their own passwords.

What are the limits of an ordinary user?
Inherited long ago from the early multi-user UNIX ancestors, MacOS allows you to set permissions for files.

Open the "Get Info" window for a file or directory you have. You will see in the panel a section for sharing and permissions. The owner of a file or directory can set permissions to read or read+write, for other users to access said file/directory.
Are there other good practices, to avoid people causing security problems or screwing up the OS?
The latest versions of macOS strongly secure the operating system from tinkering, even by those with admin accounts. There are threads here about security but mostly I think you will learn more by playing with setting up user accounts on your own private Mac and see how they work, and then dive in with specific questions.
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,125
935
on the land line mr. smith.
One challenge for Macs in SMB and shared machines is no directory service. It really depends if each user on each Mac needs their own desktop, preferences, mail, calendaring, etc.

If yes, managing passwords and access can be challenging.

If no, can folks use a shared desktop? Less to manage.

If users need to switch Macs often, or are traveling, you might consider a cloud-based directory server. Or, there are local options such as Synology.

As far as security, as mentioned, Macs are very secure out of the box. Adware and Malware are the most likely challenges. The free version (run manually) of Malwarebytes is often enough.

Each user does not need an Apple ID. One can be shared for free or company app purchases.

If you are going to end up with multiple Macs, you can use ABM and perhaps an MDM server or service to manage them all. There are many to choose from. They range from free to very pricey. Lots of reviews...almost too many choices.

Hopefully you have MS365 or Google for email, calendaring, cloud storage and collaboration.
 

shubbanka

macrumors newbie
Original poster
Jan 19, 2024
2
0
France
- Our files are generally not kept locally, but used directly from a Synology NAS
- We share devices as the day goes along, there is no designated machine per person.
- So the admin user and other users can have the same Apple ID?
- Is there a recommended way to restrict execution of apps (limited to e.g. browser, finder, productivity suite?)
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,125
935
on the land line mr. smith.
Yeah, multiple users can share an Apple ID, assuming you mean for access to the App Store. Not required for anything else. And even then, could be the policy that only an admin should/could be installing apps. Depends on your needs. In education, for example, typically lab and shared computers have Apple ID nags disabled.

No easy way via the local machine to limit running apps that I am aware of....without a third party solution or an MDM.

Centralized files are handy, as long as you have adequate access and redundancy. Do you only share them locally, or over a WAN too?
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,125
935
on the land line mr. smith.
I don't think anybody answered your last question, about protecting the OS from users. Apple has done that for you with the last few OS and file system updates.

The safest thing would be to have typical users NOT be admin users...but this setup is also the least convenient, as computers/users will get a lot of nags for admin credentials to do much of anything. It really depends on the environment and how much you want to empower or restrict your users.

If security/restrictions are essential, an MDM solution is really the only way to go. Typically it is more work to set up and maintain an MDM for a small number of computers. How small is small? Hard to say. Some admins might say about 10, some may say more like 50. It might also depend on access...machines that are at remote locations or that travel really need an MDM to be managed remotely.
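
One way to verify the advice above that everyday accounts should not be admins, as an added example that is not part of the original thread: a small shell check that lists members of the local macOS `admin` group that are not on an approved list. The account names `itadmin` and `frontdesk` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag local accounts that hold admin rights but should not.

# Accounts allowed to be in the admin group (assumption: "root" plus one
# dedicated local admin called "itadmin"; adjust to your own setup).
ALLOWED_ADMINS="root itadmin"

# Read dscl output on stdin and print every account named on a
# "GroupMembership:" line that is not in the allow list passed as $1.
unexpected_admins() {
    allowed=" $1 "
    while read -r key members; do
        [ "$key" = "GroupMembership:" ] || continue
        for user in $members; do
            case "$allowed" in
                *" $user "*) ;;                  # approved admin, ignore
                *) printf '%s\n' "$user" ;;      # admin rights not approved
            esac
        done
    done
}

# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on a Mac where a shared everyday account was left as an admin.
SAMPLE_OUTPUT="GroupMembership: root itadmin frontdesk"

# Run the check against the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | unexpected_admins "$ALLOWED_ADMINS"
}

# With --live (on a Mac), audit the real admin group; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    dscl . -read /Groups/admin GroupMembership | unexpected_admins "$ALLOWED_ADMINS"
else
    audit_sample
fi
```

Any name it prints is an account that can approve installs and system changes; move it to a standard account unless it is meant to be an admin.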
 