Apple has long been known for providing an exceptional user experience. What many might not realize is that over the past few years Apple has also been pushing the infosec envelope by making advanced security options accessible to everyday users. Not all of these features are new in El Capitan, but here are 16 features built into OS X that every user has simple access to:
System Integrity Protection, or SIP, is Apple's name for a set of kernel-enforced restrictions on what can be modified on a Mac, even by the root user. It brings iOS-style system protection to OS X. By restricting which processes can be debugged or injected into, which kernel extensions can be loaded, and which parts of the filesystem (/System, /bin, /sbin and /usr, with /usr/local left alone) can be written, Apple builds a level of protection into OS X El Capitan and later that the Mac never had before. SIP can only be turned off by booting to the Recovery partition and running csrutil there, which is itself a useful property: malware running on the booted system cannot switch it off.
FileVault is Apple's name for full disk encryption. Since FileVault 2 arrived in Lion it encrypts the whole boot volume with XTS-AES-128, it is free, and its recovery key can be escrowed: either an institutional recovery key held in a FileVaultMaster keychain, or a personal recovery key collected by a mobile device management vendor at enablement time. The same encryption can be applied to removable media by choosing Encrypt on an external disk in Finder. Best of all, FileVault can be managed with an MDM solution or with simple scripts around the fdesetup command. One caveat to keep in mind: disk encryption protects data at rest, so a Mac that is powered on and logged in is only as protected as its screen lock.
Mobile Device Management, or MDM for short, is a protocol from Apple that lets organizations remotely manage Mac and iOS devices. Management on a Mac means that you can remotely control FileVault, Gatekeeper, certificates and other Apple security technologies through configuration profiles and commands. But you can also use MDM to automate the setup of a Mac (yes, zero touch configuration, through the Device Enrollment Program), deploy fonts, install printers, and control most settings a profile can express.
Gatekeeper is the technology that enforces code signing on apps downloaded from the Internet. Using Gatekeeper, you can restrict the apps allowed to run on a Mac to those obtained (and signed) through the Mac App Store, or additionally those signed with a Developer ID certificate issued by Apple. If a Developer ID certificate turns out to have signed malware, Apple can revoke it, and apps signed with it will no longer be allowed to launch on any Mac with Gatekeeper enabled. Two caveats: Gatekeeper only assesses files that carry the quarantine attribute set by the browser or other downloading app, so something copied from a USB stick or extracted by a tool that does not set the attribute is never assessed; and a user can still override it by Control-clicking the app and choosing Open, unless a profile disables that override.
Application Sandboxing is built on the TrustedBSD mandatory access control framework that Apple adopted from FreeBSD. By sandboxing an app, the developer declares (as entitlements in the app's code signature) the specific resources it is allowed to request: outgoing or incoming network access, particular parts of the filesystem such as files the user picks in an open dialog, hardware like the camera and microphone, and user data such as contacts and calendars. Anything not declared is denied by the kernel, so a compromised sandboxed app can do far less damage. Apps sold through the Mac App Store have been required to adopt the sandbox since 2012; for apps from elsewhere it is optional, which is worth checking before trusting one.
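To see the Gatekeeper and sandbox checks above on a real app, here is an added example (shell, not code from the article) that triages a downloaded app the way Gatekeeper and the sandbox see it: it reads the com.apple.quarantine attribute, decodes the download time and downloading application from it, asks spctl what Gatekeeper would decide, verifies the code signature with codesign, and dumps the entitlements to tell whether App Sandbox is on. The layout of the quarantine value (flags;hex timestamp;downloading agent;event UUID), the function names and the sample values in the comments are this example's own assumptions; the commands are the stock ones that ship with OS X.

```shell
#!/bin/sh
# Added example: triage a downloaded app bundle. Usage on a Mac:
#   sh inspect_app.sh /Applications/SomeDownloadedApp.app
# Assumed layout of the com.apple.quarantine value:
#   flags;hex-timestamp;downloading-agent;event-uuid   (constructed sample:
#   "0081;56000000;Safari;D2F2B4E0-1234-5678-9ABC-DEF012345678")

# Field 2 of the quarantine value is the download time as hex Unix seconds.
quarantine_epoch() {
    hex=$(printf '%s' "$1" | cut -d';' -f2)
    [ -n "$hex" ] || return 1
    echo "$((0x$hex))"
}

# Field 3 names the application that downloaded the file.
quarantine_agent() {
    printf '%s' "$1" | cut -d';' -f3
}

# Given the text of an entitlements plist, report whether App Sandbox is on.
# Whitespace is stripped so the key and its <true/> may sit on separate lines.
is_sandboxed() {
    printf '%s' "$1" | tr -d ' \n\t' \
        | grep -qF '<key>com.apple.security.app-sandbox</key><true/>'
}

inspect_app() {
    app=$1
    q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null)
    if [ -n "$q" ]; then
        echo "quarantined: downloaded by $(quarantine_agent "$q") at epoch $(quarantine_epoch "$q")"
        echo "Gatekeeper will assess this app on first launch; its verdict now:"
        spctl --assess --type execute -vv "$app"
    else
        echo "no quarantine attribute: Gatekeeper will NOT assess this app on launch"
    fi
    # Verify the signature regardless of quarantine; --strict rejects sloppy bundles.
    codesign --verify --deep --strict --verbose=2 "$app"
    # Dump the entitlements the app was signed with (":-" strips the blob header).
    ents=$(codesign -d --entitlements :- "$app" 2>/dev/null)
    if is_sandboxed "$ents"; then
        echo "App Sandbox: enabled"
    else
        echo "App Sandbox: not enabled"
    fi
}

# Run the macOS-specific part only when given an app path on a Mac.
if [ $# -eq 1 ] && command -v spctl >/dev/null 2>&1; then
    inspect_app "$1"
fi
```

The epoch printed can be turned into a date on a Mac with date -r, and the event UUID can be looked up in the user's LaunchServices quarantine database (~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2) to recover the original download URL. Note the caveat the script prints: a user who runs xattr -d com.apple.quarantine on a bundle removes it from Gatekeeper's view entirely, so a missing attribute on a recently downloaded app is itself a finding.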
ASLR, or Address Space Layout Randomization, randomizes where a program's code, libraries, heap and stack land in memory, so that an attacker who has found a memory corruption bug still does not know which addresses to aim at when exploiting it. It does not hide vulnerabilities; it makes reliable exploitation of them harder. ASLR is not unique to Apple, and Apple was not first (the PaX patches for Linux and OpenBSD had it years earlier, and Windows has shipped it since Vista), but OS X has randomized library addresses since Leopard, fully randomized 64-bit processes since Lion, and randomized the kernel itself since Mountain Lion, so every user gets it without doing anything.
Remote lock and remote wipe are commands in the MDM protocol. By building a Recovery partition into every Mac, and allowing a Mac to boot from an Internet recovery volume to restore itself, Apple essentially killed the cost of distributing its operating system on physical media, while opening the door to locking a Mac remotely: the DeviceLock command reboots the Mac into a firmware lock screen that only opens with the six-digit PIN the administrator chose when sending the command, and the EraseDevice command wipes the boot volume. Both are delivered through push notifications, so they take effect as soon as the Mac is online and checks in; a Mac that is offline will not act on them until it next connects, so "instantly" really means "at the next check-in".
XProtect is an anti-virus of sorts, built into every Mac. XProtect is a signature-based scanner: when a file carrying the quarantine attribute is opened, it is checked against a short, Apple-maintained list of known malware signatures and blocked if it matches, and XProtect also blocks outdated versions of plugins such as Java and Flash. The signature list is updated silently through the background software update mechanism. XProtect is not a full anti-virus solution: it does not scan files already on disk, does not watch running processes, and only catches what is on Apple's list. There are many third party anti-virus products on the market if one is required in any given enterprise.
Anti-phishing built into Safari. Arguably, one of the most vulnerable parts of any modern operating system is the browser, and arguably the most vulnerable part of your security landscape is the user. A key way people attempt to infiltrate environments is with phishing emails meant to obtain credit card numbers, passwords and other private data. When you visit a site on a Mac that is on the list of known phishing and malware sites (Safari checks against Google's Safe Browsing data), you get a warning, adding a layer of security to the web browsing experience. It is a blocklist, though: a freshly registered phishing site is not on it yet, so the warning supplements user training rather than replacing it.
The Mac App Store gives organizations a way to buy apps whose integrity can be verified: every app sold there is signed, delivered through a trusted channel, sandboxed, and reviewed by Apple before release, so there is a pool of apps that have been vetted, at least for obvious bugs and policy violations. App review is not a security audit, so it lowers risk rather than removing it.
iCloud Keychain stores a user's passwords, credit card details and Wi-Fi credentials in a keychain that is AES-256 encrypted and synchronized through iCloud to that user's other iOS and Mac devices. The keys are generated on the devices themselves rather than held by Apple, so in practice the keychain is as strong as the passcodes of the devices in the user's circle and the iCloud security code used to add new ones.
Activation Lock ties an Apple device to a user's Apple ID so that, if the device is erased, it cannot be reactivated and put into use without that Apple ID. For devices owned by an organization, Activation Lock can be cleared either by presenting proof of purchase to Apple or, for supervised devices, by the MDM solution they are enrolled in, such as the Casper Suite, which can retrieve a bypass code. Some day thieves will know that stealing Apple devices will net them nothing, thus protecting Apple users and not just their data.
The built-in Application Firewall of OS X goes beyond the old port-based firewall by making decisions per application: it decides which apps may accept incoming connections, identifies each app by its code signature rather than its path, and signs unsigned apps on the fly when you allow them, so a replaced binary does not inherit the permission. It can also run in stealth mode, ignoring probes such as ping, or block all incoming connections except those needed for basic services. Two caveats: it is off by default, and it only governs incoming connections; for outbound filtering you need pf rules or a third party product.
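As an added example (not code from the article), the following shell script audits four of the settings described above, SIP, FileVault, Gatekeeper and the Application Firewall, the way a script pushed by MDM would. The classify functions parse the text each command prints on El Capitan, so the logic can be read and tried on the constructed sample strings in the comments without a Mac; run_audit runs the real commands only where they exist and prints a fix for each failing check. The function names, the report format and the choice of fixes are this example's own assumptions.

```shell
#!/bin/sh
# Added example: baseline security audit for an El Capitan Mac. Run as root:
#   sudo sh audit.sh
# Each classify_* function takes the text a command prints, e.g. (constructed):
#   csrutil status           -> "System Integrity Protection status: enabled."
#   fdesetup status          -> "FileVault is On."
#   spctl --status           -> "assessments enabled"
#   socketfilterfw --getglobalstate -> "Firewall is enabled. (State = 1)"

classify_sip() {            # input: output of 'csrutil status'
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

classify_filevault() {      # input: output of 'fdesetup status'
    case "$1" in
        "FileVault is On."*)  echo on ;;
        "FileVault is Off."*) echo off ;;
        *)                    echo unknown ;;
    esac
}

classify_gatekeeper() {     # input: output of 'spctl --status'
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

classify_firewall() {       # input: output of 'socketfilterfw --getglobalstate'
    case "$1" in
        *"State = 2"*) echo block-all ;;   # block all incoming connections
        *"State = 1"*) echo on ;;
        *"State = 0"*) echo off ;;
        *)             echo unknown ;;
    esac
}

# Print one report line; return 1 when the observed state is not in the
# space-separated list of acceptable states.
report() {
    name=$1; state=$2; acceptable=$3; fix=$4
    for s in $acceptable; do
        if [ "$state" = "$s" ]; then
            echo "PASS  $name: $state"
            return 0
        fi
    done
    echo "FAIL  $name: $state  (fix: $fix)"
    return 1
}

# Run the real commands and return the number of failing checks.
run_audit() {
    sfw=/usr/libexec/ApplicationFirewall/socketfilterfw
    failures=0
    report "SIP" "$(classify_sip "$(csrutil status 2>&1)")" "enabled" \
        "boot to Recovery and run: csrutil enable" || failures=$((failures + 1))
    report "FileVault" "$(classify_filevault "$(fdesetup status 2>&1)")" "on" \
        "fdesetup enable -defer /var/db/fv.plist, then escrow the key via MDM" || failures=$((failures + 1))
    report "Gatekeeper" "$(classify_gatekeeper "$(spctl --status 2>&1)")" "enabled" \
        "spctl --master-enable" || failures=$((failures + 1))
    report "Firewall" "$(classify_firewall "$("$sfw" --getglobalstate 2>&1)")" "on block-all" \
        "$sfw --setglobalstate on --setstealthmode on" || failures=$((failures + 1))
    return $failures
}

# Only run the live audit on a Mac that has these tools.
if command -v csrutil >/dev/null 2>&1 && [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then
    run_audit
fi
```

The deferred FileVault enablement shown in the fix writes the personal recovery key into the plist you name, so that file must be collected and deleted (or replaced by MDM escrow) as soon as the key is safe; and remember that SIP cannot be fixed from the running system, which is why the fix line sends you to Recovery.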
Time Machine is built-in backup software that comes with every Mac. As with the built-in backups from other operating system vendors, there are plenty of third party products with more robust features, but Time Machine is simple to use and free. From a security standpoint, turn on the Encrypt backups option when choosing a backup disk: an unencrypted Time Machine drive is a complete, unencrypted copy of a FileVault-protected Mac.
Access to legacy technologies that run in many enterprises, including Active Directory binding, VPN clients (IPsec, L2TP over IPsec and IKEv2 are built in) and 802.1X network authentication, all of which can be configured by profile. Lots of organizations have existing security requirements that include these technologies, and a Mac can meet them without third party software.
Finally, the most substantial security feature that Apple brings to the table is a practical, privacy-first mindset. This may come from the success of the mobile devices Apple sells, but with every new centrally managed feature of every Apple device, plenty of thought goes into how that feature could affect a user's privacy. By making security tools simple to use, robust enough for enterprises, and respectful of user privacy, Apple is helping to propagate good security practices.