Copyright 2021 Crown Copyright
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License.
Unless required by applicable law or agreed to in writing, software distributed under the License is released on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations.
- Device Security Guidance Configuration Packs
This repository contains policy packs which can be used by system management software to configure device platforms (such as Windows 10 and iOS) in accordance with NCSC device security guidance. These configurations are aimed primarily at government and other medium/large organisations.
Small businesses may find the NCSC's Small Business Guide a better place to start, but feel free to make use of what is provided here.
These policies contain the NCSC’s recommended settings for the deployment of new devices across your enterprise estate. The NCSC does not mandate the use of these policies, or even require that they are used exactly as provided.
These settings are offered as guidance, so it is up to you how you implement and use them. In any case, they can provide a starting point for developing a compliance benchmark, or expedite the configuration of devices to meet our recommendations.
These three principles have guided the settings encapsulated in the policies.
- Balance Security and Usability: "Security for security's sake" is not the motto for these policies and settings. The aim is to keep a balance between security and usability. While each setting will have an underlying security purpose, it is perfectly reasonable for you to choose differently in your deployment.
- Counter threats at OFFICIAL: The policies provided in this repository aim to help organisations counter "commodity threats". This means those within the UK Government's OFFICIAL Threat Model. Despite this, they can provide a starting point for considering how to configure devices that you need to protect against higher capability threat actors and the associated risks.
- Applicable to the UK: This guidance primarily targets UK government organisations, and UK businesses. If you would like installation instructions for device management software not covered in the installation section, please submit a request via Issues, using the required template, including details on how the product is being used in the UK.
The configuration packs are ordered by vendor (or operating system, then distribution, in the case of Linux), and then vendor platform. For example, Chrome OS is contained within the top-level Google folder.
Device-Security-Guidance-Configuration-Packs
│ CODE_OF_CONDUCT.md
│ LICENSE
│ README.md
│ SECURITY.md
│
├───.github
│ └───ISSUE_TEMPLATE
│ add-new-mdm-provider.md
│ add-new-platform.md
│ change-to-configuration.md
│ change-to-text.md
│
├───Apple
│ ├───iOS
│ │ NCSC_example_iOS_device_configuration.mobileconfig
│ │ NCSC_example_iOS_VPN_configuration.mobileconfig
│ │ NCSC_iOS_configurations.csv
│ │ NCSC_iOS_configurations.md
│ │ README.md
│ │
│ └───macOS
│ macos_provisioning_script.sh
│ NCSC_example_macOS_VPN_configuration.mobileconfig
│ NCSC_macOS_configurations.csv
│ NCSC_macOS_configurations.md
│ README.md
│
├───Google
│ ├───Android
│ │ NCSC_Android_configurations.csv
│ │ NCSC_Android_configurations.md
│ │ README.md
│ │
│ └───ChromeOS
│ NCSC_Chrome_OS_configuration.csv
│ NCSC_Chrome_OS_configurations.md
│ README.md
│
├───Linux
│ └───UbuntuLTS
│ README.md
│ Ubuntu-LTS-post-install.sh
│ Ubuntu-LTS-seed.txt
│
└───Microsoft
└───Windows
│ README.md
│
├───GPO
│ NCSC+MSFT_Windows_10_2004_GPO.zip
│
└───MDM
└───Configurations
│ Configurations_-_NCSC.csv
│ Configurations_-_NCSC.md
│ NCSC_-_Application_Control.json
│ NCSC_-_AppLocker.json
│ NCSC_-_Attack_Surface_Reduction_Rules.json
│ NCSC_-_BitLocker.json
│ NCSC_-_Credential_Guard.json
│ NCSC_-_Custom_Settings.json
│ NCSC_-_Defender_AV.json
│ NCSC_-_Defender_AV_Exclusions.json
│ NCSC_-_Defender_AV_Security_Experience.json
│ NCSC_-_Device_Control.json
│ NCSC_-_Device_Restriction.json
│ NCSC_-_Edge.json
│ NCSC_-_Firewall.json
│ NCSC_-_Firewall_Rules.json
│ NCSC_-_Google_Chrome_Settings.json
│ NCSC_-_Identity_Protections.json
│ NCSC_-_Internet_Explorer.json
│ NCSC_-_Local_Security.json
│ NCSC_-_Password.json
│ NCSC_-_Web_Protections_(DR).json
│ NCSC_-_Web_Protections_(EP).json
│ NCSC_-_Xbox_Services.json
│
└───AppLocker
AppLocker_appx.xml
AppLocker_dll.xml
AppLocker_exe.xml
AppLocker_msi.xml
AppLocker_script.xml
README.md
The policies can be installed in several ways: imported directly into management software, added manually in the management software, or, in some cases, applied directly to the device.
Follow these instructions for:
- Chrome OS devices
- Windows devices
- Android mobile devices
- iOS mobile devices
- Universal settings for macOS and Linux devices
Manually apply the settings, as specified in the policy file.
Using scripts available in Microsoft's Graph repository, you can import these configurations directly into your Azure tenancy by following these steps:
- Locate DeviceConfiguration_Import_FromJSON.ps1; this is the script required to import JSON-format configurations into Endpoint Manager.
- Run this script in PowerShell on the device you use for administration of Azure and Endpoint Manager (such as a PAW). It will prompt for your AAD credentials.
- On successful authentication, the script will prompt for the location of the JSON file you want to upload.
- So long as the file is found, and the AAD account provided has the correct privileges, the configuration will be imported into Endpoint Manager. Policy and Profile Manager is a built-in RBAC role which will allow configuration importing.
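As an added example (not code from the NCSC repository or from Microsoft's Graph samples), the PowerShell pre-flight check below walks the profile JSON files in the Windows MDM folder and reports, before you authenticate to AAD, any file that cannot be parsed or lacks the fields an Intune profile import needs. The read-only property names and the assumption that the import script discards them are assumptions about that script, not facts taken from this page.

```powershell
# Added example, not part of the NCSC repository or of Microsoft's Graph
# samples: a pre-flight check of the JSON profiles under
# Microsoft/Windows/MDM/Configurations before each is handed to
# DeviceConfiguration_Import_FromJSON.ps1.
# Assumed: each file is an exported Intune device configuration profile, so it
# carries '@odata.type' and 'displayName', and the import script drops the
# tenant-specific read-only properties listed in $readOnly (an assumption
# about that script; verify against the copy you downloaded).
param(
    [string]$ConfigFolder = '.\Microsoft\Windows\MDM\Configurations'
)

$readOnly = @('id', 'createdDateTime', 'lastModifiedDateTime', 'version')

function Test-NcscProfile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $problems = @(); $notes = @()
    try {
        $obj = Get-Content -LiteralPath $File.FullName -Raw | ConvertFrom-Json
    } catch {
        $problems += "not valid JSON: $($_.Exception.Message)"
        $obj = $null
    }
    if ($obj) {
        if (-not $obj.'@odata.type') { $problems += "missing '@odata.type' (import cannot pick a Graph endpoint)" }
        if (-not $obj.displayName)   { $problems += "missing 'displayName'" }
        foreach ($p in $readOnly) {
            if ($obj.PSObject.Properties.Name -contains $p) {
                $notes += "read-only property '$p' present; expect the import script to discard it"
            }
        }
    }
    [pscustomobject]@{
        File        = $File.Name
        DisplayName = $obj.displayName
        Type        = $obj.'@odata.type'
        Ready       = ($problems.Count -eq 0)
        Problems    = $problems -join '; '
        Notes       = $notes -join '; '
    }
}

# Review the whole set before authenticating; only files marked Ready should be
# passed to the import script, one at a time, as its prompt expects.
$report = Get-ChildItem -LiteralPath $ConfigFolder -Filter 'NCSC_-_*.json' | ForEach-Object { Test-NcscProfile -File $_ }
$report | Format-Table File, Ready, DisplayName, Type -AutoSize
$report | Where-Object { -not $_.Ready } | ForEach-Object { Write-Warning "$($_.File): $($_.Problems)" }
```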
Follow the instructions on the Endpoint Manager pages for configuring macOS, iOS and Android and apply the configurations in the corresponding file.
Currently, it is not possible to manage Chrome OS or Linux using Microsoft Endpoint Manager.
Follow the instructions on how to apply settings for custom configurations for macOS and iOS mobile devices and apply the .mobileconfigs, or develop your own configurations using the policy pack as a guide.
Currently, it is not possible to manage Windows, Android, Ubuntu LTS or Chrome OS using Jamf Pro.
Follow the instructions on Windows desktop profiles, iOS device profiles, macOS device profiles, Android device profiles or Chrome OS device profiles and apply configurations to profiles as required.
The provided scripts in the Ubuntu folder are expected to be deployed through a Software Configuration Manager but can also be manually deployed onto a device.
Before suggesting a change via a pull request, please first discuss the change you wish to make via an issue within this GitHub repository.
Any changes must (to prevent rejection of a pull request):
- be done with consideration of the three guiding principles of this project; any contribution that just adds or removes configurations without a clearly stated reason will likely be rejected.
- be presented alongside evidence (in the pull request or the initial issue) that you have tested the proposed changes, including details of devices and versions of the platform.
The NCSC reserves the right to refuse pull requests if they do not meet the aims of the project, or if they do not align with current NCSC guidance.
The NCSC's Policy Packs are released under the Apache 2.0 Licence and are covered by Crown Copyright.