A design firm is editing a new campaign video on a MacBook Pro. The creative director opens a collaboration app that quietly requests microphone and camera permissions. MacOS is supposed to flag that, but in this case, the checks are loose. The app gets access anyway.
On another Mac in the same office, file sharing is enabled through an old protocol called SMB version one. It’s fast and convenient—but outdated and vulnerable. Attackers can exploit it in minutes if the endpoint is exposed to the internet.
These are the kinds of configuration oversights that happen every day, even in organizations that take security seriously. They’re not failures of hardware or antivirus software. They’re configuration gaps that open doors to attackers, and they often go unnoticed because nobody is looking for them.
That’s where Defense Against Configurations (DAC) comes in.
Misconfigurations are a gift to attackers: default settings left open, remote access that should be off (like outdated network protocols such as SMB v1), or encryption that never got enabled.
The goal of the latest release from ThreatLocker is simple. It makes those weak points visible on macOS so they can be fixed before they become incidents. Following the August 2025 release of DAC for Windows, ThreatLocker has launched DAC for macOS, which is currently in Beta.
The built-in ThreatLocker feature scans Macs as many as four times per day using the existing ThreatLocker agent, surfacing risky or noncompliant settings in the same dashboard you already use for Windows.
High value controls in the Beta
The agent runs a configuration scan and reports results to the console. On macOS, the initial Beta focuses on high value controls:
- Disk encryption status with FileVault
- Built in firewall status
- Sharing and remote access settings, including remote login
- Local administrator accounts and membership checks
- Automatic update settings
- Gatekeeper and app source controls
- Selected security and privacy preferences that reduce attack surface
Findings are grouped by endpoint and by category. Each item includes clear remediation guidance and mapping to major frameworks such as CIS, NIST, ISO 27001, and HIPAA. The intent is to shorten the path from discovery to fix, not to add another queue of alerts.
Why DAC matters
Design firms, media studios, and production teams often build their workflows around Macs for good reason. The M-series processors are powerful, quiet, and efficient for video and design software. But security visibility hasn’t always kept up.
Extending configuration scanning to macOS helps these teams find weak spots before they’re exploited, things like unencrypted drives, disabled firewalls, leftover admin accounts, or permissive sharing settings. It closes the gaps that attackers look for and gives administrators the same level of insight they already rely on for Windows.
This Beta isn’t just about macOS coverage. It’s about giving IT and security teams real insight into where they stand. When DAC shows a Mac out of compliance, it doesn’t stop there. It connects those findings to the ThreatLocker policies that can fix them. That visibility helps organizations align with their security frameworks, meet insurance requirements, and harden their environments without guesswork. Some users come to ThreatLocker specifically because of DAC and stay because it makes the other ThreatLocker controls make sense. Configuration visibility is the gateway to real control.
Note: This article was written and contributed by Yuriy Tsibere, Product Manager and Business Analyst at ThreatLocker.
