Update: Apple® releases macOS® High Sierra security fix for critical root vulnerability for macOS High Sierra 10.13.1 (not impacted: macOS Sierra 10.12.6 and earlier). Make sure to install this update on all macOS computers affected, as described at support.apple.com/en-us/HT208315
As reported on CNET on November 28, 2017, a major bug has been uncovered that allows root access to Mac computers running macOS High Sierra 10.13.1, leaving them fully vulnerable unless a root password is set. Lemi Orhan Ergin, the founder of Software Craftsmanship Turkey, reported the security flaw and tweeted it publicly on Tuesday, creating a zero-day scenario. This was actually first discovered and reported in Apple forums by chethan177 on November 13, but I guess not that many people read the Apple forums. (Maybe Ergin did and couldn’t wait any longer?)
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Following guidance from Apple, here’s how to set a root password to regain protected root access. Disabling the Guest account is an additional suggested step along with setting a root password.
You can also take steps to further harden your Mac by delivering .mobileconfig files as SCCM Configuration Items against collections of Mac devices, adding policy-based protection. It’s simple to do this with Parallels® Mac Management for Microsoft® SCCM.
You can get a .mobileconfig file from the Apple Profile Manager, or create one by using a process created by Tim Sutton called mcxToProfile where .plist files are converted to fully crafted XML .mobileconfig files. An example given over at Github by J Björkäng for disabling the Guest account can be edited for UUID’s and your company name. This will give you a policy that can be imported into SCCM with the “Parallels Mac OS Configuration Profile from File” option. Simply copy and paste the XML example into a text-formatted TextEdit or Notepad file and save with a .mobileconfig extension.
After importing .mobileconfig files into a Parallels Configuration Item and using the SCCM workflow for Configuration Baselines, it is deployed to a collection of Mac computers to enforce the policy. For additional .mobileconfig files to consider, check out this curation at Github presented by Clayton Burlison.
Enforcing policy for Mac computers using Apple .mobileconfig files is one of many Mac management features that the Parallels Mac Management plugin adds to System Center Configuration Manager for full Mac management. For details including DEP support, Remote Wipe and Lock, and more, see Parallels website.