Good policy for MAC Laptop OS X - Antivirus programs and procedures

We have several users using their personal MAC Laptops for work purposes.

I have never had a problem yet with viruses on a MAC; but, that does not mean it will never happen.  My question is what are some good policies and procedures on how to protect MAC laptops and the company network from Viruses and Spyware (from infecting MAC OSX devices).

Regarding Windows devices I do the following:

- We have commercial AV program installed to help prevent and clean any malware.
- We have a secondary AV program to double-check if the initial virus scan program (Hitman Pro.)

I think that having a secondary anti-virus program, such as Hitman Pro would be the most cost effective solution.  I am getting this concern from a previous question,
Asked by Pkafkas (Network Engineer)

Commercial AV vendors will try to convince you that you need AV on your Macs. They of course have an interest to sell you something so their opinion is not unbiased.

It is not well known, but Mac OS X has several defenses built in.

XProtect is the equivalent of anti-malware software and it gets regular updates.
Gatekeeper prevents running software from unapproved developers.

So it is untrue that your Macs are unprotected. Thus far there's no way to prove that the commercial AVs can provide additional protection beyond the protection that is built into Mac OS.

I agree with everything robocat said. Obviously your first line of defense should be your corporate firewall, email and web filtering and the like.  The type of business you have may help determine your approach to protecting MAC laptops. If you're a financial or medical company, you may want to just consider not allowing a BYOD approach.  We don't allow that in the company where I work. The potential problems and financial costs can be great.  If you do have a BYOD policy then you should treat all devices the same. If you're putting program X on your Windows machine, then do the same for the Macs. Even if it's somewhat a waste of time, you're doing a CYA that will at least protect you and your company should something happen.

Install AVAST! or BitDefender.

Macs are actually more vulnerable than people think.  They're only mainly safe because they're mostly ignored.

Install an adblocker in Safari, Firefox, and/or Chrome.  You can still get pop-up scams, same as on Windows.

You should turn on the built-in Firewall and turn off all sharing that's not needed.  I've seen rootkits for Linux partially work on a Mac.  They only mainly misbehave because it's OS X, not Linux, so some of the Python or Perl scripts call up non-existent binaries, but the IRC bot still runs partly and you see weird errors, making it more easily detectable.

Because they haven't been inoculated heavily like Windows has, someone that really knows Mac scripting can more easily overcome a Mac's defenses than a Windows hacker can overcome Microsoft Windows.  The built-in Mac defenses are equivalent to early Windows 7.

Commercial AV vendors also mainly scan for Windows Viruses on the Mac.  That's just to prevent it from spreading to Windows users.  If you have a mixed environment or deal with Windows users too, you do need to install AV.  If your shop is all Mac, you may be able to forego AV, but that's only until the next Mac Virus appears.  There have been a handful of Mac viruses out there, that have all, fortunately, been taken down.  They're still spending time attacking Microsoft Windows because it reaches many more users and gives them the greatest cost benefit ratio.

Eoin OSullivan (Consultant) commented:
I'd second and agree with serialband.
If only to protect your Windows users install a commercial AV solution either a high-grade Free one like Avast Security or paid for like Bitdefender or ESET.  
You don't mention what your AV for Windows is .. but if there is a MAC version and it is rated well (see here -  then maybe you can buy some additional licenses.

If your Mac users own their computers then you've little control stopping them turning off firewall, enabling sharing etc. so while you can ADVISE them how to increase the security of OSX .. it would be best to have an AV and anti-malware solution installed and ideally you could track if it was disabled/uninstalled by the users.
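
A posture check for the settings this thread names (Gatekeeper, the built-in firewall, Remote Login as one sharing service, and whether the AV agent is still running), as an added example that is not from any poster in the thread. `ExampleAVAgent` and the `AV_PROCESS` variable are placeholders, and the matched strings assume the usual output of `spctl`, `socketfilterfw` and `systemsetup`.

```shell
#!/bin/sh
# Added example: each classify_* function takes a tool's output as text,
# so the logic can be checked offline; live collection runs on macOS only.

classify_gatekeeper() {      # input: output of `spctl --status`
  case "$1" in
    *"assessments enabled"*)  echo PASS ;;
    *"assessments disabled"*) echo FAIL ;;
    *)                        echo UNKNOWN ;;
  esac
}

classify_firewall() {        # input: output of `socketfilterfw --getglobalstate`
  case "$1" in
    *"Firewall is enabled"*)  echo PASS ;;
    *"Firewall is disabled"*) echo FAIL ;;
    *)                        echo UNKNOWN ;;
  esac
}

classify_remote_login() {    # input: output of `systemsetup -getremotelogin` (needs root)
  case "$1" in
    *"Remote Login: Off"*) echo PASS ;;
    *"Remote Login: On"*)  echo FAIL ;;
    *)                     echo UNKNOWN ;;   # e.g. run without admin rights
  esac
}

classify_av() {              # input: PID list from pgrep; empty means not running
  if [ -n "$1" ]; then echo PASS; else echo FAIL; fi
}

# Prints one "check:RESULT" line per setting; returns 1 if any is not PASS.
posture_report() {
  bad=0
  for result in \
    "gatekeeper:$(classify_gatekeeper "$1")" \
    "firewall:$(classify_firewall "$2")" \
    "remote_login:$(classify_remote_login "$3")" \
    "av_agent:$(classify_av "$4")"
  do
    echo "$result"
    case "$result" in *:PASS) ;; *) bad=1 ;; esac
  done
  return "$bad"
}

if [ "$(uname -s)" = "Darwin" ]; then
  # AV_PROCESS is a placeholder: set it to your AV agent's process name.
  posture_report "$(spctl --status 2>&1)" \
    "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" \
    "$(systemsetup -getremotelogin 2>&1)" \
    "$(pgrep -x "${AV_PROCESS:-ExampleAVAgent}")"
fi
```

The non-zero exit status lets a management or login script flag a laptop whose owner has turned a setting off or removed the AV agent; an UNKNOWN result is treated as non-compliant rather than assumed safe.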