Skip to main content

E8 – MacOS – All Macros Disabled

Configuration Policy Summary

E8 – MacOS – All Macros Disabled


Platform: macOS
Settings: 5
Technologies: MDM, Apple Remote Management
Version: 1

🎯 Purpose

This policy enforces Essential Eight – User Application Hardening by completely disabling all Visual Basic for Applications (VBA) and macro functionality in Microsoft Office apps on macOS.

It effectively eliminates macro-based malware vectors on macOS, which remains one of the most common enterprise compromise pathways.

This is a strong E8 Maturity Level 3 control applied as part of your broader IBP baseline.

🧭 Assignments

Target

  • All devices (allDevicesAssignmentTarget)

Role Scope Tags

  • Tags: 2, 3, 4

🔧 Macro Hardening Settings (All Set to Block/Disable)

Below is what each of the five settings does.

1. Disable Visual Basic Entirely

Setting: visualbasicentirelydisabled_true
Effect:
✔ Complete deactivation of VBA
✔ No macro execution, no creation, no editing
✔ Fully eliminates Office macro attack surface

2. Block External Dynamic Libraries (Dylibs)

Setting: disablevisualbasicexternaldylibs_true
Effect:
✔ Prevents VBA from loading external libraries
✔ Stops advanced macro‑based payloads
✔ Hardens against lateral file dependency attacks

3. Disable MacScript Execution

Setting: disablevisualbasicmacscript_true
Effect:
✔ Blocks VBA→AppleScript bridging
✔ Prevents scripts from launching system commands
✔ Eliminates cross‑environment automation attacks

4. Disable VBA “open for binding” Operations

Setting: disablevisualbasictobindtopopen_true
Effect:
✔ Stops VBA from binding external references during Open events
✔ Prevents automatically executed payloads
✔ Addresses attacker techniques relying on malicious document lifecycle hooks

5. Macro Execution State – Fully Blocked

Setting: visualbasicmacroexecutionstate_1
This value maps to*:
✔ "Disable macro execution without notification"

Effect:
✔ Users cannot enable macros
✔ Users are not prompted
✔ No bypass allowed
✔ This is the strictest possible control

Related Articles
E8‑User Application Hardening – Edge Hardening
E8‑Office Macros – All Macros Disabled
E8-User Application Hardening- OLE Package Block
E8‑User Application Hardening – PDF Hardening
E8‑User Application Hardening – Office ASR
Did this answer your question?