You'll need MDM, installed anti-virus/anti-malware, and reasonable update policies, as with any endpoint. But have passed multiple years' audits with a mostly-macOS fleet.