diff --git a/.github/workflows/ci-common.yml b/.github/workflows/ci-common.yml
index 3395e327c9..61f200423b 100644
--- a/.github/workflows/ci-common.yml
+++ b/.github/workflows/ci-common.yml
@@ -97,6 +97,9 @@ jobs:
       - name: Build unit-tests
         run: make -j$(($(nproc) + 1)) unit-test
 
+      - name: Check that address sanitizer is enabled
+        run: nm build-build/bin/test_cleanup | grep __asan_version_mismatch_check_v8
+
       - name: run unit-tests
         run: make run-unit-tests
 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5205ef8e2a..2fe13fb661 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -46,7 +46,7 @@ endif()
 
 # This is ignored on platforms other than darwin. By default rust compiles for
 # 10.7 which doesn't link for us.
-set(CMAKE_OSX_DEPLOYMENT_TARGET "10.15" CACHE STRING "Minimum OS X deployment version")
+set(CMAKE_OSX_DEPLOYMENT_TARGET "11" CACHE STRING "Minimum OS X deployment version")
 
 project(bitbox02 C)
 
@@ -65,6 +65,7 @@ option(COVERAGE "Compile with test coverage flags." OFF)
 option(SANITIZE_ADDRESS "Compile with asan." OFF)
 option(SANITIZE_UNDEFINED "Compile with ubsan." OFF)
 option(CMAKE_VERBOSE_MAKEFILE "Verbose build." OFF)
+
 # Generate compile_command.json (for tidy and other tools)
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
@@ -343,6 +344,12 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
 string(LENGTH "${CMAKE_SOURCE_DIR}/" SOURCE_PATH_SIZE)
 add_definitions("-DSOURCE_PATH_SIZE=${SOURCE_PATH_SIZE}")
 
+if(SANITIZE_ADDRESS)
+    string(APPEND CMAKE_C_FLAGS " -fsanitize=address")
+endif()
+if(SANITIZE_UNDEFINED)
+    string(APPEND CMAKE_C_FLAGS " -fsanitize=undefined")
+endif()
 
 # protoc is used to generate API messages
 find_program(PROTOC protoc)
diff --git a/Makefile b/Makefile
index 9c62c08529..4e5dad74c9 100644
--- a/Makefile
+++ b/Makefile
@@ -17,12 +17,7 @@
 UNAME_S := $(shell uname -s)
 
 .DEFAULT_GOAL := firmware
-# asan/ubsan is not supported on darwin, default to off
-ifeq ($(UNAME_S),Darwin)
-  SANITIZE ?= OFF
-else
-  SANITIZE ?= ON
-endif
+SANITIZE ?= ON
 
 bootstrap:
 	git submodule update --init --recursive
diff --git a/external/CMakeLists.txt b/external/CMakeLists.txt
index cbf5c168ca..6caaa3d4ad 100644
--- a/external/CMakeLists.txt
+++ b/external/CMakeLists.txt
@@ -238,7 +238,7 @@ aux_source_directory(optiga-trust-m/src/comms/ifx_i2c SRC_COMMS_IFX_I2C_FILES)
 aux_source_directory(optiga-trust-m/src/crypt SRC_CRYPT_FILES)
 aux_source_directory(optiga-trust-m/src/util SRC_UTIL_FILES)
 set(PAL_FILES optiga-trust-m/extras/pal/pal_crypt_mbedtls.c)
-add_library(optiga
+add_library(optiga EXCLUDE_FROM_ALL
   ${SRC_CMD_FILES}
   ${SRC_COMMON_FILES}
   ${SRC_COMMS_IFX_I2C_FILES}
diff --git a/test/simulator/CMakeLists.txt b/test/simulator/CMakeLists.txt
index 49dbbd8344..62f0e12b34 100644
--- a/test/simulator/CMakeLists.txt
+++ b/test/simulator/CMakeLists.txt
@@ -16,7 +16,7 @@ add_executable(simulator EXCLUDE_FROM_ALL simulator.c)
 
 # asan must be first library in linking order
 target_link_libraries(simulator PRIVATE
-    $<$<BOOL:${SANITIZE_ADDRESS}>:asan>
+    $<$<BOOL:${SANITIZE_ADDRESS}>:-fsanitize=address>
     $<$<BOOL:${SANITIZE_UNDEFINED}>:-fsanitize=undefined>
     $<$<NOT:$<PLATFORM_ID:Darwin>>:-Wl,--start-group>
     c-unit-tests_rust_c
diff --git a/test/unit-test/CMakeLists.txt b/test/unit-test/CMakeLists.txt
index 6af60de227..efda070a3c 100644
--- a/test/unit-test/CMakeLists.txt
+++ b/test/unit-test/CMakeLists.txt
@@ -31,7 +31,7 @@ endif()
 
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-unused-parameter -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-bad-function-cast")
 
-add_library(mocks STATIC
+add_library(mocks STATIC EXCLUDE_FROM_ALL
     framework/src/mock_gestures.c
     framework/src/mock_screen_stack.c
     framework/src/mock_memory.c
@@ -89,7 +89,7 @@ else()
     add_executable(${EXE} test_${TEST_NAME}.c)
     # asan must be first library in linking order
     target_link_libraries(${EXE} PRIVATE
-      $<$<BOOL:${SANITIZE_ADDRESS}>:asan>
+      $<$<BOOL:${SANITIZE_ADDRESS}>:-fsanitize=address>
       $<$<BOOL:${SANITIZE_UNDEFINED}>:-fsanitize=undefined>
       -Wl,--start-group
       c-unit-tests_rust_c
@@ -114,11 +114,13 @@ add_library(u2f-util
   u2f/u2f_util_t.c
 )
 target_include_directories(u2f-util
-  PUBLIC
-  ${CMAKE_CURRENT_SOURCE_DIR}
   SYSTEM PUBLIC
   ${HIDAPI_INCLUDE_DIRS}
 )
+target_include_directories(u2f-util
+  PUBLIC
+  ${CMAKE_CURRENT_SOURCE_DIR}
+)
 
 # NOTE: we only depend on include directories and definitions from c-unit-tests_rust_c
 target_link_libraries(u2f-util PUBLIC ${HIDAPI_LDFLAGS} c-unit-tests_rust_c)
@@ -136,7 +138,7 @@ foreach(TEST_NAME ${U2F_TESTS})
   # This tests link to our code
   add_executable(${EXE} test_${TEST_NAME}.c framework/src/mock_hidapi.c)
   target_link_libraries(${EXE} PRIVATE
-    $<$<BOOL:${SANITIZE_ADDRESS}>:asan>
+    $<$<BOOL:${SANITIZE_ADDRESS}>:-fsanitize=address>
     $<$<BOOL:${SANITIZE_UNDEFINED}>:-fsanitize=undefined>
     $<$<NOT:$<PLATFORM_ID:Darwin>>:-Wl,--start-group>
     c-unit-tests_rust_c
@@ -152,7 +154,7 @@ foreach(TEST_NAME ${U2F_TESTS})
   add_executable(${EXE} test_${TEST_NAME}.c)
   # asan must be first library in linking order
   target_link_libraries(${EXE} PRIVATE
-    $<$<BOOL:${SANITIZE_ADDRESS}>:asan>
+    $<$<BOOL:${SANITIZE_ADDRESS}>:-fsanitize=address>
     $<$<BOOL:${SANITIZE_UNDEFINED}>:-fsanitize=undefined>
     u2f-util
   )