CIS Apple MacOS 14.0 Sonoma v1.0.0

CIS Apple macOS 14.
0
Sonoma
v1.0.0 - 10-16-2023
Terms of Use
Please see the below link for our current terms of use:
https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Page 1
Table of Contents
Terms of Use ..................................................................................................................... 1
Table of Contents ............................................................................................................. 2
Overview ............................................................................................................................ 3
Intended Audience ..................................................................................................................... 4
Consensus Guidance................................................................................................................. 5
Typographical Conventions ...................................................................................................... 6
Recommendation Definitions ......................................................................................... 7
Title............................................................................................................................................... 7
Assessment Status .................................................................................................................... 7
Automated ............................................................................................................................................... 7
Manual...................................................................................................................................................... 7
Profile ........................................................................................................................................... 7
Description .................................................................................................................................. 7
Rationale Statement ................................................................................................................... 7
Impact Statement........................................................................................................................ 8
Audit Procedure.......................................................................................................................... 8
Remediation Procedure ............................................................................................................. 8
Default Value ............................................................................................................................... 8
References .................................................................................................................................. 8
CIS Critical Security Controls® (CIS Controls®) ...................................................................... 8
Additional Information ............................................................................................................... 8
Profile Definitions ....................................................................................................................... 9
Acknowledgements .................................................................................................................. 10
Recommendations ......................................................................................................... 11
Appendix: Summary Table .......................................................................................... 417
Appendix: Change History .......................................................................................... 457
Page 2
Overview
All CIS Benchmarks focus on technical configuration settings used to maintain and/or
increase the security of the addressed technology, and they should be used in
conjunction with other essential cyber hygiene tasks like:
• Monitoring the base operating system for vulnerabilities and quickly updating with
the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating with
the latest security patches
In the end, the CIS Benchmarks are designed as a key component of a comprehensive
cybersecurity program.
Page 3
This document, CIS Apple macOS 14.0 Sonoma Benchmark, provides prescriptive
guidance for establishing a secure configuration posture for Apple macOS 14.0
Sonoma. This guide was tested against Apple macOS 14.0 Sonoma. To obtain the
latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have
questions, comments, or have identified ways to improve this guide, please write us at
[email protected].
This Benchmark includes instructions for auditing and remediation containing three
different methods: Graphical User Interface (GUI), Command Line Interface using
Terminal (CLI), and Configuration Profiles. These may be used to evaluate current
configuration status and make changes as desired. In most cases, all methods are
supported by the Operating System and it is up to organizational implementation
personnel on how best to implement. There are some recommendations that can only
be managed through one of these methods. Each organization must decide if control
management outside their standard process is required if no solution is possible through
their organization's specific choice of implementation. It is best practice at this time for
Enterprise-managed devices to use profiles for management. A mix of both profile
device management and command line hardening scripts will be the most
comprehensive solution.
With the functionality of mobile configuration profiles, there has been an update to
several recommendations. Any recommendation that is user specific but has a profile
that sets a system-wide setting are compliant only with the profile installed. Any user
specific settings have been moved to the Additional Information section but will no
longer pass the audit.
More profile information
https://developer.apple.com/documentation/devicemanagement
https://developer.apple.com/documentation/devicemanagement/configuring_multiple_de
vices_using_profiles
Organizations that are using profiles should remember that a profile can limit what, if
any, settings can be changed based on the profile payload. Even authorized
organization technical personnel may not be able to change a setting with a profile in
place. If technical personnel are expected to make changes that are contrary to profile
settings, the profile may need to be reviewed in order to verify which accounts and what
conditions apply, or a process to temporarily remove the profile should be in place.
Intended Audience
This document is intended for system and application administrators, security
specialists, auditors, help desk, and platform deployment personnel who plan to
develop, deploy, assess, or secure solutions that incorporate Apple macOS 14.0
Sonoma.
Page 4
Consensus Guidance
This CIS Benchmark was created using a consensus review process comprised of a
global community of subject matter experts. The process combines real world
experience with data-based information to create technology specific guidance to assist
users to secure their environments. Consensus participants provide perspective from a
diverse set of backgrounds including consulting, software development, audit and
compliance, security research, operations, government, and legal.
Each CIS Benchmark undergoes two phases of consensus review. The first phase
occurs during initial Benchmark development. During this phase, subject matter experts
convene to discuss, create, and test working drafts of the Benchmark. This discussion
occurs until consensus has been reached on Benchmark recommendations. The
second phase begins after the Benchmark has been published. During this phase, all
feedback provided by the Internet community is reviewed by the consensus team for
incorporation in the Benchmark. If you are interested in participating in the consensus
process, please visit https://workbench.cisecurity.org/.
Page 5
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention Meaning
Used for blocks of code, command, and script

Stylized Monospace font examples. Text should be interpreted exactly as
presented.
Monospace font Used for inline code, commands, or examples.

Text should be interpreted exactly as presented.
Italic texts set in angle brackets denote a variable

<italic font in brackets> requiring substitution for a real value.
Used to denote the title of a book, article, or other

Italic font
publication.
Note Additional information or caveats
Page 6
Recommendation Definitions
The following defines the various components included in a CIS recommendation as
applicable. If any of the components are not applicable it will be noted or the
component will not be included in the recommendation.
Title
Concise description for the recommendation's intended configuration.
Assessment Status
An assessment status is included for every recommendation. The assessment status
indicates whether the given recommendation can be automated or requires manual
steps to implement. Both statuses are equally important and are determined and
supported as defined below:
Automated
Represents recommendations for which assessment of a technical control can be fully
automated and validated to a pass/fail state. Recommendations will include the
necessary information to implement automation.
Manual
Represents recommendations for which assessment of a technical control cannot be
fully automated and requires all or some manual steps to validate that the configured
state is set as expected. The expected state can vary depending on the environment.
Profile
A collection of recommendations for securing a technology or a supporting platform.
Most benchmarks include at least a Level 1 and Level 2 Profile. Level 2 extends Level 1
recommendations and is not a standalone profile. The Profile Definitions section in the
benchmark provides the definitions as they pertain to the recommendations included for
the technology.
Description
Detailed information pertaining to the setting with which the recommendation is
concerned. In some cases, the description will include the recommended value.
Rationale Statement
Detailed reasoning for the recommendation to provide the user a clear and concise
understanding on the importance of the recommendation.
Page 7
Impact Statement
Any security, functionality, or operational consequences that can result from following
the recommendation.
Audit Procedure
Systematic instructions for determining if the target system complies with the
recommendation
Remediation Procedure
Systematic instructions for applying recommendations to the target system to bring it
into compliance according to the recommendation.
Default Value
Default value for the given setting in this recommendation, if known. If not known, either
not configured or not defined will be applied.
References
Additional documentation relative to the recommendation.
CIS Critical Security Controls® (CIS Controls®)

The mapping between a recommendation and the CIS Controls is organized by CIS
Controls version, Safeguard, and Implementation Group (IG). The Benchmark in its
entirety addresses the CIS Controls safeguards of (v7) “5.1 - Establish Secure
Configurations” and (v8) '4.1 - Establish and Maintain a Secure Configuration Process”
so individual recommendations will not be mapped to these safeguards.
Additional Information
Supplementary information that does not correspond to any other field but may be
useful to the user.
Page 8
Profile Definitions
The following configuration profiles are defined by this Benchmark:
• Level 1
Items in this profile intend to:
o be practical and prudent;

o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.
• Level 2
This profile extends the "Level 1" profile. Items in this profile exhibit one or more
of the following characteristics:
o are intended for environments or use cases where security is paramount

o acts as defense in depth measure
o may negatively inhibit the utility or performance of the technology.
Page 9
Acknowledgements
This Benchmark exemplifies the great things a community of users, vendors, and
subject matter experts can accomplish through consensus collaboration. The CIS
community thanks the entire consensus team with special recognition to the following
individuals who contributed greatly to the creation of this guide:
Author
Ron Colvin
Contributor
William Harrison
Mark Andersen
Ben Montour
Sara Archacki
Hao Shu
Jeffrey Compton
Jorge Escobar
Tim Harrison CISSP, ICP, KMP, Center for Internet Security, New York
Laura Gardner
Michael Scarborough
Mauro Faccenda
Jason Olsen BSCS, ACSP 10.9, ACMT 2015, Comerica Bank
Mischa van der Bent
Bob Gendler
Dan Brodjieski
Allen Golbig
Jason Blake
Isaac Ordonez , Mann Consulting
Joe Goerlich , Siemens AG
Kari Byrd
John Mahlman
Henry Stamerjohann CISSP, CCSP
Ron Colvin, Ron Colvin
Matt Durante
Editor
Eric Pinnell
Edward Byrd
Page 10
Recommendations
1 Install Updates, Patches and Additional Security Software
Install Updates, Patches and Additional Security Software
Page 11
1.1 Ensure All Apple-provided Software Is Current (Automated)
Profile Applicability:
• Level 1
Description:
Software vendors release security patches and software updates for their products
when security vulnerabilities are discovered. There is no simple way to complete this
action without a network connection to an Apple software repository. Please ensure
appropriate access for this control. This check is only for what Apple provides through
software update.
Software updates should be run at minimum every 30 days. Run the following command
to verify when software update was previously run:
$ /usr/bin/sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate |
grep -e LastFullSuccessfulDate.
The response should be in the last 30 days (Example): LastFullSuccessfulDate =

"2020-07-30 12:45:25 +0000";
Rationale:
It is important that these updates be applied in a timely manner to prevent unauthorized
persons from exploiting the identified vulnerabilities.
Impact:
Installation of updates can be disruptive to the users especially if an restart is required.

Major updates need to be applied after creating an organizational patch policy. It is also
advised to run updates and forced restarts during system downtime and not while in
active use.
Page 12
Audit:
Graphical Method:
Perform the following to ensure there are no available software updates:
1. Open System Settings

2. Select General
3. Select Software Update
4. Select Show Updates to verify that there are no software updates available
Terminal Method:
Run the following command to verify there are no software updates:
$ /usr/bin/sudo /usr/sbin/softwareupdate -l
Software Update Tool
Finding available software

No new software available.
Note: If you are running a previous version of macOS, the output will say that the
current version is available. As long as the system is on the current point release of
macOS, it is compliant. It is recommended that your organization moves to the current
version of macOS once a .1 version is released. Be aware that old macOS versions will
stop receiving any updates.
Note: Computers that have installed pre-release software in the past will fail this check
if there are pre-release software updates available when audited.
Remediation:
Graphical Method:
Perform the following to install all available software updates:

2. Select General
4. Select Update All
Page 13
Terminal Method:
Run the following command to verify what packages need to be installed:
The output will include the following:

Software Update found the following new or updated software:
Run the following command to install all the packages that need to be updated:
To install all updates run the command:
$ /usr/bin/sudo /usr/sbin/softwareupdate -i -a
Or run the following command to install individual packages:
$ /usr/bin/sudo /usr/sbin/softwareupdate -i '<package name>'
Note: If one of the software updates listed includes Action: restart, then you must
attach the -R flag to force a system restart. If the system update is complete but no
restart occurs, then the system is in an unknown state that requires a future restart. It is
advised to run updates and forced restarts during system downtime and not while in
active use.
example:

Software Update found the following new or updated software:
* Label: ProVideoFormats-2.2.7
Title: Pro Video Formats, Version: 2.2.7, Size: 9693KiB, Recommended:
YES,
* Label: Command Line Tools for Xcode-15.0
Title: Command Line Tools for Xcode, Version: 15.0, Size: 721962KiB,
Recommended: YES,
$ /usr/bin/sudo /usr/sbin/softwareupdate -i 'ProVideoFormats-2.2.7'

Attempting to quit apps: (
"com.apple.Compressor"
)
Waiting for user to quit any relevant apps
Successfully quit all apps
Downloaded Pro Video Formats

Installing Pro Video Formats
Done with Pro Video Formats
Done.
In the above example, if a restart was required, the command to remediate would be
/usr/bin/sudo /usr/sbin/softwareupdate -i 'ProVideoFormats-2.2.7' -R
Page 14
References:
1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
7.3 Perform Automated Operating System Patch

v8 Management
Perform operating system updates on enterprise assets through automated
● ● ●
patch management on a monthly, or more frequent, basis.
7.4 Perform Automated Application Patch Management

v8 Perform application updates on enterprise assets through automated patch ● ● ●
management on a monthly, or more frequent, basis.
3.4 Deploy Automated Operating System Patch

Management Tools
v7 Deploy automated software update tools in order to ensure that the operating ● ● ●
systems are running the most recent security updates provided by the software
vendor.
3.5 Deploy Automated Software Patch Management

Tools
v7 Deploy automated software update tools in order to ensure that third-party ● ● ●
software on all systems is running the most recent security updates provided by
the software vendor.
Page 15
1.2 Ensure Auto Update Is Enabled (Automated)
• Level 1
Description:
Auto Update verifies that your system has the newest security patches and software
updates. If "Automatically check for updates" is not selected, background updates for
new malware definition files from Apple for XProtect and Gatekeeper will not occur.
http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-
mavericks-and-yosemite/
Rationale:
It is important that a system has the newest updates applied so as to prevent
unauthorized persons from exploiting identified vulnerabilities.
Impact:
Without automatic update, updates may not be made in a timely manner and the system
will be exposed to additional risk.
Audit:
Graphical Method:
Perform the following steps to ensure the system is automatically checking for updates:

2. Select General
4. Select the i
5. Verify that Check for updates is enabled
Terminal Method:
Run the following command to verify that software updates are automatically checked:
$ /usr/bin/sudo /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('AutomaticCheckEnabled').js
EOS
true
Note: If automatic updates were selected during system setup, this setting may not
have left an auditable artifact. Please turn off the check and re-enable when the GUI
does not reflect the audited results.
Page 16
Remediation:
Graphical Method:
Perform the following steps to enable the system to automatically check for updates:

2. Select General
4. Select the i
5. Set Check for updates to enabled
6. Select Done
Terminal Method:
Run the following command to enable auto update:
$ /usr/bin/sudo /usr/bin/defaults write
/Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool
true
Profile Method:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.SoftwareUpdate

2. The key to include is AutomaticCheckEnabled
3. The key must be set to <true/>
Page 17
CIS Controls:
Controls
Version

v8 Management
● ● ●


Management Tools
vendor.

Tools
Page 18
1.3 Ensure Download New Updates When Available Is Enabled
(Automated)
• Level 1
Description:
In the GUI, both "Install macOS updates" and "Install app updates from the App Store"
are dependent on whether "Download new updates when available" is selected.
Rationale:
It is important that a system has the newest updates downloaded so that they can be
applied.
Impact:
If "Download new updates when available" is not selected, updates may not be made in
a timely manner and the system will be exposed to additional risk.
Audit:
Perform the following to ensure the system is automatically checking for updates:
Graphical Method:

2. Select General
4. Select the i
5. Verify that Download new updates when available is enabled
Terminal Method:
Run the following command to verify that software updates are automatically checked:
.objectForKey('AutomaticDownload').js
EOS
true
Page 19
Remediation:
Perform the following to enable the system to automatically check for updates:
Graphical Method:

2. Select General
4. Select the i
5. Set Download new updates when available to enabled
6. Select Done
Terminal Method:
Run the following command to enable auto update:
/Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
Profile Method:

2. The key to include is AutomaticDownload
CIS Controls:
Controls
Version

v8 Management
● ● ●


Management Tools
vendor.

Tools
Page 20
1.4 Ensure Install of macOS Updates Is Enabled (Automated)
• Level 1
Description:
Ensure that macOS updates are installed after they are available from Apple. This
setting enables macOS updates to be automatically installed. Some environments will
want to approve and test updates before they are delivered. It is best practice to test
first where updates can and have caused disruptions to operations. Automatic updates
should be turned off where changes are tightly controlled and there are mature testing
and approval processes. Automatic updates should not be turned off simply to allow the
administrator to contact users in order to verify installation. A dependable, repeatable
process involving a patch agent or remote management tool should be in place before
auto-updates are turned off.
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being
exploited.
Impact:
Unpatched software may be exploited.
Page 21
Audit:
Graphical Method:
Perform the following to ensure that macOS updates are set to auto update:

2. Select General
4. Select the i
5. Verify that Install macOS updates is enabled
or

2. Select Privacy & Security
3. Select Profiles
4. Verify that an installed profile has Automatically Install macOS Updates set to
True
Terminal Method:
Run the following command to verify that macOS updates are automatically checked
and installed:
.objectForKey('AutomaticallyInstallMacOSUpdates').js
EOS
true
Page 22
Remediation:
Graphical Method:
Perform the following steps to enable macOS updates to run automatically:

2. Select General
4. Select the i
5. Set Install macOS updates to enabled
6. Select Done
Terminal Method:
Run the following command to to enable automatic checking and installing of macOS
updates:
/Library/Preferences/com.apple.SoftwareUpdate
AutomaticallyInstallMacOSUpdates -bool TRUE
Profile Method:

2. The key to include is AutomaticallyInstallMacOSUpdates
Page 23
CIS Controls:
Controls
Version

v8 Management
● ● ●


Management Tools
vendor.

Tools
Page 24
1.5 Ensure Install Application Updates from the App Store Is
Enabled (Automated)
• Level 1
Description:
Ensure that application updates are installed after they are available from Apple. These
updates do not require reboots or administrator privileges for end users.
Rationale:
exploited.
Impact:
Page 25
Audit:
Graphical Method:
Perform the following steps to ensure that App Store updates install automatically:

2. Select General
4. Select the i
5. Verify that Install application updates from the App Store is enabled
or

3. Select Profiles
4. Verify that an installed profile has Automatically Install App Updates set to
True
Terminal Method:
Run the following command to verify that App Store updates are auto updating:
function run() {
let pref1 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.commerce')\
.objectForKey('AutoUpdate'))
let pref2 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdat
e')\
.objectForKey('AutomaticallyInstallAppUpdates'))
if ( pref1 == 1 || pref2 == 1 ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 26
Remediation:
Graphical Method:
Perform the following steps to enable App Store updates to install automatically:

2. Select General
4. Select the i
5. Set Install application updates from the App Store to enabled
6. Select Done
Terminal Method:
Run the following command to turn on App Store auto updating:
/Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE
Note: This remediation requires a log out and log in to show in the GUI.
Profile Method:

2. The key to include is AutomaticallyInstallAppUpdates
Page 27
CIS Controls:
Controls
Version

v8 Management
● ● ●


Management Tools
vendor.

Tools
Page 28
1.6 Ensure Install Security Responses and System Files Is
Enabled (Automated)
• Level 1
Description:
Ensure that system and security updates are installed after they are available from
Apple. This setting enables definition updates for XProtect and Gatekeeper. With this
setting in place, new malware and adware that Apple has added to the list of malware or
untrusted software will not execute. These updates do not require reboots or end user
admin rights.
Apple has introduced a security feature that allows for smaller downloads and the
installation of security updates when a reboot is not required. This feature is only
available when the last regular update has already been applied. This feature
emphasizes that a Mac must be up-to-date on patches so that Apple's security tools can
be used to quickly patch when a rapid response is necessary.
Rationale:
exploited.
Impact:
Page 29
Audit:
Graphical Method:
Perform the following steps to ensure that system data files and security updates install
automatically:

2. Select General
4. Select the i
5. Verify that Install Security Responses and System files is enabled
Terminal Method:
Run the following commands to verify that system data files and security updates are
automatically checked:
function run() {
let pref1 =
e')\
.objectForKey('ConfigDataInstall'))
let pref2 =
e')\
.objectForKey('CriticalUpdateInstall'))
if ( pref1 == 1 && pref2 == 1 ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 30
Remediation:
Graphical Method:
Perform the following steps to enable system data files and security updates to install
automatically:

2. Select General
4. Select the i
5. Set Install Security Responses and System files to enabled
6. Select Done
Terminal Method:
Run the following commands to enable automatic checking of system data files and
security updates:
/Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true

/Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool
true
Profile Method:

2. The key to include is ConfigDataInstall
4. The key to also include is CriticalUpdateInstall
References:
1. https://eclecticlight.co/2021/10/27/silently-updated-security-data-files-in-
monterey/
2. https://support.apple.com/en-us/HT202491
3. https://support.apple.com/guide/security/protecting-against-malware-
sec469d47bd8/web
4. https://support.apple.com/guide/deployment/rapid-security-responses-
dep93ff7ea78/1/web/1.0
Page 31
CIS Controls:
Controls
Version

v8 Management
● ● ●

7.7 Remediate Detected Vulnerabilities

v8 Remediate detected vulnerabilities in software through processes and tooling ● ●
on a monthly, or more frequent, basis, based on the remediation process.

Management Tools
vendor.

Tools
Page 32
1.7 Ensure Software Update Deferment Is Less Than or Equal to
30 Days (Automated)
• Level 1
Description:
Apple provides the capability to manage software updates on Apple devices through
mobile device management. Part of those capabilities permit organizations to defer
software updates and allow for testing. Many organizations have specialized software
and configurations that may be negatively impacted by Apple updates. If software
updates are deferred, they should not be deferred for more than 30 days. This control
only verifies that deferred software updates are not deferred for more than 30 days.
Rationale:
Apple software updates almost always include security updates. Attackers evaluate
updates to create exploit code in order to attack unpatched systems. The longer a
system remains unpatched, the greater an exploit possibility exists in which there are
publicly reported vulnerabilities.
Impact:
Some organizations may need more than 30 days to evaluate the impact of software
updates.
Audit:
Perform the following to ensure that software updates are deferred at most 30 days:
Graphical Method:

3. Select Profiles
4. Verify that Deferred Software Update Delays (Days) is set to ≤ 30
Terminal Method:
Run the following command to verify that a profile is installed that defers software
updates to at most 30 days:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('enforcedSoftwareUpdateDelay').js
EOS
If there is an output, it should be ≤ 30.

Note: If your organization does not use a software deferment mobile configuration,
there will be no output and will pass the audit.
Page 33
Remediation:
Profile Method:
1. The PayloadType string is com.apple.applicationaccess

2. The key to include is enforcedSoftwareUpdateDelay
3. The key must be set to <integer><1-30></integer>
References:
1. https://support.apple.com/guide/deployment/manage-software-updates-
depc4c80847a/web
CIS Controls:
Controls
Version

v8 Management
● ● ●


Management Tools
vendor.

Tools
Page 34
1.8 Ensure the System is Managed by a Mobile Device
Management (MDM) Software (Manual)
• Level 1
Description:
Apple provides the capability to manage macOS, iOS and iPadOS using Mobile Device
Management (MDM). Profiles are used to configure devices to enforce security controls
as well as to configure the devices for authorized access. Many security controls
available on Apple devices are only available through the use of profile settings using
MDM. This capability is also misused by attackers who have added rogue profiles to the
list of unwanted software and fake software updates to induce users to approve the
installation of malicious content. Organizations should have Mobile Device management
software in place to harden organizationally managed devices and take advantage of
additional Apple controls as well as to make the devices more resistant to attackers
enticing users to install unwanted content from rogue MDMs.
Rationale:
Mobile Device Management is the preferred Apple method to manage Apple devices.
Some capability in this technology is a requirement for the enforcement of some
controls. Users with managed devices should be trained and familiar with authrized
content provided through the organizations' MDM.
Impact:
An MDM is yet another additional tool that requires technically adept personnel to
manage correctly. In theory proper use of an MDM can make services provisioning
simpler with configuration profiles to reach authorized services.
Audit:
Terminal Method:
Run the following to verify the system is enrolled in a Mobile Device Management
software:
$ sudo /usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM
enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"
Page 35
Remediation:
Enroll the system in a Mobile Device Management software.
References:
1. https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
2. https://controlfreak.risk-redux.io/controls/CM-06
3. https://support.apple.com/guide/deployment/intro-to-mdm-profiles-
depc0aadd3fe/web#:~:text=iOS%2C%20iPadOS%2C%20macOS%2C%20and,t
he%20user%20or%20your%20organization.
4. http://lockboxx.blogspot.com/2019/03/macos-red-teaming-202-profiles.html
5. https://simplemdm.com/blog/mdm-migration/
Additional Information:
Apple first announced Declarative Device Management at WWDC 2021 and has since
confirmed that future management capabilities will specifically focus on the declarative
management feature set.
Per Apple, "Declarative Device Management is an update to the existing protocol for
device management that can be used in combination with the existing MDM protocol
capabilities. It allows the device to asynchronously apply settings and report status back
to the MDM solution without constant polling."
Organizations must ensure that their MDM solution supports this feature to utilize
Declarative Device Management. Organizations interested in leveraging Declarative
Device Management (DDM) must become familiar with its capabilities and how it will
interact with other tools.
The Center of Internet Security does not endorse any particular MDM vendor or
methodology for managing macOS devices. However, we aim to provide information for
administrators, security specialists, auditors, help desk personnel, and platform
deployment personnel involved in developing, deploying, assessing, or securing
solutions incorporating Apple macOS 14.0 Sonoma.
A feature of Declarative Device Management is the ability to deploy "Legacy Declarative
Configurations." You can use this configuration to download and install profiles with
payloads unavailable as declarative configurations. In addition, Declarative Device
Management now supports managing already installed MDM profiles without needing to
remove them. An MDM server must send and activate a configuration containing the
same profile as one already installed by MDM. The Declarative Device Management
system will then take over the management of that profile without reinstalling or
updating it. At that point, Declarative Device Management owns the profile. Using
Legacy Declarative Configurations will result in the configuration data being written out
to PLIST files, the same as a configuration profile. With Declarative Management taking
over a configuration profile with Legacy Declarative Configurations, MDM will not be
able to make changes to it.
Page 36
When implementing Declarative Device Management, MDM servers will write
configuration data into an encrypted data container inaccessible to the device. The
current state of a device's Declarative configuration and emitted status items will only be
accessible by the MDM. Monitoring and auditing of the settings should be done on the
local system against the state of the device.
Only the MDM solution can subscribe to the declarative status channel and reports of
devices to be aware of the state of the configurations applied to the system. As a result,
security and auditing solutions may have to query the MDM server directly for the state
of configurations and compliance instead of scanning the local macOS system for this
information. Because Configuration Profiles and Declarative Configurations may live
side by side while Declarative Device Management becomes more widely adopted,
organizations must decide which is best for the business and be mindful when utilizing
both management features.
For macOS 14.0 Sonoma, implementing certain Declarative Configurations may affect
the ability to perform auditing or remediation outlined within this benchmark.
Organizations may be required to defer to their MDM solution for audit and validation. 1:
Using Declarative Configuration Services: Utilizing this allows for managing System
Integrity Protected (SIP) Services, including sshd, sudo, PAM, CUPS, Apache httpd,
bash, and z-shell. *Affects (as labeled in Ventura Benchmark): CIS 2.3.3.4, CIS 2.3.3.5,
CIS 4.2, CIS 5.4 2: Passcode/Password Policies. *Affects the entire 5.2 Password
Management section (as labeled in Ventura Benchmark).
Supportive Links:
Apple Platform Deployment: https://support.apple.com/guide/deployment/welcome/web
Meet Declarative Device Management (WWDC21):
https://developer.apple.com/wwdc21/10131 Review declarative configurations for Apple
devices: https://support.apple.com/guide/deployment/review-declarative-configurations-
depf858becef/web
CIS Controls:
Controls
Version
4.1 Establish and Maintain a Secure Configuration Process

Establish and maintain a secure configuration process for enterprise assets
v8 (end-user devices, including portable and mobile, non-computing/IoT devices, and
servers) and software (operating systems and applications). Review and update
● ● ●
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.
Page 37
2 System Settings
This section contains recommendations related to configurable options in the System
Settings application.
Page 38
2.1 Apple ID
Apple is a hardware manufacturer that develops operating systems for the hardware it
creates. Apple is also a cloud service provider and those services include applications,
music, books, television, cloud storage, etc. Apple simplifies the process to ensure that
all user devices are entitled to content where the user has purchased access, or is part
of an Apple basic level of entitlement (BLE) for purchasing an Apple device. The use of
an Apple ID allows for a consistent access and experience across all Apple devices. An
Apple ID functions as Single Sign-On access to all Apple provided services. It is critical
that each user's account is protected appropriately so that unauthorized access risk is
heavily mitigated.
https://support.apple.com/en-us/HT203993
https://en.wikipedia.org/wiki/Apple_ID
https://www.lifewire.com/what-is-an-apple-id-1994330
https://support.apple.com/en-us/HT201303
Page 39
2.1.1 iCloud
iCloud is Apple's service for synchronizing, storing, and backing up data from Apple
applications in both macOS and iOS.
macOS controls for iCloud are part of the Apple ID settings in macOS. The configuration
options in macOS resemble the options in iOS.
Apple's iCloud is a consumer-oriented service that allows a user to store data as well as
find, control, and back up devices that are associated with their Apple ID (Apple
account). The use of iCloud on Enterprise devices should align with the acceptable use
policy for devices that are managed, as well as confidentiality requirements for data
handled by the user. If iCloud is allowed, the data that is copied to Apple servers will
likely be duplicated on both personal as well as Enterprise devices.
For many users, the Enterprise email system may replace many of the available
features in iCloud. Calendars, notes, and contacts can sync to the official Enterprise
repository and be available through multiple devices if using either an Exchange or
Google environment email.
Depending on workplace requirements, it may not be appropriate to intermingle
Enterprise and personal bookmarks, photos, and documents. Since the service allows
every device associated with the user's ID to synchronize and have access to the cloud
storage, the concern is not just about having sensitive data on Apple's servers, but also
having that same data on the phone of the teenage son or daughter of an employee.
The use of family sharing options can reduce the risk.
Apple's iCloud is just one of many cloud-based solutions being used for data
synchronization across multiple platforms, and it should be controlled consistently with
other cloud services in your environment. Work with your employees and configure the
access to best enable data protection for your mission.
Page 40
2.1.1.1 Audit iCloud Keychain (Manual)
• Level 2
Description:
The iCloud keychain is Apple's password manager that works with macOS and iOS.
The capability allows users to store passwords in either iOS or macOS for use in Safari
on both platforms and other iOS-integrated applications. The most pervasive use is
driven by iOS use rather than macOS. The passwords stored in a macOS keychain on
an Enterprise-managed computer could be stored in Apple's cloud and then be
available on a personal computer using the same account. The stored passwords could
be for organizational as well as for personal accounts.
If passwords are no longer being used as organizational tokens, they are not in scope
for iCloud keychain storage.
Rationale:
Ensure that the iCloud keychain is used consistently with organizational requirements.
Page 41
Audit:
Graphical Method:
Perform the following steps to verify the iCloud keychain sync service:

2. Select Apple ID
3. Select iCloud
4. Verify that Keychain is set to your organization's requirements
or

3. Select Profiles
4. Verify that an installed profile has Disallow iCloud Keychain Sync set to your
organization's requirements
Terminal Method:
For each user, run this command to verify the iCloud keychain sync services:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read
/Users/<username>/Library/Preferences/MobileMeAccounts | grep -B 1
KEYCHAIN_SYNC
Enabled = <0,1>;
Name = "KEYCHAIN_SYNC";
The output will be either a 0, disabled, or 1, enabled. Verify if the setting meets your
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read
/Users/seconduser/Library/Preferences/MobileMeAccounts | grep -B 1
KEYCHAIN_SYNC
Enabled = 0;
Name = "KEYCHAIN_SYNC";
or
Run the following command to verify that a profile is installed that sets iCloud Keychain
sync to your organizations settings:
.objectForKey('allowCloudKeychainSync').js
EOS
If the output is false, iCloud Keychain Sync is disabled. If the output is true, iCloud
Keychain sync is enabled.
Page 42
Remediation:
Graphical Method:
Perform the following steps to set iCloud keychain sync based on your organization's
requirements:

2. Select Apple ID
3. Select iCloud
4. Set Keychain to meet your organization's requirements
Profile Method:

2. The key to include is allowCloudKeychainSync
3. The key should be set <true/>, to allow iCloud keychain syncing, or <false/>, to
disable it, based on your organization's requirements
Note: Since the profile method sets a system-wide setting and not a user-level one, the
profile method is the preferred method. It is always better to set system-wide than per
user.
Page 43
CIS Controls:
Controls
Version

● ● ●
4.8 Uninstall or Disable Unnecessary Services on

v8 Enterprise Assets and Software ● ●
Uninstall or disable unnecessary services on enterprise assets and software,
such as an unused file sharing service, web application module, or service function.
15.3 Classify Service Providers

Classify service providers. Classification consideration may include one or more
v8 characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
● ●
classifications annually, or when significant enterprise changes occur that could

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.
Page 44
2.1.1.2 Audit iCloud Drive (Manual)
• Level 2
Description:
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use
the same files that are resident in Apple's cloud storage. The iCloud Drive folder is
available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be
inappropriately stored in an end user's personal repository. Organizations that need
specific controls on information should ensure that this service is turned off or the user
knows what information must be stored on services that are approved for storage of
controlled information.
Rationale:
Organizations should review third party storage solutions pertaining to existing data
confidentiality and integrity requirements.
Impact:
Users will not be able to use continuity on macOS to resume the use of newly
composed but unsaved files.
Page 45
Audit:
Graphical Method:
Perform the following steps to verify if iCloud Drive is enabled:

2. Select Apple ID
3. Select iCloud
4. Verify that iCloud Drive is set to your organization's requirements
or

3. Select Profiles
4. Verify that an installed profile has Disallow iCloud Drive set to your
Terminal Method:
Run the following command to verify that iCloud Drive is set to your organizations
specifications:
/Users/<username>/Library/Preferences/MobileMeAccounts | /usr/bin/grep -B 1
MOBILE_DOCUMENTS
The output will include Enabled = and iCloud Drive is either enabled, 1, or disabled, 0.
Verify that the service is set to your organization's requirements.
example:
/Users/seconduser/Library/Preferences/MobileMeAccounts | /usr/bin/grep -B 1
MOBILE_DOCUMENTS
Enabled = 0;
Name = "MOBILE_DOCUMENTS";
or
Run the following command to verify that a profile is installed that sets iCloud Drive sync
to your organization's settings:
.objectForKey('allowCloudDocumentSync').js
EOS
If the output is false, iCloud Drive Sync is disabled. If the output is true, iCloud Drive
sync is enabled.
Page 46
Remediation:
Graphical Method:
Perform the following to set iCloud Drive to your organization's requirements:

2. Select Apple ID
3. Select iCloud
4. Set iCloud Drive to meet your organization's requirements
Profile Method:

2. The key to include is allowCloudDocumentSync
3. The key should be set <true/>, to allow iCloud Drive, or <false/>, to disable it,
based on your organization's requirements
user.
References:
1. https://developer.apple.com/documentation/devicemanagement/restrictions
Perform the following to verify what applications are syncing with iCloud Drive:

2. Select Apple ID
3. Select iCloud
4. Select iCloud Drive
5. Select Apps syncing to iCloud Drive
6. Verify the applications that are syncing to iCloud Drive are set to your
Page 47
CIS Controls:
Controls
Version

● ● ●


● ●

Page 48
2.1.1.3 Ensure iCloud Drive Document and Desktop Sync Is
Disabled (Automated)
• Level 2
Description:
With macOS 10.12, Apple introduced the capability to have a user's Desktop and
Documents folders automatically synchronize to the user's iCloud Drive, provided they
have enough room purchased through Apple on their iCloud Drive. This capability
mirrors what Microsoft is doing with the use of OneDrive and Office 365. There are
concerns with using this capability.
The storage space that Apple provides for free is used by users with iCloud mail, all of a
user's Photo Library created with the ever larger Multi-Pixel iPhone cameras, and all
iOS Backups. Adding a synchronization capability for users who have files going back a
decade or more, storage may be tight using the free 5GB provided without purchasing
much larger storage capacity from Apple. Users with multiple computers running 10.12
and above with unique content on each will have issues as well.
Enterprise users may not be allowed to store Enterprise information in a third-party
public cloud. In previous implementations, such as iCloud Drive or DropBox, the user
selected what files were synchronized even if there were no other controls. The new
feature synchronizes all files in a folder widely used to put working files.
The automatic synchronization of all files in a user's Desktop and Documents folders
should be disabled.
https://derflounder.wordpress.com/2016/09/23/icloud-desktop-and-documents-in-
macos-sierra-the-good-the-bad-and-the-ugly/
Rationale:
Automated Document synchronization should be planned and controlled to approved
storage.
Impact:
Users will not be able to use iCloud for the automatic sync of the Desktop and
Documents folders.
Page 49
Audit:
Graphical Method:
Perform the following steps to verify if Desktop and Documents in iCloud Drive is
enabled:

3. Select Profiles
4. Verify that an installed profile has Disallow iCloud Desktop & Documents Sync
set to True
Terminal Method:
Run the following command to verify that a profile is installed that disables iCloud
Document and Desktop Sync:
.objectForKey('allowCloudDesktopAndDocuments').js
EOS
false
Note: Since the profile method sets a system-wide setting, the individual user audit
and/or remediation has been removed. To be complaint, a profile must be installed for
this recommendation. We have included the individual user information in the additional
information section for reference only.
Remediation:
Profile Method:

2. The key to include is allowCloudDesktopAndDocuments
3. The key must be set to <false/>
References:
Page 50
To verify individual users:
Audit:
Graphical Method:
enabled:

2. Select Apple ID
3. Select iCloud
4. Verify that iCloud Drive is disabled
5. If iCloud Drive is enabled, select Options
6. Verify that 'Desktop & Documents Folders` is disabled
Terminal Method:
For each user, run the following command to verify that the Documents and Desktop
folders are not syncing to iCloud:
$ /usr/bin/sudo -u <username> /bin/ls -l /Users/<username>/Library/Mobile\
Documents/com~apple~CloudDocs/Documents/ | /usr/bin/grep total
$ /usr/bin/sudo -u <username> /bin/ls -l /Users/<username>/Library/Mobile\

Documents/com~apple~CloudDocs/Desktop/ | /usr/bin/grep total
example:
$ /usr/bin/sudo -u seconduser /bin/ls -l /Users/seconduser/Library/Mobile\
Documents/com~apple~CloudDocs/Documents/ | /usr/bin/grep total
$ /usr/bin/sudo -u seconduser /bin/ls -l /Users/seconduser/Library/Mobile\

Documents/com~apple~CloudDocs/Desktop/ | /usr/bin/grep total
total 8
In the above example, there is an output so the machine is not compliant.
Remediation:
Graphical Method:
Perform the following steps to disable iCloud Desktop and Document syncing:

2. Select Apple ID
3. Select iCloud
4. Select Options on iCloud Drive
5. Disable Desktop & Documents Folders
Page 51
CIS Controls:
Controls
Version

● ● ●


● ●

Page 52
2.1.1.4 Audit Security Keys Used With AppleIDs (Manual)
• Level 2
Description:
Apple has introduced the capability of using security keys to protect AppleIDs using two-
factor authentication in macOS Ventura 13.2 and in iOS 16.3 and iPadOS 16.3. This
feature along with the purchase of two hardware tokens (a backup device is required)
protects against the compromise of AppleIDs. This feature requires all devices using an
enrolled Apple ID to meet the minimum OS standard.
Rationale:
Users of Apple devices are supported across their devices by using the same Apple ID
to support shard data in both iCloud and across devices. Compromising an AppleID has
become a very attractive target for attackers to gain unauthorized access to iCloud
storage and user devices. Two-factor authentication reduces the risk.
Impact:
Legacy devices and test machines will be challenging to ensure that they are all running
recent Operating Systems that can utilize Security Keys. It is best practice not to use
AppleIDs with access to current user data on legacy and test machines. Technical staff
that use legacy devices are encouraged to create additional Apple IDs that do not need
two-factor protection and can be used for testing on legacy devices when required.
Audit:
Graphical Method:
Perform the following steps to verify if Security Keys is set to your organization's
requirements:

2. Select Apple ID
3. Select Password & Security
4. Verify that Security Keys is set to your organization's requirements
Page 53
Remediation:
Graphical Method:
Perform the following steps to set Security Keys is set to your organization's
requirements:

2. Select Apple ID
3. Select Password & Security
4. Select Add.. to add a security key, or Remove All Security Keys ro remove
security keys, to meet your organization's requirements
References:
2. https://9to5mac.com/2023/02/03/ios-16-3-hardware-security-keys-explained-
video/
3. https://hcsonline.com/images/Security_Key_Apple_ID.pdf
CIS Controls:
Controls
Version
5.2 Use Unique Passwords

v8 Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a
● ● ●
14-character password for accounts not using MFA.

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.
Page 54
2.1.1.5 Audit Freeform Sync to iCloud (Manual)
• Level 2
Description:
Starting with macOS 13.1 (Ventura) Apple has made a collaboration tool (Freeform)
available on macOS, iOS and iPadOS. This application allows for extensive whiteboard
creation and sharing using iCloud. Organizations may want to audit the use of Freeform
iCloud sharing of internally created boards.
Rationale:
Internally created whiteboards may not be authorized to share to external contact
through iCloud.
Audit:
Graphical Method:
enabled:

3. Select Profiles
4. Verify that an installed profile has Disallow iCloud Freeform Sync set to your
organization's requirement
Terminal Method:
Run the following command to verify that a profile is installed that disables iCloud
Document and Desktop Sync:
.objectForKey('allowCloudFreeform').js
EOS
The output should match your organization's requirement
Remediation:
Profile Method:

2. The key to include is allowCloudFreeform
3. The key must be set to <<true/false>/>
Page 55
References:
1. https://www.apple.com/newsroom/2022/12/apple-launches-freeform-a-powerful-
new-app-designed-for-creative-collaboration/
2. https://support.apple.com/guide/freeform/share-a-board-frfma5307056b/mac
3. https://support.apple.com/guide/icloud/set-up-freeform-mmd1b86048ac/icloud
CIS Controls:
Controls
Version

● ● ●


● ●

Page 56
2.1.2 Audit App Store Password Settings (Manual)
• Level 2
Description:
With OS X 10.11, Apple added settings for password storage for the App Store in
macOS. These settings parallel the settings in iOS. As with iOS, the choices are a
requirement to provide a password after every purchase or to have a 15-minute grace
period, and whether or not to require a password for free purchases. The response to
this setting is stored in a cookie and processed by iCloud.
There is plenty of risk information on the wisdom of this setting for parents with children
buying games on iPhones and iPads. The most relevant information here is the
likelihood that users who are not authorized to download software may have physical
access to an unlocked computer where someone who is authorized recently made a
purchase. If that is a concern, a password should be required at all times for App Store
access in the Password Settings controls.
Rationale:
Audit:
Graphical Method:
Perform the following steps to verify that App Store Passwords are set to your
organization's requirements:

2. Select Apple ID
3. Select Media & Purchases
4. Verify that Free Downloads is set to your organization's requirements
5. Verify that Purchases and In-App Purchases is set to your organization's
requirements
Remediation:
Graphical Method:
Perform the following steps to set App Store Passwords to your organization's
requirements:

2. Select Apple ID
3. Select Media & Purchases
4. Set Free Downloads to your organization's requirements
5. Set Purchases and In-App Purchases to your organization's requirements
Page 57
CIS Controls:
Controls
Version

● ● ●


Page 58
2.2 Network
The Network System Settings pane includes the firewall settings. macOS has a built-in
firewall that has two main configuration aspects. Both the Application Layer Firewall
(ALF) and the Packet Filter Firewall (PF) can be used to secure running ports and
services on a Mac. The Application Firewall is the one accessible in System
Preferences under Security. The PF firewall contains many more capabilities than ALF,
but also requires a greater understanding of firewall recipes and rule configurations. For
standard use cases on a Mac, the PF firewall is not necessary. macOS may expose
server services that are reachable remotely, but that is not the primary use case or
design. If custom use cases are required, the PF firewall can provide additional security.
Macs that are used as mobile desktops do not need to use the PF firewall capabilities
unless permanently open ports need to be protected with more granular IP access
controls.
Additional information
https://www.muo.com/tag/mac-really-need-firewall/
https://blog.neilsabol.site/post/quickly-easily-adding-pf-packet-filter-firewall-rules-macos-
osx/
http://marckerr.com/a-simple-guild-to-the-mac-pf-firewall/
https://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/
Page 59
2.2.1 Ensure Firewall Is Enabled (Automated)
• Level 1
Description:
A firewall is a piece of software that blocks unwanted incoming connections to a system.
Apple has posted general documentation about the application firewall:
Rationale:
A firewall minimizes the threat of unauthorized users gaining access to your system
while connected to a network or the Internet.
Impact:
The firewall may block legitimate traffic. Applications that are unsigned will require
special handling.
Page 60
Audit:
Graphical Method:
Perform the following steps to ensure the firewall is enabled:

2. Select Network
3. Verify that the Firewall is Active
or

3. Select Profiles
4. Verify that an installed profile has Firewall set to Enabled
Terminal Method:
Run the following command to verify that the firewall is enabled:
function run() {
app = Application.currentApplication()
app.includeStandardAdditions = true;
let pref1 = app.doShellScript('/usr/bin/defaults read

/Library/Preferences/com.apple.alf globalstate')
let pref2 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.fire
wall')\
.objectForKey('EnableFirewall'))
if ( ( ( pref1 == 1 ) || ( pref1 == 2 ) || ( pref2 == "true" ) ) &&

(pref1 != 0 ) ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 61
Remediation:
Graphical Method:
Perform the following steps to turn the firewall on:

2. Select Network
3. Select Firewall
4. Set Firewall to enabled
Terminal Method:
Run the following command to enable the firewall:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.alf
globalstate -int <value>
For the <value>, use either 1, specific services, or 2, essential services only.
Profile Method:
1. The PayloadType string is com.apple.security.firewall

2. The key to include is EnableFirewall
References:
1. https://support.apple.com/en-us/guide/security/seca0e83763f/web
2. http://support.apple.com/en-us/HT201642
Page 62
Note: After some testing, it was discovered that setting globalstate to 0 in the plist
/Library/Preferences/com.apple.alf disables the firewall even if the profile is
installed. We are now auditing for '0' in that plist even if the profile is installed to give as
much information as possible to administrators.
Your organization might want to verify and limit specific applications that allow incoming
connectivity.
To verify those applications:
Graphical Method:
Perform the following steps to ensure the system is configured as prescribed:

2. Select Network
3. Select Firewall
4. Select Options...
5. Verify that your organizations necessary rules are set
Terminal Method:
Run the following command to verify what applications are allowing incoming
connections:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
The output will show any applications, and their path, and their associated rule.
example:
ALF: total number of apps = 3
1 : /System/Library/CoreServices/RemoteManagement/ARDAgent.app
( Allow incoming connections )
2 : /Applications/Chess.app
3 : /Applications/Contacts.app
( Block incoming connections )
Page 63
To remove unnecessary firewall rules:
Graphical Method:
Perform the following steps to remove unnecessary firewall rules:

2. Select Network
3. Select Firewall
5. Select unneeded rule(s)
6. Select the - below to delete them
Terminal Method:
Run the following command to remove specific applications:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove
</path/application name>
Application at path ( </path/application name> ) removed from firewall
The </path/application name> is the one to be removed from the previous listing.
example:
ALF: total number of apps = 3
1 : /System/Library/CoreServices/RemoteManagement/ARDAgent.app
2 : /Applications/Chess.app
3 : /Applications/Contacts.app
( Block incoming connections )
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove

/Applications/Chess.app
Application at path ( /Applications/Chess.app ) removed from firewall
Page 64
CIS Controls:
Controls
Version

● ● ●
4.5 Implement and Manage a Firewall on End-User

Devices
v8 Implement and manage a host-based firewall or port-filtering tool on end-user ● ● ●
devices, with a default-deny rule that drops all traffic except those services and
ports that are explicitly allowed.
13.1 Centralize Security Event Alerting

Centralize security event alerting across enterprise assets for log correlation and
v8 analysis. Best practice implementation requires the use of a SIEM, which includes ● ●
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

9.4 Apply Host-based Firewalls or Port Filtering

v7 Apply host-based firewalls or port filtering tools on end systems, with a default-
deny rule that drops all traffic except those services and ports that are explicitly
● ● ●
allowed.
9.5 Implement Application Firewalls

v7 Place application firewalls in front of any critical servers to verify and validate the ●
traffic going to the server. Any unauthorized traffic should be blocked and logged.
Page 65
2.2.2 Ensure Firewall Stealth Mode Is Enabled (Automated)
• Level 1
Description:
While in Stealth mode, the computer will not respond to unsolicited probes, dropping
that traffic.
Rationale:
Stealth mode on the firewall minimizes the threat of system discovery tools while
connected to a network or the Internet.
Impact:
Traditional network discovery tools like ping will not succeed. Other network tools that
measure activity and approved applications will work as expected.
This control aligns with the primary macOS use case of a laptop that is often connected
to untrusted networks where host segregation may be non-existent. In that use case,
hiding from the other inmates is likely more than desirable. In use cases where use is
only on trusted LANs with static IP addresses, stealth mode may not be desirable.
Page 66
Audit:
Graphical Method:
Perform the following steps to verify the firewall has stealth mode enabled:

2. Select Network
3. Select Firewall
4. Select Option
5. Verify that Enable stealth mode is enabled
or

3. Select Profiles
4. Verify that an installed profile has Stealth Mode set to Enabled
Terminal Method:
Run the following command to verify that stealth mode is enabled:
function run() {
let pref1 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.alf')\
.objectForKey('stealthenabled'))
let pref2 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.fire
wall')\
.objectForKey('EnableStealthMode'))
if ( ( pref1 == 1 ) || ( pref2 == "true" ) ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 67
Remediation:
Graphical Method:
Perform the following steps to enable firewall stealth mode:

2. Select Network
3. Select Firewall
5. Set Enabled stealth mode to enabled
Terminal Method:
Run the following command to enable stealth mode:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --
setstealthmode on
Stealth mode enabled

Profile Method:

2. The key to include is EnableStealthMode
Note: This key must be set in the same configuration profile with EnableFirewall set to
<true/>. If it is set in its own configuration profile, it will fail.
References:
1. http://support.apple.com/en-us/HT201642
Page 68
CIS Controls:
Controls
Version

● ● ●

Devices

v8 Enterprise Assets and Software
● ●

9.4 Apply Host-based Firewalls or Port Filtering

v7 Apply host-based firewalls or port filtering tools on end systems, with a default-
deny rule that drops all traffic except those services and ports that are explicitly
● ● ●
allowed.
Page 69
2.3 General
Page 70
2.3.1 AirDrop & Handoff
Page 71
2.3.1.1 Ensure AirDrop Is Disabled When Not Actively
Transferring Files (Automated)
• Level 1
Description:
AirDrop is Apple's built-in, on-demand, ad hoc file exchange system that is compatible
with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to
Mac or iOS users that are in close proximity. Depending on the setting, it allows
everyone or only Contacts to share files when they are near each other.
In many ways, this technology is far superior to the alternatives. The file transfer is done
over a TLS encrypted session, does not require any open ports that are required for file
sharing, does not leave file copies on email servers or within cloud storage, and allows
for the service to be mitigated so that only people already trusted and added to contacts
can interact with you.
While there are positives to AirDrop, there are privacy concerns that could expose
personal information. For that reason, AirDrop should be disabled, and should only be
enabled when needed and disabled afterwards. The recommendation against enabling
the sharing is not based on any known lack of security in the protocol, but for specific
user operational concerns.
• If AirDrop is enabled, the Mac is advertising that a Mac is addressable on the

local network and open to either unwanted AirDrop upload requests or for a
negotiation on whether the remote user is in the user's contacts list. Neither
process is desirable.
• In most known use cases, AirDrop use qualifies as ad hoc networking when it
involves Apple device users deciding to exchange a file using the service.
AirDrop can thus be enabled on the fly for that exchange.
For organizations concerned about any use of AirDrop because of Digital Loss
Prevention (DLP) monitoring on other protocols, JAMF has an article on reviewing
AirDrop logs.
Detecting outbound AirDrop transfers and logging them
Rationale:
AirDrop can allow malicious files to be downloaded from unknown sources. Contacts
Only limits may expose personal information to devices in the same area.
Impact:
Disabling AirDrop can limit the ability to move files quickly over the network without
using file shares.
Page 72
Audit:
Graphical Method:
Perform the following steps to ensure that AirDrop is disabled:

3. Select Profiles
4. Verify that an installed profile has Allow AirDrop set to False
Terminal Method:
Run the following command to verify that a profile is installed that disabled AirDrop:
.objectForKey('allowAirDrop').js
EOS
false
and/or remediation has been removed. To be compliant, a profile must be installed for
Remediation:
Profile Method:

2. The key to include is allowAirDrop
Note: AirDrop can only be enabled or disabled through configuration profiles. If your
organization wants to use AirDrop, it would need to be set through Terminal or the GUI.
Please see the Additional Information for assistance with those options, but those
system will not technically be in compliance.
References:
1. https://www.techrepublic.com/article/apple-airdrop-users-reportedly-vulnerable-
to-security-flaw/
2. https://www.imore.com/how-apple-keeps-your-airdrop-files-private-and-secure
3. https://en.wikipedia.org/wiki/AirDrop
4. https://macmost.com/10-reasons-you-should-be-using-airdrop-to-transfer-
files.html
Page 73
Audit:
Graphical Method:
Perform the following steps to ensure that AirDrop is disabled:
1. Open System Settings in the Menu Bar

2. Select General
3. Select AirDrop & Handoff
4. Verify that AirDrop is set to No One
6. Select Control Center
7. Select AirDrop
8. Verify that Don't show in Menu Bar is not selected
Terminal Method:
For all users, run the following commands to verify whether AirDrop is disabled:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.NetworkBrowser
DisableAirDrop
1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read com.apple.NetworkBrowser
DisableAirDrop
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.NetworkBrowser

DisableAirDrop
$ /usr/bin/sudo -u thirduser /usr/bin/defaults read com.apple.NetworkBrowser

DisableAirDrop
The domain/default pair of (com.apple.NetworkBrowser, DisableAirDrop) does

not exist
Page 74
Remediation:
Graphical Method:
Perform the following steps to disable AirDrop:
1. Open System Settings in the Menu Bar

2. Select General
4. Set AirDrop to No One
7. Set AirDrop to Don't show in Menu Bar
Terminal Method:
Run the following commands to disable AirDrop:
$ /usr/bin/sudo -u <username> defaults write com.apple.NetworkBrowser
DisableAirDrop -bool true
example:
$ /usr/bin/sudo -u seconduser defaults write com.apple.NetworkBrowser
DisableAirDrop -bool true
Page 75
CIS Controls:
Controls
Version

● ● ●

6.7 Centralize Access Control

v8 Centralize access control for all enterprise assets through a directory service or ● ●
SSO provider, where supported.

15.4 Disable Wireless Access on Devices if Not Required

v7 Disable wireless access on devices that do not have a business purpose for ●
wireless access.
Page 76
2.3.1.2 Ensure AirPlay Receiver Is Disabled (Automated)
• Level 1
Description:
In macOS Monterey (12.0), Apple has added the capability to share content from
another Apple device to the screen of a host Mac. While there are many valuable uses
of this capability, such sharing on a standard Mac user workstation should be enabled
ad hoc as required rather than allowing a continuous sharing service. The feature can
be restricted by Apple ID or network and is configured to use by accepting the
connection on the Mac. Part of the concern is frequent connection requests may
function as a denial-of-service and access control limits may provide too much
information to an attacker.
https://macmost.com/how-to-use-a-mac-as-an-airplay-receiver.html
https://support.apple.com/guide/mac-pro-rack/use-airplay-apdf1417128d/mac
Rationale:
This capability appears very useful for kiosk and shared work spaces. The ability to
allow by network could be especially useful on segregated guest networks where
visitors could share their screens on computers with bigger monitors, including
computers connected to projectors.
Impact:
Turning off AirPlay sharing by default will not allow users to share without turning the
service on. The service should be enable as needed rather than left on.
Page 77
Audit:
Graphical Method:
Perform the following steps to ensure that AirPlay Receiver is Disbaled:

3. Select Profiles
4. Verify that an installed profile has Allow AirPlay Incoming Requests set to
False
Terminal Method:
For each user, run the following command to verify that AirPlay Receiver is disabled:
Run the following command to verify that a profile is installed that disables the ability to
use the computer as an AirPlay Receiver:
.objectForKey('allowAirPlayIncomingRequests').js
EOS
false
Remediation:
Profile Method:

2. The key to include is allowAirPlayIncomingRequests
user.
Default Value:
AirPlay Receiver is enabled by default.
Page 78
Audit:
Graphical Method:
Perform the following steps to ensure that AirPlay Receiver is Disbaled:

2. Select General
4. Verify that AirPlay Receiver is disabled
Terminal Method:
For each user, run the following command to verify that AirPlay Receiver is disabled:
$ /usr/bin/sudo -u <username> /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
.objectForKey('AirplayRecieverEnabled').js
EOS
true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/osascript -l JavaScript << EOS
.objectForKey('AirplayRecieverEnabled').js
EOS
true
Page 79
Remediation:
Graphical Method:
Perform the following steps to disable AirPlay Receiver:

2. Select General
4. Set AirPlay Receiver to disabled
Terminal Method:
For each user, run the following command to disable AirPlay Receiver:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write
com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write
com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
CIS Controls:
Controls
Version

● ● ●

● ●


v7 Are Running
● ●
Page 80
2.3.2 Date & Time
This section contains recommendations related to the configurable items under the Date
& Time panel.
Page 81
2.3.2.1 Ensure Set Time and Date Automatically Is Enabled
(Automated)
• Level 1
Description:
Correct date and time settings are required for authentication protocols, file creation,
modification dates, and log entries.
Note: If your organization has internal time servers, enter them here. Enterprise mobile
devices may need to use a mix of internal and external time servers. If multiple servers
are required, use the Date & Time System Preference with each server separated by a
space.
Additional Note: The default Apple time server is time.apple.com. Variations include
time.euro.apple.com. While it is certainly more efficient to use internal time servers,
there is no reason to block access to global Apple time servers or to add a
time.apple.com alias to internal DNS records. There are no reports that Apple gathers
any information from NTP synchronization, as the computers already phone home to
Apple for Apple services including iCloud use and software updates. Best practice is to
allow DNS resolution to an authoritative time service for time.apple.com, preferably to
connect to Apple servers, but local servers are acceptable as well.
Rationale:
Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.
This in turn can affect Apple's single sign-on feature, Active Directory logons, and other
features.
Impact:
The timed service will periodically synchronize with named time servers and will make
the computer time more accurate.
Page 82
Audit:
Graphical Method:
Perform the following steps to ensure that the system's date and time are set
automatically:

2. Select General
3. Select Date & Time
4. Verify that Set time and date automatically is enabled
Terminal Method:
Run the following command to ensure that date and time are automatically set:
$ /usr/bin/sudo /usr/sbin/systemsetup -getusingnetworktime
Network Time: On
Page 83
Remediation:
Graphical Method:
Perform the following to enable the date and time to be set automatically:

2. Select General
3. Select Date & Time
4. Set Set time and date automatically to enabled
Note: By default, the operating system will use time.apple.com as the time server. You
can change to any time server that meets your organization's requirements.
Terminal Method:
Run the following commands to enable the date and time setting automatically:
$ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver
<your.time.server>
setNetworkTimeServer: <your.time.server>
$ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on
setUsingNetworkTime: On
example:
$ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver time.apple.com
setNetworkTimeServer: time.apple.com
$ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on
setUsingNetworkTime: On
Run the following commands if you have not set, or need to set, a new time zone:
$ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones
$ /usr/bin/sudo /usr/sbin/systemsetup -settimezone <selected time zone>
example:
$ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones
Time Zones:
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...
$ /usr/bin/sudo /usr/sbin/systemsetup -settimezone America/New_York
Set TimeZone: America/New_York
Page 84
To learn more about timed, read: Has anyone got the time? How High Sierra has
changed time synchronisation
Note: The profile configuration has been removed since it requires a specific time
server to be set.
CIS Controls:
Controls
Version
8.4 Standardize Time Synchronization

v8 Standardize time synchronization. Configure at least two synchronized time ● ●
sources across enterprise assets, where supported.
6.1 Utilize Three Synchronized Time Sources

v7 Use at least three synchronized time sources from which all servers and
network devices retrieve time information on a regular basis so that timestamps
● ●
in logs are consistent.
Page 85
2.3.2.2 Ensure Time Is Set Within Appropriate Limits (Automated)
• Level 1
Description:
Correct date and time settings are required for authentication protocols, file creation,
modification dates and log entries. Ensure that time on the computer is within
acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a
drift under four and a half minutes passes the control check. Since Kerberos is one of
the important features of macOS integration into Directory systems, the guidance here
is to warn you before there could be an impact to operations. From the perspective of
accurate time, this check is not strict, so it may be too great for your organization. Your
organization can adjust to a smaller offset value as needed.
If there are consistent drift issues on the OS, some of the most common drift issues
should be investigated:
• The chosen time server is not reachable based on network firewall rules on the
current network
• The computer is offline often and the battery drains, and the network is not
immediately available
• The chosen time server is a special internal or non-public time server that does
not provide a reliable time source
Note: ntpdate has been deprecated with 10.14. sntp replaces that command.
Rationale:
Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.
This in turn can affect Apple's single sign-on feature, Active Directory logons, and other
features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.
Impact:
Accurate time is required for many computer functions.
Page 86
Audit:
Terminal Method:
Run the following commands to verify the time is set within an appropriate limit:
$ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver
The output will include Network Time Server: and the name of your time server.
example: Network Time Server: time.apple.com
$ /usr/bin/sudo /usr/bin/sntp <your.time.server>
Ensure that the offset result(s) are between -270.x and 270.x seconds.
example:
Network Time Server: time.apple.com
$ /usr/bin/sudo /usr/bin/sntp time.apple.com
+0.003399 +/- 0.058059 time.apple.com 17.253.24.253
Remediation:
Terminal Method:
Run the following commands to ensure your time is set within an appropriate limit:
The output will include Network Time Server: and the name of your time server
example: Network Time Server: time.apple.com.
$ /usr/bin/sudo /usr/bin/sntp -sS <your.time.server>
example:
Network Time Server: time.apple.com
$ /usr/bin/sudo /usr/bin/sntp -sS time.apple.com
The associated check will fail if no network connection is available.
Page 87
CIS Controls:
Controls
Version
8.4 Standardize Time Synchronization

v8 Standardize time synchronization. Configure at least two synchronized time ● ●
sources across enterprise assets, where supported.
6.1 Utilize Three Synchronized Time Sources

v7 Use at least three synchronized time sources from which all servers and
network devices retrieve time information on a regular basis so that timestamps
● ●
in logs are consistent.
Page 88
2.3.3 Sharing
This section contains recommendations related to the configurable items under the
Sharing panel.
With the release of macOS 14.0 Sonoma, Apple has added configuration profile options
in the payloadtype com.apple.applicationaccess for the following sharing settings:
• Remote Management allowARDRemoteManagementModification

• Bluetooth Sharing allowBluetoothSharingModification
• File Sharing allowFileSharingModification
• Internet Sharing allowInternetSharingModification
• Printer Sharing allowPrinterSharingModification
• Remote Apple Events allowRemoteAppleEventsModification
This keys will disable the ability to modify these sharing settings in the GUI only. They
do not modify or disable modification through the binary or the disable the service.
These keys are not being included in the benchmark beyond this note for that reason as
well as the fact that it can make an administrator's job more difficult to properly access
and remediate the security posture of the system.
Page 89
2.3.3.1 Ensure DVD or CD Sharing Is Disabled (Automated)
• Level 1
Description:
DVD or CD Sharing allows users to remotely access the system's optical drive. While
Apple does not ship Macs with built-in optical drives any longer, external optical drives
are still recognized when they are connected. In testing, the sharing of an external
optical drive persists when a drive is reconnected.
Rationale:
Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as
a vector for attack and exposure of sensitive data.
Impact:
Many Apple devices are now sold without optical drives, however drive sharing may be
needed for legacy optical media. The media should be explicitly re-shared as needed
rather than using a persistent share. Optical drives should not be used for long-term
storage. To store necessary data from an optical drive it should be copied to another
form of external storage. Optionally, an image can be made of the optical drive so that it
is stored in its original form on another form of external storage.
Audit:
Graphical Method:
Perform the following steps to ensure that DVD or CD Sharing is disabled:

2. Select General
3. Select Sharing
4. Verify that DVD or CD sharing is not enabled
Terminal Method:
Run the following command to verify that DVD or CD Sharing is disabled
$ /usr/bin/sudo /bin/launchctl list | grep -c com.apple.ODSAgent
Page 90
Remediation:
Graphical Method:
Perform the following steps to disable DVD or CD Sharing:

2. Select General
3. Select Sharing
4. Set DVD or CD sharing to disabled
Terminal Method:
Run the following command to disable DVD or CD Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.ODSAgent
Note: If using the Terminal method, the GUI will still show the service checked until
after a reboot.
CIS Controls:
Controls
Version

● ● ●

● ●


v7 Are Running
● ●
Page 91
2.3.3.2 Ensure Screen Sharing Is Disabled (Automated)
• Level 1
Description:
Screen Sharing allows a computer to connect to another computer on a network and
display the computer’s screen. While sharing the computer’s screen, the user can
control what happens on that computer, such as opening documents or applications,
opening, moving, or closing windows, and even shutting down the computer.
While mature administration and management does not use graphical connections for
standard maintenance, most help desks have capabilities to assist users in performing
their work when they have technical issues and need support. Help desks use graphical
remote tools to understand what the user sees and assist them so they can get back to
work. For MacOS, some of these remote capabilities can use Apple's OS tools. Control
is therefore not meant to prohibit the use of a just-in-time graphical view from authorized
personnel with authentication controls. Sharing should not be enabled except in narrow
windows when help desk support is required.
Screen Sharing on macOS can allow the use of the insecure VNC protocol. VNC is a
clear text protocol that should not be used on macOS.
Rationale:
Disabling Screen Sharing mitigates the risk of remote connections being made without
the user of the console knowing that they are sharing the computer.
Impact:
Help desks may require the periodic use of a graphical connection mechanism to assist
users. Any support that relies on native MacOS components will not work unless a
scripted solution to enable and disable sharing as neccessary.
Page 92
Audit:
Graphical Method:
Perform the following steps to ensure Screen Sharing is not enabled:

2. Select General
3. Select Sharing
4. Verify that Screen Sharing is not enabled
Terminal Method:
Run the following commands to verify that Screen Sharing is not set:
$ /usr/bin/sudo /bin/launchctl list | grep -c com.apple.screensharing
Remediation:
Graphical Method:
Perform the following steps to disable Screen Sharing:

2. Select General
3. Select Sharing
4. Set Screen Sharing to disabled
Terminal Method:
Run the following command to turn off Screen Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing
References:
1. https://support.apple.com/guide/mac-help/turn-screen-sharing-on-or-off-
mh11848/mac
Page 93
CIS Controls:
Controls
Version

● ● ●



v7 Are Running ● ●
Page 94
2.3.3.3 Ensure File Sharing Is Disabled (Automated)
• Level 1
Description:
File sharing from a user workstation creates additional risks, such as:
• Open ports are created that can be probed and attacked

• Passwords are attached to user accounts for access that may be exposed and
endanger other parts of the organizational environment, including directory
accounts
• Increased complexity makes security more difficult and may expose additional
attack vectors
Apple's File Sharing uses the Server Message Block (SMB) protocol to share to other
computers that can mount SMB shares. This includes other macOS computers.
Apple warns that SMB sharing stored passwords is less secure, and anyone with
system access can gain access to the password for that account. When sharing with
SMB, each user accessing the Mac must have SMB enabled. Storing passwords,
especially copies of valid directory passwords, decreases security for the directory
account and should not be used.
Rationale:
By disabling File Sharing, the remote attack surface and risk of unauthorized access to
files stored on the system is reduced.
Impact:
File Sharing can be used to share documents with other users, but hardened servers
should be used rather than user endpoints. Turning on File Sharing increases the
visibility and attack surface of a system unnecessarily.
Page 95
Audit:
Graphical Method:
Perform the following steps to ensure that File Sharing is not enabled:

2. Select General
3. Select Sharing
4. Verify that File Sharing is not enabled
Terminal Method:
Run the following command to verify that File Sharing is not enabled:
$ /usr/bin/sudo /bin/launchctl list | grep -c "com.apple.smbd"
Remediation:
Graphical Method:
Perform the following steps to disable File Sharing:

2. Select General
3. Select Sharing
4. Set File Sharing to disabled
Terminal Method:
Run the following command to disable File Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd
Page 96
CIS Controls:
Controls
Version

● ● ●

5.4 Restrict Administrator Privileges to Dedicated

Administrator Accounts
v8 Restrict administrator privileges to dedicated administrator accounts on ● ● ●
enterprise assets. Conduct general computing activities, such as internet browsing,
email, and productivity suite use, from the user’s primary, non-privileged account.
4.3 Ensure the Use of Dedicated Administrative Accounts

v7 Ensure that all users with administrative account access use a dedicated or
secondary account for elevated activities. This account should only be used for
● ● ●
administrative activities and not internet browsing, email, or similar activities.


Page 97
2.3.3.4 Ensure Printer Sharing Is Disabled (Automated)
• Level 1
Description:
By enabling Printer Sharing, the computer is set up as a print server to accept print jobs
from other computers. Dedicated print servers or direct IP printing should be used
instead.
Rationale:
Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print
server to gain access to the system.
Audit:
Graphical Method:
Perform the following steps to ensure that Printer Sharing is not enabled:

2. Select General
3. Select Sharing
4. Verify that Printer Sharing is not enabled
Terminal Method:
Run the following command to verify that Printer Sharing is not enabled:
$ /usr/bin/sudo /usr/sbin/cupsctl | grep -c "_share_printers=0"
Remediation:
Graphical Method:
Perform the following steps to disable Printer Sharing:

2. Select General
3. Select Sharing
4. Set Printer Sharing to disabled
Terminal Method:
Run the following command to disable Printer Sharing:
$ /usr/bin/sudo /usr/sbin/cupsctl --no-share-printers
Page 98
CIS Controls:
Controls
Version

● ● ●



Page 99
2.3.3.5 Ensure Remote Login Is Disabled (Automated)
• Level 1
Description:
Remote Login allows an interactive terminal connection to a computer.
Rationale:
Disabling Remote Login mitigates the risk of an unauthorized person gaining access to
the system via Secure Shell (SSH). While SSH is an industry standard to connect to
posix servers, the scope of the benchmark is for Apple macOS clients, not servers.
macOS does have an IP-based firewall available (pf, ipfw has been deprecated) that is
not enabled or configured. There are more details and links in the Network sub-section.
macOS no longer has TCP Wrappers support built in and does not have strong Brute-
Force password guessing mitigations, or frequent patching of openssh by Apple. Since
most macOS computers are mobile workstations, managing IP-based firewall rules on
mobile devices can be very resource intensive. All of these factors can be parts of
running a hardened SSH server.
Impact:
The SSH server built into macOS should not be enabled on a standard user computer,
particularly one that changes locations and IP addresses. A standard user that runs
local applications, including email, web browser, and productivity tools, should not use
the same device as a server. There are Enterprise management toolsets that do utilize
SSH. If they are in use, the computer should be locked down to only respond to known,
trusted IP addresses and appropriate administrator service accounts.
For macOS computers that are being used for specialized functions, there are several
options to harden the SSH server to protect against unauthorized access, including
brute force attacks. There are some basic criteria that need to be considered:
• Do not open an SSH server to the internet without controls in place to mitigate
SSH brute force attacks. This is particularly important for systems bound to
Directory environments. It is great to have controls in place to protect the system,
but if they trigger after the user is already locked out of their account, they are not
optimal. If authorization happens after authentication, directory accounts for
users that don't even use the system can be locked out.
• Do not use SSH key pairs when there is no insight to the security on the client
system that will authenticate into the server with a private key. If an attacker gets
access to the remote system and can find the key, they may not need a
password or a key logger to access the SSH server.
• Detailed instructions on hardening an SSH server, if needed, are available in the
CIS Linux Benchmarks, but it is beyond the scope of this benchmark.
Page 100
Audit:
Graphical Method:
Perform the following steps to ensure that Remote Login is disabled:

2. Select General
3. Select Sharing
4. Verify that Remote Login is not enabled
Terminal Method:
Run the following command to verify that Remote Login is disabled:
$ /usr/bin/sudo /usr/sbin/systemsetup -getremotelogin
Remote Login: Off
Remediation:
Perform the following to disable Remote Login:
Graphical Method:
Perform the following steps to disable Remote Login:

2. Select General
3. Select Sharing
4. Set Remote Login to disabled
Terminal Method:
Run the following command to disable Remote Login:
$ /usr/bin/sudo /usr/sbin/systemsetup -setremotelogin off
Do you really want to turn remote login off? If you do, you will lose this
connection and can only turn it back on locally at the server (yes/no)?
Entering yes will disable remote login.

man sshd_config
Page 101
CIS Controls:
Controls
Version

● ● ●



Page 102
2.3.3.6 Ensure Remote Management Is Disabled (Automated)
• Level 1
Description:
Remote Management is the client portion of Apple Remote Desktop (ARD). Remote
Management can be used by remote administrators to view the current screen, install
software, report on, and generally manage client Macs.
The screen sharing options in Remote Management are identical to those in the Screen
Sharing section. In fact, only one of the two can be configured. If Remote Management
is used, refer to the Screen Sharing section above on issues regard screen sharing.
Remote Management should only be enabled when a Directory is in place to manage
the accounts with access. Computers will be available on port 5900 on a macOS
System and could accept connections from untrusted hosts depending on the
configuration, which is a major concern for mobile systems. As with other sharing
options, an open port even for authorized management functions can be attacked, and
both unauthorized access and Denial-of-Service vulnerabilities could be exploited. If
remote management is required, the pf firewall should restrict access only to known,
trusted management consoles. Remote management should not be used across the
Internet without the use of a VPN tunnel.
Rationale:
Remote Management should only be enabled on trusted networks with strong user
controls present in a Directory system. Mobile devices without strict controls are
vulnerable to exploit and monitoring.
Impact:
Many organizations utilize ARD for client management.
Page 103
Audit:
Graphical Method:
Perform the following steps to verify that Remote Management is not enabled:

2. Select General
3. Select Sharing
4. Verify that Remote Management is not enabled
Terminal Method:
Run the following command to verify that Remote Management is not enabled:
$ /usr/bin/sudo /bin/ps -ef | /usr/bin/grep -e ARDAgent
0 9233 8630 0 3:32pm ttys001 0:00.00 grep -e ARDAgent
Remediation:
Graphical Method:
Perform the following steps to disable Remote Management:

2. Select General
3. Select Sharing
4. Set Remote Management to disabled
Terminal Method:
Run the following command to disable Remote Management:
$ /usr/bin/sudo
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources
/kickstart -deactivate -stop
Starting...
Removed preference to start ARD after reboot.
Done.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources
/kickstart -help
Page 104
CIS Controls:
Controls
Version

● ● ●


enterprise assets. Conduct general computing activities, such as internet browsing,
email, and productivity suite use, from the user’s primary, non-privileged account.

● ● ●

v7 Are Running
● ●
14.3 Disable Workstation to Workstation Communication

v7 Disable all workstation to workstation communication to limit an attacker's ability
to move laterally and compromise neighboring systems, through technologies such
● ●
as Private VLANs or microsegmentation.
Page 105
2.3.3.7 Ensure Remote Apple Events Is Disabled (Automated)
• Level 1
Description:
Apple Events is a technology that allows one program to communicate with other
programs. Remote Apple Events allows a program on one computer to communicate
with a program on a different computer.
Rationale:
Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining
access to the system.
Impact:
With remote Apple events turned on, an AppleScript program running on another Mac
can interact with the local computer.
Audit:
Graphical Method:
Perform the following steps to ensure that Remote Apple Events is not enabled:

2. Select General
3. Select Sharing
4. Verify that Remote Apple Events is not enabled
Terminal Method:
Run the following commands to verify that Remote Apple Events is not set
$ /usr/bin/sudo /usr/sbin/systemsetup -getremoteappleevents
Remote Apple Events: Off
Page 106
Remediation:
Graphical Method:
Perform the following steps to disable Remote Apple Events:

2. Select General
3. Select Sharing
4. Set Remote Apple Events to disabled
Terminal Method:
Run the following commands to set Remote Apple Events to Off:
$ /usr/bin/sudo /usr/sbin/systemsetup -setremoteappleevents off
setremoteappleevents: Off
CIS Controls:
Controls
Version

● ● ●



Page 107
2.3.3.8 Ensure Internet Sharing Is Disabled (Automated)
• Level 1
Description:
Internet Sharing uses the open source natd process to share an internet connection
with other computers and devices on a local network. This allows the Mac to function as
a router and share the connection to other, possibly unauthorized, devices.
Rationale:
Disabling Internet Sharing reduces the remote attack surface of the system.
Impact:
Internet Sharing allows the computer to function as a router and other computers to use
it for access. This can expose both the computer itself and the networks it is accessing
to unacceptable access from unapproved devices.
Audit:
Graphical Method:
Perform the following steps to ensure Internet Sharing is not enabled:

2. Select General
3. Select Sharing
4. Verify that Internet Sharing is not enabled
Terminal Method:
Run the following commands to verify that Internet Sharing is not set:
$ /usr/bin/sudo /usr/bin/defaults read
/Library/Preferences/SystemConfiguration/com.apple.nat >nul 2>&1 | grep -c
"Enabled = 1;"
0
or
Run the following command to verify that a profile is installed that automatically disables
internet sharing:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('forceInternetSharingOff').js
EOS
true
Page 108
Remediation:
Graphical Method:
Perform the following steps to disable Internet Sharing:

2. Select General
3. Select Sharing
4. Set Internet Sharing to disabled
Terminal Method:
Run the following command to turn off Internet Sharing:
$ usr/bin/sudo /usr/bin/defaults write
/Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int
0
Note: Using the Terminal Method will not be reflected in the GUI, but will disable the
underlying service.
Profile Method:
1. The PayloadType string is com.apple.MCX

2. The key to include is forceInternetSharingOff
References:
1. STIGID AOSX-12-001270
Page 109
CIS Controls:
Controls
Version

● ● ●



Page 110
2.3.3.9 Ensure Content Caching Is Disabled (Automated)
• Level 2
Description:
Starting with 10.13 (macOS High Sierra), Apple introduced a service to make it easier to
deploy data from Apple, including software updates, where there are bandwidth
constraints to the Internet and fewer constraints or greater bandwidth exist on the local
subnet. This capability can be very valuable for organizations that have throttled and
possibly metered Internet connections. In heterogeneous enterprise networks with
multiple subnets, the effectiveness of this capability would be determined by how many
Macs were on each subnet at the time new, large updates were made available
upstream. This capability requires the use of mac OS clients as P2P nodes for updated
Apple content. Unless there is a business requirement to manage operational Internet
connectivity and bandwidth, user endpoints should not store content and act as a
cluster to provision data.
Content types supported by Content Caching in macOS
Rationale:
The main use case for Mac computers is as mobile user endpoints. P2P sharing
services should not be enabled on laptops that are using untrusted networks. Content
Caching can allow a computer to be a server for local nodes on an untrusted network.
While there are certainly logical controls that could be used to mitigate risk, they add to
the management complexity. Since the value of the service is in specific use cases,
organizations with the use case described above can accept risk as necessary.
Impact:
This setting will adversely affect bandwidth usage between local subnets and the
Internet.
Page 111
Audit:
Graphical Method:
Perform the following steps to ensure that Content Caching is not enabled:

2. Select General
3. Select Sharing
4. Verify that Content Caching is not enabled
or

3. Select Profiles
4. Verify that an installed profile has Allow Content Caching set to False
Terminal Method:
Run the following command to verify that Content Caching is not enabled:
function run() {
let pref1 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.AssetCache')\
.objectForKey('Activated'))
let pref2 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationac
cess')\
.objectForKey('allowContentCaching'))
if ( ( pref1 == 0 ) || ( pref2 == 0 ) ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 112
Remediation:
Graphical Method:
Perform the following steps to disable Content Caching:

2. Select General
3. Select Sharing
4. Set Content Caching to disabled
Terminal Method:
Run the following command to disable Content Caching:
$ /usr/bin/sudo /usr/bin/AssetCacheManagerUtil deactivate
The output will include Content caching deactivated
Profile Method:

2. The key to include is allowContentCaching
References:
1. https://support.apple.com/guide/mac-help/about-content-caching-mchl9388ba1b/
2. https://support.apple.com/guide/mac-help/set-up-content-caching-on-mac-
mchl3b6c3720/
CIS Controls:
Controls
Version

Enterprise Assets and Software
v8 Uninstall or disable unnecessary services on enterprise assets and software, ● ●
such as an unused file sharing service, web application module, or service
function.

v7 Are Running
● ●
Page 113
2.3.3.10 Ensure Media Sharing Is Disabled (Automated)
• Level 2
Description:
Starting with macOS 10.15, Apple has provided a control which permits a user to share
Apple downloaded content on all Apple devices that are signed in with the same Apple
ID. This allows users to share downloaded Movies, Music, or TV shows with other
controlled macOS, iOS and iPadOS devices, as well as photos with Apple TVs.
With this capability, guest users can also use media downloaded on the computer.
The recommended best practice is not to use the computer as a server, but to utilize
Apple's cloud storage in order to download and use content stored there if content
stored with Apple is used on multiple devices.
https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-
mchlp13371337/mac
Rationale:
Disabling Media Sharing reduces the remote attack surface of the system.
Impact:
Media Sharing allows for pre-downloaded content on a Mac to be available to other
Apple devices on the same network. Leaving this disabled forces device users to
stream or download content from each Apple authorized device. This sharing could
even allow unauthorized devices on the same network media access.
Page 114
Audit:
Graphical Method:
Perform the following steps to ensure that Media Sharing is not enabled:

3. Select Profiles
4. Verify that an installed profile has homeSharingUIStatus set to 0
5. Verify that an installed profile has legacySharingUIStatus set to 0
6. Verify that an installed profile has mediaSharingUIStatus set to 0
Terminal Method:
Run the following command to verify that a profile is installed that disablesMedia
Sharing:
function run() {
let pref1 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.s
haring.SharingPrefsExtension')\
.objectForKey('homeSharingUIStatus'))
let pref2 =
.objectForKey('legacySharingUIStatus'))
let pref3 =
.objectForKey('mediaSharingUIStatus'))
if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 115
Remediation:
Profile Method:
1. The PayloadType string is

com.apple.preferences.sharing.SharingPrefsExtension
2. The key to include is homeSharingUIStatus
3. The key must be set to <integer>0</integer>
4. The key to also include is legacySharingUIStatus
6. The key to also include is mediaSharingUIStatus
Audit:
Graphical Method:
Perform the following steps to ensure that Media Sharing is not enabled:

2. Select General
3. Select Sharing
4. Verify that Media Sharing is not selected
Terminal Method:
Run the following command to verify that Media Sharing is not enabled:
com.apple.amp.mediasharingd home-sharing-enabled
example:
$ /usr/bin/sudo -u test /usr/bin/defaults read com.apple.amp.mediasharingd
home-sharing-enabled
$ /usr/bin/sudo -u test2 /usr/bin/defaults read com.apple.amp.mediasharingd

home-sharing-enabled
Page 116
Remediation:
Graphical Method:
Perform the following steps to disable Media Sharing:
1. Open System Preferences

2. Select Sharing
3. Uncheck Media Sharing
Terminal Method:
Run the following command to disable Media Sharing:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write
com.apple.amp.mediasharingd home-sharing-enabled -int 0
example:
$ sudo -u test2 /usr/bin/defaults write com.apple.amp.mediasharingd home-
sharing-enabled -int 0
CIS Controls:
Controls
Version

● ● ●



Page 117
2.3.3.11 Ensure Bluetooth Sharing Is Disabled (Automated)
• Level 1
Description:
Bluetooth Sharing allows files to be exchanged with Bluetooth-enabled devices.
Rationale:
Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to
remotely attack the system.
Impact:
Control 2.1.1 discusses disabling Bluetooth if no paired devices exist. There is a general
expectation that Bluetooth peripherals will be used by most users in Apple's ecosystem.
It is possible that sharing is required and Bluetooth peripherals are not. Bluetooth must
be enabled if sharing is an acceptable use case.
Audit:
Graphical Method:
Perform the following steps to verify that Bluetooth Sharing is not enabled:

2. Select General
3. Select Sharing
4. Verify that Bluetooth Sharing is not enabled
Terminal Method:
Run the following command to verify that Bluetooth Sharing is disabled:
/usr/bin/sudo -u <username> /usr/bin/defaults -currentHost read
com.apple.Bluetooth PrefKeyServicesEnabled
0
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read
com.apple.Bluetooth PrefKeyServicesEnabled
Page 118
Remediation:
Graphical Method:
Perform the following steps to disable Bluetooth Sharing:

2. Select General
3. Select Sharing
4. Set Bluetooth Sharing to disabled
Terminal Method:
Run the following command to disable Bluetooth Sharing is disabled:
com.apple.Bluetooth PrefKeyServicesEnabled -bool false
com.apple.Bluetooth PrefKeyServicesEnabled -bool false
Page 119
CIS Controls:
Controls
Version
3.3 Configure Data Access Control Lists

Configure data access control lists based on a user’s need to know. Apply data
v8 access control lists, also known as access permissions, to local and remote file
● ● ●
systems, databases, and applications.

● ● ●
4.8 Log and Alert on Changes to Administrative Group

v7 Membership
Configure systems to issue a log entry and alert when an account is added to or
● ●
removed from any group assigned administrative privileges.


v7 Are Running
● ●
14.6 Protect Information through Access Control Lists

Protect all information stored on systems with file system, network share, claims,
v7 application, or database specific access control lists. These controls will enforce the ● ● ●
principle that only authorized individuals should have access to the information
based on their need to access the information as a part of their responsibilities.
Page 120
2.3.3.12 Ensure Computer Name Does Not Contain PII or
Protected Organizational Information (Manual)
• Level 2
Description:
If the computer is used in an organization that assigns host names, it is a good idea to
change the computer name to the host name. This is more of a best practice than a
security measure. If the host name and the computer name are the same, computer
support may be able to track problems down more easily.
For organizations or for users that self-administer their own computers, it is important to
not use sensitive or personal information in computer names. The name of a computer
that uses untrusted networks will be exposed at a minimum to the responsible network
team of that network. For instance, having your name as your hostname can provide
useful knowledge to an attacker monitoring the network you may be connected to.
Examples of possibly inappropriate content in computer names include:
• User directory account names

• Computer directory account names where machine accounts exist
• Contact phone numbers
• Physical locations of offices or residences
• Personal information that can be augmented with Facebook data to assist social
engineering attacks
Standard naming patterns avoid collisions and mitigate risk for computer users.
With mobile devices, using DHCP IP tracking has serious drawbacks; hostname or
computer name tracking makes much more sense for those organizations that can
implement it. If the computer is using different names for the "Computer Name" DNS
and Directory environments, it can be difficult to manage Macs in an Enterprise asset
inventory.
Rationale:
Part of IT security is having visibility into all of the devices for which an organization is
responsible. Without a complete inventory, it is impossible to ensure all security controls
are met on all organizational devices.
Default macOS naming deconfliction controls can create issues for appropriate
management and tracking as well as privacy exposure. By default, the name of a
macOS computer is derived from the first user created. If the user has multiple
computers or an image is used without an appropriate name change, there will be
multiple computers with names derived from the same user for discovery deconfliction.
How many "Ron Colvin's MacBook Pro" should there be, and are any missing?
Page 121
Local network auto renaming to avoid collisions also allows for the enumeration of local
computer names. Computers should not be named after their users, especially on
untrusted networks. For social engineering purposes, the computer name should not
provide a full name of the user or an identifiable name that might be used to assist in
targeted user attacks.
A documented plan to better enable a complete device inventory without exposing user
or organizational information is part of mature security.
Audit:
Graphical Method:
Perform the following steps to verify the computer name:

2. Select General
3. Select Sharing
4. Verify that Hostname is set to your organization's parameters
Remediation:
Graphical Method:
Perform the following steps to set the computer name:

2. Select General
3. Select Sharing
4. Select Edit...
5. Set Hostname to your organization's parameters
References:
1. https://support.apple.com/en-ca/guide/mac-help/mchlp1177/mac
2. https://uberagent.com/blog/choosing-macos-computer-names-wisely/
3. https://support.apple.com/en-ca/guide/mac-help/mchlp2322/mac
Page 122
CIS Controls:
Controls
Version
1.1 Establish and Maintain Detailed Enterprise Asset

Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all
enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT
devices, and servers. Ensure the inventory records the network address (if static),
v8 hardware address, machine name, enterprise asset owner, department for each
asset, and whether the asset has been approved to connect to the network. For
● ● ●
mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure
physically, virtually, remotely, and those within cloud environments. Additionally, it
includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and
update the inventory of all enterprise assets bi-annually, or more frequently.
9.1 Associate Active Ports, Services and Protocols to Asset

v7 Inventory ● ●
Associate active ports, services and protocols to the hardware assets in the
asset inventory.
Page 123
2.3.4 Time Machine
One of the most important IT Operational concerns is to ensure that information is

protected against loss or tampering. The purpose of the IT devices is to process the
data, after all. At one time the cost of IT equipment and the volume of the data might
make protection of the equipment itself more important. At this point, the vast size of
data archives and the lower cost of end-user equipment makes data protection central
to operational planning. Backup strategies are generally focused on ensuring that there
are multiple copies of relevant versions of user files. The plan is that no single hardware
or software loss or failure will result in major data loss.
Apple does not provide a native remote logging capability that encrypts data in transit
(DIT). If no third party tool or agent is installed on organizational-manned Macs, it is
even more important to ensure that backup processes are implemented with log
backups as part of the architecture.
In recent years the criticality of information backup, protection of data, and data backups
has become even more important with the rise of cybercriminals that not only commit
denial-of-service attacks using ransomware to encrypt your working data to make it
inaccessible, but also encrypt the backups if reachable. Newer threats include blackmail
to compromise data confidentiality. A comprehensive plan to protect data from
compromise is even more vital with current threats. The Time Machine controls are only
recommended best practices to assist in ease of frequent backups and the encryption of
backup volumes.
Apple introduced Time Machine in 2007 as a simple-to-use, built-in mechanism for
users to ensure that their machine was backed up, and if there was a mistake or loss,
that information could be easily recovered. There are other solutions to ensure
information is protected, including several Enterprise solutions and simple drive or
directory cloning.
The controls in this section are specifically about Time Machine. The general ideas are
applicable to any data backup solution. These controls are only pertinent to
organizations already using Time Machine as part of their backup solutions to ensure
the included Apple backup solution is being used effectively. We are not endorsing that
Time Machine should be used exclusively or as part of the Enterprise backup solution.
The controls first check that Time Machine is actually enabled.
To enable Time Machine, follow the instructions here: https://support.apple.com/en-
us/HT201250
For more details on Time Machine:
• https://eclecticlight.co/tag/time-machine/
• https://www.pcmag.com/how-to/how-to-back-up-your-mac-with-time-machine
Page 124
2.3.4.1 Ensure Backup Automatically is Enabled If Time Machine
Is Enabled (Automated)
• Level 2
Description:
Backup solutions are only effective if the backups run on a regular basis. The time to
check for backups is before the hard drive fails or the computer goes missing. In order
to simplify the user experience so that backups are more likely to occur, Time Machine
should be on and set to Back Up Automatically whenever the target volume is available.
Operational staff should ensure that backups complete on a regular basis and the
backups are tested to ensure that file restoration from backup is possible when needed.
Backup dates are available even when the target volume is not available in the Time
Machine plist.
SnapshotDates = (
"2012-08-20 12:10:22 +0000",
"2013-02-03 23:43:22 +0000",
"2014-02-19 21:37:21 +0000",
"2015-02-22 13:07:25 +0000",
"2016-08-20 14:07:14 +0000"
When the backup volume is connected to the computer, more extensive information is
available through tmutil. See man tmutil
Rationale:
Backups should automatically run whenever the backup drive is available.
Impact:
The backup will run periodically in the background and could have user impact while
running.
Page 125
Audit:
Graphical Method:
Perform the following steps to ensure that automatic backups are set if Time Machine is
enabled:

2. Select General
3. Select Time Machine
4. Verify that 'Next Back Up' is set to Automatically
or

3. Select Profiles
4. Verify that an installed profile has AutoBackup=1
Terminal Method:
Run the following command to verify that Time Machine is set to automatically backup if
Time Machine is enabled:
function run() {
let pref1 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')
\
.objectForKey('AutoBackup'))
if ( pref1 == null ) {
return("Preference Not Set")
} else if ( pref1 == 1 ) {
return("true")
} else {
return("false")
}
}
EOS
The output should either be Preference Not Set or true. If it is false, then the
computer is not in compliance
Run the following command to check the snapshot dates to verify that the dates meet
your organization's approved backup frequency:
/Library/Preferences/com.apple.TimeMachine.plist Destinations
The output will contain all the Time Machine backups in the format "YYYY-MM-DD
HH:MM:SS +0000"
Page 126
example:
function run() {
let pref1 =
\
.objectForKey('AutoBackup'))
let pref2 =
\
.objectForKey('LastDestinationID'))
if ( pref2 == null ) {
return("Preference Not Set")
} else if ( pref1 == 1 ) {
return("true")
} else {
return("false")
}
}
EOS
true
$ /usr/bin/sudo /usr/bin/defaults read read

/Library/Preferences/com.apple.TimeMachine.plist Destinations
(
{
BackupAlias = {length = 348, bytes = 0x00000000 015c0002 00011442
61636b75 ... 20564d00 ffff0000 };
BytesAvailable = 4855873536;
BytesUsed = 5125054464;
ConsistencyScanDate = "2022-09-22 18:21:01 +0000";
DestinationID = "A64EA502-30DD-480C-9F7B-4F3EEDD0D186";
DestinationUUIDs = (
"0D946E5D-68ED-4F63-BCBD-CE7FC94F47C0"
);
FilesystemTypeName = apfs;
HealthCheckDecision = 0;
InheritanceDecision = 0;
LastKnownEncryptionState = Encrypted;
RESULT = 0;
ReferenceLocalSnapshotDate = "2022-09-22 18:21:53 +0000";
SnapshotDates = (
"2022-09-22 18:21:01 +0000",
"2022-09-22 18:21:32 +0000",
"2022-09-22 18:21:57 +0000"
);
}
)
Page 127
Remediation:
Graphical Method:
Perform the following steps to enable Time Machine automatic backup:

2. Select General
5. Set Back up frequency to Automatically <every hour/every day/every week>
Terminal Method:
Run the following command to enable automatic backups if Time Machine is enabled:
/Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true
Profile Method:
1. The PayloadType string is com.apple.MCX.TimeMachine

2. The key to include is AutoBackup
3. The key must be set to
CIS Controls:
Controls
Version
11.2 Perform Automated Backups

v8 Perform automated backups of in-scope enterprise assets. Run backups ● ● ●
weekly, or more frequently, based on the sensitivity of the data.
v7 10.1 Ensure Regular Automated Back Ups ● ● ●

Ensure that all system data is automatically backed up on regular basis.
Page 128
2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time
Machine Is Enabled (Automated)
• Level 1
Description:
One of the most important security tools for data protection on macOS is FileVault. With
encryption in place, it makes it difficult for an outside party to access your data if they
get physical possession of the computer. One very large weakness in data protection
with FileVault is the level of protection on backup volumes. If the internal drive is
encrypted but the external backup volume that goes home in the same laptop bag is
not, it is self-defeating. Apple tries to make this mistake easily avoided by providing a
checkbox to enable encryption when setting up a Time Machine backup. Using this
option does require some password management, particularly if a large drive is used
with multiple computers. A unique, complex password to unlock the drive can be stored
in keychains on multiple systems for ease of use.
While some portable drives may contain non-sensitive data and encryption may make
interoperability with other systems difficult, backup volumes should be protected just like
boot volumes.
Rationale:
Backup volumes need to be encrypted.
Audit:
Graphical Method:
Perform the following steps to ensure the drive used for Time Machine is encrypted:

2. Select General
4. Verify that every drive setup for Time Machine states Encrypted
Terminal Method:
Run the following command to verify if the Time Machine disk encryption is enabled:
/Library/Preferences/com.apple.TimeMachine.plist | grep -c NotEncrypted
Page 129
Remediation:
Graphical Method:
Perform the following steps to enable encryption on the Time Machine drive:

2. Select General
4. Select the unencrypted drive
5. Select - to forget that drive as a destination
6. Select + to add a different drive as the destination
7. Select Set Up Disk...
8. Set Encrypt Backup to enabled
9. Enter a password in the New Password and the same password in the Re-enter
Password fields
10. A password hint is required, but it is recommended that you do not use any
identifying information for the password
Note: In macOS 12.0 Monterey and previous, the existing Time Machine drive could
have encryption added without formatting it. This is no longer possible in macOS 13.0
Ventura. If you wish to keep previous backups from the unencrypted volume, you will
need to manually move those files over to the new encrypted drive.
Page 130
CIS Controls:
Controls
Version
3.6 Encrypt Data on End-User Devices

v8 Encrypt data on end-user devices containing sensitive data. Example
implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-
● ● ●
crypt.
3.11 Encrypt Sensitive Data at Rest

Encrypt sensitive data at rest on servers, applications, and databases containing
sensitive data. Storage-layer encryption, also known as server-side encryption,
v8 meets the minimum requirement of this Safeguard. Additional encryption methods ● ●
may include application-layer encryption, also known as client-side encryption,
where access to the data storage device(s) does not permit access to the plain-text
data.
11.3 Protect Recovery Data

v8 Protect recovery data with equivalent controls to the original data. Reference ● ● ●
encryption or data separation, based on requirements.
10.4 Ensure Protection of Backups

v7 Ensure that backups are properly protected via physical security or encryption
when they are stored, as well as when they are moved across the network. This
● ● ●
includes remote backups and cloud services.
13.6 Encrypt the Hard Drive of All Mobile Devices.

v7 Utilize approved whole disk encryption software to encrypt the hard drive of all ● ● ●
mobile devices.
14.8 Encrypt Sensitive Information at Rest

v7 Encrypt all sensitive information at rest using a tool that requires a secondary
authentication mechanism not integrated into the operating system, in order to
●
access the information.
Page 131
2.4 Control Center
The Control Center System Settings pane allows modification to Control Center
modules and what is displayed in the menu bar.
Many menu bar icons provide additional status information when the option key is
selected along with the menu, including WiFi and Bluetooth.
Page 132
2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled
(Automated)
• Level 1
Description:
The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities
are enabled. If so, the system will scan for available wireless networks in order to
connect. At the time of this revision, all computers Apple builds have wireless network
capability, which has not always been the case. This control only pertains to systems
that have a wireless NIC available. Operating systems running in a virtual environment
may not score as expected, either.
Rationale:
Enabling "Show Wi-Fi status in menu bar" is a security awareness method that helps
mitigate public area wireless exploits by making the user aware of their wireless
connectivity status.
Impact:
The user of the system should have a quick check on their wireless network status
available.
Page 133
Audit:
Graphical Method:
Perform the following steps to verify that the Wi-Fi status shows in the menu bar:

3. Select Profiles
4. Verify that an installed profile has WiFi set to 18
Terminal Method:
Run the following command to verify that a profile is installed that enables Wi-FI to be
shown in the menu bar:
.objectForKey('WiFi').js
EOS
18
Remediation:
Profile Method:
1. The PayloadType string is com.apple.controlcenter

2. The key to include is WiFi
Page 134
AirPort is Apple’s marketing name for its 802.11x based wireless network interfaces.
Option-click the Wifi icon in the menu bar to find out more information about the
connected wireless network.
Audit:
Graphical Method:
Perform the following steps to verify that the Wi-Fi status shows in the menu bar:

3. Verify that Wi-Fi is set to Show in Menu Bar
Terminal Method:
For each user, run the following command to verify that Wi-Fi status is enabled in the
menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost read
com.apple.controlcenter.plist WiFi
Note: If the settings has not been changed from the default, then this audit will fail on
the command line. Follow the remediation instructions to verify that it is set to a disabled
status.
example:
com.apple.controlcenter.plist WiFi
Page 135
Remediation:
Graphical Method:
Perform the following steps to enable Wi-Fi status in the menu bar:

3. Set Wi-Fi to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Wi-Fi status in the menu bar:
com.apple.controlcenter.plist WiFi -int 2
example:
com.apple.controlcenter.plist WiFi -int 2
CIS Controls:
Controls
Version

function.
12.6 Use of Secure Network Management and

v8 Communication Protocols
Use secure network management and communication protocols (e.g., 802.1X,
● ●
Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).
15.4 Disable Wireless Access on Devices if Not Required

v7 Disable wireless access on devices that do not have a business purpose for ●
wireless access.
15.5 Limit Wireless Access on Client Devices

v7 Configure wireless access on client machines that do have an essential
wireless business purpose, to allow access only to authorized wireless networks
●
and to restrict access to other wireless networks.
Page 136
2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled
(Automated)
• Level 1
Description:
By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the
menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to
quickly turn Bluetooth on or off.
Rationale:
Enabling "Show Bluetooth status in menu bar" is a security awareness method that
helps understand the current state of Bluetooth, including whether it is enabled,
discoverable, what paired devices exist, and what paired devices are currently active.
Impact:
Bluetooth is a useful wireless tool that has been widely exploited when configured
improperly. The user should have insight into the Bluetooth status.
Audit:
Graphical Method:
Perform the following steps to ensure that Bluetooth status shows in the menu bar:

3. Select Profiles
4. Verify that an installed profile has Bluetooth set to 18
Terminal Method:
Run the following command to verify that a profile is installed that enables Bluetooth to
be shown in the menu bar:
.objectForKey('Bluetooth').js
EOS
18
Page 137
Remediation:
Profile Method:
1. The PayloadType string is com.apple.controlcenter

2. The key to include is Bluetooth
Audit:
Graphical Method:
Perform the following steps to ensure that Bluetooth status shows in the menu bar:

3. Verify that Bluetooth is set to Show in Menu Bar
Terminal Method:
For each user, run the following command to verify that the Bluetooth status is enabled
to show in the menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost read
com.apple.controlcenter.plist Bluetooth
18
Note: If the settings has not been changed from the default, then this audit will fail on
the command line. Follow the remediation instructions to verify that it is set to a disabled
status.
example:
com.apple.controlcenter.plist Bluetooth
18
Page 138
Remediation:
Graphical Method:
Perform the following steps to enable Bluetooth status in the menu bar:

3. Set Bluetooth to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Bluetooth status in the menu bar:
com.apple.controlcenter.plist Bluetooth -int 18
example:
com.apple.controlcenter.plist Bluetooth -int 18
CIS Controls:
Controls
Version

function.
13.9 Deploy Port-Level Access Control

v8 Deploy port-level access control. Port-level access control utilizes 802.1x, or
similar network access control protocols, such as certificates, and may
●
incorporate user and/or device authentication.

Page 139
2.5 Siri & Spotlight
Page 140
2.5.1 Audit Siri Settings (Manual)
• Level 1
Description:
With macOS 10.12 Sierra, Apple has introduced Siri from iOS to macOS. While there
are data spillage concerns with the use of data-gathering personal assistant software,
the risk here does not seem greater in sending queries to Apple through Siri than in
sending search terms in a browser to Google or Microsoft. While it is possible that Siri
will be used for local actions rather than Internet searches, Siri could, in theory, tell
Apple about confidential Programs and Projects that should not be revealed. This
appears be a usage edge case.
In cases where sensitive or protected data is processed and Siri could expose that
information through assisting a user in navigating their machine, it should be disabled.
Siri does need to phone home to Apple, so it should not be available from air-gapped
networks as part of its requirements.
Most of the use case data published has shown that Siri is a tremendous time saver on
iOS where multiple screens and menus need to be navigated through. Information like
sports scores, weather, movie times, and simple to-do items on existing calendars can
be easily found with Siri. None of the standard use cases should be more risky than
already approved activity.
For information on Apple's privacy policy for Siri, click here.
Rationale:
Where "normal" user activity is already limited, Siri use should be controlled as well.
Page 141
Audit:
Graphical Method:
Perform the following steps to verify Siri settings:

3. Select Profiles
4. Verify that an installed profile has Allow Assistant is to your organization's
parameters
Terminal Method:
Run the following command to verify that a profile is installed that sets Siri to your
organization's setting:
.objectForKey('allowAssistant').js
EOS
or
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
.objectForKey('Ironwood Allowed').js
EOS
The output will be true if Siri is enabled with either installed profile or false if is disabled
with either installed profile.
and/or remediation has been removed. We have included the individual user information
in the additional information.
Page 142
Remediation:
Profile Method:

2. The key to include is allowAssistant
3. Set the key to <true/> or <false/> based on your organization's requirements
OR
1. The PayloadType string is com.apple.ironwood.support

2. The key to include is Ironwood Allowed
References:
Page 143
Audit:
Graphical Method:
Perform the following steps to verify Siri settings:

2. Select Accessibility
3. Select Siri
4. Verify Type to Siri is set to your organization's parameters
5. Select Siri Settings...
6. Verify the settings are within your organization's parameters
Terminal Method:
Run the following commands to verify the Siri settings:
com.apple.assistant.support.plist 'Assistant Enabled'
The output will be either 0, Siri is disabled, or 1, Siri is enabled.
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.Siri.plist
The output will be either 0, disabled, or 1 for the following Siri options:
1. LockscreenEnabled - Is Siri enabled when the system is locked?

2. StatusMenuVisible - Is Siri visible in the menu bar?
3. TypeToSiriEnabled - Is Siri enabled to accept typed requests versus spoken
ones
4. VoiceTriggerUserEnabled - Is "Hey Siri" enabled?
Page 144
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read com.apple.Siri.plist
{
LockscreenEnabled = 0;
StatusMenuVisible = 0;
TypeToSiriEnabled = 0;
VoiceTriggerUserEnabled = 0;
}

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.Siri.plist
{
}
$ /usr/bin/sudo -u thirduser /usr/bin/defaults read

$ /usr/bin/sudo -u thirduser /usr/bin/defaults read com.apple.Siri.plist
{
}
Page 145
Remediation:
Graphical Method:
Perform the following steps to set Siri to your organization's parameters:

2. Select Siri
3. Select the settings that are within your organization's requirements
4. Select Show All
5. Select Accessibility
6. Select Siri
7. Select Enable Type to Siri to your organization's requirements
Terminal Method:
Run the following commands to enable or disable Siri settings:
com.apple.assistant.support.plist 'Assistant Enabled' -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist

LockscreenEnabled -bool <true/false>

StatusMenuVisible -bool <true/false>

TypeToSiriEnabled -bool <true/false>

VoiceTriggerUserEnabled -bool <true/false>
After running the default writes, the WindowServer needs to be restarted and the
caches cleared. Run the following commands to perform that action:
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
Page 146
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write
com.apple.assistant.support.plist 'Assistant Enabled' -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist

StatusMenuVisible -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist

LockscreenEnabled -bool false
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write

com.apple.assistant.support.plist 'Assistant Enabled' -bool false
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist

VoiceTriggerUserEnabled -bool false
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist

TypeToSiriEnabled -bool false
Page 147
CIS Controls:
Controls
Version

● ● ●



Page 148
2.5.2 Ensure Listen for "Hey Siri" Is Disabled (Manual)
• Level 1
Description:
macOS includes the Siri digital assistant and if enabled it is always listening in case it is
needed. In Sonoma a user may choose either "Hey Siri" or either "Siri" and "Hey Siri", in
either case Siri is using the microphone at all times to listen for instructions and then
can record questions once activated. In an organizational environment where people
are talking and listening on video/voice calls there are too many opportunities for
unauthorized information disclosure to have a live microphone at all times. If Siri will be
used it may be on, with "Listen for" Off and a keyboard shortcut selected.
Rationale:
In most environments there is too much unbounded risk of data spillage with a
microphone always on listening for instruction and if attention is obtained listening for
questions, relying on cloud compute to answer them. There are many examples of data
leakage for technology in this space, future vulnerabilities and bugs are certainly
possible.
Impact:
Siri will not be available for hands free usage, or not available at all if turned off
completely.
Audit:
Graphical Method:
Perform the following steps to ensure that the a login banner is configured:

3. Select Profiles
4. Verify that an installed profile has VoiceTriggerUserEnabled set to 0
Terminal Method:
Run the following command to verify that a custom message on the login screen is
configured:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.Siri')\
.objectForKey('VoiceTriggerUserEnabled').js
EOS
false
Page 149
Remediation:
Profile Method:
1. The PayloadType string is com.apple.Siri

2. The key to include is set to
Note: After testing, this profile will disable Hey Siribut only for the first input but not
additional inputs. It cannot be assumed that there will only be one input, so setting this
recommendation is advised but cannot fully be assessed. For the time being this
recommendation is currently not automated, but will be in future releases if we can
properly configure this recommendation.
References:
1. https://support.apple.com/guide/mac-help/use-siri-
mchl6b029310/mac#:~:text=Turn%20on%20Siri,may%20need%20to%20scroll%
20down.)&text=On%20the%20right%2C%20turn%20on,already%20on%2C%20t
hen%20click%20Enable.
2. https://clario.co/blog/is-siri-always-listening/
3. https://www.siriuserguide.com/how-to-use-siri-macos/
CIS Controls:
Controls
Version

● ● ●



Page 150
2.6 Privacy & Security
This section contains recommendations for configurable options under the Privacy &
Security panel.
Additional privacy preference information from Apple

If the computer is present in an area where there are privacy concerns or sensitive
activity is taking place, the Mac should be configured appropriately for the sensitive
area.
Camera: If the computer is present in an area where there are privacy concerns or
sensitive activity is taking place, the camera should be covered at those times. A
permanent cover or alteration may be required when the computer is always located in
a confidential area.
Microphone: If the computer is present in an area where there are privacy concerns or
sensitive activity is taking place, the microphone input should be set to zero in the input
tab of the Sound preference pane at those times. Individual management of applications
with access to the microphone may be managed in the Security & Privacy Preference
Pane under Microphone.
WiFi and Bluetooth Some organizations have comprehensive rules that cover the use of
wireless technologies in order to implement operational security. There are often
specific policies governing the use of both Bluetooth and Wi-Fi (802.11) that may
include disabling the wireless capability in either software or hardware or both. Wireless
access is part of the feature set required for mobile computers and is considered
essential for most users.
Malware is continuously discovered that circumvents the privacy controls of the built-in
Video, audio or network capabilities. No computer has perfect security, and even if all
the drivers are disabled or removed, working drivers can be reintroduced by a
determined attacker. Additional info Apple Pays $100.5K Bug Bounty for Mac Webcam
Hack
Mac users, update Zoom now — your microphone may be spying on you
Recommended settings for Wi-Fi routers and access points
Control access to the microphone on Mac
Bluetooth security
Page 151
2.6.1 Location Services
Page 152
2.6.1.1 Ensure Location Services Is Enabled (Automated)
• Level 2
Description:
macOS uses location information gathered through local Wi-Fi networks to enable
applications to supply relevant information to users. With the operating system verifying
the location, users do not need to change the time or the time zone. The computer will
change them based on the user's location. They do not need to specify their location for
weather or travel times, and they will receive alerts on travel times to meetings and
appointments where location information is supplied.
Location Services simplify some processes with mobile computers, such as asset
management and time or log management.
There are some use cases where it is important that the computer not be able to report
its exact location. While the general use case is to enable Location Services, it should
not be allowed if the physical location of the computer and the user should not be public
knowledge.
Rationale:
Location Services are helpful in most use cases and can simplify log and time
management where computers change time zones.
Page 153
Audit:
Graphical Method:
Perform the following steps to ensure that Location Services is enabled:

3. Select Location Services
4. Verify Location Services is enabled
Terminal Method:
Run the following command to verify that Location Services are enabled:
$ /usr/bin/sudo /bin/launchctl list | /usr/bin/grep -c com.apple.locationd
$ /usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS

$.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd').objectForKey(
'LocationServicesEnabled').js
EOS
true
Remediation:
Graphical Method:
Perform the following steps to enable Location Services:

4. Set Location Services to enabled
Terminal Method:
Run the following command to enable Location Services:
$ /usr/bin/sudo /bin/launchctl load -w
/System/Library/LaunchDaemons/com.apple.locationd.plist
If the com.apple.locationd.plist outputs 0, run the following command to also ensure
Location Services is running:
/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd
LocationServicesEnabled -bool false
$ /usr/bin/sudo /bin/launchctl kickstart -k system/com.apple.locationd
Note: In some use cases, organizations may not want Location Services running. To
disable Location Services, System Integrity Protection must be disabled.
Page 154
References:
CIS Controls:
Controls
Version

● ● ●

● ●

Page 155
2.6.1.2 Ensure Location Services Is in the Menu Bar (Automated)
• Level 2
Description:
This setting provides the user an understanding of the current status of Location
Services and which applications are using it.
Rationale:
Apple has fully integrated location services into macOS. Where the computer is
currently located is used for Timezones, weather, travel times, geolocation, "Find my
Mac," and advertising services. This benchmark recommends that location services are
enabled for most users. Many users may have occasions when they do not want to
share their current locations, and some users may need to rarely share their locations.
The immediate availability of Location Services in the menu bar provides easy access to
the current status, which applications are using the service, and a quick shortcut to
making changes. This setting provides better user control in managing user privacy.
Impact:
Users may be provided visibility to a setting they cannot control if organizations control
Location Services globally by policy.
Audit:
Graphical Method:
Perform the following steps to verify the settings for location services icon to be in the
menu bar:

4. Select Details...
5. Verify Show location icon in menu bar when System Services request your
location is set to True
Terminal Method:
Run the following commands to verify that the location services icon is in the menu bar:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationmenu')\
.objectForKey('ShowSystemServices').js
EOS
true
Page 156
Remediation:
Graphical Method:
Perform the following steps to set whether the location services icon is in the menu bar:

4. Select Details...
5. Set Show location icon in menu bar when System Services request your
location to enabled
Terminal Method:
Run the following commands to set the option of the location services icon being in the
menu bar:
/Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool
true
CIS Controls:
Controls
Version

● ● ●

● ●

Page 157
2.6.1.3 Audit Location Services Access (Manual)
• Level 2
Description:
macOS uses location information gathered through local Wi-Fi networks to enable
applications to supply relevant information to users. While Location Services may be
very useful, it may not be desirable to allow all applications that can use Location
Services to use your location for Internet queries in order to provide tailored content
based on your current location.
Ensure applications that can use Location Services are authorized and provide that
information where the application interacts with external systems. Apple offers feedback
within System Preferences and may be enabled to supply information on the menu bar
when Location Services are used.
Safari can deny access from websites or prompt for access.
Applications that support Location Services can be individually controlled in the Privacy
tab in Security & Privacy under System Preferences.
Access should be evaluated to ensure that privacy controls are as expected.
Rationale:
Privacy controls should be monitored for appropriate settings.

Impact:
Many macOS features rely on Location Services for tailored information. Users expect
their time zone and weather to be relevant to where they are without manual
intervention. Find my Mac needs to know where your Mac is actually located. Where
possible, the tolerance between location privacy and convenience may be best left to
the user when the location itself is not sensitive. If facility locations are not public,
location information should be tightly controlled.
Page 158
Audit:
Graphical Method:
Perform the following steps to verify what applications are enabled for Location
Services:

4. Verify that the applications allowed to access Location Services are set to your
Perform the following steps to verify what websites are enabled to ask for access to
Location Services:
1. Open Safari
2. Select Safari from the menu bar
3. Select Settings
4. Select Websites
5. Select Location
6. Verify that When visiting other websites is set to your organization's
requirements
Terminal Method:
Run the following command to evaluate the applications that are enabled to use
Location Services:
$ /usr/bin/sudo /usr/bin/defaults read /var/db/locationd/clients.plist
Ensure that all applications listed have been authorized to access location information.
Page 159
Remediation:
Graphical Method:
Perform the following steps to disable unnecessary applications from accessing
Location Services:

4. Set any applications listed to your organization's requirements
Perform the following steps to set websites to ask for permission to access Location
Services:
1. Open Safari
3. Select Settings
4. Select Websites
5. Select Location
6. Set When visiting other websites to your organization's requirements
CIS Controls:
Controls
Version
2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise ● ● ●
assets or receives a documented exception. Review monthly, or more frequently.

● ● ●
2.6 Address unapproved software

v7 Ensure that unauthorized software is either removed or the inventory is updated ● ● ●
in a timely manner

Page 160
2.6.2 Full Disk Access
Page 161
2.6.2.1 Audit Full Disk Access for Applications (Manual)
• Level 2
Description:
Starting with macOS 10.13 Apple enforces GUI access to the entire File System
through System Preferences. Only Applications from known developers with mission
requirements for Full Disk Access, such as security monitoring tools, should have Full
Disk Access. Applications that have Full Disk Access can access restricted files and
bypass macOS security controls, any applications with that access should be
organizationally authorized.
Rationale:
Any applications with Full Disk Access can bypass MacOS security controls and must
be reviewed as organizationally accepted risk.
Audit:
Graphical Method:
Perform the following steps to verify what applications have full disk access:

3. Select Full Disk Access
4. Verify that the applications are set to your organization's requirements
Terminal Method:
Run the following command to verify that Location Services are enabled:
$ /usr/bin/sudo /usr/bin/sqlite3 /Library/Application\
Support/com.apple.TCC/TCC.db 'select client from access where auth_value and
service = "kTCCServiceSystemPolicyAllFiles"'
The output will be what applications have full disk access enabled.
Remediation:
Graphical Method:
Perform the following steps to set full disk access for applications that meet your
organization's requirements:

3. Select Full Disk Access
4. Set any listed applications to your organization's requirements
5. (Optional) Select the + to add applications to teh list, or - to remove them
Page 162
References:
1. https://support.apple.com/guide/security/controlling-app-access-to-files-
secddd1d86a6/web
2. https://lapcatsoftware.com/articles/FullDiskAccess.html
3. https://www.techrepublic.com/article/secure-mac-data-full-disk-access/
4. https://support.intego.com/hc/en-us/articles/360016683471-Enable-Full-Disk-
Access-in-macOS
CIS Controls:
Controls
Version

● ● ●
16.7 Use Standard Hardening Configuration Templates for

Application Infrastructure
Use standard, industry-recommended hardening configuration templates for
v8 application infrastructure components. This includes underlying servers, databases, ● ●
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.

Page 163
2.6.3 Ensure Sending Diagnostic and Usage Data to Apple Is
• Level 2
Description:
Apple provides a mechanism to send diagnostic and analytics data back to Apple to
help them improve the platform. Information sent to Apple may contain internal
organizational information that should be controlled and not available for processing by
Apple. Turn off all Analytics and Improvements sharing.
Share Mac Analytics (Share with App Developers dependent on Mac Analytic sharing)
• Includes diagnostics, usage and location data
Share iCloud Analytics
• Includes iCloud data and usage information
Rationale:
Organizations should have knowledge of what is shared with the vendor and that this
setting automatically forwards information to Apple.
Page 164
Audit:
Graphical Method:
Perform the following steps to verify that diagnostic data is not being send to Apple:

2. Open Privacy & Security
3. Select Profiles
4. Verify that an installed profile has Allow Diagnostic Submission set to False
5. Also verify that an installed profile has Auto Submit set to False
6. Also verify that an installed profile has Siri Data Sharing Opt-In Status set to
2
Terminal Method:
Run the following command to verify that a profile is installed that disables sending
diagnostic and usage data to Apple:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 =
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\
.objectForKey('AutoSubmit').js
let pref2 =
.objectForKey('allowDiagnosticSubmission').js
let pref3 =
.objectForKey('Siri Data Sharing Opt-In Status').js
if ( pref1 == false && pref2 == false && pref3 == 2){

return("true")
} else {
return("false")
}
}
EOS
true
Page 165
Remediation:
Profile Method:

2. The key to include is allowDiagnosticSubmission
4. There must also be a second PayloadType string of com.apple.SubmitDiagInfo
5. The key to include is AutoSubmit
7. There must also be a third PayloadType string of com.apple.assistant.support
8. The key to also include is Siri Data Sharing Opt-In Status
9. The key must be set to <integer>2<integer/>
References:
1. https://support.apple.com/en-ca/guide/mac-help/mh27990/mac
Page 166
Audit:
Graphical Method:
Perform the following steps to verify that diagnostic data is not being send to Apple:

3. Select Analytics & Improvements
5. Verify that Share Mac Analytics is not enabled
6. Verify that Share with App Developers is not enabled
7. Verify that Improve Siri & Dictation is not enabled
Terminal Method:
Run the following command to verify that sending diagnostic and usage data to Apple is
disabled:
$ /usr/bin/sudo /usr/bin/defaults read /Library/Application\
Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit
$ /usr/bin/sudo /usr/bin/defaults read /Library/Application\

Support/CrashReporter/DiagnosticMessagesHistory.plist ThirdPartyDataSubmit

/Users/<username>/Library/Preferences/com.apple.assistant.support "Siri Data
Sharing Opt-In Status"
2
example:
/Users/firstuser/Library/Preferences/com.apple.assistant.support "Siri Data

/Users/seconduser/Library/Preferences/com.apple.assistant.support "Siri Data
Page 167
Remediation:
Graphical Method:
Perform the following steps to disable diagnostic data being sent to Apple:

5. Set Share Mac Analytics to disabled
6. Set Share with App Developers to disabled
7. Set Improve Siri & Dictation to disabled
Terminal Method:
Run the following commands to disable the sending of diagnostic data to Apple:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Application\
Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false
/usr/bin/sudo /usr/bin/defaults write /Library/Application\

Support/CrashReporter/DiagnosticMessagesHistory.plist ThirdPartyDataSubmit -
bool false
$ /usr/bin/sudo /bin/chmod 644 /Library/Application\

Support/CrashReporter/DiagnosticMessagesHistory.plist
$ /usr/bin/sudo /usr/bin/chgrp admin /Library/Application\

Support/CrashReporter/DiagnosticMessagesHistory.plist

/Users/<username>/Library/Preferences/com.apple.assistant.support "Siri Data
Sharing Opt-In Status" -int 2
example:
/Users/seconduser/Library/Preferences/com.apple.assistant.support "Siri Data
Sharing Opt-In Status" -int 2
Page 168
CIS Controls:
Controls
Version

● ● ●



Page 169
2.6.4 Ensure Limit Ad Tracking Is Enabled (Automated)
• Level 1
Description:
Apple provides a framework that allows advertisers to target Apple users and end-users
with advertisements. While many people prefer to see advertising that is relevant to
them and their interests, the detailed information that is collected, correlated, and
available to advertisers in repositories via data mining is often disconcerting. This
information is valuable to both advertisers and attackers, and has been used with other
metadata to reveal users' identities.
Organizations should manage advertising settings on computers rather than allow users
to configure the settings.
Apple Information
Ad tracking should be limited on 10.15 and prior.
Rationale:
Organizations should manage user privacy settings on managed devices to align with
organizational policies and user data protection requirements.
Impact:
Uses will see generic advertising rather than targeted advertising. Apple warns that this
will reduce the number of relevant ads.
Page 170
Audit:
Graphical Method:
Perform the following steps to verify that limited ad tracking is set:

3. Select Profiles
4. Verify that an installed profile has allowApplePersonalizedAdvertising set to 0
Terminal Method:
Run the following command to verify that a profile is installed that enables Limit Ad
Tracking:
.objectForKey('allowApplePersonalizedAdvertising').js
EOS
false
Remediation:
Profile Method:

2. The key to include is allowApplePersonalizedAdvertising
Page 171
Audit:
Graphical Method:
Perform the following steps to verify that limited ad tracking is set:

2. Select Apple Advertising
3. Verify that Personalized Ads is not enabled
or

3. Select Profiles
4. Verify that an installed profile has allowApplePersonalizedAdvertising set to 0
Terminal Method:
For each user, run the following command to verify that ad tracking is limited:
/Users/<username>/Library/Preferences/com.apple.AdLib.plist
allowApplePersonalizedAdvertising
0
example:
/Users/firstuser/Library/Preferences/com.apple.AdLib.plist

/Users/seconduser/Library/Preferences/com.apple.AdLib.plist
1
In this example, firstuser is compliant and seconduser is not.
Page 172
Remediation:
Graphical Method:
Perform the following steps to set limited ad tracking:

2. Select Apple Advertising
3. Set Personalized Ads to disabled
Terminal Method:
For each needed user, run the following command to enable limited ad tracking:
/Users/<username>/Library/Preferences/com.apple.Adlib.plist
allowApplePersonalizedAdvertising -bool false
example:
/Users/seconduser/Library/Preferences/com.apple.Adlib.plist
allowApplePersonalizedAdvertising -bool false
CIS Controls:
Controls
Version

function.

v7 Are Running
● ●
Page 173
2.6.5 Ensure Gatekeeper Is Enabled (Automated)
• Level 1
Description:
Gatekeeper is Apple’s application that utilizes allowlisting to restrict downloaded
applications from launching. It functions as a control to limit applications from unverified
sources from running without authorization. In an update to Gatekeeper in macOS 13
Ventura, Gatekeeper checks every application on every launch, not just quarantined
apps.
Rationale:
Disallowing unsigned software will reduce the risk of unauthorized or malicious
applications from running on the system.
Audit:
Graphical Method:
Perform the following steps to ensure that Gatekeeper is enabled:

3. Verify that 'Allow apps downloaded from' is set to 'App Store and identified
developers'
or

3. Select Profiles
4. Verify that an installed profile has Policies set to Enable
5. Verify that an installed profile has Identified Developers set to Allow
Terminal Method:
Run the following command to verify that Gatekeeper is enabled:
$ /usr/bin/sudo /usr/sbin/spctl --status
assessments enabled
Page 174
Remediation:
Graphical Method:
Perform the following steps to enable Gatekeeper:

3. Set 'Allow apps downloaded from' to 'App Store and identified developers'
Terminal Method:
Run the following command to enable Gatekeeper to allow applications from App Store
and identified developers:
$ /usr/bin/sudo /usr/sbin/spctl --master-enable
Profile Method:
1. The PayloadType string is com.apple.systempolicy.control

2. The key to include is AllowIdentifiedDevelopers
4. The key to also include is EnableAssessment
Page 175
CIS Controls:
Controls
Version
v8 10.1 Deploy and Maintain Anti-Malware Software ● ● ●

Deploy and maintain anti-malware software on all enterprise assets.
10.2 Configure Automatic Anti-Malware Signature

v8 Updates
Configure automatic updates for anti-malware signature files on all enterprise
● ● ●
assets.
10.5 Enable Anti-Exploitation Features

Enable anti-exploitation features on enterprise assets and software, where
v8 possible, such as Microsoft® Data Execution Prevention (DEP), Windows® ● ●
Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and
Gatekeeper™.
8.2 Ensure Anti-Malware Software and Signatures are

v7 Updated
Ensure that the organization's anti-malware software updates its scanning
● ● ●
engine and signature database on a regular basis.
8.4 Configure Anti-Malware Scanning of Removable

v7 Devices
Configure devices so that they automatically conduct an anti-malware scan of
● ● ●
removable media when inserted or connected.
Page 176
2.6.6 Ensure FileVault Is Enabled (Automated)
• Level 1
Description:
FileVault secures a system's data by automatically encrypting its boot volume and
requiring a password or recovery key to access it.
FileVault should be used with a saved escrow key to ensure that the owner can decrypt
their data if the password is lost.
FileVault may also be enabled using command line using the fdesetup command. To
use this functionality, consult the Der Flounder blog for more details (see link below
under References).
Rationale:
Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access
to it.
Impact:
Mounting a FileVault encrypted volume from an alternate boot source will require a valid
password to decrypt it.
Page 177
Audit:
Graphical Method:
Perform the following steps to verify that FileVault is enabled:

2. Select Privacy & Privacy
3. Verify that FileVault states FileVault is turned on for the disk "<disk
name>"
5. Select Profile
6. Verify that an installed profile has FileVault Can't Disable set to True
Terminal Method:
Run the following command to verify that FileVault is enabled and cannot be disabled:
$ /usr/bin/sudo /usr/bin/fdesetup status
FileVault is On

$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('dontAllowFDEDisable').js
EOS
true
Page 178
Remediation:
Graphical Method:
Perform the following steps to enable FileVault:

2. Select Security & Privacy
3. Select Turn On...
Note: This will allow you to create a recovery key for FileVault. Keep the key saved
securely in case it is needed at a later date.
Profile Method:

2. The key to include is dontAllowFDEDisable
Note: This profile is required to pass the audit.

References:
1. https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-
with-fdesetup/
2. https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-
encrypted-boot-drive-from-the-command-line-on-macos-mojave/
3. https://derflounder.wordpress.com/2021/10/29/use-of-filevault-institutional-
recovery-keys-no-longer-recommended-by-apple/
4. https://support.apple.com/guide/security/passcodes-and-passwords-
sec20230a10d/1/web/1
FileVault may not be desirable on a virtual OS. As long as the hypervisor and file
storage are encrypted, the virtual OS does not need to be. Rather than checking if the
OS is virtual and passing the control regardless of the encryption of the host system, the
normal check will be run. Security officials can evaluate the comprehensive controls
outside of the OS being tested.
Part of FileVault management in an Enterprise environment is to ensure key
management if technical staff need to decrypt encrypted volumes. More information
here: https://derflounder.wordpress.com/2021/10/29/use-of-filevault-institutional-
recovery-keys-no-longer-recommended-by-apple/
Page 179
CIS Controls:
Controls
Version

● ● ●
crypt.

data.

mobile devices.

●
Page 180
2.6.7 Audit Lockdown Mode (Manual)
• Level 2
Description:
Apple introduced Lockdown Mode as a security feature in their 2022 OS releases that
provides additional security protection Apple describes as extreme. Users and
organizations that suspect some users are targets of advanced attacks must consider
using this control.
When lockdown mode is enabled, specific trusted websites can be excluded from
Lockdown protection if necessary.
Rationale:
Lockdown Mode was designed by Apple as an aggressive approach to commonly
attacked OS features where additional controls could reduce the attack surface. IT
systems and devices, including their users, are subject to continuous exploit attempts.
Most of that activity is not from an advanced attacker and can be considered
background noise to a patched, hardened device. Advanced attackers are of more
concern and a risk review to understand organizational targets and use Lockdown Mode
where appropriate is necessary.
Impact:
Lockdown Mode must be tested appropriately for real-world impact on users prior to
use. As a new feature there is not sufficient technical reporting on user impacts.
Audit:
Graphical Method:
Perform the following steps to verify the settings for Lockdown Mode:

3. Verify Lockdown Mode is set to your organization's parameters
Terminal Method:
Run the following command to verify that Lockdown mode is enabled for the user:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read .GlobalPreferences.plist
LDMGlobalEnabled 2>/dev/null
When Lockdown mode has been enabled, it will return 1 and when disabled return 0. If
Lockdown has never been enabled, it will return no value.
NOTE: Lockdown mode is set per local user, therefore you must iterate through each
local user to verify the settings.
Page 181
Remediation:
Graphical Method:
Perform the following steps to set Lockdown Mode to your organization's requirements:

3. Set Lockdown Mode to your organization's parameters
References:
2. https://www.lifewire.com/use-lockdown-mode-on-mac-6454923
CIS Controls:
Controls
Version
4.6 Securely Manage Enterprise Assets and Software

Securely manage enterprise assets and software. Example implementations
include managing configuration through version-controlled-infrastructure-as-code
v8 and accessing administrative interfaces over secure network protocols, such as ● ● ●
Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use
insecure management protocols, such as Telnet (Teletype Network) and HTTP,
unless operationally essential.
16.2 Configure Centralized Point of Authentication

v7 Configure access for all accounts through as few centralized points of ● ●
authentication as possible, including network, security, and cloud systems.
Page 182
2.6.8 Ensure an Administrator Password Is Required to Access
System-Wide Preferences (Automated)
• Level 1
Description:
System Preferences controls system and user settings on a macOS Computer. System
Preferences allows the user to tailor their experience on the computer as well as
allowing the System Administrator to configure global security settings. Some of the
settings should only be altered by the person responsible for the computer.
Rationale:
By requiring a password to unlock system-wide System Preferences, the risk of a user
changing configurations that affect the entire system is mitigated and requires an admin
user to re-authenticate to make changes.
Impact:
Users will need to enter their password to unlock some additional preference panes that
are unlocked by default like Network, Startup and Printers & Scanners.
Page 183
Audit:
Graphical Method:
Perform the following steps to verify that an administrator password is required to
access system-wide preferences:

3. Select Advanced
4. Verify that Require an administrator password to access system-wide
settings is enabled
Terminal Method:
Run the following command to verify that accessing system-wide preferences requires
an administrator password:
$ authDBs=("system.preferences" "system.preferences.energysaver"
"system.preferences.network" "system.preferences.printing"
"system.preferences.sharing" "system.preferences.softwareupdate"
"system.preferences.startupdisk" "system.preferences.timemachine")
result="1"
for section in ${authDBs[@]}; do
if [[ $(/usr/bin/sudo /usr/bin/security -q authorizationdb read "$section" |
/usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-
sibling::*[1])' -) != "false" ]]; then
result="0" fi
done
echo $result
1
Note: Every audit and remediation incudes sudo before all commands. This is an
exception because authdb is a variable and using sudo causes an error in the output.
Page 184
Remediation:
Graphical Method:
Perform the following steps to verify that an administrator password is required to

3. Select Advanced
4. Set Require an administrator password to access system-wide settings to
enabled
Terminal Method:
The authorizationdb settings cannot be written to directly, so the plist must be exported
out to a temporary file. Changes can be made to the temporary plist, then imported back
into the authorizationdb settings.
Run the following commands to enable that an administrator password is required to
$ authDBs=("system.preferences" "system.preferences.energysaver"
"system.preferences.network" "system.preferences.printing"
"system.preferences.sharing" "system.preferences.softwareupdate"
"system.preferences.startupdisk" "system.preferences.timemachine")
for section in ${authDBs[@]}; do

/usr/bin/sudo /usr/bin/security -q authorizationdb read "$section" >
"/tmp/$section.plist"
key_value=$(/usr/libexec/PlistBuddy -c "Print :shared"
"/tmp/$section.plist" 2>&1)
if [[ "$key_value" == *"Does Not Exist"* ]]; then
/usr/bin/sudo /usr/libexec/PlistBuddy -c "Add :shared bool
false" "/tmp/$section.plist"
else
/usr/bin/sudo /usr/libexec/PlistBuddy -c "Set :shared false"
fi
/usr/bin/sudo /usr/bin/security -q authorizationdb write "$section" <
done
Note: Every audit and remediation incudes sudo before all commands. This is an
exception because authdb is a variable and using sudo causes an error in the output.
Page 185
CIS Controls:
Controls
Version

● ● ●

Page 186
2.7 Desktop & Dock
Page 187
2.7.1 Ensure Screen Saver Corners Are Secure (Automated)
• Level 2
Description:
Hot Corners can be configured to disable the screen saver by moving the mouse cursor
to a corner of the screen.
Rationale:
Setting a hot corner to disable the screen saver poses a potential security risk since an
unauthorized person could use this to bypass the login screen and gain access to the
system.
Audit:
Graphical Method:
Perform the following steps to ensure that a Hot Corner is not set to Disable Screen
Saver:

2. Select General
4. Verify that an installed profile has <wvous-tl-corner>, <wvous-bl-corner>,
<wvous-tr-corner>, and <wvous-br-corner> is not set to 6
Terminal Method:
Run the following command to verify that a profile is installed secures screen saver
corners:
$ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" =
6|"wvous-br-corner" = 6|"wvous-tl-corner" = 6|"wvous-tr-corner" = 6'
Page 188
Remediation:
Profile Method:
1. The PayloadType string is com.apple.dock

2. The key to include is Forced
3. The key must be set to the following:
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>wvous-bl-corner</key>
<integer><≠6></integer>
<key>wvous-br-corner</key>
<key>wvous-tl-corner</key>
<key>wvous-tr-corner</key>
</dict>
</dict>
</array>
Page 189
Audit:
Graphical Method:
Perform the following steps to ensure that a Hot Corner is not set to Disable Screen
Saver:

2. Select Desktop & Dock
3. Select `Hot Corners...
4. Verify that Disable Screen Saver is not set to any of the corners
or

2. Select General
4. Verify that an installed profile has <wvous-tl-corner>, <wvous-bl-corner>,
<wvous-tr-corner>, and <wvous-br-corner> set to and value that is not 6
Terminal Method:
For all users, run the following commands to verify that Disable Screen Saver is not set
as a Hot Corner:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-tl-
corner
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-bl-

corner
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-tr-

corner
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-br-

corner
Verify that the output does not have 6 as a key value. Any other number, or an output
that includes does not exist, is compliant.
Page 190
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-tl-
corner
10
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-bl-
corner
2020-07-31 14:32:29.018 defaults[39521:1276494]

The domain/default pair of (com.apple.dock, wvous-bl-corner) does not exist
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-tr-

corner
2020-07-31 14:32:32.403 defaults[39523:1276515]

The domain/default pair of (com.apple.dock, wvous-tr-corner) does not exist
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-br-

corner
2020-07-31 14:32:36.045 defaults[39525:1276529]

The domain/default pair of (com.apple.dock, wvous-br-corner) does not exist
Remediation:
Graphical Method:
Perform the following steps to disable a Hot Corner set to Disable Screen Saver:

2. Select Desktop & Dock
3. Select `Hot Corners...
4. Set any corners set to Disable Screen Saver to any other selection to meets
your organization's parameters
5. Select Done
Terminal Method: Run the following command to turn off Disable Screen Saver for a
Hot Corner:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.dock <corner
that is set to '6'> -int 0
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write com.apple.dock wvous-
tl-corner -int 0
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-tl-

corner
Page 191
CIS Controls:
Controls
Version
4.3 Configure Automatic Session Locking on Enterprise

Assets
v8 Configure automatic session locking on enterprise assets after a defined period ● ● ●
of inactivity. For general purpose operating systems, the period must not exceed
15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.
Page 192
2.8 Displays
Page 193
2.8.1 Audit Universal Control Settings (Manual)
• Level 1
Description:
Universal Control is an Apple feature that allows Mac users to control multiple other
Macs and iPads with the same keyboard, mouse, and trackpad using the same Apple
ID. The technology relies on already available iCloud services, particularly Handoff.
Universal Control simplifies the use of iCloud connectivity of multiple computers using
the same Apple ID. This may simplify data transfer from organizationally-managed and
personal devices. The use of the same iCloud account and Handoff is the underlying
concern that should be evaluated. The use of the same keyboard or mouse across
multiple devices does not by itself decrease organizational security.
Rationale:
The use of devices together when some are organizational and some are not may
complicate device management standards.
Audit:
Graphical Method:
Perform the following steps to verify the Universal Control settings:

2. Select Displays
3. Select Advanced...
4. Verify that the settings meet your organization's requirements
or

3. Select Profiles
4. Verify that an installed profile has with com.apple.universalcontrol in Settings
and has Disable set to your organization's parameters.
Page 194
Terminal Method:
Run the following command to verify the settings for Universal Control:
$ /usr/bin/sudo -u <user> /usr/bin/defaults -currentHost read
com.apple.universalcontrol Disable
If the output is The domain/default pair of (com.apple.universalcontrol, Disable)
does not exist then Universal Control is enabled. If the output is 1, it is disabled

com.apple.universalcontrol DisableMagicEdges
If the output is The domain/default pair of (com.apple.universalcontrol,

DisableMagicEdges) does not exist then Push through the edge of the display to
connect a nearby Mac or iPad is enabled. If the output is 1, it is disabled
example:
The domain/default pair of (com.apple.universalcontrol, Disable) does not

exist

The domain/default pair of (com.apple.universalcontrol, Disable) does not

exist


or
Run the following command to verify that a profile is installed that sets Universal Control
to your organization's parameters:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.universalcontrol')\
.objectForKey('Disable').js
EOS
If the output is true, Universal Control is disabled. If it is false, then Universal Control is
enabled.
Page 195
Remediation:
Graphical Method:
Perform the following steps to set Universal Control to your organization's requirements:

2. Select Display
3. Select Advanced...
4. Set the options that meet your organization's requirements
Terminal Method:
Run the following command to enable or disable Universal Control:
com.apple.universalcontrol Disable -bool <true/false>

com.apple.universalcontrol DisableMagicEdges -bool <true/false>
example:
com.apple.universalcontrol Disable -bool true

com.apple.universalcontrol DisableMagicEdges -bool true
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read

com.apple.universalcontrol Disable -bool false

com.apple.universalcontrol DisableMagicEdges -bool false
Profile Method:
1. The PayloadType string is com.apple.universalcontrol

2. The key to include is Disable
user.
Universal Control: Use a single keyboard and mouse between Mac and iPad
Universal Control: Everything You Need to Know
Page 196
CIS Controls:
Controls
Version

● ● ●



Page 197
2.9 Battery (Energy Saver)
This section is for energy use controls. Prior to Big Sur (Mac OS 11) it was known only
as Energy Saver.
On desktop Macs, this preference pane is still named Energy Saver and not Battery.
Mac Energy Saver preferences explained
Page 198
2.9.1 OS Resuming From Sleep
In order to use a computer with Full Disk Encryption (FDE), macOS must keep
encryption keys in memory to allow the use of the disk that has been FileVault
protected. The storage volume has been unlocked and acts as if it were not encrypted.
When the system is not in use, the volume is protected through encryption. When the
system is sleeping and available to quickly resume, the encryption keys remain in
memory.
If an unauthorized party has possession of the computer and the computer is only slept,
there are known attack vectors that can be attempted against the RAM that has the
encryption keys or the running operating system protected by a login screen. Network
attacks if network interfaces are on, as well as USB or other open device ports, are
possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high
level of sophistication if all the other controls function as intended.
There is little impact on hibernating the system rather than sleeping after an appropriate
time period to remediate the risk of OS level attacks. Hibernation writes the keys to disk
and requires FileVault to be unlocked prior to the OS being available. In the case of
unauthorized personnel with access to the computer, encryption would have to be
broken prior to attacking the operating system in order to recover data from the system.
Page 199
2.9.1.1 Ensure the OS Is Not Active When Resuming from
Standby (Intel) (Automated)
• Level 2
Description:
memory.
https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/
Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
The default value for "standbydelay" is three hours (10800 seconds). This value is likely
appropriate for most desktops. If Mac desktops are deployed in unmonitored, less
physically secure areas with confidential data, this value might be adjusted. The
desktop would have to retain power, however, so that the running OS or physical RAM
could be attacked.
MacBooks should be set so that the standbydelay is 15 minutes (900 seconds) or less.
This setting should allow laptop users in most cases to stay within physically secured
areas while going to a conference room, auditorium, or other internal location without
having to unlock the encryption. When the user goes home at night, the laptop will auto-
hibernate after 15 minutes and require the FileVault password to unlock prior to logging
back into the system when it resumes.
MacBooks should also be set to a hibernate mode that removes power from the RAM.
This will stop the possibility of cold boot attacks on the system.
Macs running Apple silicon chips, rather than Intel chips, do not require the same
configuration as Intel-based Macs.
Rationale:
To mitigate the risk of data loss, the system should power down and lock the encrypted
drive after a specified time. Laptops should hibernate 15 minutes or less after sleeping.
Impact:
The laptop will take additional time to resume normal operation if only sleeping rather
than hibernating.
Setting hibernatemode to 25 will disable the "always-on" feature of the Apple Silicon
Macs.
Page 200
Audit:
Terminal Method:
Run the following command to verify the hibernation settings and that FileVault keys are
destroyed on standby:
$ /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep
-e MacBook
If there is an output, run the following:
$ /usr/bin/sudo /usr/bin/pmset -b -g | | /usr/bin/grep -e standby
The output should include a standbydelaylow value ≤ 900, a standbydelayhigh value ≤
900, and a highstandbythreshold value ≥ 90.
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep hibernatemode
hibernatemode 25
example:

-e MacBook
Model Name: MacBook Pro

Model Identifier: MacBookPro13,1
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e standby
standbydelaylow 600
standby 1
standbydelayhigh 600
highstandbythreshold 50
hibernatemode 25
Note: To verify if you are running an Intel processor, run /usr/sbin/sysctl -n
machdep.cpu.brand_string. The output will include Intel.
Page 201
Remediation:
Terminal Method:
Run the following command to set the hibernate delays and to ensure the FileVault keys
are set to be destroyed on standby:
$ /usr/bin/sudo /usr/bin/pmset -a standbydelaylow <value≤900>
$ /usr/bin/sudo /usr/bin/pmset -a standbydelayhigh <value≤900>
$ /usr/bin/sudo /usr/bin/pmset -a highstandbythreshold <value≥90>
$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1
$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25
example:
$ /usr/bin/sudo /usr/bin/pmset -a standbydelaylow 500
$ /usr/bin/sudo /usr/bin/pmset -a standbydelayhigh 500
$ /usr/bin/sudo /usr/bin/pmset -a highstandbythreshold 100
References:
1. https://www.lifewire.com/change-mac-sleep-settings-2260804
2. https://www.zdziarski.com/blog/?p=6705
3. https://www.howtogeek.com/260478/how-to-choose-when-your-mac-hibernates-
or-enters-standby/
CIS Controls:
Controls
Version

● ● ●

Page 202
2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep
and Display Sleep (Apple Silicon) (Automated)
• Level 2
Description:
memory.
If an unauthorized party has possession of the computer and the computer is only slept,
there are known attack vectors that can be attempted against the RAM that has the
encryption keys or the running operating system protected by a login screen. Network
attacks if network interfaces are on, as well as USB or other open device ports, are
possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high
level of sophistication if all the other controls function as intended.
There is little impact on hibernating the system rather than sleeping after an appropriate
time period to remediate the risk of OS level attacks. Hibernation writes the keys to disk
and requires FileVault to be unlocked prior to the OS being available. In the case of
unauthorized personnel with access to the computer, encryption would have to be
broken prior to attacking the operating system in order to recover data from the system.
https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/
Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
MacBooks should be set so that the sleep is 15 minutes (900 seconds) or less. This
setting should allow laptop users in most cases to stay within physically secured areas
while going to a conference room, auditorium, or other internal location without having
to unlock the encryption. When the user goes home at night, the laptop will auto-
hibernate after 15 minutes and require the FileVault password to unlock prior to logging
back into the system when it resumes.
MacBooks should also be set to a hibernate mode that removes power from the RAM.
This will stop the possibility of cold boot attacks on the system.
Macs running Apple silicon chips, rather than Intel chips, do not require the same
configuration as Intel-based Macs.
Rationale:
To mitigate the risk of data loss, the system should power down and lock the encrypted
drive after a specified time. Laptops should hibernate 15 minutes or less after sleeping.
Page 203
Impact:
The laptop will take additional time to resume normal operation if only sleeping rather
than hibernating. Touch ID will not be available when waking from hibernate.
Setting hibernatemode to 25 will disable the "always-on" feature of the Apple Silicon
Macs.
Audit:
Terminal Method:
Run the following command to verify sleep and hibernation settings:
-e MacBook
-e MacBook
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e "^ sleep"
The output should be sleep with a value ≤ 15.
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e "displaysleep"
The output should be displaysleep with a value ≤ 10 and ≤ the value of sleep.
hibernatemode 25
example:
$ /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | grep -e
MacBook
Model Name: MacBook Pro

Model Identifier: MacBookPro18,3
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e "^ sleep"
sleep 10 (sleep prevented by sharingd, powerd, bluetoothd,

com.apple.PassKit.PaymentAuthor)
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e "displaysleep"
displaysleep 15
hibernatemode 25
Note: To verify if you are running an Apple Silicon processor, run /usr/sbin/sysctl -n
machdep.cpu.brand_string. The output will include Apple.
Page 204
Remediation:
Terminal Method:
Run the following command to set the sleep time and hibernate mode:
$ /usr/bin/sudo /usr/bin/pmset -a sleep <value≤10>
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep <value≤15 & >value of sleep>
Note: Setting hibernate mode will require the user to log into the machine after sleep
and disable any wake options. hibernatemode must be set to 25 or it will not force the
computer into a pre-boot state.
example:
$ /usr/bin/sudo /usr/bin/pmset -a sleep 10
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep 15
References:
1. https://www.lifewire.com/change-mac-sleep-settings-2260804
2. https://www.zdziarski.com/blog/?p=6705
3. https://www.howtogeek.com/260478/how-to-choose-when-your-mac-hibernates-
or-enters-standby/
CIS Controls:
Controls
Version

● ● ●

Page 205
2.9.1.3 Ensure FileVault is Locked on Sleep (Automated)
• Level 2
Description:
Full Disk Encryption (FDE) is a Data-at-Rest (DAR) solution. It ensures that when the
data on the drive is not in use it is full encrypted, but it can be decrypted (unlocked) as
needed. When a Mac sleeps, the encryption keys remain in memory so that the drive is
encrypted but unlocked. There are attacks available to interact with the OS and data on
the unlocked drive. FileVault volumes should be locked when not in use to resist attack.
Rationale:
The purpose of DAR is to ensure data is encrypted while at rest. If the volume is always
unlocked it is not sufficient.
Impact:
The laptop will require a user to log in with their username and password, not TouchID,
into the OS after the FileVault key is destroyed.
Audit:
Terminal Method:
Run the following command to verify the that FileVault keys are destroyed on standby or
sleep:
-e MacBook
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep DestroyFVKeyOnStandby
DestroyFVKeyOnStandby 1
Remediation:
Terminal Method:
Run the following command to ensure FileVault keys are set to be destroyed on
standby:
Page 206
CIS Controls:
Controls
Version

● ● ●

Page 207
2.9.2 Ensure Power Nap Is Disabled for Intel Macs (Automated)
• Level 1
Description:
Power Nap allows the system to stay in low power mode, especially while on battery
power, and periodically connect to previously known networks with stored credentials
for user applications to phone home and get updates. This capability requires FileVault
to remain unlocked and the use of previously joined networks to be risk accepted based
on the SSID without user input.
This control has been updated to check the status on both battery and AC Power. The
presence of an electrical outlet does not completely correlate with logical and physical
security of the device or available networks.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and
gaining access.
The use of Power Nap adds to the risk of compromised physical and logical security.
The user should be able to decrypt FileVault and have the applications download what
is required when the computer is actively used.
The control to prevent computer sleep has been retired for this version of the
Benchmark. Forcing the computer to stay on and use energy in case a management
push is needed is contrary to most current management processes. Only keep
computers unslept if after hours pushes are required on closed LANs.
Impact:
Power Nap exists for unattended user application updates like email and social media
clients. With Power Nap disabled, the computer will not wake and reconnect to known
wireless SSIDs intermittently when slept.
Page 208
Audit:
Perform the following to verify that Power Nap is not enabled:
Graphical Method:
Desktop Instructions:

2. Select Energy Saver
3. Verify that Power Nap is disabled
4. Select UPS (if applicable)
Laptop Instructions:

2. Select Battery
3. Select Power Adapter
5. Select Battery
Terminal Method:
Run the following command to verify if Power Nap is disabled:
$ /usr/bin/sudo /usr/bin/pmset -g custom | /usr/bin/grep -c "powernap'\s+'1"
Page 209
Remediation:
Graphical Method:
Perform the following steps to disable Power Nap:

3. Set Power Nap to disabled

2. Select Battery
3. Select Power Adapter (for laptops only)
5. Select Battery
Terminal Method:
Run the following command to disable Power Nap:
$ /usr/bin/sudo /usr/bin/pmset -a powernap 0
/usr/bin/man pmset
Page 210
CIS Controls:
Controls
Version

● ● ●



Page 211
2.9.3 Ensure Wake for Network Access Is Disabled (Automated)
• Level 1
Description:
This feature allows the computer to take action when the user is not present and the
computer is in energy saving mode. These tools require FileVault to remain unlocked
and fully rejoin known networks. This macOS feature is meant to allow the computer to
resume activity as needed regardless of physical security controls.
This feature allows other users to be able to access your computer’s shared resources,
such as shared printers or Apple Music playlists, even when your computer is in sleep
mode. In a closed network when only authorized devices could wake a computer, it
could be valuable to wake computers in order to do management push activity. Where
mobile workstations and agents exist, the device will more likely check in to receive
updates when already awake. Mobile devices should not be listening for signals on any
unmanaged network or where untrusted devices exist that could send wake signals.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and
gaining access.
Impact:
Management programs like Apple Remote Desktop Administrator use wake-on-LAN to
connect with computers. If turned off, such management programs will not be able to
wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off
this feature.
The control to prevent computer sleep has been retired for this version of the
Benchmark. Forcing the computer to stay on and use energy in case a management
push is needed is contrary to most current management processes. Only keep
computers unslept if after hours pushes are required on closed LANs.
Page 212
Audit:
Graphical Method:
Perform the following steps to verify that Wake for network access is disabled:

3. Verify that Wake for network access is disabled

2. Select Battery
4. Verify that Wake for network access is set to Never
Terminal Method:
Run the following command verify if Wake for network access is not enabled:
$ /usr/bin/sudo /usr/bin/pmset -g custom | /usr/bin/grep -e womp
womp 0
or
Run the following command to verify that a profile is installed that enables App Store
updates to be automatically installed:
$ /usr/bin/sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "Wake On LAN"
"Wake On LAN" = 0;
"Wake On LAN" = 0;
"Wake On LAN" = 0;
$ /usr/bin/sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "Wake On Modem

Ring"
"Wake On Modem Ring" = 0;

Page 213
Remediation:
Graphical Method:
Perform the following steps to disable Wake for network access:

3. Set Wake for network access to disabled

2. Select Battery
4. Set Wake for network access to Never
Terminal Method:
Run the following command to disable Wake for network access:
$ /usr/bin/sudo /usr/bin/pmset -a womp 0
Page 214
Profile Method:

2. The key to include is com.apple.EnergySaver.desktop.ACPower
3. The key must be set to:
<dict>
<key>Wake On LAN</key>
<integer>0</integer>
<key>Wake On Modem Ring</key>
</dict>
4. The key to also include is com.apple.EnergySaver.portable.ACPower

<dict>
</dict>
6. The key to also include is com.apple.EnergySaver.portable.BatteryPower

<dict>
</dict>
Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On
LAN will allow the profile to install but not set any settings. This profile will only apply the
setting at installation and is not sticky.
/usr/bin/man pmset
Page 215
CIS Controls:
Controls
Version

function.

Page 216
2.10 Lock Screen
Page 217
2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the
Screen Saver Is Enabled (Automated)
• Level 1
Description:
A locking screen saver is one of the standard security controls to limit access to a
computer and the current user's session when the computer is temporarily unused or
unattended. In macOS, the screen saver starts after a value is selected in the drop-
down menu. 20 minutes or less is an acceptable value. Any value can be selected
through the command line or script, but a number that is not reflected in the GUI can be
problematic. 20 minutes is the default for new accounts.
Rationale:
Setting an inactivity interval for the screen saver prevents unauthorized persons from
viewing a system left unattended for an extensive period of time.
Impact:
If the screen saver is not set, users may leave the computer available for an
unauthorized person to access information.
Audit:
Graphical Method:
Perform the following steps to verify that the screen saver is set activate after less than
or equal to 20 minutes of inactivity:

3. Select Profiles
4. Verify that an installed profile has Idle Time set to ≤1200
Terminal Method:
Run the following command to verify that a profile is installed that enables a system-
wide screensaver idle time of less than or equal to 20 minutes:
Page 218
function run() {
let timeout =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')
\
.objectForKey('idleTime'))
if ( timeout <= 1200 ) {
return("true")
} else {
return("false")
}
}
EOS
true
Remediation:
Profile Method:
1. The PayloadType string is com.apple.screensaver

2. The key to include is idleTime
3. The key must be set to <integer><≤1200></integer>
user.
Page 219
Audit:
Graphical Method:
Perform the following steps to verify that the screen saver is set activate after less than
or equal to 20 minutes of inactivity:

2. Select Lock Screen
3. Verify that Start Screen Saver when inactive is set for 20 minutes or less
(≤1200 seconds)
or

3. Select Profiles
4. Verify that an installed profile has Idle Time set to ≤1200
Terminal Method:
Run the following command to verify that the screen saver idle time of individual users
is set to less than or equal to 20 minutes:
$ /usr/bin/sudo -u <username> /usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 =
\
.objectForKey('idleTime'))
if ( pref1 <= 1200 ) {
return("true")
} else {
return("false")
}
}
EOS
true
Note: If there is no output, then the setting has not been changed from the default and
is considered not in compliance. Follow the remediation instructions to set the idle time
to match your organization's policy.
Page 220
Remediation:
Graphical Method:
Perform the following to set the screen saver to activate in 20 minutes or less:

3. Set Start Screen Saver when inactive to a selection that is 20 minutes or less
(≤1200)
Terminal Method:
Run the following command to set individual users to an idle time of the screen saver is
set to 20 minutes or less (≤1200):
com.apple.screensaver idleTime -int <value ≤1200>
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write
com.apple.screensaver idleTime -int 600

com.apple.screensaver idleTime
600
Note: Issues arise if the command line is used to make the setting something other than
what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or
20 (1200) minutes to avoid any issues.
CIS Controls:
Controls
Version

Assets

Page 221
2.10.2 Ensure Require Password After Screen Saver Begins or
Display Is Turned Off Is Enabled for 5 Seconds or Immediately
(Automated)
• Level 1
Description:
Sleep and screen saver modes are low power modes that reduce electrical
consumption while the system is not in use.
Rationale:
Prompting for a password when waking from sleep or screen saver mode mitigates the
threat of an unauthorized person gaining access to a system in the user's absence.
Impact:
Without a screenlock in place, anyone with physical access to the computer would be
logged in and able to use the active user's session.
Page 222
Audit:
Graphical Method:
Perform the following steps to verify that a password is required to wake from sleep or
screen saver:

3. Verify that Require password after screensaver begins or display is turned
off is set with After 0 seconds or After 5 seconds
or

3. Select Profiles
4. Verify that an installed profile has Ask For Password set to True
5. Verify that the same installed profile has Ask For Password Delay set to <0,5>
Terminal Method:
Run the following command to verify that a password is required to wake the computer
from sleep or from the screen saver after 5 seconds of less:
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock status
The output should include either screenLock delay is immediate or screenLock delay
is 5 seconds.
Run the following command to verify that a profile is installed that requires a password
to wake the computer from sleep or from the screen saver:
function run() {
let pref1 =
\
.objectForKey('askForPassword'))
let pref2 =
\
.objectForKey('askForPasswordDelay'))
if ( pref1 == 1 && pref2 <= 5 ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 223
Remediation:
Graphical Method:
Perform the following steps to enable a password for unlock after a screen saver begins
or after sleep:

3. Set Require password after screensaver begins or display is turned off to
either After 0 seconds or After 5 seconds
Terminal Method:
Run the following command to require a password to unlock the computer after the
screen saver engages or the computer sleeps:
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password
<administrator password>
or
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password
<administrator password>
Profile Method:
1. The PayloadType string is com.apple.screensaver

2. The key to include is askForPassword
4. The key to also include is askForPasswordDelay
5. The key must be set to <integer><0,5></integer>
References:
1. https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-
a385726e2ae2
2. https://github.com/rtrouton/profiles/blob/master/SetDefaultScreensaver/SetDefaul
tScreensaver.mobileconfig
This only protects the system when the screen saver is running.
Note: The command line check in previous versions of the Benchmark does not work
as expected here. The use of a profile is recommended for both implementation and
auditing on a 10.13 system or later.
Page 224
CIS Controls:
Controls
Version
4.7 Manage Default Accounts on Enterprise Assets and

Software
v8 Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example
● ● ●
implementations can include: disabling default accounts or making them
unusable.
4.2 Change Default Passwords

v7 Before deploying any new asset, change all default passwords to have values ● ● ●
consistent with administrative level accounts.
Page 225
2.10.3 Ensure a Custom Message for the Login Screen Is
Enabled (Automated)
• Level 1
Description:
An access warning informs the user that the system is reserved for authorized use only,
and that the use of the system may be monitored.
Rationale:
An access warning may reduce a casual attacker's tendency to target the system.
Access warnings may also aid in the prosecution of an attacker by evincing the
attacker's knowledge of the system's private status, acceptable use policy, and
authorization requirements.
Impact:
If users are not informed of their responsibilities, unapproved activities may occur.
Users that are not approved for access may take the lack of a warning banner as
implied consent to access.
Page 226
Audit:
Graphical Method:
Perform the following steps to ensure that the a login banner is configured:

3. Verify Show message when locked is enabled
4. Select Set
5. Verify that the message displayed is configured to your organization's required
text
or

3. Select Profiles
4. Verify that an installed profile has Banner Text is configured to your
organization's required text
Terminal Method:
Run the following command to verify that a custom message on the login screen is
configured:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('LoginwindowText').js
EOS
The output should be a message that is configured to your organization's required text.
example:
.objectForKey('LoginwindowText').js
EOS
Center for Internet Security Test Message
Page 227
Remediation:
Graphical Method:
Perform the following steps to enable a login banner set to your organization's required
text:

3. Set Show message when locked to enabled
4. Select Set
5. Insert text in the Set a message to appear on the lock screen that matches
your organization's required text
6. Select Done
Terminal Method:
Run the following command to enable a custom login screen message:
/Library/Preferences/com.apple.loginwindow LoginwindowText "<custom message>"
example:
/Library/Preferences/com.apple.loginwindow LoginwindowText "Center for
Internet Security Test Message"
Profile Method:
1. The PayloadType string is com.apple.loginwindow

2. The key to include is LoginwindowText
3. The key must be set to <string><Your organization's required
text></string>
CIS Controls:
Controls
Version

● ● ●

Page 228
2.10.4 Ensure Login Window Displays as Name and Password Is
Enabled (Automated)
• Level 1
Description:
The login window prompts a user for his/her credentials, verifies their authorization
level, and then allows or denies the user access to the system.
Rationale:
Prompting the user to enter both their username and password makes it twice as hard
for unauthorized users to gain access to the system since they must discover two
attributes.
Audit:
Graphical Method:
Perform the following steps to verify that the login window displays name and password:

3. Verify that Login window shows is set to Name and Password
or

3. Select Profiles
4. Verify that an installed profile has Show Full Name set to True
Terminal Method:
Run the following command to verify the login window displays name and password:
.objectForKey('SHOWFULLNAME').js
EOS
true
Page 229
Remediation:
Graphical Method:
Perform the following steps to ensure the login window display name and password:

3. Set 'Login window showstoName and Password`
Terminal Method:
Run the following command to enable the login window to display name and password:
/Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
Note: The GUI will not display the updated setting until the current user(s) logs out.
Profile Method:

2. The key to include is SHOWFULLNAME
CIS Controls:
Controls
Version

● ● ●

Page 230
2.10.5 Ensure Show Password Hints Is Disabled (Automated)
• Level 1
Description:
Password hints are user-created text displayed when an incorrect password is used for
an account.
Rationale:
Password hints make it easier for unauthorized persons to gain access to systems by
displaying information provided by the user to assist in remembering the password. This
info could include the password itself or other information that might be readily
discerned with basic knowledge of the end user.
Impact:
The user can set the hint to any value, including the password itself or clues that allow
trivial social engineering attacks.
Page 231
Audit:
Graphical Method:
Perform the following steps to verify if password hints are shown:

3. Verify that Show password hints is disabled
or

3. Select Profiles
4. Verify that an installed profile has Retires Before Hint Shown set to 0
Terminal Method:
Run the following command to verify that password hints are not displayed:
.objectForKey('RetriesUntilHint').js
EOS
0
Note: The default setting is not auditable through the command line. Please turn off the
check and re-enable when the GUI does not reflect the audited results, or run the
Terminal command(s).
Remediation:
Graphical Method:
Perform the following steps to disable password hints from being shown:

3. Set 'Show password hints` to disabled
Terminal Method:
Run the following command to disable password hints:
/Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
Profile Method:

2. The key to include is RetriesUntilHint
Page 232
CIS Controls:
Controls
Version

● ● ●

Page 233
2.11 Touch ID & Password (Login Password)
The Touch ID & Password System Settings pane is named Login Password on Macs
that do not have Touch ID and does not contain any details about Touch ID.
Page 234
2.11.1 Ensure Users' Accounts Do Not Have a Password Hint
(Automated)
• Level 1
Description:
Password hints help the user recall their passwords for various systems and/or
accounts. In most cases, password hints are simple and closely related to the user's
password.
Rationale:
Password hints that are closely related to the user's password are a security
vulnerability, especially in the social media age. Unauthorized users are more likely to
guess a user's password if there is a password hint. The password hint is very
susceptible to social engineering attacks and information exposure on social media
networks.
Audit:
Terminal Method:
Run the following command to verify that no users have a password hint:
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint
The output will list all users. If there are any text listed with the user, then the machine is
not compliant.
example:
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -list /Users hint
firstuser passwordhint
seconduser passwordhint2
thirduser
fourthuser
Guest
Page 235
Remediation:
Graphical Method:
Perform the following steps to remove a user's password hint:

2. Select Touch ID & Passwords (or Login Password on non-Touch ID Macs)
3. Select Change...
4. Change the password and ensure that no text is entered in the Password hint
box
Note: This will only change the currently logged-in user's password, and not any others
that are not compliant on the Mac. Use the terminal method if multiple users are not in
compliance.
Terminal Method:
Run the following command to remove a user's password hint:
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/<username>
hint
example:
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/firstuser
hint
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/seconduser

hint
Organizations might consider entering an organizational help desk phone number or

other text (such as a warning to the user). A help desk number is only appropriate for
organizations with trained help desk personnel that are validating user identities for
password resets.
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 236
2.11.2 Audit Touch ID (Manual)
• Level 1
Description:
Apple has integrated Touch ID with macOS and allows fingerprint use for many
common operations. All use of Touch ID requires the presence of a password and the
use of that password after every reboot, or when more than 48 hours has elapsed since
the device was last unlocked. Touch ID is not a password replacement. The use of
Touch ID can, however, make the use of passwords more secure for authorized users
with physical access to a Mac. Normal day-to-day work operations can eliminate the
use of console password entry unless a reboot is required other than on Monday
morning. The infrequency of password screen unlock can enable a more complicated
pass phrase that is seldom used. When Touch ID is used it remediates the risk of
shoulder surfing (including video surveillance) to capture console credentials. There
have been many reported shoulder surfing password captures on iOS devices. Reports
have not been widespread on Macs, but shoulder surfing password capture is simpler
than the other methods of breaking in to an encrypted Mac.
When a SmartCard or YubiKey is provisioned by an organization and is available for
Console authentication, that is a much more secure option than the use of Touch ID and
is preferred.
Rationale:
Touch ID allows for an account-enrolled fingerprint to access a key that uses a
previously provided password.
Impact:
Touch ID is more convenient for use with aggressive screen lock controls.
Page 237
Audit:
Graphical Method:
Perform the following to verify Touch ID settings:

2. Select Touch ID & Password
3. Verify the Touch ID settings match your organization's requirements
Terminal Method:
For each user, run the following commands to verify that the TouchID settings are within
your organizations paramters:
$ /usr/bin/sudo -u <username> /usr/bin/bioutil -r
User Touch ID configuration:

Touch ID for unlock: <0,1>
Touch ID for ApplePay: <0,1>
Effective Touch ID for unlock: <0,1>
Effective Touch ID for ApplePay: <0,1>
$ /usr/bin/sudo /usr/bin/bioutil -r -s | /usr/bin/awk '/timeout/'
Touch ID timeout (in seconds): <value≤172800>

Note: The -s notates a system configuration and does not need to be ran for each user.
Note: The output for unlock and ApplePay is 0 for disabled and 1 for enabled. The
timeout value is seconds and can be set to any value.
example:
$ /usr/bin/sudo -u firstuser /usr/bin/bioutil -r
User Touch ID configuration:

Touch ID for unlock: 1
Touch ID for ApplePay: 1
Effective Touch ID for unlock: 1
Effective Touch ID for ApplePay: 1
$ /usr/bin/sudo usr/bin/bioutil -r -s | /usr/bin/awk '/timeout/'
Touch ID timeout (in seconds): 172800
In the above example, the user has TouchID enabled for both unlocking the system and
for ApplePay. The timeout for TouchID is set to the maximum of 48 hours (172800
seconds).
Page 238
Remediation:
Graphical Method:
Perform the following steps to set Touch ID to your organization's settings:

2. Select Touch ID & Password
3. Set the Touch ID settings to your organization's requirements
Terminal Method:
For each user, run the following commands to set TouchID to your organizations
paramters:
Use this command for TouchID to unlock the system. Use 0 to disable unlock or 1 to
enable unlock:
$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -u <0,1>
Use this command for TouchID to use ApplePay. Use 0 to disable ApplePay or 1 to
enable ApplePay:
$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -a <0,1>
Use this command to set the timeout at the system level:

$ /usr/bin/sudo usr/bin/bioutil -w -s -o <value≤172800>
example:
$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -u 1
$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -a 1
$ /usr/bin/sudo usr/bin/bioutil -w -s -o 86400
Note: The -s notates a system configuration and does not need to be ran for each user.
References:
1. https://support.apple.com/guide/mac-help/touch-id-mchl16fbf90a/mac
Page 239
CIS Controls:
Controls
Version

● ● ●

includes, at a minimum, an 8-character password for accounts using MFA and a 14-
● ● ●
character password for accounts not using MFA.

● ●
system.

Page 240
2.12 Users & Groups
Account management is a central part of security for any computer system, including
macOS. General practices should be followed to ensure that all accounts on a system
are still needed, and that default accounts have been removed. Users with administrator
roles should have distinct accounts for both administrator functions as well as day-to-
day work where the passwords are different and known only by the user assigned to the
account. Accounts with elevated privileges should not be easily discerned from the
account name from standard accounts.
When any computer system is added to a directory system there are additional controls
available, including user account management, that are not available in a standalone
computer. One of the drawbacks is the local computer is no longer in control of the
accounts that can access or manage it if given permission. For macOS, if the computer
is connected to a directory, any standard user can now log into the computer at console,
which by default may be desirable or not depending on the use case. If an administrator
group is allowed to administer the local computer, the membership of that group is
controlled completely in the directory.
macOS computers connected to a directory should be configured so that the risk is
appropriate for the mission use of the computer. Only those accounts that require local
authentication should be allowed, and only required administrator accounts should be in
the local administrator group. Authenticated users for console access and domain
admins for administration may be too broad or too limited.
Page 241
2.12.1 Ensure Guest Account Is Disabled (Automated)
• Level 1
Description:
The guest account allows users access to the system without having to create an
account or password. Guest users are unable to make setting changes and cannot
remotely login to the system. All files, caches, and passwords created by the guest user
are deleted upon logging out.
Rationale:
Disabling the guest account mitigates the risk of an untrusted user doing basic
reconnaissance and possibly using privilege escalation attacks to take control of the
system.
Impact:
A guest user can use that access to find out additional information about the system
and might be able to use privilege escalation vulnerabilities to establish greater access.
Page 242
Audit:
Graphical Method:
Perform the following steps to ensure that the guest account is not available:

2. Select Users & Groups
3. Select the i next to the Guest User
4. Verify that Allow guests to log in to this computer is disabled
or

3. Select Profiles
4. Verify that an installed profile has Disable Guest Account set to True
5. Verify that an installed profile has Enable Guest Account set to False
Terminal Method:
Run the following command to verify if the guest account is enabled:
function run() {
let pref1 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('DisableGuestAccount'))
let pref2 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('EnableGuestAccount'))
let pref3 =
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')
\
.objectForKey('GuestEnabled'))
if (( pref1 == 1 && pref2 == 0 ) || ( pref3 == 0 )) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 243
Remediation:
Graphical Method:
Perform the following steps to disable guest account availability:

4. Set Allow guests to log in to this computer to disabled
Terminal Method:
Run the following command to disable the guest account:
/Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
Profile Method:

2. The key to include is DisableGuestAccount
4. The key to include is EnableGuestAccount
By default, the guest account is enabled for access to sharing services but is not
allowed to log into the computer.
The guest account does not need a password when it is enabled to log into the
computer.
Page 244
CIS Controls:
Controls
Version

includes, at a minimum, an 8-character password for accounts using MFA and a 14-
● ● ●
character password for accounts not using MFA.
6.2 Establish an Access Revoking Process

Establish and follow a process, preferably automated, for revoking access to
v8 enterprise assets, through disabling accounts immediately upon termination, rights ● ● ●
revocation, or role change of a user. Disabling accounts, instead of deleting
accounts, may be necessary to preserve audit trails.
6.8 Define and Maintain Role-Based Access Control

Define and maintain role-based access control, through determining and
v8 documenting the access rights necessary for each role within the enterprise to
successfully carry out its assigned duties. Perform access control reviews of
●
enterprise assets to validate that all privileges are authorized, on a recurring
schedule at a minimum annually, or more frequently.

● ●
system.
Page 245
2.12.2 Ensure Guest Access to Shared Folders Is Disabled
(Automated)
• Level 1
Description:
Allowing guests to connect to shared folders enables users to access selected shared
folders and their contents from different computers on a network.
Rationale:
Not allowing guests to connect to shared folders mitigates the risk of an untrusted user
doing basic reconnaissance and possibly using privilege escalation attacks to take
control of the system.
Impact:
Unauthorized users could access shared files on the system.
Audit:
Graphical Method:
Perform the following steps to ensure that guests cannot connect to shared folders:

4. Verify that Allow guests to connect to shared folders is disabled
Terminal Method:
Run the following commands to verify that shared folders are not accessible to guest
users:
$ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess status
The output should include SMB guest access disabled.
Page 246
Remediation:
Graphical Method:
Perform the following steps to no longer allow guest user access to shared folders:

4. Set Allow guests to connect to shared folders to disabled
Terminal Method:
Run the following commands to verify that shared folders are not accessible to guest
users:
$ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off
CIS Controls:
Controls
Version

● ● ●

Protect all information stored on systems with file system, network share,
v7 claims, application, or database specific access control lists. These controls will
enforce the principle that only authorized individuals should have access to the
● ● ●
information based on their need to access the information as a part of their
responsibilities.
Page 247
2.12.3 Ensure Automatic Login Is Disabled (Automated)
• Level 1
Description:
The automatic login feature saves a user's system access credentials and bypasses the
login screen. Instead, the system automatically loads to the user's desktop screen.
Rationale:
Disabling automatic login decreases the likelihood of an unauthorized person gaining
access to a system.
Impact:
If automatic login is not disabled, an unauthorized user could gain access to the system
without supplying any credentials.
Page 248
Audit:
Graphical Method:
Perform the following steps to ensure that automatic login is not enabled:

3. Verify that Automatic login in as... is set to Off
or

3. Select Profiles
4. Verify that an installed profile has Disable Autologin set to True
Terminal Method:
Run the following command to verify that automatic login has not been enabled:
function run() {
let pref1 =
\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient'))
let pref2 =
\
.objectForKey('autoLoginUser'))
if ( pref1 == 1 || pref2 == null ) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 249
Remediation:
Graphical Method:
Perform the following steps to set automatic login to off:

3. Set Automatic login in as... to Off
Terminal Method:
Run the following command to disable automatic login:
$ /usr/bin/sudo /usr/bin/defaults delete
/Library/Preferences/com.apple.loginwindow autoLoginUser
Profile Method:

2. The key to include is com.apple.login.mcx.DisableAutoLoginClient
Note: If both the profile is enabled and a user is set to autologin, the profile will take
precedent. In this case, the graphical or terminal remediation method should also be
applied in case the profile is ever removed.
CIS Controls:
Controls
Version
4.7 Manage Default Accounts on Enterprise Assets and

Software
v8 Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example
● ● ●
implementations can include: disabling default accounts or making them
unusable.
4.2 Change Default Passwords

v7 Before deploying any new asset, change all default passwords to have values ● ● ●
consistent with administrative level accounts.
Page 250
2.13 Passwords
Page 251
2.13.1 Audit Passwords System Preference Setting (Manual)
• Level 1
Description:
Apple has provided a new interface in macOS Monterey for managing passwords that
mirrors the interfaced capability already available in iOS. Password management in
macOS was previously available in both Safari Preferences and in Keychain Access.
Apple is attempting to simplify password management for macOS and make the user
experience more similar to iOS. Organizations are justifiably concerned about the risk of
password managers, particularly as a possible backdoor to improved credential
management regimes and greater use of Multi-Factor-Authentication (MFA).
Apple has information posted on this system preference with additional information.
Change Passwords preferences on Mac
A warning icon is shown next to a website for any of the following reasons:
• Easily guessed
• Appeared in a data leak
• Reused on another website
Rationale:
Organizations should remove what passwords can be saved on user computers, thus
limiting the ability of attackers to potentially steal organizational credentials. Limits on
password storage must be evaluated based on both user risk and Enterprise risk.
Impact:
Organizations using passwords are constantly reported as having their password
databases leaked to the Internet so every password a user has should be unique.
Locking down secure password management solutions so that it cannot be used pushes
users to password reuse, sticky notes, or always open text files with long lists of
credentials.
Page 252
Audit:
Graphical Method:
Perform the following steps to audit the Password system settings:

2. Select Passwords
3. Enter the user's password
4. Select Security Recommendations
5. Verify that any recommendations or compromised passwords are set to match
your organization's settings
6. Review applications with stored passwords to ensure that Enterprise managed
passwords are not stored inappropriately. Application interfaces may need to be
considered as well, as they allow the opportunity to store passwords that should
not be saved.
Remediation:
Graphical Method:
Perform the following steps to set Password system settings to your organization's
settings:

2. Select Passwords
3. Enter the user's password
4. Select the Security Recommendations
5. Remove stored passwords that should not be saved.
References:
1. https://support.apple.com/guide/security/password-monitoring-
sec78e79fc3b/1/web/1
Page 253
CIS Controls:
Controls
Version

● ● ●
v8 5.6 Centralize Account Management ● ●

Centralize account management through a directory or identity service.

● ●
system.
Page 254
2.14 Game Center
Page 255
2.14.1 Audit Game Center Settings (Manual)
• Level 2
Description:
With macOS 10.13, Apple has introduced a separate section for Game Center in
System Settings. It is possible to log in with the Apple ID and use the iCloud-based
Game Center services.
Game Center is a feature from Apple that allows users to engage in game-related
activities with friends when playing multiplayer games online on the Game Center social
network. User profile data such as nickname, contact discovery, and also nearby
players may be shared through iCloud.
Apple collects information here, such as the games users play and when they play
them, all scores and achievements, and the challenges users send and receive. This
information is used to track users' high scores, achievements, and challenges and to
improve Game Center.
The automatic sign in to Game Center with AppleID should be disabled if not aligned
with organizational rules
Personal profile visibility, Finding by Friends, requests from Contacts, Nearby Player
detection and Connecting with Friends are all visibility options that should be risk
accepted through an organizational policy before use.
Users should not sign in to Game Center on organizational managed devices if not
covered under acceptable use. For personal devices Game Center should not be
signed in if the user is not using Apple's gaming service.
Rationale:
Ensure Game Center service is used consistently with organizational requirements.
Impact:
Game Center is designed as a social network to use Apple's gaming service and
includes capabilities to discover players in the service as through local network
discovery. If the Apple feature is not needed it should not be on, and should not be
signed in.
Page 256
Audit:
Graphical Method:
Perform the following steps to verify the status of iCloud Game Center service:

3. Select Profiles
4. Verify that an installed profile has Allow GameCenter set to your organization's
requirements
Terminal Method:
Run the following command to verify that a profile is installed that sets iCloud allow
GameCenter setting to your organizations settings:
.objectForKey('allowGameCenter').js
EOS
If the output is false, Game Center is disabled. If the output is true Game Center is
enabled.
and/or remediation has been removed. We have included the individual user information
in the additional information section for reference only.
Remediation:
Profile Method:

2. The key to include is allowGameCenter
3. The key should be set <true/>, to allow Game Center, or <false/>, to disable it,
based on your organization's requirements
References:
3. https://developer.apple.com/game-center/
https://github.com/usnistgov/macos_security/pull/195
Page 257
Audit:
Graphical Method:
Perform the following steps to verify the status of iCloud Game Center service:

2. Select Game Center
3. Verify that Game Center is set to your organization's requirements
Remediation:
Graphical Method:
Perform the following steps to set iCloud Game Center based on your organization's
requirements:

2. Select Game Center
3. Set Game Center to meet your organization's requirements
Page 258
2.15 Notifications
Page 259
2.15.1 Audit Notification & Focus Settings (Manual)
• Level 1
Description:
Notification capabilities are designed to allow users to receive updates from applications
that are not currently in use. These can be background applications or even notices
from processes running on a computer that is not currently being actively used. Where
the screen of a computer is visible to others other than the logged-in user due to shared
working spaces or public spaces, consideration should be given to the exposure of
sensitive data in notifications. Applications that use the system-wide application service
may be individually managed, and applications that might expose confidential
information to unauthorized users should not expose notifications except to the current
user, especially on the locked screen when the computer may be unattended.
Rationale:
Some work environments will handle sensitive or confidential information with
applications that can provide notifications to anyone who can see the computer screen.
Organizations must review the likelihood that information may be exposed
inappropriately and suppress notifications where risk is not organizationally accepted.
Impact:
Computer users are often juggling too much information through too many applications
that want their attention and are often designed to get attention and never let it go.
Notifications are a mechanism that can be used to cut through the deluge and allow
important issues to be resolved in a timely way. Global controls on limiting user
notifications, even for certain applications, could impact productivity and the timely
remediation of issues.
Audit:
Graphical Method:
Perform the following steps to verify that Notifications are set to your organization's
requirements:

2. Select Notifications
3. Verify that Show previews for each application is set to your organization's
requirements
Note: If the exposure of controlled information or data leakage is possible with

application notifications, the acceptable notification level should be established through
a risk analysis of what unauthorized leaks may occur.
Page 260
Remediation:
Graphical Method:
Perform the following steps to set Notifications to your organization's requirements:

2. Select Notifications
3. Select any applications that are not in compliance with your organization's
requirements
4. Turn off or mute notifications that may expose information to unauthorized people
that might be able to view screens of organizational computers.
CIS Controls:
Controls
Version

● ● ●

Page 261
2.16 Wallet & Apple Pay
Page 262
2.16.1 Audit Wallet & Apple Pay Settings (Manual)
• Level 2
Description:
Touch ID is a prerequisite for using Apple Pay and Wallet on macOS. Apple Pay allows
an Apple account holder to enroll their credit cards in Apple Pay and pay enrolled
vendors without using the physical card or number. Apple's service eliminates the
requirement to send the credit card number itself to the vendor. Apple Pay on a Mac
allows the use of credit cards the user has already enrolled and reduces user risk for
credit card purchases.
Rationale:
Some environments may have rules around purchases from organizationally managed
computers and may want to discourage shopping from them. It is difficult to block
access to websites that allow purchases, and Apple Pay has more controls for user
protection than the manual entry of credit card information.
Audit:
Graphical Method:
Perform the following to verify Wallet & Apple Pay settings:

2. Select Wallet & Apple Pay
3. Verify the Wallet & Apple Pay settings match your organization's requirements
Remediation:
Graphical Method:
Perform the following steps to set Wallet & Apple Pay to your organization's settings:

2. Select Wallet & Apple Pay
3. Set the Wallet & Apple Pay settings to your organization's requirements
References:
1. https://www.apple.com/apple-pay/
2. https://support.apple.com/guide/mac-help/use-wallet-apple-pay-on-mac-
mchl4773988b/mac
Page 263
2.17 Internet Accounts
Internet Accounts is an Apple feature to manage accounts for the use of Mac OS native
applications. If Interest accounts are allowed and not tied to Enterprise SSO credentials
the use of the Internet Accounts setting allows for better tracking and control.
Disabling or hiding the System Preference Pane for Internet Accounts complicates the
ability to audit and use OS level stored credentials, it does not block application access
from a Mac to a domain that offers and authenticated session on the Internet.
Page 264
2.17.1 Audit Internet Accounts for Authorized Use (Manual)
• Level 1
Description:
Apple provides a section in System Settings to create and display Internet Accounts.
Setting up an Internet Account allows the user to configure access to pre-existing
accounts that are Internet Accessible. The Internet Accounts section is not managing
network access to firewall rules, it only provides a location to manage credentials and
audit external accounts for applications that make use of the "Internet Accounts". Some
applications, like Thunderbird and Firefox, do not natively use Internet Accounts and
store credentials with the application settings. Disabling the Internet Accounts section
does not block access if network reachable, it just makes auditing and use more
difficult. Depending on the maturity of network controls auditing the providers listed in
Internet Accounts is part of managing acceptable use.
Rationale:
Internet provided services may one restricted in your organization and should be
reviewed, even with an advanced application firewall the user may not always be using
an internal trusted network subject to the organizational firewall. An audit will document
which services a user has configured.
Impact:
Reputationaly risky services may be identified that are not authorized and will require a
recess to work with the user to no longer connect form a managed Mac.
Audit:
Graphical Method:
Perform the following steps to verify what accounts have been added to Internet
Accounts:

2. Select Internet Accounts
3. Verify that all accounts are set to your organization's requirements
Page 265
Remediation:
Graphical Method:
Perform the following steps to set accounts in Internet Accounts to your organization's
requirements:

2. Select Internet Accounts
3. For each account, select the account
4. Verify that each sync option is set to yout organizations requirements
5. (Optional) Select Delete Account... to remove the account
6. (Optional) Select Add Account... to add an account to the system
References:
1. https://support.apple.com/guide/mac-help/add-your-email-and-other-accounts-
mh35565/mac#:~:text=Add%20an%20account%20in%20Internet%20Accounts%
20settings&text=On%20your%20Mac%2C%20choose%20Apple,may%20need%
20to%20scroll%20down.)&text=Click%20Add%20Account%20on%20the,name%
20of%20an%20account%20provider.
Page 266
CIS Controls:
Controls
Version

● ● ●


● ●


v7 Are Running
● ●
Page 267
2.18 Keyboard
Page 268
2.18.1 Ensure On-Device Dictation Is Enabled (Automated)
• Level 1
Description:
In macOS 14.0 Sonoma, Apple released the ability to limit dictation to staying on-device
and not sending data to the Siri severs. The use of dictation is likely to include editing
documents with confidential information. While Apple does have controls to obfuscate
voice data that exists on their servers it is recommended that Dictation collected
information does not leave the local Mac.
Rationale:
Sending data from dictation to the Siri servers could allow data spillage to occur. From a
control perspective it is much safer to ensure information of various levels of confidential
is retained locally.
Impact:
Keeping all dictation on-device does not allow the system to better understand and
learn, through machine learning, from the user.
Audit:
Terminal Method:
Run the following command to verify that a profile is installed to allow on-device
dictation only:
.objectForKey('forceOnDeviceOnlyDictation').js
EOS
true
Remediation:
Profile Method:

2. The key to include is forceOnDeviceOnlyDictation
Page 269
CIS Controls:
Controls
Version

● ● ●

Page 270
3 Logging and Auditing
This section provides guidance on configuring the logging and auditing facilities
available in macOS. Starting with macOS 10.12, Apple introduced unified logging. This
capability replaces the previous logging methodology with centralized, system-wide
common controls. A full explanation of macOS logging behavior is beyond the scope of
this Benchmark. These changes impact previous logging controls from macOS
Benchmarks. At this point, many of the syslog controls have been or are being removed
since the old logging methods have been deprecated. Controls that still appear useful
will be retained. Some legacy controls have been removed for this release.
More info:
• https://developer.apple.com/documentation/os/logging
• https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/
Page 271
3.1 Ensure Security Auditing Is Enabled (Automated)
• Level 1
Description:
macOS's audit facility, auditd, receives notifications from the kernel when certain
system calls, such as open, fork, and exit, are made. These notifications are captured
and written to an audit log.
Rationale:
Logs generated by auditd may be useful when investigating a security incident as they
may help reveal the vulnerable application and the actions taken by a malicious actor.
Audit:
Terminal Method:
Perform the following to verify that security auditing is enabled:
Run the following command to verify auditd:
$ /usr/bin/sudo /bin/launchctl list | /usr/bin/grep -i auditd
- 0 com.apple.auditd
Remediation:
Terminal Method:
Perform the following to enable security auditing:
Run the following command to load auditd:
$ /usr/bin/sudo /bin/launchctl load -w
/System/Library/LaunchDaemons/com.apple.auditd.plist
Page 272
CIS Controls:
Controls
Version
8.2 Collect Audit Logs

v8 Collect audit logs. Ensure that logging, per the enterprise’s audit log ● ● ●
management process, has been enabled across enterprise assets.
8.5 Collect Detailed Audit Logs

v8 Configure detailed audit logging for enterprise assets containing sensitive data.
Include event source, date, username, timestamp, source addresses, destination
● ●
addresses, and other useful elements that could assist in a forensic investigation.
4.9 Log and Alert on Unsuccessful Administrative Account

v7 Login
Configure systems to issue a log entry and alert on unsuccessful logins to an
● ●
administrative account.
6.2 Activate audit logging

v7 Ensure that local logging has been enabled on all systems and networking ● ● ●
devices.
Page 273
3.2 Ensure Security Auditing Flags For User-Attributable Events
Are Configured Per Local Organizational Requirements
(Automated)
• Level 2
Description:
Auditing is the capture and maintenance of information about security-related events.
Auditable events often depend on differing organizational requirements.
Rationale:
Maintaining an audit trail of system activity logs can help identify configuration errors,
troubleshoot service disruptions, and analyze compromises or attacks that have
occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail
of evidence in case the system or network is compromised.
Depending on the governing authority, organizations can have vastly different auditing
requirements. In this control we have selected a minimal set of audit flags that should
be a part of any organizational requirements. The flags selected below may not
adequately meet organizational requirements for users of this benchmark. The auditing
checks for the flags proposed here will not impact additional flags that are selected.
Audit:
Terminal Method:
Run the following command to verify the Security Auditing Flags that are enabled:
$ /usr/bin/sudo /usr/bin/grep -e "^flags:" /etc/security/audit_control
The output should include the following flags:
• -fm - audit failed file attribute modification events

• ad - audit successful/failed administrative events
• -ex - audit failed program execution
• aa - audit all authorization and authentication events
• -fr - audit all failed read actions where enforcement stops a read of a file
• lo - audit successful/failed login/logout events
• -fw - audit all failed write actions where enforcement stopped a file write
The -all flag will capture all failed events across all audit classes and can be used to
supersede the individual flags for failed events.
Note: Excluding potentially noisy audit events may be ideal, depending on your use-
case.
Note: Historical audit flags are listed below as preliminary guidance.
Page 274
Remediation:
Terminal Method:
Perform the following to set the required Security Auditing Flags:
Edit the /etc/security/audit_control file and add -fm, ad, -ex, aa, -fr, lo, and -fw to
flags. You can also substitute -all for -fm, -ex, -fr, and -fw.
References:
1. https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/
2. https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev-
1/draft/documents/sp800-179r1-draft.pdf
3. https://www.scip.ch/en/?labs.20150108
4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
5. https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-
the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-
to-Cybersecurity-Incidents.pdf
Flag settings are currently based on the guidance provided by the NIST through the
macOS Security guidance they are providing in their GitHub repository. You can find
that guidance here.
CIS Controls:
Controls
Version
v8 3.14 Log Sensitive Data Access ●

Log sensitive data access, including modification and disposal.


● ●

devices.
14.9 Enforce Detail Logging for Access or Changes to

Sensitive Data
v7 Enforce detailed audit logging for access to sensitive data or changes to ●
sensitive data (utilizing tools such as File Integrity Monitoring or Security
Information and Event Monitoring).
Page 275
3.3 Ensure install.log Is Retained for 365 or More Days and No
Maximum Size (Automated)
• Level 1
Description:
macOS writes information pertaining to system-related events to the file
/var/log/install.log and has a configurable retention policy for this file. The default
logging setting limits the file size of the logs and the maximum size for all logs. The
default allows for an errant application to fill the log files and does not enforce sufficient
log retention. The Benchmark recommends a value based on standard use cases. The
value should align with local requirements within the organization.
The default value has an "all_max" file limitation, no reference to a minimum retention,
and a less precise rotation argument.
The all_max flag control will remove old log entries based only on the size of the log
files. Log size can vary widely depending on how verbose installing applications are in
their log entries. The decision here is to ensure that logs go back a year, and depending
on the applications a size restriction could compromise the ability to store a full year.
While this Benchmark is not scoring for a rotation flag, the default rotation is sequential
rather than using a timestamp. Auditors may prefer timestamps in order to simply review
specific dates where event information is desired.
Please review the File Rotation section in the man page for more information.
man asl.conf
• The maximum file size limitation string should be removed "all_max="

• An organization appropriate retention should be added "ttl="
• The rotation should be set with timestamps "rotate=utc" or "rotate=local"
Rationale:
Archiving and retaining install.log for at least a year is beneficial in the event of an
incident as it will allow the user to view the various changes to the system along with the
date and time they occurred.
Impact:
Without log files system maintenance and security forensics cannot be properly
performed.
Page 276
Audit:
Terminal Method:
Run the following command to verify that log files are retained for at least 365 days with
no maximum size:
$ /usr/bin/sudo /usr/bin/grep -i ttl /etc/asl/com.apple.install
The output must include ttl≥365
$ /usr/bin/sudo /usr/bin/grep -i all_max= /etc/asl/com.apple.install
No results should be returned.
Remediation:
Terminal Method:
Perform the following to ensure that install logs are retained for at least 365 days:
Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or
greater on the file line. Also, remove the all_max= setting and value from the file line.
CIS Controls:
Controls
Version
8.1 Establish and Maintain an Audit Log Management

Process
Establish and maintain an audit log management process that defines the
v8 enterprise’s logging requirements. At a minimum, address the collection, review, ● ● ●
and retention of audit logs for enterprise assets. Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
8.3 Ensure Adequate Audit Log Storage

v8 Ensure that logging destinations maintain adequate storage to comply with the ● ● ●
enterprise’s audit log management process.
6.4 Ensure adequate storage for logs

v7 Ensure that all systems that store logs have adequate storage space for the logs ● ●
generated.
v7 6.7 Regularly Review Logs ● ●

On a regular basis, review logs to identify anomalies or abnormal events.
Page 277
3.4 Ensure Security Auditing Retention Is Enabled (Automated)
• Level 1
Description:
The macOS audit capability contains important information to investigate security or
operational issues. This resource is only completely useful if it is retained long enough
to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible
under a certain size, the recommendation is to use the following:
expire-after:60d OR 5G
This recomendation is based on minimum storage for review and investigation. When a
third party tool is in use to allow remote logging or the store and forwarding of logs, this
local storage requirement is not required.
Rationale:
The audit records need to be retained long enough to be reviewed as necessary.
Impact:
The recommendation is that at least 60 days or 5 gigabytes of audit records are
retained. Systems that have very little remaining disk space may have issues retaining
sufficient data.
Audit:
Terminal Method:
Run the following command to verify audit retention:
$ /usr/bin/sudo /usr/bin/grep -e "êxpire-after" /etc/security/audit_control
The output value for expire-after: should be ≥ 60d OR 5G
Note: If your organization is offloading your security logs, we recommend following the
same guidance (at minimum) for your off-site log storage. Your local storage limit (or
time frame) may fail if they are set to lower in this case, but are following the guidance.
Remediation:
Terminal Method:
Perform the following to set the audit retention length:
Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 5G
Page 278
Default Value:
More info in the man page. To reference the man page use the command $ man
audit_control
CIS Controls:
Controls
Version
8.1 Establish and Maintain an Audit Log Management

Process
Establish and maintain an audit log management process that defines the
v8 enterprise’s logging requirements. At a minimum, address the collection, review, ● ● ●
and retention of audit logs for enterprise assets. Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
8.3 Ensure Adequate Audit Log Storage

v8 Ensure that logging destinations maintain adequate storage to comply with the ● ● ●
enterprise’s audit log management process.
6.4 Ensure adequate storage for logs

v7 Ensure that all systems that store logs have adequate storage space for the logs ● ●
generated.
v7 6.7 Regularly Review Logs ● ●

On a regular basis, review logs to identify anomalies or abnormal events.
Page 279
3.5 Ensure Access to Audit Records Is Controlled (Automated)
• Level 1
Description:
The audit system on macOS writes important operational and security information that
can be both useful for an attacker and a place for an attacker to attempt to obfuscate
unwanted changes that were recorded. As part of defense-in-depth, the
/etc/security/audit_control configuration and the files in /var/audit should be owned only
by root with group wheel with read-only rights and no other access allowed. macOS
ACLs should not be used for these files.
Rationale:
Audit records should never be changed except by the system daemon posting events.
Records may be viewed or extracts manipulated, but the authoritative files should be
protected from unauthorized changes.
Impact:
This control is only checking the default configuration to ensure that unwanted access to
audit records is not available.
Page 280
Audit:
Terminal Method:
Run the following commands to check file access rights:
$ /usr/bin/sudo /bin/ls -n $(/usr/bin/sudo /usr/bin/grep '^dir'
/etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk
'{s+=$3} END {print s}'
$ /usr/bin/sudo /bin/ls -n $(/usr/bin/sudo /usr/bin/grep '^dir'

'{s+=$4} END {print s}'
$ /usr/bin/sudo /bin/ls -l $(/usr/bin/sudo /usr/bin/grep '^dir'

'!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
$ /usr/bin/sudo /bin/ls -n $(/usr/bin/sudo /usr/bin/grep '^dir' /var/audit/ |

/usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
$ /usr/bin/sudo /bin/ls -n $(/usr/bin/sudo /usr/bin/grep '^dir' /var/audit/ |

/usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'
$ /usr/bin/sudo /bin/ls -l $(/usr/bin/sudo /usr/bin/grep '^dir' /var/audit/ |

/usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----
|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
Page 281
Remediation:
Terminal Method:
Run the following to commands to set the audit records to the root user and wheel
group:
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
$ /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
$ /usr/bin/sudo /bin/chmod -R o-rw /var/audit/

Note: It is recommended to do a thorough verification process on why the audit logs
have been changed before following the remediation steps. If the system has different
access controls on the audit logs, and the changes cannot be traced, a new install may
be prudent. Check for signs of file tampering as well as unapproved OS changes.
From ls man page
-e Print the Access Control List (ACL) associated with the file, if
present, in long (-l) output.
More info:
https://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-
control-lists-acls/
http://ahaack.net/technology/OS-X-Access-Control-Lists-ACL.html
CIS Controls:
Controls
Version

● ● ●

● ● ●
responsibilities.
Page 282
3.6 Ensure Firewall Logging Is Enabled and Configured
(Automated)
• Level 1
Description:
The socketfilter Firewall is what is used when the Firewall is turned on in the Security &
Privacy Preference Pane. In order to appropriately monitor what access is allowed and
denied, logging must be enabled. The logging level must be set to "detailed" to be
useful in monitoring connection attempts that the firewall detects. Throttled login is not
sufficient for examining Firewall connection attempts.
In-depth log monitoring on macOS may require changes to the "Enable-Private-Data"
key in SystemLogging.System to ensure more complete logging.
Reviewing macOS Unified Logs
Rationale:
In order to troubleshoot the successes and failures of a Firewall, detailed logging should
be enabled.
Impact:
Detailed logging may result in excessive storage.
Page 283
Audit:
Graphical Method:
Perform the following steps to ensure that Firewall updates install automatically:

3. Select Profiles
4. Verify that an installed profile has Firewall set to Enabled
5. Verify that the same installed profile has Logging set to Enabled
6. Verify that the same installed profile has Logging option set to Detailed
Terminal Method:
Run the following command to verify that the Firewall log is enabled:
function run() {
let pref1 =
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableLogging').js
let pref2 =
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('LoggingOption').js
let pref3 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.alf')\
.objectForKey('loggingenabled').js
let pref4 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.alf')\
.objectForKey('loggingoption').js
if ( ( pref1 == true && pref2 == "detail" ) || ( pref3 == 1 && pref4 == 2 )
) {
return("true")
} else {
return("false")
}
}
EOS
true
Page 284
Remediation:
Terminal Method:
Run the following command to enable logging of the firewall:
setloggingmode on
Turning on log mode
setloggingopt detail
Setting detail log option

Note: If the Firewall settings are set through a configuration profile, then modifications
cannot be done through the command line. If attempted, you will receive the message
Firewall settings cannot be modified from command line on managed Mac
computers.
Profile Method:

2. The key to include is EnableFirewall
4. The key to also include is EnableLogging
6. The key to also include is LoggingOption
7. The key must be set to <string>detail</string>
Note: Firewall Logging must be enabled with this profile. It can either be set with the
Firewall and Stealth Mode (2.5.2.2 and 2.5.2.3) or as a separate profile. Setting logging
with its own profile will not cause a conflict.
References:
1. https://developer.apple.com/documentation/devicemanagement/firewall?languag
e=objc
More info http://krypted.com/tag/socketfilterfw/
Page 285
CIS Controls:
Controls
Version

Devices


● ●

devices.
6.3 Enable Detailed Logging

v7 Enable system logging to include detailed information such as an event source,
date, user, timestamp, source addresses, destination addresses, and other useful
● ●
elements.

v7 Are Running
● ●
Page 286
3.7 Audit Software Inventory (Manual)
• Level 2
Description:
With the introduction of Mac OS X 10.6.6, Apple added a new application, App Store,
which resides in the Applications directory. This application allows a user with admin
privileges and an Apple ID to browse Apple's online App Store, purchase (including no-
cost purchases), and install new applications, bypassing Enterprise software inventory
controls. Any admin user can install software in the /Applications directory whether from
internet downloads, thumb drives, optical media, cloud storage, or even binaries
through email. Even standard users can run executables downloaded to their home
folder by default. The source of the software is not nearly as important as a consistent
audit of all installed software for patch compliance and appropriateness.
A single user desktop where the user, administrator, and the person approving software
are all the same person probably does not need to audit software inventory to this
extent. It is helpful in the case of stability problems or malware, however.
Scan systems on a monthly basis and determine the number of unauthorized pieces of
software that are installed. Verify that if an unauthorized piece of software is found one
month, it is removed from the system the next.
Export System Information through the built-in System Information Application or other
third-party tools on an organizationally defined timetable.
Rationale:
Part of comprehensive IT security involves device management and ensuring that all
software is authorized and patched. Checking for macOS updates and app updates are
relatively simple for the end user, and can even be updated with minimal privileges from
trusted sources, if enabled. Remote monitoring of the patch status for software
maintained through Apple is very well supported by management applications. Neither
Apple capabilities nor third-party patch management solutions will cover all mission-
necessary software for most organizations. Full visibility into software present on the
system enables vulnerability and risk management.
P.S. Don't forget about browser plugins/extensions for all installed software.
Page 287
Audit:
Graphical Mode:
Perform the following steps to access System Information:
1. Open /Applications/Utilities/System Information

2. Select Software
3. Select System Report
4. Select Applications
5. Verify that no Applications listed are against your organization's requirements
6. Select Installations
7. Verify that no Installations listed are against your organization's requirements
Terminal Method:
Run the following command to view all System Profiler details
$ /usr/bin/sudo /usr/sbin/system_profiler SPApplicationsDataType
Remediation:
Delete any unnecessary applications from the system.
References:
2. https://www.cisecurity.org/controls/inventory-and-control-of-software-assets/
$ /usr/bin/sudo /usr/bin/man system_profiler
CIS Controls:
Controls
Version
2.1 Establish and Maintain a Software Inventory

Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial
v8 install/use date, and business purpose for each entry; where appropriate, include ● ● ●
the Uniform Resource Locator (URL), app store(s), version(s), deployment
mechanism, and decommission date. Review and update the software inventory bi-
annually, or more frequently.
2.1 Maintain Inventory of Authorized Software

v7 Maintain an up-to-date list of all authorized software that is required in the ● ● ●
enterprise for any business purpose on any business system.
Page 288
4 Network Configurations
This section contains guidance on configuring the networking-related aspects of macOS
that have been removed from System Settings but still can be set through Terminal.
Page 289
4.1 Ensure Bonjour Advertising Services Is Disabled (Automated)
• Level 2
Description:
Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices
and services within a local subnet. DNS on macOS is integrated with Bonjour and
should not be turned off, but the Bonjour advertising service can be disabled.
Rationale:
Bonjour can simplify device discovery from an internal rogue or compromised host. An
attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly-
configured service or additional information to aid a targeted attack. Implementing this
control disables the continuous broadcasting of "I'm here!" messages. Typical end-user
endpoints should not have to advertise services to other computers. This setting does
not stop the computer from sending out service discovery messages when looking for
services on an internal subnet, if the computer is looking for a printer or server and
using service discovery. To block all Bonjour traffic except to approved devices, the pf
or other firewall would be needed.
Impact:
Some applications, like Final Cut Studio and AirPort Base Station management, may
not operate properly if the mDNSResponder is turned off.
Audit:
Graphical Method:
Perform the following steps to ensure that Bonjour Advertising is disabled:

3. Select Profiles
4. Verify that an installed profile has NoMulticastAdvertisements set to 1
Terminal Method:
Run the following command to verify that Bonjour Advertising is not enabled:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\
.objectForKey('NoMulticastAdvertisements').js
EOS
true
Page 290
Remediation:
Terminal Method:
Run the following command to disable Bonjour Advertising services:
/Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements
-bool true
Profile Method:
1. The PayloadType string is com.apple.mDNSResponder

2. The key to include is NoMulticastAdvertisements
Anything Bonjour discovers is already available on the network and probably
discoverable with network scanning tools. The security benefit of disabling Bonjour for
that reason is minimal.
CIS Controls:
Controls
Version

● ● ●

● ●


v7 Are Running
● ●
Page 291
4.2 Ensure HTTP Server Is Disabled (Automated)
• Level 1
Description:
macOS used to have a graphical front-end to the embedded Apache web server in the
Operating System. Personal web sharing could be enabled to allow someone on
another computer to download files or information from the user's computer. Personal
web sharing from a user endpoint has long been considered questionable, and Apple
has removed that capability from the GUI. Apache, however, is still part of the Operating
System and can be easily turned on to share files and provide remote connectivity to an
end-user computer. Web sharing should only be done through hardened web servers
and appropriate cloud services.
Rationale:
Web serving should not be done from a user desktop. Dedicated webservers or
appropriate cloud storage should be used. Open ports make it easier to exploit the
computer.
Impact:
The web server is both a point of attack for the system and a means for unauthorized
file transfers.
Audit:
Terminal Method:
Run the following command to verify that the HTTP server services are not currently
enabled. This check does not reflect any auto-start settings, only whether the web
server is currently enabled:
$ /usr/bin/sudo /bin/launchctl list | /usr/bin/grep -c "org.apache.httpd"
Remediation:
Terminal Method:
Run the following command to disable the HTTP server services:
$ /usr/bin/sudo /usr/sbin/apachectl stop
$ /usr/bin/sudo /bin/launchctl unload -w

/System/Library/LaunchDaemons/org.apache.httpd.plist
Page 292
References:
1. https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-
230793
2. https://httpd.apache.org/security/vulnerabilities_24.html
CIS Controls:
Controls
Version

● ● ●

● ●


v7 Are Running
● ●
Page 293
4.3 Ensure NFS Server Is Disabled (Automated)
• Level 1
Description:
macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone
on another computer to mount shares and gain access to information from the user's
computer. File sharing from a user endpoint has long been considered questionable,
and Apple has removed that capability from the GUI. NFSD is still part of the Operating
System and can be easily turned on to export shares and provide remote connectivity to
an end-user computer.
The etc/exports file contains the list of NFS shared directories. If the file exists, it is likely
that NFS sharing has been enabled in the past or may be available periodically. As an
additional check, the audit verifies that there is no /etc/exports file.
Rationale:
File serving should not be done from a user desktop. Dedicated servers should be used.
Open ports make it easier to exploit the computer.
Impact:
The nfs server is both a point of attack for the system and a means for unauthorized file
transfers.
Audit:
Terminal Method:
Run the following commands to verify that the NFS fileserver service is not enabled:
$ /usr/bin/sudo /bin/launchctl list | /usr/bin/grep -c com.apple.nfsd
$ /usr/bin/sudo /bin/cat /etc/exports
cat: /etc/exports: No such file or directory
Page 294
Remediation:
Terminal Method:
Run the following command to disable the nfsd fileserver services:
$ /usr/bin/sudo /sbin/nfsd stop
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
Remove the exported Directory listing.

$ /usr/bin/sudo /bin/rm /etc/exports
CIS Controls:
Controls
Version

● ● ●



Page 295
5 System Access, Authentication and Authorization
The controls in this section are a combination of hardening controls that are not
specifically in a System Settings pane. Many of these controls are only accessible using
the Command Line or a Device Profile and not available in the Graphical User Interface.
The Benchmark does contain simple, easy to follow instructions for technical staff to
audit and implement recommended controls.
Page 296
5.1 File System Permissions and Access Controls
File system permissions have always been part of computer security. There are several
principles that are part of best practices for a POSIX-based system which are contained
in this section. This section does not contain a complete list of every permission on a
macOS System that might be problematic. Developers and use cases differ, and what
some administrators who are long in the profession might consider a travesty are issues
to which a risk assessor steeped in BYOD trends may not give a second glance. Here
we document controls that should point out truly bad practices or anomalies which
should be looked at and considered closely. Many of the controls are to mitigate the risk
of privilege escalation attacks and data exposure to unauthorized parties.
Page 297
5.1.1 Ensure Home Folders Are Secure (Automated)
• Level 1
Description:
By default, macOS allows all valid users into the top level of every other user's home
folder and restricts access to the Apple default folders within. Another user on the same
system can see you have a "Documents" folder but cannot see inside it. This
configuration does work for personal file sharing but can expose user files to standard
accounts on the system.
The best parallel for Enterprise environments is that everyone who has a Dropbox
account can see everything that is at the top level but can't see your pictures. Similarly
with macOS, users can see into every new Directory that is created because of the
default permissions.
Home folders should be restricted to access only by the user. Sharing should be used
on dedicated servers or cloud instances that are managing access controls. Some
environments may encounter problems if execute rights are removed as well as read
and write. Either no access or execute only for group or others is acceptable.
Rationale:
Allowing all users to view the top level of all networked users' home folder may not be
desirable since it may lead to the revelation of sensitive information.
Impact:
If implemented, users will not be able to use the "Public" folders in other users' home
folders. "Public" folders with appropriate permissions would need to be set up in the
/Shared folder.
Page 298
Audit:
Terminal Method:
Run the following command to ensure that all home folders are secure:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -
maxdepth 1 -type d -not -perm 700 | /usr/bin/grep -v "Shared" | /usr/bin/grep
-v "Guest"
The output will show what user folders are not secure.
example:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -
maxdepth 1 -type d -not -perm 700 | /usr/bin/grep -v "Shared" | /usr/bin/grep
-v "Guest"
/System/Volumes/Data/Users/firstuser
/System/Volumes/Data/Users/thirduser
Remediation:
Terminal Method:
For each user, run the following command to secure all home folders:
$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
Alternately, run the following command if there needs to be executable access for a
home folder:
$ /usr/bin/sudo /bin/chmod -R og-rw /Users/<username>
example:
$ /usr/bin/sudo /bin/chmod -R og-rw /Users/firstuser/
$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/thirduser/
CIS Controls:
Controls
Version

● ● ●

● ● ●
responsibilities.
Page 299
5.1.2 Ensure System Integrity Protection Status (SIP) Is Enabled
(Automated)
• Level 1
Description:
System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan.
System Integrity Protection restricts access to System domain locations and restricts
runtime attachment to system processes. Any attempt to inspect or attach to a system
process will fail. Kernel Extensions are now restricted to /Library/Extensions and are
required to be signed with a Developer ID.
Rationale:
Running without System Integrity Protection on a production system runs the risk of the
modification of system binaries or code injection of system processes that would
otherwise be protected by SIP.
Impact:
System binaries and processes could become compromised.
Audit:
Terminal Method:
Run the following command to verify that System Integrity Protection is enabled:
$ /usr/bin/sudo /usr/bin/csrutil status
`System Integrity Protection status: enabled.`
Page 300
Remediation:
Terminal Method:
Perform the following steps to enable System Integrity Protection:
1. Reboot into the Recovery Partition (reboot and hold down Command (⌘) + R)
2. Select Utilities
3. Select Terminal
4. Run the following command:
$ /usr/bin/sudo /usr/bin/csrutil enable
Successfully enabled System Integrity Protection. Please restart the machine

for the changes to take effect.
5. Reboot the computer
Note: You should research why the system had SIP disabled. It might be a better option
to erase the Mac and reinstall the operating system. That is at your discretion.
Note: You cannot enable System Integrity Protection from the booted operating system.
If the remediation is attempted in the booted OS and not the Recovery Partition the
output will give the error csrutil: failed to modify system integrity
configuration. This tool needs to be executed from the Recovery OS.
References:
1. https://developer.apple.com/documentation/security/disabling_and_enabling_syst
em_integrity_protection
Related to SIP controls, Library Validation is a security feature introduced in macOS

10.10 Yosemite. Library Validation protects processes from loading arbitrary libraries.
This stops root from loading arbitrary libraries into any process (depending on SIP
status), and keeps root from becoming more powerful. Security is strengthened,
because some user processes can no longer be fooled to run additional code without
root's explicit request, which may grant access to daemons that depend on Library
Validation for secure validation of code identity.
With SIP enabled, Library Validation cannot be disabled. To test against a non-validated
library, you will need to disabled SIP AND disable Library Validation.
Page 301
CIS Controls:
Controls
Version

2.6 Allowlist Authorized Libraries

Use technical controls to ensure that only authorized software libraries, such
v8 as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. ● ●
Block unauthorized libraries from loading into a system process. Reassess bi-

Gatekeeper™.

in a timely manner
Page 302
5.1.3 Ensure Apple Mobile File Integrity (AMFI) Is Enabled
(Automated)
• Level 1
Description:
Apple Mobile File Integrity (AMFI) was first released in macOS 10.12. The daemon and
service block attempts to run unsigned code. AMFI uses lanchd, code signatures,
certificates, entitlements, and provisioning profiles to create a filtered entitlement
dictionary for an app. AMFI is the macOS kernel module that enforces code-signing and
library validation.
Rationale:
Apple Mobile File Integrity validates that application code is validated.

Impact:
Applications could be compromised with malicious code.
Audit:
Terminal Method:
Run the following command to verify that Apple Mobile File Integrity is enabled:
$ /usr/bin/sudo /usr/sbin/nvram -p | /usr/bin/grep -c
"amfi_get_out_of_my_way=1"
0
Note: AMFI cannot be disabled with SIP enabled, but a change attempt can be made
that will appear successful, and report incorrectly as successful. If the AMFI audit fails,
and the SIP audit passes, this is still an issue the admin should research.
Remediation:
Terminal Method:
Run the following command to enable the Apple Mobile File Integrity service:
$ /usr/bin/sudo /usr/sbin/nvram boot-args=""
References:
1. https://eclecticlight.co/2018/12/29/amfi-checking-file-integrity-on-your-mac/
2. https://github.com/usnistgov/macos_security/issues/39
3. https://github.com/usnistgov/macos_security/issues/40
4. https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/
Page 303
CIS Controls:
Controls
Version

2.6 Allowlist Authorized Libraries

Use technical controls to ensure that only authorized software libraries, such
v8 as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. ● ●
Block unauthorized libraries from loading into a system process. Reassess bi-

in a timely manner
Page 304
5.1.4 Ensure Sealed System Volume (SSV) Is Enabled
(Automated)
• Level 1
Description:
Sealed System Volume is a security feature introduced in macOS 11.0 Big Sur.
During system installation, a SHA-256 cryptographic hash is calculated for all immutable
system files and stored in a Merkle tree which itself is hashed as the Seal. Both are
stored in the metadata of the snapshot created of the System volume.
The seal is verified by the boot loader at startup. macOS will not boot if system files
have been tampered with. If validation fails, the user will be instructed to reinstall the
operating system.
During read operations for files located in the Sealed System Volume, a hash is
calculated and compared to the value stored in the Merkle tree.
Rationale:
Running without Sealed System Volume on a production system could run the risk of
Apple software that integrates directly with macOS being modified.
Impact:
Apple Software that integrates with the operating system could become compromised.
Audit:
Terminal Method:
Run the following command to verify that Sealed System Volume is enabled:
$ /usr/bin/sudo /usr/bin/csrutil authenticated-root status
Authenticated Root status: enabled
Remediation:
If SSV has been disabled, assume that the operating system has been compromised.
Back up any files, and do a clean install to a known good Operating System.
Page 305
References:
1. https://developer.apple.com/news/?id=3xpv8r2m
2. https://eclecticlight.co/2020/11/30/is-big-surs-system-volume-sealed/
3. https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-
security-protection/
4. https://support.apple.com/guide/security/signed-system-volume-security-
secd698747c9/web
CIS Controls:
Controls
Version

● ● ●
crypt.

data.

mobile devices.

●
Page 306
5.1.5 Ensure Appropriate Permissions Are Enabled for System
Wide Applications (Automated)
• Level 1
Description:
Applications in the System Applications Directory (/Applications) should be world-
executable since that is their reason to be on the system. They should not be world-
writable and allow any process or user to alter them for other processes or users to then
execute modified versions.
Rationale:
Unauthorized modifications of applications could lead to the execution of malicious
code.
Impact:
Applications changed will no longer be world-writable. Depending on the environment,
there will be different risk tolerances on each non-conforming application. Global
changes should not be performed where mission-critical applications are misconfigured.
Audit:
Terminal Method:
Run the following command to verify that all applications have the correct permissions:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/Applications -iname
"*\.app" -type d -perm -2 -ls | grep -v Xcode.app | /usr/bin/wc -l |
/usr/bin/xargs
Remediation:
Terminal Method:
Run the following command to change the permissions for each application that does
not meet the requirements:
$ /usr/bin/sudo IFS=$'\n'
for apps in $( /usr/bin/find /System/Volumes/Data/Applications -iname
"*\.app" -type d -perm -2 | grep -v Xcode.app ); do
/bin/chmod -R o-w "$apps"
done
Note: Global changes should not be performed where mission-critical applications are
part of the improperly permissioned applications.
Page 307
CIS Controls:
Controls
Version

● ● ●

● ● ●
responsibilities.
Page 308
5.1.6 Ensure No World Writable Folders Exist in the System
Folder (Automated)
• Level 1
Description:
Software sometimes insists on being installed in the /System/Volumes/Data/System
Directory and has inappropriate world-writable permissions.
Macs with writable files in System should be investigated forensically. A file with open
writable permissions is a sign of at best a rogue application. It could also be a sign of a
computer compromise and a persistent presence on the system.
Rationale:
Folders in /System/Volumes/Data/System should not be world-writable. The audit check
excludes the "Drop Box" folder that is part of Apple's default user template.
Impact:
Changing file permissions could disrupt the use of applications that rely on files in the
System Folder with vulnerable permissions.
Audit:
Terminal Method:
Run the following command to check for directories in the /System folder that are world-
writable:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -
ls | /usr/bin/grep -v "downloadDir" | /usr/bin/wc -l | /usr/bin/xargs
Remediation:
Terminal Method:
Run the following command to set permissions so that folders are not world-writable in
the /System folder:
for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -
perm -2 | /usr/bin/grep -v "downloadDir ); do
/bin/chmod -R o-w "$sysPermissions"
done
Page 309
CIS Controls:
Controls
Version

● ● ●

● ● ●
responsibilities.
Page 310
5.1.7 Ensure No World Writable Folders Exist in the Library
Folder (Automated)
• Level 2
Description:
Software sometimes insists on being installed in the /System/Volumes/Data/Library
Directory and has inappropriate world-writable permissions.
Rationale:
Folders in /System/Volumes/Data/Library should not be world-writable. The audit
check excludes the /System/Volumes/Data/Library/Caches and
/System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is
set.
Audit:
Terminal Method:
Run the following to verify that no directories in the /System/Volumes/Data/Library
folder are world-writable:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -
ls | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data |
/usr/bin/wc -l | /usr/bin/xargs
Remediation:
Terminal Method:
Run the following command to set permissions so that folders are not world-writable in
the /System/Volumes/Data/Library folder:
for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -
perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data
); do
/bin/chmod -R o-w "$libPermissions"
done
Page 311
CIS Controls:
Controls
Version

● ● ●

● ● ●
responsibilities.
Page 312
5.2 Password Management
Password security is an important part of general IT security where passwords are in

use. For macOS, passwords are still much more widely used than other methods for
account access. While there are other authentication and authorization methods for
access from a macOS computer to organizational services, console access to the Mac
is probably done using a password. This section contains password controls.
Apple has provided sufficient security controls to resist password attacks against the
locked console, thus the CIS benchmark no longer recommends locking the keychain in
addition to locking the console or display.
Recent updates based on research by NIST in SP800-63 call into question traditional
password complexity and rotation requirements. Sticky notes are not a password
management program, and password vault APIs are under increasing attack. Ideally,
the user will remember their important passwords. The new understanding has informed
changes to the previous password recommendations.
Length, threshold, and a yearly rotation requirement are the only scored controls below.
Other controls will remain as unscored options. Passwords used for macOS are likely to
also function as encryption keys for FileVault. Depending on the information
confidentiality on FileVault volumes, stronger passwords may be required than are
necessary to pass the controls in this Benchmark.
Apple-supported solutions for managing local passwords on macOS are to use either an
XML file that contains password rules that are imported with pwpolicy or through the use
of a profile. In either case, the controls in this section can be implemented with an
organizationally-approved password policy.
Before applying your organizations password policy, the existing password policy
should be cleared so there is no out-dated or conflicting legacy settings in the password
policy. A pre-existing password policly could result in false results. To clear the
password policy before applying the newest options, use the command /usr/bin/sudo
/usr/bin/pwpolicy -clearaccountpolicies
Content is available where security hardening content is available and is native to

Management suites and MDM tools.
Content also available here: https://github.com/ronc-LAemigre/macos-sec-config
NIST guidance on passwords starting at 5.1.1.1
https://pages.nist.gov/800-63-3/sp800-63b.html
Additional references:
• https://developer.apple.com/documentation/devicemanagement/passcode
• https://krypted.com/mac-security/programatically-setting-password-policies/
• https://www.macworld.co.uk/news/flaw-mac-t2-chip-passwords-3813616/
Page 313
Note: The current method of creating and setting password policy is using the pwpolicy
-setglobalpolicy command. That command has been deprecated by Apple, but is still
in use in the current version of macOS. The Benchmark will continue to use this
command line method for passwords until Apple removes it from the OS. Setting
password policy with mobile configuration profiles is the preferred method going
forward.
Page 314
5.2.1 Ensure Password Account Lockout Threshold Is Configured
(Automated)
• Level 1
Description:
The account lockout threshold specifies the amount of times a user can enter an
incorrect password before a lockout will occur.
Ensure that a lockout threshold is part of the password policy on the computer.
Rationale:
The account lockout feature mitigates brute-force password attacks on the system.
Impact:
The number of incorrect log on attempts should be reasonably small to minimize the
possibility of a successful password attack, while allowing for honest errors made during
a normal user log on.
The locked account will auto-unlock after a few minutes when bad password attempts
stop. The computer will accept the still-valid password if remembered or recovered.
Page 315
Audit:
Graphical Method:
Perform the following steps to ensure that the Password Account Threshold is set to
less than or equal to 5 and the lockout time is greater than or equal to 15:

3. Select Profiles
4. Verify that an installed profile has Max Failed Attempts set to ≤ 5
5. Verify that an installed profile also has Failed Login Reset (minutes) set to ≤ 15
Terminal Method:
Run the following command to verify that the number of failed attempts is less than or
equal to 5:
$ /usr/bin/sudo /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null |
/usr/bin/tail +2 | /usr/bin/xmllint --xpath
'//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-
sibling::integer[1]/text()' -
The output should be ≤ 5

Run the following command to verify that the lockout time in minutes is greater than or
equal to 15:
$ /usr/bin/sudo pref1=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep
-A1 "policyAttributeMinutesUntilFailedAuthenticationReset" | /usr/bin/tail -1
| /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1) && pref2=$(pwpolicy -
getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath
'//dict/key[text()="autoEnableInSeconds"]/following-
sibling::integer[1]/text()' - ) && if [[ "$pref1" != "" && pref1 -ge 15 ]];
then echo "true"; elif [[ "$pref2" != "" && pref2 -ge 900 ]]; then echo
"true"; else echo "false"; fi
true
Page 316
Remediation:
Terminal Method:
Run the following command to set the maximum number of failed login attempts to less
than or equal to 5:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy
"maxFailedLoginAttempts=<value≤5>"

"policyAttributeMinutesUntilFailedAuthenticationReset=<value≤15>"
example:
"maxFailedLoginAttempts=5"
/usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy

"policyAttributeMinutesUntilFailedAuthenticationReset=15"
Profile Method:
1. The PayloadType string is com.apple.mobiledevice.passwordpolicy

2. The key to include is maxFailedAttempts
3. The key must be set to <integer><value≤5></integer>
4. The key to include is minutesUntilFailedLoginReset
5. The key must be set to <integer><value≤15></integer>
Note: The profile method is the preferred method for setting password policy since -
setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future
macOS release.
References:
1. CIS Password Policy - https://workbench.cisecurity.org/communities/113
Page 317
CIS Controls:
Controls
Version
6.2 Establish an Access Revoking Process

Establish and follow a process, preferably automated, for revoking access to
v8 enterprise assets, through disabling accounts immediately upon termination, rights ● ● ●
revocation, or role change of a user. Disabling accounts, instead of deleting
accounts, may be necessary to preserve audit trails.
16.7 Establish Process for Revoking Access

Establish and follow an automated process for revoking system access by
v7 disabling accounts immediately upon termination or change of responsibilities of an ● ●
employee or contractor . Disabling these accounts, instead of deleting accounts,
allows preservation of audit trails.
Page 318
5.2.2 Ensure Password Minimum Length Is Configured
(Automated)
• Level 1
Description:
A minimum password length is the fewest number of characters a password can contain
to meet a system's requirements.
Ensure that a minimum of a 15-character password is part of the password policy on the
computer.
Where the confidentiality of encrypted information in FileVault is more of a concern,
requiring a longer password or passphrase may be sufficient rather than imposing
additional complexity requirements that may be self-defeating.
Rationale:
Information systems that are not protected with strong password schemes including
passwords of minimum length provide a greater opportunity for attackers to crack the
password and gain access to the system.
Impact:
Short passwords can be easily attacked.
Audit:
Graphical Method:
Perform the following steps to ensure that the Password Account Threshold is set to
greater than or equal to 15:

3. Select Profiles
4. Verify that an installed profile has Min Password Length set to ≥ 15
Terminal Method:
Run the following command to verify that the password length is greater than or equal to
15:
$ /usr/bin/sudo /usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -e
"policyAttributePassword matches" | /usr/bin/cut -b 46-53 | /usr/bin/cut -
d',' -f1 | /usr/bin/cut -d'{' -f2
The output value should be ≥ 15
Page 319
Remediation:
Terminal Method:
Run the following command to set the password length to greater than or equal to 15:
"minChars=<value≥15>"
example:
"minChars=15"
Profile Method:

2. The key to include is minLength
3. The key must be set to <integer><value≥15></integer>
macOS release.
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 320
5.2.3 Ensure Complex Password Must Contain Alphabetic
Characters Is Configured (Manual)
• Level 2
Description:
Complex passwords contain one character from each of the following classes: English
uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-
alphanumeric characters.
Ensure that an Alphabetic character is part of the password policy on the computer.
Rationale:
The more complex a password, the more resistant it will be against persons seeking
unauthorized access to a system.
Impact:
Password policy should be in effect to reduce the risk of exposed services being
compromised easily through dictionary attacks or other social engineering attempts.
Audit:
Graphical Method:
Perform the following steps to ensure that the passwords must contain at least 1
alphabetic character:

3. Select Profiles
4. Verify that an installed profile has Requires Alphanumeric set to True
Terminal Method:
Run the following command to verify that the password requires at least one letter:
-e "Contain at least one number and one alphabetic character." | cut -b 13-
68) && pref2=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1
minimumLetters | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d
'<' -f1) && if [ "$pref1" = "Contain at least one number and one alphabetic
character" ]; then echo "true"; elif [[ "$pref2" != "" && pref2 -ge 1 ]];
then echo "true"; else echo "false"; fi
true
Page 321
Remediation:
Terminal Method:
Run the following command to set the that passwords must contain at least one letter:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy -
setaccountpolicies "requiresAlpha=<value≥1>"
example:
"requiresAlpha=1"
Profile Method:

2. The key to include is requireAlphanumeric
Note: This profile sets a requirement of both an alphabetical and a numeric character.
macOS release.
Note: The CIS macOS community has decided to not require the additional password
complexity settings (Recommendations 5.3 - 5.6). Because of that, we have left the
complexity recommendations as a manual assessment. Since there are a large amount
of admins in the greater macOS world that do need these settings, we include both the
guidance for the proper setting as well as probes for CIS-CAT to test.
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 322
5.2.4 Ensure Complex Password Must Contain Numeric
Character Is Configured (Manual)
• Level 2
Description:
Ensure that a number or numeric value is part of the password policy on the computer.
Rationale:
Impact:
Audit:
Graphical Method:
Perform the following steps to ensure that the passwords must contain at least 1
numeric character:

3. Select Profiles
4. Verify that an installed profile has Requires Alphanumeric set to True
Terminal Method:
Run the following command to verify that passwords require at least one number:
-e "Contain at least one number and one alphabetic character." | cut -b 13-
68) && pref2=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1
minimumNumericCharacters | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 |
/usr/bin/cut -d '<' -f1) && if [ "$pref1" = "Contain at least one number and
one alphabetic character" ]; then echo "true"; elif [[ "$pref2" != "" &&
pref2 -ge 1 ]]; then echo "true"; else echo "false"; fi
true
Page 323
Remediation:
Terminal Method:
Run the following command to set passwords to require at least one number:
setaccountpolicies "requiresNumeric=<value≥1>"
example:
"requiresNumeric=2"
Profile Method:

2. The key to include is requireAlphanumeric
Note: This profile sets a requirement of both an alphabetical and a numeric character.
macOS release.
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 324
5.2.5 Ensure Complex Password Must Contain Special Character
Is Configured (Manual)
• Level 2
Description:
alphanumeric characters. Ensure that a special character is part of the password policy
on the computer.
Rationale:
Impact:
Audit:
Graphical Method:
Perform the following steps to ensure that the passwords must contain at least 1 special
character:

3. Select Profiles
4. Verify that an installed profile has Min Complex Length set to ≥ 1
Terminal Method:
Run the following command to set verify that the password requires at least one special
character:
-e "policyAttributePassword matches '(.*[â-zA-Z0-9].*){1,}'" | cut -b 12-67)
&& pref2=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1
minimumSymbols | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d
'<' -f1) && if [ "$pref1" = "policyAttributePassword matches '(.*[â-zA-Z0-
9].*){1,}'" ]; then echo "true"; elif [[ "$pref2" != "" && pref2 -ge 1 ]];
true
Page 325
Remediation:
Terminal Method:
Run the following command to set passwords to require at least one special character:
setaccountpolicies "requiresSymbol=<value≥1>"
example:
"requiresSymbol=1"
Profile Method:

2. The key to include is minComplexChars
macOS release.
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 326
5.2.6 Ensure Complex Password Must Contain Uppercase and
Lowercase Characters Is Configured (Manual)
• Level 2
Description:
Ensure that both uppercase and lowercase letters are part of the password policy on the
computer.
Rationale:
Impact:
Audit:
Terminal Method:
Run the following command to verify that the password requires an upper and lower
case letter:
$ /usr/bin/sudo pref=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep
-A1 minimumMixedCaseCharacters | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 |
/usr/bin/cut -d '<' -f1) && if [[ "$pref" != "" && pref -ge 1 ]]; then echo
"true"; else echo "false"; fi
true
Remediation:
Terminal Method:
Run the following command to set passwords to require at upper and lower case letter:
"requiresMixedCase=<value≥1>"
example:
"requiresMixedCase=1"
Page 327
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 328
5.2.7 Ensure Password Age Is Configured (Automated)
• Level 1
Description:
Over time, passwords can be captured by third parties through mistakes, phishing
attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of
exposure and to decrease the incentives of password reuse (passwords that are not
forced to be changed periodically generally are not ever changed), users should reset
passwords periodically. This control uses 365 days as the acceptable value. Some
organizations may be more or less restrictive. This control mainly exists to mitigate
against password reuse of the macOS account password in other realms that may be
more prone to compromise. Attackers take advantage of exposed information to attack
other accounts.
Rationale:
Passwords should be changed periodically to reduce exposure.
Impact:
Required password changes will lead to some locked computers requiring admin
assistance.
Audit:
Graphical Method:
Perform the following steps to ensure that the passwords expire after at most 365 days:

3. Select Profiles
4. Verify that an installed profile has Max Age (days) set to ≤ 365
Terminal Method:
Run the following command to verify that the password expires after at most 365 days:
-A1 policyAttributeExpiresEveryNDays | /usr/bin/tail -1 | /usr/bin/cut -d'>'
-f2 | /usr/bin/cut -d '<' -f1) && pref2=$(/usr/bin/pwpolicy -
getaccountpolicies | /usr/bin/grep -A1 policyAttributeDaysUntilExpiration |
/usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1) && if [[
"$pref1" != "" && pref1 -le 365 ]]; then echo "true"; elif [[ "$pref2" != ""
&& pref2 -le 365 ]]; then echo "true"; else echo "false"; fi
true
Page 329
Remediation:
Terminal Method:
Run the following command to require that passwords expire after at most 365 days:
"maxMinutesUntilChangePassword=<value≤525600>"
example:
"maxMinutesUntilChangePassword=43200"
Profile Method:

2. The key to include is maxPINAgeInDays
macOS release.
CIS Controls:
Controls
Version
5.3 Disable Dormant Accounts

v8 Delete or disable any dormant accounts after a period of 45 days of ● ● ●
inactivity, where supported.
v7 16.9 Disable Dormant Accounts ● ● ●

Automatically disable dormant accounts after a set period of inactivity.
Page 330
5.2.8 Ensure Password History Is Configured (Automated)
• Level 1
Description:
Over time, passwords can be captured by third parties through mistakes, phishing
attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of
exposure and to decrease the incentives of password reuse (passwords that are not
forced to be changed periodically generally are not ever changed), users must reset
passwords periodically. This control ensures that previous passwords are not reused
immediately by keeping a history of previous password hashes. Ensure that password
history checks are part of the password policy on the computer. This control checks
whether a new password is different than the previous 15. The latest NIST guidance
based on exploit research referenced in this section details how one of the greatest
risks is password exposure rather than password cracking. Passwords should be
changed to a new unique value whenever a password might have been exposed to
anyone other than the account holder. Attackers have maintained persistent control
based on predictable password change patterns and substantially different patterns
should be used in case of a leak.
Rationale:
Old passwords should not be reused.
Impact:
Required password changes will lead to some locked computers requiring admin
assistance.
Page 331
Audit:
Graphical Method:
Perform the following steps to ensure that the password is not the same as at least the
last 15 passwords:

3. Select Profiles
4. Verify that an installed profile has Max History Kept set to ≥ 15
Terminal Method:
Run the following command to verify that the password is required to be different from
at least the last 15 passwords:
$ /usr/bin/sudo pref$=(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep
-A1 policyAttributePasswordHistoryDepth | /usr/bin/tail -1 | /usr/bin/cut -
d'>' -f2 | /usr/bin/cut -d '<' -f1) && if [[ "$pref" != "" && pref -ge 1 ]];
true
Remediation:
Terminal Method:
Run the following command to require that the password must to be different from at
least the last 15 passwords:
"usingHistory=<value≥15>"
example:
"usingHistory=15"
Profile Method:

2. The key to include is pinHistory
macOS release.
Page 332
CIS Controls:
Controls
Version

● ● ●

● ●
system.
Page 333
5.3 Encryption
Apple has created simple, easy-to-use encryption capabilities built into macOS. Those
tools need to be utilized in order to protect information processed by macOS computers.
Page 334
5.3.1 Ensure all user storage APFS volumes are encrypted
(Manual)
• Level 1
Description:
Apple developed a new file system which was first made available in 10.12 and then
became the default in 10.13. The file system is optimized for Flash and Solid-State
storage and encryption. https://en.wikipedia.org/wiki/Apple_File_System macOS
computers generally have several volumes created as part of APFS formatting,
including Preboot, Recovery and Virtual Memory (VM), as well as traditional user disks.
All APFS volumes that do not have specific roles and do not require encryption should
be encrypted. "Role" disks include Preboot, Recovery and VM. User disks are labelled
with "(No specific role)" by default.
Rationale:
In order to protect user data from loss or tampering volumes, carrying data should be
encrypted.
Impact:
While FileVault protects the boot volume, data may be copied to other attached storage
and reduce the protection afforded by FileVault. Ensure all user volumes are encrypted
to protect data.
Page 335
Audit:
Terminal Method:
Run the following command to list the APFS Volumes:
$ /usr/bin/sudo /usr/sbin/diskutil ap list
Ensure all user data disks are encrypted.
example:
$ /usr/bin/sudo /usr/sbin/diskutil ap list
APFS Volume Disk (Role): disk1s1 (No specific role)

Name: Macintosh HD (Case-insensitive)
Mount Point: /
Capacity Consumed: 188514598912 B (188.5 GB)
FileVault: Yes (Unlocked)
APFS Containers (2 found)

|
+-- Container disk1 XXXX
| ====================================================
| APFS Container Reference: disk1
| Size (Capacity Ceiling): 249152200704 B (249.2 GB)
| Minimum Size: 249152200704 B (249.2 GB)
| Capacity In Use By Volumes: 195635597312 B (195.6 GB) (78.5% used)
| Capacity Not Allocated: 53516603392 B (53.5 GB) (21.5% free)
| |
| +-< Physical Store disk0s4 XXXXXY
| | -----------------------------------------------------------
| | APFS Physical Store Disk: disk0s4
| | Size: 249152200704 B (249.2 GB)
| |
| +-> Volume disk1s1 XXXXXZ
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s1 (No specific role)
| | Name: HighSierra (Case-insensitive)
| | Mount Point: /
| | Capacity Consumed: 188514598912 B (188.5 GB)
| | FileVault: Yes (Unlocked)
| |
| +-> Volume disk1s2 XXXXXZZ
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s2 (Preboot)
| | Name: Preboot (Case-insensitive)
| | Mount Point: Not Mounted
| | Capacity Consumed: 23961600 B (24.0 MB)
| | FileVault: No
| |
Page 336
| +-> Volume disk1s3 XXXXXYY
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s3 (Recovery)
| | Name: Recovery (Case-insensitive)
| | Mount Point: Not Mounted
| | Capacity Consumed: 518127616 B (518.1 MB)
| | FileVault: No
| |
| +-> Volume disk1s4 XXXXXYYY
| ---------------------------------------------------
| APFS Volume Disk (Role): disk1s4 (VM)
| Name: VM (Case-insensitive)
| Mount Point: /private/var/vm
| Capacity Consumed: 6442704896 B (6.4 GB)
| FileVault: No
|
+-- Container disk4 XXXXXYYYY
====================================================
APFS Container Reference: disk4
Size (Capacity Ceiling): 119824367616 B (119.8 GB)
Minimum Size: 143192064 B (143.2 MB)
Capacity In Use By Volumes: 126492672 B (126.5 MB) (0.1% used)
Capacity Not Allocated: 119697874944 B (119.7 GB) (99.9% free)
|
+-< Physical Store disk3s2 XXXXXYYYYYY
| -----------------------------------------------------------
| APFS Physical Store Disk: disk3s2
| Size: 119824371200 B (119.8 GB)
|
+-> Volume disk4s1 C4D99580-1FDA-43BF-BB62-B21BF7EE568C
---------------------------------------------------
APFS Volume Disk (Role): disk4s1 (No specific role)
Name: Passport (Case-insensitive)
Mount Point: /Volumes/Passport
Capacity Consumed: 839680 B (839.7 KB)
FileVault: Yes (Unlocked)
Remediation:
Use Disk Utility to erase a user disk and format as APFS (Encrypted).
Note: APFS Encrypted disks will be described as "FileVault" whether they are the boot
volume or not in the ap list.
Page 337
CIS Controls:
Controls
Version

● ● ●
crypt.

data.

mobile devices.

●
Page 338
5.3.2 Ensure all user storage CoreStorage volumes are encrypted
(Manual)
• Level 1
Description:
Apple introduced CoreStorage with 10.7. It is used as the default for formatting on
macOS volumes prior to 10.13.
All HFS and CoreStorage Volumes should be encrypted.
Rationale:
In order to protect user data from loss or tampering, volumes carrying data should be
encrypted.
Impact:
While FileVault protects the boot volume, data may be copied to other attached storage
and reduce the protection afforded by FileVault. Ensure all user volumes are encrypted
to protect data.
Page 339
Audit:
Terminal Method:
Run the following command to list the CoreStorage Volumes:
$ /usr/bin/sudo /usr/sbin/diskutil cs list
Ensure all "Logical Volume Family" disks are encrypted
example:
$ /usr/bin/sudo /usr/sbin/diskutil cs list
CoreStorage logical volume groups (2 found)

|
+-- Logical Volume Group XXXXX
| =========================================================
| Name: Macintosh HD
| Status: Online
| Size: 250160967680 B (250.2 GB)
| Free Space: 6516736 B (6.5 MB)
| |
| +-< Physical Volume XXXXXY
| | ----------------------------------------------------
| | Index: 0
| | Disk: disk0s2
| | Status: Online
| | Size: 250160967680 B (250.2 GB)
| |
| +-> Logical Volume Family XXXXXYY
| ----------------------------------------------------------
| Encryption Type: AES-XTS
| Encryption Status: Unlocked
| Conversion Status: Complete
| High Level Queries: Fully Secure
| | Passphrase Required
| | Accepts New Users
| | Has Visible Users
| | Has Volume Key
| |
| +-> Logical Volume XXXXXYYY
| ---------------------------------------------------
| Disk: disk2
| Status: Online
| Size (Total): 249802129408 B (249.8 GB)
| Revertible: Yes (unlock and decryption required)
| LV Name: Macintosh HD
| Volume Name: Macintosh HD
| Content Hint: Apple_HFS
|
Page 340
+-- Logical Volume Group XXXXXYYYY
=========================================================
Name: Passport
Status: Online
Size: 119690149888 B (119.7 GB)
Free Space: 1486848 B (1.5 MB)
|
+-< Physical Volume XXXXXYYY
| ----------------------------------------------------
| Index: 0
| Disk: disk3s2
| Status: Online
| Size: 119690149888 B (119.7 GB)
|
+-> Logical Volume Family XXXXXYYYYY
----------------------------------------------------------
Encryption Type: AES-XTS
Encryption Status: Unlocked
Conversion Status: Complete
High Level Queries: Fully Secure
| Passphrase Required
| Accepts New Users
| Has Visible Users
| Has Volume Key
|
+-> Logical Volume XXXXXYYYYYY
---------------------------------------------------
Disk: disk4
Status: Online
Size (Total): 119336337408 B (119.3 GB)
Revertible: No
LV Name: Passport
Volume Name: Passport
Content Hint: Apple_HFS
Remediation:
Use Disk Utility to erase a disk and format as macOS Extended (Journaled, Encrypted).
Page 341
CIS Controls:
Controls
Version
v8 3.9 Encrypt Data on Removable Media ● ●

Encrypt data on removable media.

data.

mobile devices.

●
Page 342
5.4 Ensure the Sudo Timeout Period Is Set to Zero (Automated)
• Level 1
Description:
The sudo command allows the user to run programs as the root user. Working as the
root user allows the user an extremely high level of configurability within the system.
This control, along with the control to use a separate timestamp for each tty, limits the
window where an unauthorized user, process, or attacker could utilize legitimate
credentials that are valid for longer than required.
Rationale:
The sudo command stays logged in as the root user for five minutes before timing out
and re-requesting a password. This five-minute window should be eliminated since it
leaves the system extremely vulnerable. This is especially true if an exploit were to gain
access to the system, since they would be able to make changes as a root user.
Impact:
This control has a serious impact where users often have to use sudo. It is even more of
an impact where users have to use sudo multiple times in quick succession as part of
normal work processes. Organizations with that common use case will likely find this
control too onerous and are better to accept the risk of not requiring a 0 grace period.
In some ways the use of sudo -s, which is undesirable, is better than a long grace
period since that use does change the hash to show that it is a root shell rather than a
normal shell where sudo commands will be implemented without a password.
Page 343
Audit:
Terminal Method:
Perform the following to verify the sudo timeout period:
$ /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp
timeout: 0.0 minutes"
1
Run the following commands to verify that the root is the owner of the /etc/sudoers.d
folder, and that wheel is the group
$ /usr/bin/stat /etc/sudoers.d
16777229 19662948 drwxr-xr-x 2 root wheel 0 64 "Jun 7 23:12:24 2022" "May 9

17:30:48 2022" "Jun 7 23:12:24 2022" "May 9 17:30:48 2022" 4096 0 0
/etc/sudoers.d
Remediation:
Terminal Method:
Run the following command to edit the sudo settings:
$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>
example: $ /usr/bin/sudo /usr/sbin/visudo -f

/etc/sudoers.d/10_cissudoconfiguration
Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the
sudoers.d folder that contain a . so do not add a file extension to the configuration file.
Add the line Defaults timestamp_timeout=0 to the configuration file.
If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change
ownership and group:
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/
In previous iterations and OS versions of the macOS Benchmark, the guidance was to
edit the sudoers file directly. While this would properly configure the OS, any update
would change the settings back to the default configuration. Creating a configuration file
in the /etc/sudoers.d/ folder will not be modified on an OS update and will keep the
proper configuration.
Page 344
CIS Controls:
Controls
Version

Assets

Page 345
5.5 Ensure a Separate Timestamp Is Enabled for Each User/tty
Combo (Automated)
• Level 1
Description:
Using tty tickets ensures that a user must enter the sudo password in each Terminal
session.
With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty
tickets for each interface so that root access is limited to a specific terminal. The default
configuration can be overwritten or not configured correctly on earlier versions of
macOS.
Rationale:
In combination with removing the sudo timeout grace period, a further mitigation should
be in place to reduce the possibility of a background process using elevated rights when
a user elevates to root in an explicit context or tty.
Additional mitigation should be in place to reduce the risk of privilege escalation of
background processes.
Impact:
This control should have no user impact. Developers or installers may have issues if
background processes are spawned with different interfaces than where sudo was
executed.
Audit:
Terminal Method:
Run the following commands to verify that the default sudoers controls are in place with
explicit tickets per tty:
$ /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Type of authentication
timestamp record: tty"
Page 346
Remediation:
Terminal Method:
Run the following command to edit the sudo settings:
$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>
example: $ /usr/bin/sudo /usr/sbin/visudo -f
/etc/sudoers.d/10_cissudoconfiguration
Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the
sudoers.d folder that contain a . so do not add a file extension to the configuration file.
Add the line Defaults timestamp_type=tty to the configuration file.
Note: The Defaults timestamp_type=tty line can be added to an existing configuration
file or a new one. That will depend on your organization's preference and works either
way.
Default Value:
If no value is set, the default value of tty_tickets enabled will be used.
References:
1. https://github.com/jorangreef/sudo-prompt/issues/33
In previous iterations and OS versions of the macOS Benchmark, the guidance was to
edit the sudoers file directly. While this would properly configure the OS, any update
would change the settings back to the default configuration. Creating a configuration file
in the /etc/sudoers.d/ folder will not be modified on an OS update and will keep the
proper configuration.
With the configuration file, there is no need to remove the Defaults !tty_tickets line
from the visudo settings. The configuration file will take precedent.
CIS Controls:
Controls
Version

Assets

Page 347
5.6 Ensure the "root" Account Is Disabled (Automated)
• Level 1
Description:
The root account is a superuser account that has access privileges to perform any
actions and read/write to any file on the computer. With some versions of Linux, the
system administrator may commonly use the root account to perform administrative
functions.
Rationale:
Enabling and using the root account puts the system at risk since any successful exploit
or mistake while the root account is in use could have unlimited access privileges within
the system. Using the sudo command allows users to perform functions as a root user
while limiting and password protecting the access privileges. By default the root account
is not enabled on a macOS computer. An administrator can escalate privileges using
the sudo command (use -s or -i to get a root shell).
Impact:
Some legacy POSIX software might expect an available root account.
Audit:
Graphical Method:
Perform the following steps to ensure that the root user is not enabled:
1. Open /System/Library/CoreServices/Applications/Directory Utility

2. Click the lock icon to unlock the service
3. Click Edit in the menu bar
4. Verify that the menu shows Enable Root User, not Disable Root User
Terminal Method:
Run the following command to verify the the root user has not been enabled:
$ /usr/bin/sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority
No such key: AuthenticationAuthority
Page 348
Remediation:
Graphical Method:
Perform the following steps to ensure that the root user is disabled:
1. Open /System/Library/CoreServices/Applications/Directory Utility

2. Click the lock icon to unlock the service
3. Click Edit in the menu bar
4. Click Disable Root User
Terminal Method:
Run the following command to disable the root user:
$ /usr/bin/sudo /usr/sbin/dsenableroot -d
username = root
user password:
CIS Controls:
Controls
Version

enterprise assets. Conduct general computing activities, such as internet
browsing, email, and productivity suite use, from the user’s primary, non-privileged
account.

● ● ●
Page 349
5.7 Ensure an Administrator Account Cannot Login to Another
User's Active and Locked Session (Automated)
• Level 1
Description:
macOS has a privilege that can be granted to any user that will allow that user to unlock
active user's sessions.
Rationale:
Disabling the administrator's and/or user's ability to log into another user's active and
locked session prevents unauthorized persons from viewing potentially sensitive and/or
personal information.
Impact:
While Fast user switching is a workaround for some lab environments, especially where
there is even less of an expectation of privacy, this setting change may impact some
maintenance workflows.
Audit:
Terminal Method:
Run the following command to verify that a user cannot log into another user's active
and/or locked session:
$ /usr/bin/sudo /usr/bin/security authorizationdb read
system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui'
Remediation:
Terminal Method:
Run the following command to disable a user logging into another user's active and/or
locked session:
$ /usr/bin/sudo /usr/bin/security authorizationdb write
system.login.screensaver use-login-window-ui
YES (0)
References:
1. https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-
database-in-os-x-mavericks/
2. https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver
Page 350
CIS Controls:
Controls
Version

Assets

Page 351
5.8 Ensure a Login Window Banner Exists (Automated)
• Level 2
Description:
A Login window banner warning informs the user that the system is reserved for
authorized use only. It enforces an acknowledgment by the user that they have been
informed of the use policy in the banner if required. The system recognizes either the
.txt and the .rtf formats.
Rationale:
An access warning may reduce a casual attacker's tendency to target the system.
Access warnings may also aid in the prosecution of an attacker by evincing the
attacker's knowledge of the system's private status, acceptable use policy, and
authorization requirements.
Impact:
Users will have to click on the window with the Login text before logging into the
computer.
Page 352
Audit:
Terminal Method:
Run the following command to verify the login window text:
$ /usr/bin/sudo /bin/cat /Library/Security/PolicyBanner.*
If the output includes no matches found: /Library/Security/PolicyBanner.* the
system is not compliant.
Run the following to verify permissions of the policy banner file:
$ /usr/bin/stat -f %A /Library/Security/PolicyBanner.*
The output should have 4 as the 3rd digit.

If there is an output, then the policy banner will not display.
example:
$ /usr/bin/sudo /bin/cat /Library/Security/PolicyBanner.txt
Center for Internet Security Test Message
$ /usr/bin/sudo /bin/cat /Library/Security/PolicyBanner.rtf
{\rtf1\ansi\ansicpg1252\cocoartf1561\cocoasubrtf610
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
{\*\expandedcolortbl;;}
\margl1440\margr1440\vieww10800\viewh8400\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx
6236\tx6803\pardirnatural\partightenfactor0
\f0\fs24 \cf0 Center for Internet Security Test Message}
$ /usr/bin/sudo /bin/cat /Library/Security/PolicyBanner.*
{\rtf1\ansi\ansicpg1252\cocoartf1561\cocoasubrtf610
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
{\*\expandedcolortbl;;}
\margl1440\margr1440\vieww10800\viewh8400\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx
6236\tx6803\pardirnatural\partightenfactor0
\f0\fs24 \cf0 Center for Internet Security Test Message}Center for Internet
Security Test Message
$ /usr/bin/sudo stat -f %A /Library/Security/PolicyBanner.*
644
Page 353
Remediation:
Terminal Method:
Run the following commands to create or edit the login window text and set the proper
permissions:
Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the
/Library/Security/ folder, to include the required login window banner text.
Perform the following to set permissions on the policy banner file:
$ /usr/bin/sudo /usr/sbin/chown o+r /Library/Security/PolicyBanner.txt
$ /usr/bin/sudo /usr/sbin/chown o+r /Library/Security/PolicyBanner.rtf

Note: If your organization uses an .rtfd file to set the policy banner, run $
/usr/bin/sudo /usr/sbin/chown -R o+rx /Library/Security/PolicyBanner.rtfd to
update the permissions.
References:
1. https://support.apple.com/en-au/HT202277
CIS Controls:
Controls
Version

● ● ●

Page 354
5.9 Ensure the Guest Home Folder Does Not Exist (Automated)
• Level 1
Description:
In the previous two controls, the guest account login has been disabled and sharing to
guests has been disabled, as well. There is no need for the legacy Guest home folder to
remain in the file system. When normal user accounts are removed, you have the option
to archive it, leave it in place, or delete. In the case of the guest folder, the folder
remains in place without a GUI option to remove it. If at some point in the future a Guest
account is needed, it will be re-created. The presence of the Guest home folder can
cause automated audits to fail when looking for compliant settings within all User
folders, as well. Rather than ignoring the folder's continued existence, it is best
removed.
Rationale:
The Guest home folders are unneeded after the Guest account is disabled and could be
used inappropriately.
Impact:
The Guest account should not be necessary after it is disabled, and it will be
automatically re-created if the Guest account is re-enabled
Audit:
Terminal Method:
Run the following command to verify if the Guest user home folder exists:
$ /usr/bin/sudo /bin/ls /Users/ | /usr/bin/grep Guest
Remediation:
Terminal Method:
Run the following command to remove the Guest user home folder:
$ /usr/bin/sudo /bin/rm -R /Users/Guest
Page 355
CIS Controls:
Controls
Version

● ● ●

Page 356
5.10 Ensure XProtect Is Running and Updated (Automated)
• Level 1
Description:
XProtect is Apple's native signature-based antivirus technology. XProtect both finds and
blocks the execution of known malware. There are many AV and Endpoint Threat
Detection and Response (ETDR) tools available for Mac OS. The native Apple
provisioned tool looks for specific known malware is completely integrated into the OS.
No matter what other tools are being used XProtect should have the latest signatures
available.
Rationale:
Apple creates signatures for known malware that actually effects Macs and that
knowledge should be leveraged.
Impact:
Some organizations may have effective Mac OS anti-malware tools that XProtect
conflicts with.
Audit:
Terminal Method:
Run the following command to verify that XProtect is running and up-to-date:
$ sudo /bin/launchctl list | /usr/bin/grep -cE
"(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)
"
2
Note: To verify the updates to XProtect, run the following command:
$ sudo /usr/sbin/system_profiler SPInstallHistoryDataType | grep -A 5
"XProtectPlistConfigData"
Page 357
Remediation:
Terminal Method:
Run the following command to enable and update XProtect:
$ sudo /bin/launchctl load -w
/Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.pl
ist
$ sudo /bin/launchctl load -w

/Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.Plugi
nService.plist
$ sudo /usr/sbin/softwareupdate -l --background-critical
softwareupdate[97180]: Triggering a background check with forced scan

(critical and config-data updates only) ...
Note: Xprotect can only be enabled/disabled if SIP (System Integrity Protection) is
disabled. If Xprotect is disabled, the system might be compromised and needs to be
investigated.
References:
1. https://eclecticlight.co/2021/10/27/silently-updated-security-data-files-in-
monterey/
2. https://eclecticlight.co/2020/12/14/silently-updated-security-data-files-in-big-sur/
3. https://eclecticlight.co/2019/10/17/security-data-files-how-theyve-changed-in-
catalina/
4. https://eclecticlight.co/2022/05/12/apple-has-pushed-an-update-to-xprotect-21/
5. https://support.apple.com/guide/security/protecting-against-malware-
sec469d47bd8/web
6. https://eclecticlight.co/2023/06/12/malware-detection-and-remediation-by-
xprotect-remediator/
To verify the XProtect Remediator logs run the following command:
$ sudo /usr/bin/log show --predicate 'subsystem ==
"com.apple.XProtectFramework.PluginAPI" AND category ==
"XPEvent.structured"' --info --last 1d' to check logs'
Page 358
CIS Controls:
Controls
Version
v8 10.1 Deploy and Maintain Anti-Malware Software ● ● ●

Deploy and maintain anti-malware software on all enterprise assets.
10.2 Configure Automatic Anti-Malware Signature

v8 Updates
Configure automatic updates for anti-malware signature files on all enterprise
● ● ●
assets.

Gatekeeper™.
8.2 Ensure Anti-Malware Software and Signatures are

v7 Updated
Ensure that the organization's anti-malware software updates its scanning
● ● ●
engine and signature database on a regular basis.
8.4 Configure Anti-Malware Scanning of Removable

v7 Devices
Configure devices so that they automatically conduct an anti-malware scan of
● ● ●
removable media when inserted or connected.
Page 359
6 Applications
All Operating System default installs include OS vendor applications, or vendor
endorsed channels. Most of these applications do not require explicit security controls
as part of an OS Benchmark or a separate Benchmark. When the application is OS-
specific it is much more efficient to include security guidance as part of the OS
Benchmark where security controls are available. This section contains a small list of
macOS applications where security controls exist and should be reviewed.
There is no insistence that any of the built-in application must be used, three are many
alternative third party applications that may be used instead. Included applications are
often core to the Operating System, and a lack of security controls will likely make the
OS itself more vulnerable.
Page 360
6.1 Finder
Page 361
6.1.1 Ensure Show All Filename Extensions Setting is Enabled
(Automated)
• Level 1
Description:
A filename extension is a suffix added to a base filename that indicates the base
filename's file format.
Rationale:
Visible filename extensions allow the user to identify the file type and the application it is
associated with which leads to quick identification of misrepresented malicious files.
Impact:
The user of the system can open files of unknown or unexpected filetypes if the
extension is not visible.
Page 362
Audit:
Graphical Method:
Perform the following steps to ensure that file extensions are shown:
1. Open Finder
2. Select Finder in the menu bar
3. Select Settings
4. Select Advanced
5. Verify that Show all filename extensions is set
Terminal Method:
Run the following command to verify that displaying of file extensions is enabled:
/Users/<username>/Library/Preferences/.GlobalPreferences.plist
AppleShowAllExtensions
example:
/Users/firstuser/Library/Preferences/.GlobalPreferences.plist

/Users/secondname/Library/Preferences/.GlobalPreferences.plist
The domain/default pair of

(/Users/secondname/Library/Preferences/.GlobalPreferences.plist,
AppleShowAllExtensions) does not exist
In this example, firstuser is in compliance and seconduser is not.
Page 363
Remediation:
Graphical Method:
Perform the following steps to ensure file extensions are shown:
1. Open Finder
2. Select Finder in the menu bar
3. Select Settings
4. Select Advanced
5. Set Show all filename extensions to enabled
Terminal Method:
Run the following command to enable displaying of file extensions:
/Users/<username>/Library/Preferences/.GlobalPreferences.plist
AppleShowAllExtensions -bool true
$ /usr/bin/sudo killall Finder
example:
/Users/secondname/Library/Preferences/.GlobalPreferences.plist
AppleShowAllExtensions -bool true
$ /usr/bin/sudo killall Finder
Default Value:
Filename extensions are turned off by default.

References:
1. https://blog.xpnsec.com/macos-filename-homoglyphs-revisited/
2. https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-
with-applescript-part-2-disguising-script-0184706/
CIS Controls:
Controls
Version

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

v7 Ensure that unauthorized software is either removed or the inventory is ● ● ●
updated in a timely manner
Page 364
6.2 Mail
Mail is Apple's OS-included email client on both macOS and iOS. It supports a range of
email server services including iCloud, Exchange, Gmail and standard IMAP and POP
accounts. With the vast barrage of phishing attacks, any Internet email client is an
exploitable risk on a user system. Any email client should be hardened with controls that
assist the user against social engineering attacks to reduce the risk of unwanted emails.
This benchmark is not advocating for all users to use Apple Mail, just providing
guidance on controls for the built-in email client. Other email clients will have their own
set of security controls.
Apple provides a service for Apple+ users called "Hide My Email." With this service,
Apple creates unique email addresses (@iCloud.com) for domains that ask for my email
addresses which Apple forwards to your email address of record under your Apple ID.
This feature reduces tracking capabilities for third parties.
What is Hide My Email?
What is Email Hashing? The Importance of Hashed Email for Future Success
Apple Mail fully supports S/MIME without the use of any third party plugin. While there
are very few remaining trusted CAs issuing free S/MIME certificates, the use of a
trusted CA and digital signing enables others to interact with you using end-to-end
encryption through encrypted email. An internal CA may also be used but partner trust
of the CA will have to be coordinated.
More S/MIME info
Sign or encrypt emails in Mail on Mac
Installing an S/MIME Certificate and Sending Secure Email in macOS
Obtaining and using an S/MIME certificate on Apple MacOS
Sources of Free S/MIME Certificates
Page 365
6.2.1 Ensure Protect Mail Activity in Mail Is Enabled (Manual)
• Level 2
Description:
Apple provides privacy protection that should be enabled for the mail app on macOS to
reduce information collection from a user that receives email.
Rationale:
Email is routinely abused by attackers, spammers and marketers. The "Protect Mail
Activity" control reduces risk by hiding the current IP address of your Mac and privately
downloading remote content.
The Protect Mail Activity function of privately downloading remote content is not
applicable for those users that do not download any remote content. Typical Internet
email is no longer plain text and will not render properly without remote content.
Personal email or mailing list email may function without complaint by blocking remote
content.
Impact:
Some remote content may be access-controlled and refuse to download with this setting
enabled.
Audit:
Graphical Method:
Perform the following steps to verify that protect mail activity is enabled:
1. Open Mail
2. Select Mail in the menu bar
3. Select Settings...
4. Select Privacy
5. Verify that Protect Mail Activity is enabled
Remediation:
Graphical Method:
Perform the following steps to enabled protect mail activity:
1. Open Mail
2. Select Mail in the menu bar
3. Select Settings...
4. Select Privacy
5. Set Protect Mail Activity to enabled
Page 366
References:
1. https://support.apple.com/guide/mail/use-mail-privacy-protection-
mlhl03be2866/mac
CIS Controls:
Controls
Version
9.1 Ensure Use of Only Fully Supported Browsers and

Email Clients
v8 Ensure only fully supported browsers and email clients are allowed to execute in ● ● ●
the enterprise, only using the latest version of browsers and email clients provided
through the vendor.
9.3 Maintain and Enforce Network-Based URL Filters

Enforce and update network-based URL filters to limit an enterprise asset from
v8 connecting to potentially malicious or unapproved websites. Example ● ●
implementations include category-based filtering, reputation-based filtering, or
through the use of block lists. Enforce filters for all enterprise assets.

Email Clients
v7 Ensure that only fully supported web browsers and email clients are allowed to ● ● ●
execute in the organization, ideally only using the latest version of the browsers
and email clients provided by the vendor.

Enforce network-based URL filters that limit a system's ability to connect to
v7 websites not approved by the organization. This filtering shall be enforced for each ● ●
of the organization's systems, whether they are physically at an organization's
facilities or not.
Page 367
6.3 Safari
Safari is Apple's included web browser. Many macOS services only operate, or operate
more efficiently through the use of Safari.
https://www.apple.com/safari/
Page 368
6.3.1 Ensure Automatic Opening of Safe Files in Safari Is
• Level 1
Description:
Safari will automatically run or execute what it considers safe files. This can include
installers and other files that execute on the operating system. Safari evaluates file
safety by using a list of filetypes maintained by Apple. The list of files include text,
image, video and archive formats that would be run in the context of the OS rather than
the browser.
Rationale:
Hackers have taken advantage of this setting via drive-by attacks. These attacks occur
when a user visits a legitimate website that has been corrupted. The user unknowingly
downloads a malicious file either by closing an infected pop-up or hovering over a
malicious banner. An attacker can create a malicious file that will fall within Safari's safe
file list that will download and execute without user input.
Impact:
Apple considers many files that the operating system itself auto-executes as "safe files."
Many of these files could be malicious and could execute locally without the user even
knowing that a file of a specific type had been downloaded.
Page 369
Audit:
Graphical Method:

3. Select Profiles
4. Verify that an installed profile has AutoOpenSafeDownloads set 0
Terminal Method:
Run the following command to verify that a profile is installed that disables safe files
from opening in Safari:
$ /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType |
/usr/bin/grep AutoOpenSafeDownloads | /usr/bin/tr -d ' '
AutoOpenSafeDownloads = 0;
Remediation:
Profile Method:
1. The PayloadType string is com.apple.Safari

2. The key to include is AutoOpenSafeDownloads
3. The key must be set to: <false/>
Page 370
Audit:
Graphical Method:
Perform the following to verify that safe files are not opened when download in Safari:
1. Open Safari
3. Select Settings
4. Select General
5. Verify that Open "safe" files after downloading is disabled
or

2. Select `Privacy & Security
3. Select Profiles
4. Verify that an installed profile has AutoOpenSafeDownloads set 0
Terminal Method:
Run the following command to verify that opening safe files after download in Safari is
disabled:
/Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preference
s/com.apple.Safari AutoOpenSafeDownloads
example:
/Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences
/com.apple.Safari AutoOpenSafeDownloads
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in
the Security & Privacy pane in System Preferences.
Page 371
Remediation
Graphical Method:
Perform the following steps to set safe files to not open after downloading in Safari:
1. Open Safari
3. Select Settings
4. Select General
5. Set Open "safe" files after downloading to disabled
Terminal Method:
Run the following command to disable safe files from not opening when downloaded in
Safari:
s/com.apple.Safari AutoOpenSafeDownloads -bool false
example:
/com.apple.Safari AutoOpenSafeDownloads -bool false
Page 372
CIS Controls:
Controls
Version

Email Clients
v8 Ensure only fully supported browsers and email clients are allowed to execute ● ● ●
in the enterprise, only using the latest version of browsers and email clients
provided through the vendor.
9.6 Block Unnecessary File Types

v8 Block unnecessary file types attempting to enter the enterprise’s email ● ●
gateway.

Email Clients
7.9 Block Unnecessary File Types

v7 Block all e-mail attachments entering the organization's e-mail gateway if the ● ●
file types are unnecessary for the organization's business.
v7 8.5 Configure Devices Not To Auto-run Content ● ● ●

Configure devices to not auto-run content from removable media.
Page 373
6.3.2 Audit History and Remove History Items (Manual)
• Level 2
Description:
Organizational management of user web browsing history is a challenge affected by
multiple facets. Organizations should decide whether to manage browser history and
how much history should be maintained.
Rationale:
There are conflicting concerns in the retention of browser history. Unlimited retention:
• Consumes disk space

• Preferred by on disk forensics teams
• User searchable for old visited pages
• User privacy concerns
• Security concerns to retain old links that may be stale or lead to compromised
pages or pages with changes or inappropriate content
Old browser history becomes stale and the use or misuse of the data can lead to
unwanted outcomes. Search engine results are maintained and often provide much
more relevant current information than old website visit information.
Impact:
If old browsing history is not available, it will not be available to authorized or
unauthorized users. Some users may find old and even stale information useful.
Page 374
Audit:
Graphical Method:
Perform the following steps to verify how long the history in Safari is kept:

3. Select Profiles
4. Verify that an installed profile has HistoryAgeInDaysLimit set to your
Terminal Method:
Run the following command to verify that a profile is installed that sets how long the
history is kept in Safari:
/usr/bin/grep HistoryAgeInDaysLimit | /usr/bin/tr -d ' '
The output will be HistoryAgeInDaysLimit = followed by your organizations
requirements.
Remediation:
Profile Method:

2. The key to include is HistoryAgeInDaysLimit
3. The key must be set to: <integer><1,7,14,31,365,36500></integer>
Note: Setting the plist key to a value that is not represented by the GUI could cause
issues.
user.
Page 375
Audit:
Graphical Method:
Perform the following steps to verify how long the history in Safari is kept:
1. Open Safari
3. Select Settings
4. Select General
5. Verify that Remove history items is set to your organization's requirements
or

2. Select General
3. Select Profiles
4. Verify that an installed profile has HistoryAgeInDaysLimit set to your
Terminal Method:
Run the following command to verify how long Safari keeps history:
s/com.apple.Safari HistoryAgeInDaysLimit
The output will be:
1- After one day 7 - After one week 14 - After two weeks 31 - After one month 365 - After
one year 36500 - Manually
issues.
Page 376
example:
/com.apple.Safari HistoryAgeInDaysLimit

/Users/seconduser/Library/Containers/com.apple.Safari/Data/Library/Preference
$ /usr/bin/sudo -u thirduser /usr/bin/defaults read

/Users/thirduser/Library/Containers/com.apple.Safari/Data/Library/Preferences
14
$ /usr/bin/sudo -u fourthuser /usr/bin/defaults read

/Users/fourthuser/Library/Containers/com.apple.Safari/Data/Library/Preference
31
$ /usr/bin/sudo -u fifthuser /usr/bin/defaults read

/Users/fifthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences
365
$ /usr/bin/sudo -u sixthuser /usr/bin/defaults read

/Users/sixthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences
36500
Page 377
Remediation:
Graphical Method:
Perform the following steps to set Safari to remove history after a set amount of days:
1. Open Safari
3. Select Settings
4. Select General
5. Set Remove history items to your organization's requirements
Terminal Method:
Run the following command to set when Safari will remove history items:
s/com.apple.Safari HistoryAgeInDaysLimit -int <1,7,14,31,365,36500>
example:
/com.apple.Safari HistoryAgeInDaysLimit -int 36500

s/com.apple.Safari HistoryAgeInDaysLimit -int 365
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write

$ /usr/bin/sudo -u fourthuser /usr/bin/defaults write

/Users/fourthuser/Library/Containers/com.apple.Safari/Data/Library/Preference
s/com.apple.Safari HistoryAgeInDaysLimit -int 14
$ /usr/bin/sudo -u fifthuser /usr/bin/defaults write

/Users/fifthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences
$ /usr/bin/sudo -u sixthuser /usr/bin/defaults write

/Users/sixthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences
issues.
Page 378
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 379
6.3.3 Ensure Warn When Visiting A Fraudulent Website in Safari
• Level 1
Description:
Apple uses the Google Safe Browsing API to check for fraudulent websites and report
them to the user attempting to visit one.
Rationale:
Attackers use crafted web pages to social engineer users to load unwanted content.
Warning users prior to loading the content enables better security.
Impact:
Once-compromised websites serving malware could be sanitized and remain in the

database, though there is no widespread reporting of that risk.
Audit:
Graphical Method:
Perform the following to verify that warn when visiting a fraudulent site in Safari is
enabled:

3. Select Profiles
4. Verify that an installed profile has WarnAboutFraudulentWebsites set to 1
Terminal Method:
Run the following command to verify that a profile is installed that warns when visiting
fraudulent sites in Safari:
/usr/bin/grep WarnAboutFraudulentWebsites | /usr/bin/tr -d ' '
WarnAboutFraudulentWebsites = 1;
Page 380
Remediation:
Profile Method:

2. The key to include is WarnAboutFraudulentWebsites
3. The key must be set to: <true/>
user.
References:
1. https://support.apple.com/guide/safari/security-ibrw1074/16.0/mac/12.0
Page 381
Audit:
Graphical Method:
Perform the following to verify that warn when visiting a fraudulent site in Safari is
enabled:
1. Open Safari
3. Select Settings
4. Select Security
5. Verify that Warn when visiting a fraudulent site is enabled
or

3. Select Profiles
4. Verify that an installed profile has WarnAboutFraudulentWebsites set to 1
Terminal Method:
Run the following command to verify that warn when visiting a fraudulent site in Safari is
not disabled:
s/com.apple.Safari WarnAboutFraudulentWebsites
1
example:
/com.apple.Safari WarnAboutFraudulentWebsites
1
Page 382
Remediation:
Graphical Method:
Perform the following steps to set Safari to warn when visiting a fraudulent site:
1. Open Safari
3. Select Settings
4. Select Security
5. Set Warn when visiting a fraudulent site to enabled
Terminal Method:
Run the following command to enable warn when visiting a fraudulent site in Safari:
s/com.apple.Safari WarnAboutFraudulentWebsites -bool true
example:
/com.apple.Safari WarnAboutFraudulentWebsites -bool true
Page 383
CIS Controls:
Controls
Version

Email Clients
through the vendor.


Email Clients

facilities or not.
Page 384
6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled
(Automated)
• Level 1
Description:
There is a vast network of groups that collect, use and sell user data. One method used
to collect user data is pay and provide contented and services for website owners, along
with that "assistance" the site owners push tracking cookies on visitors. In many cases
the help allows a content owner to keep the site up. The tracking cookies allow
information brokers to track web users across visited sites. For better privacy and to
provide some resistance to data brokers prevent cross-tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their
business model of selling personal data. Users should protect their data and not
volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively.
Page 385
Audit:
Graphical Method:
Perform the following to verify that preventing cross-site tracking in Safari is enabled:

3. Select Profiles
4. Verify that an installed profile has BlockStoragePolicy set to 2
5. Verify that an installed profile also has
WebKitPreferences.storageBlockingPolicy set to 1
6. Verify that an installed profile also has WebKitStorageBlockingPolicy set to 1
Terminal Method:
Run the following command to verify that a profile is installed that prevents cross-site
tracking in Safari:
/usr/bin/grep BlockStoragePolicy | /usr/bin/tr -d ' '
BlockStoragePolicy = 2;

/usr/bin/grep WebKitPreferences.storageBlockingPolicy | /usr/bin/tr -d ' '
WebKitPreferences.storageBlockingPolicy = 1;

/usr/bin/grep WebKitStorageBlockingPolicy | /usr/bin/tr -d ' '
WebKitStorageBlockingPolicy = 1;
and/or remediation has been removed. To be complaint, a profile must be installed for
Page 386
Remediation:
Profile Method:

2. The key to include is BlockStoragePolicy
3. The key must be set to: 2
4. The key to also include is WebKitPreferences.storageBlockingPolicy
6. The key to also include is WebKitStorageBlockingPolicy
References:
1. https://support.apple.com/guide/safari/prevent-cross-site-tracking-sfri40732/mac
Audit:
Graphical Method:
Perform the following to verify that preventing cross-site tracking in Safari is enabled:
1. Open Safari
3. Select Settings
4. Select Privacy
5. Verify that Prevent cross-site tracking is enabled
Page 387
Terminal Method:
Run the following command to verify that preventing cross-site tracking in Safari is not
disabled:
s/com.apple.Safari BlockStoragePolicy

s/com.apple.Safari WebKitPreferences.storageBlockingPolicy

s/com.apple.Safari WebKitStorageBlockingPolicy
1
example:
/com.apple.Safari BlockStoragePolicy

/com.apple.Safari WebKitPreferences.storageBlockingPolicy

/com.apple.Safari WebKitStorageBlockingPolicy
1
Page 388
Remediation:
Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
1. Open Safari
3. Select Settings
4. Select Privacy
5. Set Prevent cross-site tracking is enable
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
s/com.apple.Safari BlockStoragePolicy -int 2

s/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1

s/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
/com.apple.Safari BlockStoragePolicy -int 2

/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1

/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Page 389
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 390
6.3.5 Audit Hide IP Address in Safari Setting (Manual)
• Level 2
Description:
Public (Routable) IP addresses can be used to track people to their current location,
including home and business addresses. While a valid IP address is necessary to load
the site, the valid address does not need to be provided to known trackers and should
be hidden.
Rationale:
Trackers can correlate your visits through various applications, including websites, and
are a threat to your privacy.
Impact:
Website address blocking through iCloud Private Relay may prevent some wanted
pages to load that use IP geolocation access controls.
Page 391
Audit:
Graphical Method:
Perform the following steps to verify the setting for hiding IP addresses from trackers in
Safari:
1. Open Safari
3. Select Settings
4. Select Privacy
5. Verify that Hide IP address from trackers is set to your organization's
requirement
Terminal Method:
Run the following command to verify if IP addresses are hidden from trackers in Safari:
s/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic
The output will be either 33422560 if hide IP address from trackers is disabled, 33422564
if enabled from Trackers Only, or 33422572 if enabled from Trackers and Websites.
example:
/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic
130272

s/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic
130276
In the above example the firstuser has hide ip address from trackers disabled.
Seconduser has it enabled.
Page 392
Remediation:
Graphical Method:
Perform the following steps to set Safari whether or not to hide IP addresses from
trackers:
1. Open Safari
3. Select Settings
4. Select Privacy
5. Set Hide IP address from trackers to your organization's requirements
Terminal Method:
Run the following command to enable or disable hiding IP addresses from trackers in
Safari:
s/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic -int <130272/130276>
33422560 will set hide IP address from trackers to disabled. 33422564 will enable from
Trackers Only, and 33422572 will enabled from Trackers and Websites.
example:
/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic -int 33422560

s/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic -int 33422564
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write

/com.apple.Safari WBSPrivacyProxyAvailabilityTraffic -int 33422572
References:
1. https://support.apple.com/en-bn/guide/safari/sfri35610/16.0/mac/12.0
Page 393
CIS Controls:
Controls
Version

Email Clients
through the vendor.


Email Clients

facilities or not.
Page 394
6.3.6 Ensure Advertising Privacy Protection in Safari Is Enabled
(Automated)
• Level 1
Description:
Apple provides a framework that allows advertisers to target Apple users and end-users
with advertisements. While many people prefer that when they see advertising it is
relevant to them and their interests, the detailed information that is data mining
collected, correlated, and available to advertisers in repositories is often disconcerting.
This information is valuable to both advertisers and attackers and has been used with
other metadata to reveal users' identities.
Organizations should manage advertising settings on computers rather than allow users
to configure the settings.
Apple Information
Ad tracking should be limited on 10.15 and prior.
Rationale:
Organizations should manage user privacy settings on managed devices to align with
organizational policies and user data protection requirements.
Impact:
Uses will see generic advertising rather than targeted advertising. Apple warns that this
will reduce the number of relevant ads.
Page 395
Audit:
Graphical Method:
Perform the following steps to verify that allow privacy-preserving measurement of ad
effectiveness in Safari is enabled:

3. Select Profiles
4. Verify that an installed profile has
WebKitPreferences.privateClickMeasurementEnabled set 1
Terminal Method:
/usr/bin/grep "WebKitPreferences.privateClickMeasurementEnabled" |
/usr/bin/tr -d ' '
"WebKitPreferences.privateClickMeasurementEnabled" = 1;
Remediation:
Profile Method:

2. The key to include is WebKitPreferences.privateClickMeasurementEnabled
Note: A user can still uncheck this option in the GUI, but it remains on in the
background and will show it enabled when re-launching Safari.
Page 396
Audit:
Graphical Method:
Perform the following steps to verify that allow privacy-preserving measurement of ad
effectiveness in Safari is enabled:
1. Open Safari
3. Select Settings
4. Select Privacy
5. Verify that Allow privacy-preserving measurement of ad effectiveness is
enabled
or

3. Select Profiles
4. Verify that an installed profile has
WebKitPreferences.privateClickMeasurementEnabled set 1
Terminal Method:
Run the following command to verify that allow privacy-preserving measurement of ad
effectiveness in Safari is not disabled:
s/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled
1
example:
/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled
1
Note: The default setting is not auditable through the command line. Please turn off the
check and re-enable when the GUI does not reflect the audited results, or run the
Terminal command(s).
Page 397
Remediation:
Graphical Method:
Perform the following steps to set Safari to allow privacy-preserving measurement of ad
effectiveness:
1. Open Safari
3. Select Settings
4. Select Privacy
5. Set Allow privacy-preserving measurement of ad effectiveness to enabled
Terminal Method:
Run the following command to enable allow privacy-preserving measurement of ad
effectiveness in Safari:
s/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool
true
example:
/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool true
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 398
6.3.7 Ensure Show Full Website Address in Safari Is Enabled
(Automated)
• Level 1
Description:
Attackers use websites with malicious or unwanted content to exploit the user or the
computer. Part of the attack chain is to lure someone to load their content rather than
the desired content. In order to reduce the risk in interacting with unwanted content, the
full website address should always be displayed in Safari.
Rationale:
Full visibility into what site is being visited is important for privacy and security.
Impact:
Many URLs are very long and complicated, particularly for internal content management
systems. Some complete URLS in the Smart Search Field may be difficult to parse.
Audit:
Graphical Method:
Perform the following steps to verify that showing full website addresses in Safari is
enabled:

3. Select Profiles
4. Verify that an installed profile has ShowFullURLInSmartSearchField set 1
Terminal Method:
/usr/bin/grep ShowFullURLInSmartSearchField | /usr/bin/tr -d ' '
ShowFullURLInSmartSearchField = 1;
Page 399
Remediation:
Profile Method:

2. The key to include is ShowFullURLInSmartSearchField
References:
1. https://apple.stackexchange.com/questions/371473/always-show-full-url-in-
safari-address-bar
Audit:
Graphical Method:
Perform the following steps to verify that showing full website addresses in Safari is
enabled:
1. Open Safari
3. Select Settings
4. Select Advanced
5. Verify that Show full website address is enabled
or

3. Select Profiles
4. Verify that an installed profile has ShowFullURLInSmartSearchField set 1
Page 400
Terminal Method:
Run the following command to verify that showing full website addresses in Safari is not
disabled:
s/com.apple.Safari ShowFullURLInSmartSearchField
1
example:
/com.apple.Safari ShowFullURLInSmartSearchField
1
Remediation:
Graphical Method:
Perform the following steps to set Safari to show full website addresses:
1. Open Safari
3. Select Settings
4. Select Security
5. Set Show full website address to enabled
Terminal Method:
Run the following command to enable showing full website addresses in Safari:
s/com.apple.Safari ShowFullURLInSmartSearchField -bool true
example:
/com.apple.Safari ShowFullURLInSmartSearchField -bool true
Page 401
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 402
6.3.8 Audit Autofill (Manual)
• Level 2
Description:
Autofill capabilities in a Web Browser are a feature to allow a user to avoid re-typing the
same user information in every form that a user encounters. Part of the modern internet
consists of vendors establishing a seemingly close relationship with as many users as
possible to market to them, data-mine form them and sell their data to third parry data
aggregators. Autofill can be a method for a user to share too much information with
untrusted website owners. Many security professionals advise disabling autofill to
reduce the risk of over-sharing. These security professionals appear to believe that
manual data entry is better, since completing the required forms are often the only
method to connect to needed data. The best method for security is to ensure that the
data ready to be auto-filled is an acceptable risk to sites a user interacts with. Users
must review what data they accept the risk to share.
Rationale:
Auditing and accepting information a user is willing to share prior to loading the blank
form is the best way to manage risk.
Impact:
A user could overshare information based on trusting a site more than required.
Page 403
Audit:
Graphical Method:
Perform the following steps to verify autofill in Safari:

3. Select Profiles
4. Verify that an installed profile has AutoFillFromAddressBook set to your
5. Verify that an installed profile has AutoFillPasswords set to your organization's
requirements
6. Verify that an installed profile has AutoFillCreditCardData set to your
7. Verify that an installed profile has AutoFillMiscellaneousForms set to your
Terminal Method:
Run the following command to verify that a profile is installed that sets autofill in Safari
to your organization's requirements:
/usr/bin/grep AutoFillFromAddressBook | /usr/bin/tr -d ' ' && /usr/bin/sudo
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
AutoFillPasswords | /usr/bin/tr -d ' ' && /usr/bin/sudo
AutoFillCreditCardData | /usr/bin/tr -d ' ' && /usr/bin/sudo
AutoFillMiscellaneousForms | /usr/bin/tr -d ' '
The output will be:

AutoFillFromAddressBook=
AutoFillPasswords=
AutoFillCreditCardData=
AutoFillMiscellaneousForms=
Each key should be set to your organizations' requirements.
Page 404
Remediation:
Profile Method:

2. The key to include is AutoFillFromAddressBook
3. The key must be set to: <<true/false>/>
4. The key to include is AutoFillPasswords
6. The key to include is AutoFillCreditCardData
8. The key to include is AutoFillMiscellaneousForms
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 405
6.3.9 Ensure Pop-up Windows Are Blocked (Automated)
• Level 1
Description:
Bowser pop-up windows have long been one of the most annoying delivery
mechanisms of unwanted web content. The content can be as unwanted content,
including Not Safe For Work, or malicious content relying on a user interacting with the
pop-up. Safari has a built-in capability to disable pop-ups that should be enabled.
Rationale:
Pop-up windows are almost always unwanted content and should be blocked.
Impact:
Obsolete web content delivery systems may still rely on pop-ups on internal web
portals. Specific domains can be set to be allowed if absolutely necessary. Web
Developers should update content to reduce risk in the environment so that no pop-ups
are allowed
Audit:
Graphical Method:
Perform the following to verify that pop-up blocking in Safari is enabled:

3. Select Profiles
4. Verify that an installed profile has safariAllowPopups set to 0
Terminal Method:
Run the following command to verify that a profile is installed that blocks popups on
sites in Safari:
/usr/bin/grep safariAllowPopups | /usr/bin/tr -d ' '
safariAllowPopups=0;
Page 406
Remediation:
Profile Method:

2. The key to include is safariAllowPopups
3. The key must be set to: <false/>
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 407
6.3.10 Ensure Javascript Is Enabled (Manual)
• Level 1
Description:
While some graybeards (Me not included) promote the good old days when web pages
were primarily or exclusively text and dynamic content was not available current web
sites contain extensive scripting (JavaScript) to provide an appealing experience. For
most users mission critical information on websites (Internal or External) are likely to
require JavaScript and if the browser does not allow JavaScript the site will not work
well, or at all and may lead to help desk calls.
Rationale:
For normal user experience in web browsing JavaScript must be enabled. Specialized
browsing for specific use cases, advanced users or explicit domains may be desirable
but is cumbersome in the current environment.
Impact:
Purposely malicious JavaScript on allowed pages is a security vulnerability and may not
be acceptable in certain environments. User expectations must be managed if
JavaScript use is considered as too risky.
Audit:
Graphical Method:
Perform the following to verify that Javascript in Safari is enabled:

3. Select Profiles
4. Verify that an installed profile has WebKitPreferences.javaScriptEnabled set to
1
Terminal Method:
Run the following command to verify that a profile is installed that enables Javascript in
Safari:
/usr/bin/grep WebKitPreferences.javaScriptEnabled | /usr/bin/tr -d ' '
WebKitPreferences.javaScriptEnabled = 1;
Page 408
Remediation:
Profile Method:

2. The key to include is WebKitPreferences.javaScriptEnabled
Note: This mobile configuration profile setting with enable Javascript and remove the
ability for the user to disable it in the GUI.
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 409
6.3.11 Ensure Show Status Bar Is Enabled (Automated)
• Level 1
Description:
The Status Bar in Safari shows the full URL of any link on hover. It protects the user
from visiting sites where the domain has been obfuscated by allowing the user to review
whether the link points to an unexpected location.
Rationale:
Showing the Status Bar allows the user to review full URL of hyperlinks.
Impact:
The Status Bar is only visible at they very bottom of the Web page when a hyperlink is
hovered over. There should be no noticeable impact.
Audit:
Graphical Method:
Perform the following to verify that the status bar in Safari is enabled:

3. Select Profiles
4. Verify that an installed profile has ShowOverlayStatusBar set to 1
Terminal Method:
Run the following command to verify that a profile is installed that enables the status bar
in Safari:
/usr/bin/grep ShowOverlayStatusBar | /usr/bin/tr -d ' '
ShowOverlayStatusBar = 1;
Remediation:
Profile Method:

2. The key to include is ShowOverlayStatusBar
Page 410
CIS Controls:
Controls
Version

Email Clients

Email Clients
Page 411
6.4 Terminal
Terminal is the Command Line Interface (CLI) for macOS.

Terminal User Guide
Page 412
6.4.1 Ensure Secure Keyboard Entry Terminal.app Is Enabled
(Automated)
• Level 1
Description:
Secure Keyboard Entry prevents other applications on the system and/or network from
detecting and recording what is typed into Terminal. Unauthorized applications and
malicious code could intercept keystrokes entered in the Terminal.
Rationale:
Enabling Secure Keyboard Entry minimizes the risk of a key logger detecting what is
entered in Terminal.
Impact:
Enabling this in Terminal would prevent an application that is otherwise validly
intercepting keyboard input from intercepting that input in Terminal.app. This could
impact productivity tools.
Audit:
Graphical Method:
Perform the following steps to ensure that keyboard entries are secure in Terminal:

3. Select Profiles
4. Verify that an installed profile has SecureKeyboardEntry is set to 1
Terminal Method:
Run the following command to verify that a profile is installed that enables secure
keyboard entry in Terminal:
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\
.objectForKey('SecureKeyboardEntry').js
EOS
true
Page 413
Remediation:
Profile Method:
1. The PayloadType string is com.apple.Terminal

2. The key to include is SecureKeyboardEntry
user.
References:
1. https://support.apple.com/en-ca/guide/terminal/trml109/mac
2. https://developer.apple.com/library/archive/technotes/tn2150/_index.html
3. https://krypted.com/mac-os-x/secure-keyboard-entry-on-macos/
Page 414
Audit:
Graphical Method:
Perform the following steps to ensure that keyboard entries are secure in Terminal:
1. Open the Applications folder

2. Open the Utilities folder
3. Open Terminal
4. Select Terminal in the Menu Bar
5. Verify that Secure Keyboard Entry is enabled
Terminal Method:
For each user, run the following command to verify that keyboard entries in Terminal
are secured:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read -app Terminal
SecureKeyboardEntry
1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read -app Terminal
SecureKeyboardEntry
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read -app Terminal

SecureKeyboardEntry
1
In the above example the user seconduser is compliant, and the user firstuser is not
compliant.
Page 415
Remediation:
Graphical Method:
Perform the following steps to enable secure keyboard entries in Terminal:
1. Open the Applications folder

2. Open the Utilities folder
3. Open Terminal
4. Select Terminal in the Menu Bar
5. Set Secure Keyboard Entry to enabled
Terminal Method:
Run the following command to ensure keyboard entries are secure in Terminal:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write -app Terminal
SecureKeyboardEntry -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write -app Terminal
SecureKeyboardEntry -bool true
CIS Controls:
Controls
Version

function.
4.1 Maintain Inventory of Administrative Accounts

v7 Use automated tools to inventory all administrative accounts, including
domain and local accounts, to ensure that only authorized individuals have
● ●
elevated privileges.


v7 Are Running
● ●
Page 416
Appendix: Summary Table
CIS Benchmark Recommendation Set
Correctly
Yes No
1 Install Updates, Patches and Additional Security Software
1.1 Ensure All Apple-provided Software Is Current  

(Automated)
1.2 Ensure Auto Update Is Enabled (Automated)  
1.3 Ensure Download New Updates When Available Is  

Enabled (Automated)
1.4 Ensure Install of macOS Updates Is Enabled  

(Automated)
1.5 Ensure Install Application Updates from the App Store Is  

Enabled (Automated)
1.6 Ensure Install Security Responses and System Files Is  

Enabled (Automated)
1.7 Ensure Software Update Deferment Is Less Than or  

Equal to 30 Days (Automated)
1.8 Ensure the System is Managed by a Mobile Device  

Management (MDM) Software (Manual)
2 System Settings
2.1 Apple ID
2.1.1 iCloud
2.1.1.1 Audit iCloud Keychain (Manual)  
2.1.1.2 Audit iCloud Drive (Manual)  
2.1.1.3 Ensure iCloud Drive Document and Desktop Sync Is  

2.1.1.4 Audit Security Keys Used With AppleIDs (Manual)  
Page 417
Correctly
Yes No
2.1.1.5 Audit Freeform Sync to iCloud (Manual)  
2.1.2 Audit App Store Password Settings (Manual)  
2.2 Network
2.2.1 Ensure Firewall Is Enabled (Automated)  
2.2.2 Ensure Firewall Stealth Mode Is Enabled (Automated)  
2.3 General
2.3.1 AirDrop & Handoff
2.3.1.1 Ensure AirDrop Is Disabled When Not Actively  

Transferring Files (Automated)
2.3.1.2 Ensure AirPlay Receiver Is Disabled (Automated)  
2.3.2 Date & Time
2.3.2.1 Ensure Set Time and Date Automatically Is Enabled  

(Automated)
2.3.2.2 Ensure Time Is Set Within Appropriate Limits  

(Automated)
2.3.3 Sharing
2.3.3.1 Ensure DVD or CD Sharing Is Disabled (Automated)  
2.3.3.2 Ensure Screen Sharing Is Disabled (Automated)  
2.3.3.3 Ensure File Sharing Is Disabled (Automated)  
2.3.3.4 Ensure Printer Sharing Is Disabled (Automated)  
2.3.3.5 Ensure Remote Login Is Disabled (Automated)  
2.3.3.6 Ensure Remote Management Is Disabled (Automated)  
2.3.3.7 Ensure Remote Apple Events Is Disabled (Automated)  
Page 418
Correctly
Yes No
2.3.3.8 Ensure Internet Sharing Is Disabled (Automated)  
2.3.3.9 Ensure Content Caching Is Disabled (Automated)  
2.3.3.10 Ensure Media Sharing Is Disabled (Automated)  
2.3.3.11 Ensure Bluetooth Sharing Is Disabled (Automated)  
2.3.3.12 Ensure Computer Name Does Not Contain PII or  

Protected Organizational Information (Manual)
2.3.4 Time Machine
2.3.4.1 Ensure Backup Automatically is Enabled If Time  

2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time  

2.4 Control Center
2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled  

(Automated)
2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled  

(Automated)
2.5 Siri & Spotlight
2.5.1 Audit Siri Settings (Manual)  
2.5.2 Ensure Listen for "Hey Siri" Is Disabled (Manual)  
2.6 Privacy & Security
2.6.1 Location Services
2.6.1.1 Ensure Location Services Is Enabled (Automated)  
2.6.1.2 Ensure Location Services Is in the Menu Bar  

(Automated)
Page 419
Correctly
Yes No
2.6.1.3 Audit Location Services Access (Manual)  
2.6.2 Full Disk Access
2.6.2.1 Audit Full Disk Access for Applications (Manual)  
2.6.3 Ensure Sending Diagnostic and Usage Data to Apple Is  

2.6.4 Ensure Limit Ad Tracking Is Enabled (Automated)  
2.6.5 Ensure Gatekeeper Is Enabled (Automated)  
2.6.6 Ensure FileVault Is Enabled (Automated)  
2.6.7 Audit Lockdown Mode (Manual)  
2.6.8 Ensure an Administrator Password Is Required to  

Access System-Wide Preferences (Automated)
2.7 Desktop & Dock
2.7.1 Ensure Screen Saver Corners Are Secure (Automated)  
2.8 Displays
2.8.1 Audit Universal Control Settings (Manual)  
2.9 Battery (Energy Saver)
2.9.1 OS Resuming From Sleep
2.9.1.1 Ensure the OS Is Not Active When Resuming from  

Standby (Intel) (Automated)
2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep  

and Display Sleep (Apple Silicon) (Automated)
2.9.1.3 Ensure FileVault is Locked on Sleep (Automated)  
2.9.2 Ensure Power Nap Is Disabled for Intel Macs  

(Automated)
Page 420
Correctly
Yes No
2.9.3 Ensure Wake for Network Access Is Disabled  

(Automated)
2.10 Lock Screen
2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for  

the Screen Saver Is Enabled (Automated)
2.10.2 Ensure Require Password After Screen Saver Begins or  

Display Is Turned Off Is Enabled for 5 Seconds or
Immediately (Automated)
2.10.3 Ensure a Custom Message for the Login Screen Is  

Enabled (Automated)
2.10.4 Ensure Login Window Displays as Name and Password  

2.10.5 Ensure Show Password Hints Is Disabled (Automated)  
2.11 Touch ID & Password (Login Password)
2.11.1 Ensure Users' Accounts Do Not Have a Password Hint  

(Automated)
2.11.2 Audit Touch ID (Manual)  
2.12 Users & Groups
2.12.1 Ensure Guest Account Is Disabled (Automated)  
2.12.2 Ensure Guest Access to Shared Folders Is Disabled  

(Automated)
2.12.3 Ensure Automatic Login Is Disabled (Automated)  
2.13 Passwords
2.13.1 Audit Passwords System Preference Setting (Manual)  
2.14 Game Center
Page 421
Correctly
Yes No
2.14.1 Audit Game Center Settings (Manual)  
2.15 Notifications
2.15.1 Audit Notification & Focus Settings (Manual)  
2.16 Wallet & Apple Pay
2.16.1 Audit Wallet & Apple Pay Settings (Manual)  
2.17 Internet Accounts
2.17.1 Audit Internet Accounts for Authorized Use (Manual)  
2.18 Keyboard
2.18.1 Ensure On-Device Dictation Is Enabled (Automated)  
3 Logging and Auditing
3.1 Ensure Security Auditing Is Enabled (Automated)  
3.2 Ensure Security Auditing Flags For User-Attributable  

Events Are Configured Per Local Organizational
Requirements (Automated)
3.3 Ensure install.log Is Retained for 365 or More Days and  

No Maximum Size (Automated)
3.4 Ensure Security Auditing Retention Is Enabled  

(Automated)
3.5 Ensure Access to Audit Records Is Controlled  

(Automated)
3.6 Ensure Firewall Logging Is Enabled and Configured  

(Automated)
3.7 Audit Software Inventory (Manual)  
4 Network Configurations
Page 422
Correctly
Yes No
4.1 Ensure Bonjour Advertising Services Is Disabled  

(Automated)
4.2 Ensure HTTP Server Is Disabled (Automated)  
4.3 Ensure NFS Server Is Disabled (Automated)  
5 System Access, Authentication and Authorization
5.1 File System Permissions and Access Controls
5.1.1 Ensure Home Folders Are Secure (Automated)  
5.1.2 Ensure System Integrity Protection Status (SIP) Is  

Enabled (Automated)
5.1.3 Ensure Apple Mobile File Integrity (AMFI) Is Enabled  

(Automated)
5.1.4 Ensure Sealed System Volume (SSV) Is Enabled  

(Automated)
5.1.5 Ensure Appropriate Permissions Are Enabled for System  

Wide Applications (Automated)
5.1.6 Ensure No World Writable Folders Exist in the System  

Folder (Automated)
5.1.7 Ensure No World Writable Folders Exist in the Library  

Folder (Automated)
5.2 Password Management
5.2.1 Ensure Password Account Lockout Threshold Is  

Configured (Automated)
5.2.2 Ensure Password Minimum Length Is Configured  

(Automated)
5.2.3 Ensure Complex Password Must Contain Alphabetic  

Characters Is Configured (Manual)
Page 423
Correctly
Yes No
5.2.4 Ensure Complex Password Must Contain Numeric  

5.2.5 Ensure Complex Password Must Contain Special  

5.2.6 Ensure Complex Password Must Contain Uppercase  

and Lowercase Characters Is Configured (Manual)
5.2.7 Ensure Password Age Is Configured (Automated)  
5.2.8 Ensure Password History Is Configured (Automated)  
5.3 Encryption
5.3.1 Ensure all user storage APFS volumes are encrypted  

(Manual)
5.3.2 Ensure all user storage CoreStorage volumes are  

encrypted (Manual)
5.4 Ensure the Sudo Timeout Period Is Set to Zero  

(Automated)
5.5 Ensure a Separate Timestamp Is Enabled for Each  

User/tty Combo (Automated)
5.6 Ensure the "root" Account Is Disabled (Automated)  
5.7 Ensure an Administrator Account Cannot Login to  

Another User's Active and Locked Session (Automated)
5.8 Ensure a Login Window Banner Exists (Automated)  
5.9 Ensure the Guest Home Folder Does Not Exist  

(Automated)
5.10 Ensure XProtect Is Running and Updated (Automated)  
6 Applications
6.1 Finder
Page 424
Correctly
Yes No
6.1.1 Ensure Show All Filename Extensions Setting is Enabled  

(Automated)
6.2 Mail
6.2.1 Ensure Protect Mail Activity in Mail Is Enabled (Manual)  
6.3 Safari
6.3.1 Ensure Automatic Opening of Safe Files in Safari Is  

6.3.2 Audit History and Remove History Items (Manual)  
6.3.3 Ensure Warn When Visiting A Fraudulent Website in  

Safari Is Enabled (Automated)
6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled  

(Automated)
6.3.5 Audit Hide IP Address in Safari Setting (Manual)  
6.3.6 Ensure Advertising Privacy Protection in Safari Is  

Enabled (Automated)
6.3.7 Ensure Show Full Website Address in Safari Is Enabled  

(Automated)
6.3.8 Audit Autofill (Manual)  
6.3.9 Ensure Pop-up Windows Are Blocked (Automated)  
6.3.10 Ensure Javascript Is Enabled (Manual)  
6.3.11 Ensure Show Status Bar Is Enabled (Automated)  
6.4 Terminal
6.4.1 Ensure Secure Keyboard Entry Terminal.app Is Enabled  

(Automated)
Page 425
Appendix: CIS Controls v7 IG 1 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
1.2 Ensure Auto Update Is Enabled  
1.3 Ensure Download New Updates When Available Is
 
Enabled
 
Enabled
 
Enabled
1.7 Ensure Software Update Deferment Is Less Than or
 
Equal to 30 Days
 
Management (MDM) Software
2.1.1.1 Audit iCloud Keychain  
2.1.1.2 Audit iCloud Drive  
 
Disabled
2.1.1.5 Audit Freeform Sync to iCloud  
2.1.2 Audit App Store Password Settings  
2.2.1 Ensure Firewall Is Enabled  
2.2.2 Ensure Firewall Stealth Mode Is Enabled  
 
Transferring Files
2.3.1.2 Ensure AirPlay Receiver Is Disabled  
2.3.3.1 Ensure DVD or CD Sharing Is Disabled  
2.3.3.2 Ensure Screen Sharing Is Disabled  
2.3.3.3 Ensure File Sharing Is Disabled  
2.3.3.4 Ensure Printer Sharing Is Disabled  
2.3.3.5 Ensure Remote Login Is Disabled  
Page 426
Recommendation Set
Correctly
Yes No
2.3.3.6 Ensure Remote Management Is Disabled  
2.3.3.7 Ensure Remote Apple Events Is Disabled  
2.3.3.8 Ensure Internet Sharing Is Disabled  
2.3.3.10 Ensure Media Sharing Is Disabled  
2.3.3.11 Ensure Bluetooth Sharing Is Disabled  
 
Is Enabled
 
Machine Is Enabled
2.5.1 Audit Siri Settings  
2.5.2 Ensure Listen for "Hey Siri" Is Disabled  
2.6.1.1 Ensure Location Services Is Enabled  
2.6.1.3 Audit Location Services Access  
2.6.2.1 Audit Full Disk Access for Applications  
 
Disabled
2.6.5 Ensure Gatekeeper Is Enabled  
2.6.6 Ensure FileVault Is Enabled  
 
System-Wide Preferences
2.7.1 Ensure Screen Saver Corners Are Secure  
2.8.1 Audit Universal Control Settings  
 
Standby (Intel)
 
and Display Sleep (Apple Silicon)
2.9.1.3 Ensure FileVault is Locked on Sleep  
2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for
 
the Screen Saver Is Enabled
Display Is Turned Off Is Enabled for 5 Seconds or  
Immediately
Page 427
Recommendation Set
Correctly
Yes No
 
Enabled
2.10.4 Ensure Login Window Displays as Name and Password
 
Is Enabled
2.10.5 Ensure Show Password Hints Is Disabled  
2.11.2 Audit Touch ID  
2.12.3 Ensure Automatic Login Is Disabled  
2.15.1 Audit Notification & Focus Settings  
2.17.1 Audit Internet Accounts for Authorized Use  
2.18.1 Ensure On-Device Dictation Is Enabled  
3.1 Ensure Security Auditing Is Enabled  
3.2 Ensure Security Auditing Flags For User-Attributable
Events Are Configured Per Local Organizational  
Requirements
3.7 Audit Software Inventory  
4.2 Ensure HTTP Server Is Disabled  
4.3 Ensure NFS Server Is Disabled  
5.1.1 Ensure Home Folders Are Secure  
5.1.2 Ensure System Integrity Protection Status (SIP) Is
 
Enabled
 
Wide Applications
 
Folder
 
Folder
5.2.7 Ensure Password Age Is Configured  
Page 428
Recommendation Set
Correctly
Yes No
5.3.2 Ensure all user storage CoreStorage volumes are
 
encrypted
5.5 Ensure a Separate Timestamp Is Enabled for Each
 
User/tty Combo
5.6 Ensure the "root" Account Is Disabled  
5.7 Ensure an Administrator Account Cannot Login to
 
Another User's Active and Locked Session
5.8 Ensure a Login Window Banner Exists  
5.10 Ensure XProtect Is Running and Updated  
6.2.1 Ensure Protect Mail Activity in Mail Is Enabled  
 
Disabled
6.3.2 Audit History and Remove History Items  
6.3.3 Ensure Warn When Visiting A Fraudulent Website in
 
Safari Is Enabled
6.3.5 Audit Hide IP Address in Safari Setting  
6.3.6 Ensure Advertising Privacy Protection in Safari Is
 
Enabled
6.3.8 Audit Autofill  
6.3.9 Ensure Pop-up Windows Are Blocked  
6.3.10 Ensure Javascript Is Enabled  
6.3.11 Ensure Show Status Bar Is Enabled  
Page 429
Recommendations
Recommendation Set
Correctly
Yes No
 
Enabled
 
Enabled
 
Enabled
 
Equal to 30 Days
 
 
Disabled
2.1.1.4 Audit Security Keys Used With AppleIDs  
 
Transferring Files
Page 430
Recommendation Set
Correctly
Yes No
2.3.3.9 Ensure Content Caching Is Disabled  
 
Protected Organizational Information
 
Is Enabled
 
Machine Is Enabled
 
Disabled
2.6.4 Ensure Limit Ad Tracking Is Enabled  
2.6.7 Audit Lockdown Mode  
 
Page 431
Recommendation Set
Correctly
Yes No
 
Standby (Intel)
 
 
Immediately
 
Enabled
 
Is Enabled
2.12.1 Ensure Guest Account Is Disabled  
2.13.1 Audit Passwords System Preference Setting  
Requirements
3.3 Ensure install.log Is Retained for 365 or More Days and
 
No Maximum Size
Page 432
Recommendation Set
Correctly
Yes No
 
Enabled
 
Wide Applications
 
Folder
 
Folder
5.2.1 Ensure Password Account Lockout Threshold Is
 
Configured
 
Characters Is Configured
 
Character Is Configured
5.2.5 Ensure Complex Password Must Contain Special
 
 
Lowercase Characters Is Configured
5.2.8 Ensure Password History Is Configured  
 
encrypted
Page 433
Recommendation Set
Correctly
Yes No
 
User/tty Combo
 
 
Disabled
 
Safari Is Enabled
 
Enabled
Page 434
Recommendations
Recommendation Set
Correctly
Yes No
 
Enabled
 
Enabled
 
Enabled
 
Equal to 30 Days
 
 
Disabled
 
Transferring Files
Page 435
Recommendation Set
Correctly
Yes No
 
 
Is Enabled
 
Machine Is Enabled
 
Disabled
 
Page 436
Recommendation Set
Correctly
Yes No
 
Standby (Intel)
 
 
Immediately
 
Enabled
 
Is Enabled
Requirements
 
No Maximum Size
Page 437
Recommendation Set
Correctly
Yes No
 
Enabled
 
Wide Applications
 
Folder
 
Folder
 
Configured
 
 
 
 
 
encrypted
Page 438
Recommendation Set
Correctly
Yes No
 
User/tty Combo
 
 
Disabled
 
Safari Is Enabled
 
Enabled
Page 439
Appendix: CIS Controls v7 Unmapped
Recommendations
Recommendation Set
Correctly
Yes No
2.14.1 Audit Game Center Settings  
2.16.1 Audit Wallet & Apple Pay Settings  
Page 440
Recommendations
Recommendation Set
Correctly
Yes No
 
Enabled
 
Enabled
 
Enabled
 
Equal to 30 Days
 
 
Disabled
 
Transferring Files
Page 441
Recommendation Set
Correctly
Yes No
 
 
Is Enabled
 
Machine Is Enabled
 
Disabled
 
 
Standby (Intel)
 
Page 442
Recommendation Set
Correctly
Yes No
 
Immediately
 
Enabled
 
Is Enabled
Requirements
 
No Maximum Size
Page 443
Recommendation Set
Correctly
Yes No
 
Enabled
 
Wide Applications
 
Folder
 
Folder
 
Configured
 
 
 
 
 
User/tty Combo
 
Page 444
Recommendation Set
Correctly
Yes No
 
Disabled
 
Safari Is Enabled
 
Enabled
Page 445
Recommendations
Recommendation Set
Correctly
Yes No
 
Enabled
 
Enabled
 
Enabled
 
Equal to 30 Days
 
 
Disabled
 
Transferring Files
Page 446
Recommendation Set
Correctly
Yes No
 
 
Is Enabled
 
Machine Is Enabled
 
Disabled
 
Page 447
Recommendation Set
Correctly
Yes No
 
Standby (Intel)
 
 
Immediately
 
Enabled
 
Is Enabled
Requirements
 
No Maximum Size
Page 448
Recommendation Set
Correctly
Yes No
 
Enabled
 
Wide Applications
 
Folder
 
Folder
 
Configured
 
 
 
 
 
encrypted
Page 449
Recommendation Set
Correctly
Yes No
 
User/tty Combo
 
 
Disabled
 
Safari Is Enabled
 
Enabled
Page 450
Recommendations
Recommendation Set
Correctly
Yes No
 
Enabled
 
Enabled
 
Enabled
 
Equal to 30 Days
 
 
Disabled
 
Transferring Files
Page 451
Recommendation Set
Correctly
Yes No
 
 
Is Enabled
 
Machine Is Enabled
 
Disabled
 
Page 452
Recommendation Set
Correctly
Yes No
 
Standby (Intel)
 
 
Immediately
 
Enabled
 
Is Enabled
Requirements
 
No Maximum Size
Page 453
Recommendation Set
Correctly
Yes No
 
Enabled
 
Wide Applications
 
Folder
 
Folder
 
Configured
 
 
 
 
 
encrypted
Page 454
Recommendation Set
Correctly
Yes No
 
User/tty Combo
 
 
Disabled
 
Safari Is Enabled
 
Enabled
Page 455
Appendix: CIS Controls v8 Unmapped
Recommendations
Recommendation Set
Correctly
Yes No
2.14.1 Audit Game Center Settings  
2.16.1 Audit Wallet & Apple Pay Settings  
Page 456
Appendix: Change History
Date Version Changes for this version
September 29, 2023 2.0.0 Draft Release
October 16, 2023 2.0.0 Initial Release
Page 457

CIS Apple MacOS 14.0 Sonoma v1.0.0

Uploaded by

Copyright:

Available Formats

CIS Apple MacOS 14.0 Sonoma v1.0.0

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS Apple MacOS 14.0 Sonoma v1.0.0

Uploaded by

Copyright:

Available Formats

CIS Apple macOS 14.

Used for blocks of code, command, and script

Monospace font Used for inline code, commands, or examples.

Italic texts set in angle brackets denote a variable

Used to denote the title of a book, article, or other

Note Additional information or caveats

CIS Critical Security Controls® (CIS Controls®)

Items in this profile intend to:

o be practical and prudent;

o are intended for environments or use cases where security is paramount

The response should be in the last 30 days (Example): LastFullSuccessfulDate =

Installation of updates can be disruptive to the users especially if an restart is required.

1. Open System Settings

Software Update Tool

Finding available software

1. Open System Settings

The output will include the following:

Software Update Tool

Finding available software

$ /usr/bin/sudo /usr/sbin/softwareupdate -i 'ProVideoFormats-2.2.7'

Software Update Tool

Finding available software

Downloaded Pro Video Formats

7.3 Perform Automated Operating System Patch

7.4 Perform Automated Application Patch Management

3.4 Deploy Automated Operating System Patch

3.5 Deploy Automated Software Patch Management

1. Open System Settings

1. Open System Settings

1. The PayloadType string is com.apple.SoftwareUpdate

7.3 Perform Automated Operating System Patch

7.4 Perform Automated Application Patch Management

3.4 Deploy Automated Operating System Patch

3.5 Deploy Automated Software Patch Management

1. Open System Settings

1. Open System Settings

1. The PayloadType string is com.apple.SoftwareUpdate

7.3 Perform Automated Operating System Patch

7.4 Perform Automated Application Patch Management

3.4 Deploy Automated Operating System Patch

3.5 Deploy Automated Software Patch Management

1. Open System Settings

1. Open System Settings

1. Open System Settings

1. The PayloadType string is com.apple.SoftwareUpdate

7.3 Perform Automated Operating System Patch

7.4 Perform Automated Application Patch Management

3.4 Deploy Automated Operating System Patch

3.5 Deploy Automated Software Patch Management

Unpatched software may be exploited.

1. Open System Settings

1. Open System Settings

1. Open System Settings

1. The PayloadType string is com.apple.SoftwareUpdate

7.3 Perform Automated Operating System Patch

7.4 Perform Automated Application Patch Management

3.4 Deploy Automated Operating System Patch

3.5 Deploy Automated Software Patch Management

1. Open System Settings

1. Open System Settings