Apple macOS 15 (Sequoia) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service.
The system must not have the UUCP service active. UUCP, a set of programs that enables sending files between different Unix systems and sending commands to be executed on another system, is not es...Rule Medium Severity -
The macOS system must disable FaceTime.app.
The macOS built-in FaceTime.app must be disabled. The FaceTime.app establishes a connection to Apple's iCloud service even when security controls have been put in place to disable iCloud access. ...Rule Medium Severity -
The macOS system must disable the iCloud Calendar services.
The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of da...Rule Medium Severity -
The macOS system must disable Siri.
Support for Siri is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surface for an in...Rule Medium Severity -
The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
If the system does not require TFTP support, it is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent...Rule High Severity -
The macOS system must disable iCloud Document Sync.
The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage. Apple's iCloud service does n...Rule Medium Severity -
The macOS system must apply gatekeeper settings to block applications from unidentified developers.
The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured correctly to allow the system to run only applicat...Rule High Severity -
The macOS system must disable the guest account.
Guest access must be disabled. Turning off guest access prevents anonymous users from accessing files.Rule Medium Severity -
The macOS system must secure users' home folders.
The system must be configured to prevent access to other users' home folders. The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder wh...Rule Medium Severity -
The macOS system must disable Airplay Receiver.
Airplay Receiver allows users to send content from one Apple device to be displayed on the screen as it is being played from another device. Support for Airplay Receiver is nonessential and must b...Rule Medium Severity -
The macOS system must disable Media Sharing.
Media Sharing must be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same ...Rule Medium Severity -
The macOS system must disable AppleID and internet Account Modification.
The system must disable Account Modification. Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contacts in the Internet Account System Setting Pane ...Rule Medium Severity -
The macOS system must disable Content Caching service.
Content Caching must be disabled. Content Caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac computers. It is not recommended for devices fu...Rule Medium Severity -
The macOS system must disable iCloud Desktop and Document folder sync.
The macOS system's ability to automatically synchronize a user's Desktop and Documents folder to their iCloud Drive must be disabled. Apple's iCloud service does not provide an organization with e...Rule Medium Severity -
The macOS system must disable iCloud Game Center.
This works only with supervised devices (mobile device management [MDM]) and allows to disable Apple Game Center. The rationale is that Game Center is using Apple ID and will share data on AppleID-...Rule Medium Severity -
The macOS system must disable Find My service.
The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service use...Rule Medium Severity -
The macOS system must disable Printer Sharing.
Printer Sharing must be disabled.Rule Medium Severity -
The macOS system must disable the iCloud Freeform services.
The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the att...Rule Medium Severity -
The macOS system must require that passwords contain a minimum of one numeric character.
The macOS must be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less ...Rule Medium Severity -
The macOS system must require a minimum password length of 14 characters.
The macOS must be configured to require that a minimum of 14 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.