
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.

An XCCDF Rule

Description

When FileVault and multifactor authentication are both configured on the operating system, a dedicated user must be configured to unlock the disk so that the implemented multifactor authentication rules are actually enforced. The FileVault pre-boot unlock is a password prompt that runs before the login window, and by default the account that unlocks the disk is logged in automatically. If a dedicated, login-disabled user is not configured to decrypt the hard disk upon startup, an ordinary user can unlock the disk with a password alone and reach a session without satisfying the multifactor authentication rules during initial startup and first login.

ID
SV-257160r905113_rule
Version
APPL-13-000032
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Configure the macOS system with a dedicated user account to decrypt the hard disk at startup, then disable the interactive logon ability of that account by replacing its login shell. The account must already exist as a local user before it can be enabled for FileVault, and "fdesetup add" will prompt for the password of an already-enabled FileVault user as well as the new account's password. Run the following commands, replacing <FileVault_User> with the account name and </path/to/current/shell> with the shell currently recorded for it (shown by "/usr/bin/dscl . read /Users/<FileVault_User> UserShell"):

/usr/bin/sudo /usr/bin/fdesetup add -usertoadd <FileVault_User>

/usr/bin/sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false

Confirm the result with "/usr/bin/sudo /usr/bin/fdesetup list", which prints one "name,GeneratedUID" line per FileVault-enabled user, and by reading UserShell back with dscl: the dedicated account must appear in the list and its UserShell must be /usr/bin/false. Note that this account's password is now sufficient on its own to unlock the disk at boot, so treat it as a protected break-glass credential rather than a shared convenience account.
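The following script is an added example for this rule, not text from the STIG or an Apple tool. It wraps the two remediation commands above in a function and pairs them with a check that parses the output of "fdesetup list" and "dscl . -read ... UserShell", so remediation and verification can be reviewed together. It assumes macOS with FileVault already turned on, an administrator running it, and a local account named "fvunlock" (a hypothetical name) created beforehand for this purpose; the sample command output embedded at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example for APPL-13-000032; not part of the STIG text.
# Assumes macOS, FileVault on, an admin user, and an existing local account
# named "fvunlock" (hypothetical) reserved for pre-boot unlock.
set -eu

FV_USER="${FV_USER:-fvunlock}"

# `fdesetup list` prints one "name,GeneratedUID" line per FileVault-enabled user.
# Succeeds when user $1 appears in listing $2.
fv_user_enabled() {
  user="$1"; listing="$2"
  printf '%s\n' "$listing" |
    awk -F, -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# `dscl . -read /Users/<name> UserShell` prints "UserShell: <path>".
# Succeeds when output $1 shows /usr/bin/false, i.e. interactive login is disabled.
shell_is_disabled() {
  shell="$(printf '%s\n' "$1" | awk '$1 == "UserShell:" { print $2 }')"
  [ "$shell" = "/usr/bin/false" ]
}

# Applies the fix from the manual procedure on a live system. fdesetup prompts
# for an already-enabled FileVault user's password and for the new user's
# password; the account must exist before it can be added.
remediate() {
  user="$1"
  sudo /usr/bin/fdesetup add -usertoadd "$user"
  current_shell="$(dscl . -read "/Users/$user" UserShell | awk '{ print $2 }')"
  sudo /usr/bin/dscl . -change "/Users/$user" UserShell "$current_shell" /usr/bin/false
}

# Live check: the dedicated user is FileVault-enabled and cannot log in interactively.
verify_live() {
  user="$1"
  fv_user_enabled "$user" "$(sudo /usr/bin/fdesetup list)" &&
    shell_is_disabled "$(dscl . -read "/Users/$user" UserShell)"
}

# Constructed sample output (not from a real machine) so the check logic runs offline.
SAMPLE_FDESETUP_LIST='admin,11111111-2222-3333-4444-555555555555
fvunlock,66666666-7777-8888-9999-000000000000'
SAMPLE_DSCL_SHELL='UserShell: /usr/bin/false'

# Offline demonstration of the same check against the constructed sample.
verify_sample() {
  fv_user_enabled "$FV_USER" "$SAMPLE_FDESETUP_LIST" &&
    shell_is_disabled "$SAMPLE_DSCL_SHELL"
}

case "${1:-check}" in
  remediate) remediate "$FV_USER" ;;
  verify)    verify_live "$FV_USER" && echo "$FV_USER: compliant" ;;
  *)         verify_sample && echo "sample check passed" ;;
esac
```

Run it with no arguments to exercise the parsing against the constructed sample, with "verify" to audit a real Mac, and with "remediate" to apply the fix; a user whose shell is anything other than /usr/bin/false, or who is missing from the fdesetup listing, makes the check fail.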