os_mdm_require.yaml
id: os_mdm_require
title: Enforce Enrollment in Mobile Device Management
discussion: |
  You _MUST_ enroll your Mac in Mobile Device Management (MDM) software.

  User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:

  * Allowed Kernel Extensions
  * Allowed Approved System Extensions
  * Privacy Preferences Policy Control Payload
  * ExtensibleSingleSignOn
  * FDEFileVault

  In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:

  * Activation Lock Bypass
  * Access to Bootstrap Tokens
  * Scheduling Software Updates
  * Query list and delete local users
check: |
  /usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"
result:
  integer: 1
fix: |
  Ensure that the system is enrolled via UAMDM.
references:
  cce:
    - CCE-95227-5
  cci:
    - CCI-000366
  800-53r5:
    - CM-2
    - CM-6
  800-53r4:
    - CM-2
    - CM-6
  disa_stig:
    - APPL-26-005110
  srg:
    - SRG-OS-000480-GPOS-00227
  800-171r3:
    - 03.04.01
    - 03.04.02
  cis:
    benchmark:
      - N/A
    controls v8:
      - 4.1
      - 5.1
  cmmc:
    - CM.L2-3.4.2
macOS:
  - '26.0'
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cisv8
  - cnssi-1253_low
  - cnssi-1253_high
  - cnssi-1253_moderate
  - cmmc_lvl2
  - stig
severity: medium
mobileconfig: false
mobileconfig_info:
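The rule's `check` above is a shell pipeline whose printed count is compared against `result: integer: 1`. The script below is an added example (not part of the mSCP rule file or project) that feeds the same awk/grep pipeline with constructed samples of `profiles status -type enrollment` output, so the logic can be exercised off-device and the `grep -c` exit-status quirk handled; the sample outputs and the `mdm.example.invalid` server URL are constructed, and bare `awk`/`grep` replace the rule's `/usr/bin` paths for portability.

```shell
#!/bin/sh
# Added example, not part of the mSCP rule file: runs the os_mdm_require check
# logic against captured `profiles status -type enrollment` output.

# Constructed sample: compliant Mac, enrollment is User Approved.
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/'

# Constructed sample: an MDM profile is present but was never user-approved.
SAMPLE_NOT_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes
MDM server: https://mdm.example.invalid/'

# Constructed sample: no MDM enrollment at all.
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# The rule's own awk/grep pipeline, fed from $1 instead of the live `profiles`
# command. Prints 1 when enrollment is User Approved, otherwise 0.
mdm_check_count() {
    # grep -c exits 1 whenever the count is 0; the count is the result, so the
    # exit status must not abort a caller that runs under `set -e`.
    count=$(printf '%s\n' "$1" \
        | awk -F: '/MDM enrollment/ {print $2}' \
        | grep -c "Yes (User Approved)") || true
    printf '%s\n' "$count"
}

# Verdict: "pass" only when the count equals the rule's expected integer (1).
mdm_check_verdict() {
    if [ "$(mdm_check_count "$1")" -eq 1 ]; then echo pass; else echo fail; fi
}

# Live variant for a real Mac; unchanged pipeline, unused in the offline test.
mdm_check_live() {
    mdm_check_verdict "$(/usr/bin/profiles status -type enrollment)"
}
```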