From 2295575fdb36695e1594ac90ab8ebbfe9d52fdfe Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Fri, 3 Mar 2023 15:12:23 -0500
Subject: [PATCH] CIS_MAC13_2.8.1 (#10192)
---
 ee/cis/macos-13/cis-policy-queries.yml | 56 +++++++++++++++++++
 .../test/profiles/2.8.1.disable.mobileconfig | 37 ++++++++++++
 .../test/profiles/2.8.1.enable.mobileconfig | 37 ++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 ee/cis/macos-13/test/profiles/2.8.1.disable.mobileconfig
 create mode 100644 ee/cis/macos-13/test/profiles/2.8.1.enable.mobileconfig
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 395cc99c49..601d51c74b 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -902,6 +902,62 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Universal Control is an Apple feature that allows Mac users to control multiple other Macs and iPads with the same keyboard, mouse, and trackpad using the same Apple ID. The technology relies on already available iCloud services, particularly Handoff.
+ Universal Control simplifies the use of iCloud connectivity of multiple computers using the same Apple ID. This may simplify data transfer from organizationally-managed and personal devices. The use of the same iCloud account and Handoff is the underlying concern that should be evaluated. The use of the same keyboard or mouse across multiple devices does not by itself decrease organizational security.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy an MDM profile that enables the Bluetooth status in the menu bar.
+ Create or edit a configuration profile with the following information:
+ 1. The `PayloadType` string is com.apple.universalcontrol.
+ 2. The key to include is 'Disable'.
+ 3. The key must be set to .
+ query: |
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.universalcontrol'
+ AND
+ name='Disable'
+ AND value = '0';
+ /*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding). 
+ Depending on your organization's decision, you can delete this policy or its counterpart.*/
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.8.1-enabled, decision-needed
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Universal Control is an Apple feature that allows Mac users to control multiple other Macs and iPads with the same keyboard, mouse, and trackpad using the same Apple ID. The technology relies on already available iCloud services, particularly Handoff.
+ Universal Control simplifies the use of iCloud connectivity of multiple computers using the same Apple ID. This may simplify data transfer from organizationally-managed and personal devices. The use of the same iCloud account and Handoff is the underlying concern that should be evaluated. The use of the same keyboard or mouse across multiple devices does not by itself decrease organizational security.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy an MDM profile that enables the Bluetooth status in the menu bar.
+ Create or edit a configuration profile with the following information:
+ 1. The `PayloadType` string is com.apple.universalcontrol.
+ 2. The key to include is 'Disable'.
+ 3. The key must be set to .
+ query: |
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.universalcontrol'
+ AND
+ name='Disable'
+ AND value = '1';
+ /*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding). 
+ Depending on your organization's decision, you can delete this policy or its counterpart.*/
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.8.1-disabled, decision-needed
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/profiles/2.8.1.disable.mobileconfig b/ee/cis/macos-13/test/profiles/2.8.1.disable.mobileconfig
new file mode 100644
index 0000000000..82816dd0ef
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/2.8.1.disable.mobileconfig
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.universalcontrol
+ PayloadIdentifier
+ com.fleetdm.cis-2.8.1.check-disabled
+ PayloadUUID
+ A6481AEB-354C-4718-9E01-B4562C7F341A
+ Disable
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Ensure Universal Control is disabled
+ PayloadIdentifier
+ com.fleetdm.cis-2.8.1-disabled
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 8EA6B5B4-A0EF-49B3-8A6E-C8F02C27456B
+ PayloadVersion
+ 1
+
+
diff --git a/ee/cis/macos-13/test/profiles/2.8.1.enable.mobileconfig b/ee/cis/macos-13/test/profiles/2.8.1.enable.mobileconfig
new file mode 100644
index 0000000000..126c98c07c
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/2.8.1.enable.mobileconfig
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.universalcontrol
+ PayloadIdentifier
+ com.fleetdm.cis-2.8.1.check-enabled
+ PayloadUUID
+ F39058CB-027B-453D-B2DF-414F9B84D241
+ Disable
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Ensure Universal Control is enabled
+ PayloadIdentifier
+ com.fleetdm.cis-2.8.1-enabled
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ ECC41516-FFD8-4321-9696-63B1939CB956
+ PayloadVersion
+ 1
+
+
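Review bot: The `resolution` text of both new Universal Control policies tells the administrator to deploy a profile that "enables the Bluetooth status in the menu bar" (`+ Ask your system administrator to deploy an MDM profile that enables the Bluetooth status in the menu bar.`), which does not match the `com.apple.universalcontrol` / `Disable` check the query performs and looks copied from a neighbouring policy. Suggested wording is `Ask your system administrator to deploy an MDM profile that enables Universal Control.` in the "enabled" policy and `Ask your system administrator to deploy an MDM profile that disables Universal Control.` in the "disabled" policy. Step 3 of each resolution renders here as `3. The key must be set to .`, so the boolean value has either been lost in rendering or is genuinely missing; since the two resolutions are otherwise identical, it is worth confirming the enabled policy says `false` (matching `value = '0'`) and the disabled policy says `true` (matching `value = '1'`). The existing `/* ... */` comment in each query could also note that a host with no profile for this domain presumably fails both policies, which is the intended "MDM Required" behaviour and the reason one of the pair should be deleted.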