From ceddd26a736ef272ffbd8b980b410bb91aecbd14 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Thu, 21 Mar 2024 17:57:21 -0400
Subject: [PATCH] Update macos-device-health.policies.yml (#17783)

- Fix guest account and password policies
---
 .../lib/macos-device-health.policies.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
index 401c086fa0..6fdc883204 100644
--- a/it-and-security/lib/macos-device-health.policies.yml
+++ b/it-and-security/lib/macos-device-health.policies.yml
@@ -11,13 +11,25 @@
   resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
   platform: darwin
 - name: macOS - Disable guest account
-  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1;
+  query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
   critical: false
   description: This policy checks if the guest account is disabled.
   resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
   platform: darwin
 - name: macOS - Require 10 character password
-  query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
+  query: SELECT 1 WHERE
+    EXISTS (
+      SELECT 1 FROM managed_policies WHERE
+      domain='com.apple.screensaver' AND
+      name='askForPassword' AND
+      CAST(value AS INT)
+    )
+    AND EXISTS (
+      SELECT 1 FROM managed_policies WHERE
+      domain='com.apple.screensaver' AND
+      name='minLength' AND
+      CAST(value AS INT) <= 10
+    );
   critical: false
   description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
   resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
@@ -40,4 +52,4 @@
   critical: false
   description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
   resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
-  platform: darwin
\ No newline at end of file
+  platform: darwin
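Review bot: The second EXISTS in the new `macOS - Require 10 character password` query compares the managed `minLength` with `CAST(value AS INT) <= 10`, so a host whose profile sets minLength to 4 passes and one set to 12 fails, the reverse of the "at least 10 characters" the description promises; it should read `CAST(value AS INT) >= 10`. The first EXISTS leaves `CAST(value AS INT)` for `askForPassword` as a bare truthiness test; `CAST(value AS INT) = 1` states the intent explicitly and avoids passing on any non-zero stray value. In the rewritten guest-account query, `value = 0` against the plist table's text `value` column presumably relies on the boolean being reported as `0`, and a host where `GuestEnabled` is simply absent yields no row and so fails the policy even though the guest account is not enabled — worth confirming against such a host before relying on it.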