fleet/ee/cis/macos-15
Dante Catalfamo 90e1dc311b
Update macOS 15 to CIS Benchmark 2.0.0 (#43909)
**Related issue:** Resolves #35171


# macOS 15 CIS benchmark v1.1.0 → v2.0.0 change set

## Policy changes

| CIS ID | Policy name (new) | Change type | Effect |
|---|---|---|---|
| 1.1 | CIS - Ensure Apple-provided Software Updates Are Installed (Fleetd Required) | Modified | Renamed from "Ensure All Apple-provided Software Is Current"; resolution expanded with terminal `softwareupdate -i -a` method; `cis_id` added. Query unchanged (still uses fleetd's `software_update` table). |
| 1.6 | CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required) | Modified | Added Apple-deprecation note to description; `cis_id` added. Query unchanged. |
| 1.7 | CIS - Ensure XProtect Is Running and Updated | Removed | Deleted — v2.0.0 removed 1.7 from the numbered benchmark and moved it to Supplemental section 7.4. Per authoring outline, Fleet does not track section 7+ recommendations. |
| 2.1.1.1 | CIS - Ensure iCloud Passwords & Keychain is enabled/disabled (MDM Required) | Modified | Renamed from "iCloud Keychain" to match v2.0.0's "Audit iCloud Passwords & Keychain"; Description, Rationale, and Impact Statement updated from the new PDF; `cis_id` added to both enable/disable variants. Query unchanged (`allowCloudKeychainSync` key is the same). |
| 2.3.1.1 | CIS - Ensure AirDrop Is Disabled (MDM Required) | Modified | Added note to resolution stating AirDrop can only be toggled via configuration profile; `cis_id` added. Query unchanged. |
| 2.3.3.4 | CIS - Ensure Remote Login Is Disabled | Modified | Description rewritten to match v2.0.0 text; terminal remediation (`systemsetup -setremotelogin off`) added to resolution; `cis_id` added. Query unchanged (still checks `disabled.plist`). |
| 2.6.3.1, 2.6.3.2, 2.6.3.3, 2.6.3.4 | CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required) | Modified | **Query change**: Siri Data Sharing Opt-In Status check moved from `com.apple.applicationaccess` → `com.apple.assistant.support` domain to track v2.0.0's new PayloadType; `cis_id` added (combined). |
| 2.4.1 | CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required) | Removed | Deleted — recommendation removed in v2.0.0. |
| 2.4.2 | CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required) | Removed | Deleted — recommendation removed in v2.0.0 (replaced by Manual 2.4.1 "Audit Menu Bar and Control Center Icons"). |
| 6.1.1 | CIS - Ensure Show All Filename Extensions Setting is Enabled | Removed | Deleted — recommendation downgraded to Manual in v2.0.0. |

Policy count: 113 → 109.

## Test artifacts added

| Target CIS ID | File | Type | Notes |
|---|---|---|---|
| 2.3.3.4 | `ee/cis/macos-15/test/scripts/CIS_2.3.3.4_pass.sh` | pass script | `systemsetup -setremotelogin off` |
| 2.3.3.4 | `ee/cis/macos-15/test/scripts/CIS_2.3.3.4_fail.sh` | fail script | `systemsetup -setremotelogin on` |
| 1.6 | `ee/cis/macos-15/test/profiles/1.6.mobileconfig` | MDM profile | Sets `enforcedSoftwareUpdateDelay=30`, `forceDelayedSoftwareUpdates=true` |
| 2.3.1.1 | `ee/cis/macos-15/test/profiles/2.3.1.1.mobileconfig` | MDM profile | Sets `allowAirDrop=false` |
| 2.6.3.2 | `ee/cis/macos-15/test/profiles/2.6.3.2.mobileconfig` | MDM profile | Four payloads covering the combined Fleet query: Siri opt-in (new v2.0.0 domain), AutoSubmit, allowDiagnosticSubmission, AXSAudioDonationSiriImprovementEnabled |

No test added for 1.1 — query depends on live OS update state (fleetd
`software_update` table) and cannot be toggled by a script or profile.

No test added for 2.1.1.1 — it is an org-decision Audit recommendation
(Fleet ships both enable and disable variants); one of the two policies
fails by construction regardless of system state.

## Documentation updates

| File | Change |
|---|---|
| `ee/cis/macos-15/README.md` | Benchmark version bumped v1.1.0 → v2.0.0. Limitations list renumbered to v2.0.0 section numbers; added 2.4.1 (new "Audit Menu Bar and Control Center Icons") and 6.1.1 (now Manual "Audit Show All Filename Extensions"). Org-decision entry renamed from "Audit iCloud Keychain" to "Audit iCloud Passwords & Keychain" to match v2.0.0 terminology. |
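As an added illustration of how an MDM-profile-driven check such as 1.6 can be expressed as a Fleet policy query (this is not the query shipped in cis-policy-queries.yml; it assumes osquery's `managed_policies` table with `domain`, `name` and `value` columns, and that the two keys set by the 1.6 test profile are delivered under the `com.apple.applicationaccess` restrictions payload domain):

```sql
-- Added example; not Fleet's shipped query for CIS 1.6.
-- Assumes osquery's managed_policies table (domain, name, value) and that the
-- 1.6 profile keys live under the com.apple.applicationaccess payload domain.
-- Fleet treats a policy as passing when the query returns at least one row,
-- so a host with no deferral profile at all returns nothing and fails.
SELECT 1
WHERE EXISTS (
        -- deferral must actually be enforced, not merely configured
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.applicationaccess'
          AND name   = 'forceDelayedSoftwareUpdates'
          AND value IN ('1', 'true')   -- plist booleans surface as text
      )
  AND EXISTS (
        -- and the enforced delay must be between 1 and 30 days (v2.0.0: "<= 30")
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.applicationaccess'
          AND name   = 'enforcedSoftwareUpdateDelay'
          AND CAST(value AS INTEGER) BETWEEN 1 AND 30
      );
```

With the `1.6.mobileconfig` test profile from the table above installed (`enforcedSoftwareUpdateDelay=30`, `forceDelayedSoftwareUpdates=true`) this returns one row; a profile setting the delay to 31 or omitting `forceDelayedSoftwareUpdates` returns none.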
2026-04-23 16:17:34 -04:00

macOS 15 Sequoia benchmark

Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the CIS website for full details about this version.

For requirements and usage details, see the CIS Benchmarks documentation.

Limitations

The following CIS benchmarks cannot be checked with a policy in Fleet:

  1. 2.1.2 Audit App Store Password Settings
  2. 2.3.3.11 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
  3. 2.4.1 Audit Menu Bar and Control Center Icons
  4. 2.6.7 Audit Lockdown Mode
  5. 2.12.2 Audit Touch ID
  6. 2.16.1 Audit Wallet & Apple Pay Settings
  7. 2.15.1 Audit Notification Settings
  8. 3.6 Audit Software Inventory
  9. 6.1.1 Audit Show All Filename Extensions
  10. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled
  11. 2.6.3.5 Ensure Share iCloud Analytics Is Disabled

Checks that require decision

CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.

Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy. The policy will be appended with a -enabled or -disabled label, such as 2.1.1.1-enabled.

  • 2.1.1.1 Audit iCloud Passwords & Keychain
  • 2.1.1.2 Audit iCloud Drive
  • 2.5.1 Audit Siri
  • 2.8.1 Audit Universal Control

Furthermore, CIS has decided to not require the following password complexity settings:

  • 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
  • 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
  • 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
  • 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured

However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies.