Vulnerability Discussion
Users must not be allowed to install software into /users/.
Allowing users who do not possess explicit privileges to install software presents the risk of untested
and potentially malicious software being installed on the system. Explicit privileges (escalated or
administrative privileges) provide the regular user with explicit capabilities and control that exceeds
the rights of a regular user.
[IMPORTANT]
====
Apple has deprecated the use of application restriction controls
(https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70).
Using these controls may not work as expected. Third-party software may be required to fulfill the
compliance requirements.
====
Check
Verify the macOS system is configured to prohibit user installation of software into
/users/ with the following command:
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
function run() {
  // Both values come from the managed preference domain written by the
  // "com.apple.applicationaccess.new" configuration profile.
  let prefs = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')
  let pref1 = ObjC.unwrap(prefs.objectForKey('familyControlsEnabled'))
  let pathlist = prefs.objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    // Exact string match: the restriction must name "/Users/" itself and
    // familyControlsEnabled must also be set for the restriction to apply.
    if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS
----
If the result is not "true", this is a finding.
Fix
Configure the macOS system to prohibit user installation of software
into /users/ by installing the "com.apple.applicationaccess.new" configuration profile.
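As an added example that is not part of this page or of the mSCP/DISA material, the following Python script parses a constructed "com.apple.applicationaccess.new" profile and applies the same two conditions the Check reads from the live managed preferences (familyControlsEnabled set and "/Users/" present in pathBlackList). The PayloadIdentifier values and the sample profile contents are assumptions for illustration only.

```python
"""Evaluate a configuration profile against the Check above (added example)."""
import plistlib

# Constructed sample profile (not a real mSCP/DISA artifact): one payload of the
# type named in the Fix, carrying the two keys the Check reads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.applicationaccess.new</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess.new</string>
      <key>PayloadIdentifier</key><string>example.applicationaccess.new.payload</string>
      <key>familyControlsEnabled</key><true/>
      <key>pathBlackList</key>
      <array><string>/Users/</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def profile_blocks_user_installs(profile_bytes: bytes) -> bool:
    """True when some com.apple.applicationaccess.new payload has
    familyControlsEnabled set and "/Users/" in pathBlackList, which are the
    same two conditions the osascript Check tests on the managed preferences."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess.new":
            continue
        if payload.get("familyControlsEnabled") is not True:
            continue
        # The Check compares exact strings, so "/users/" or "/Users" would not pass.
        if "/Users/" in payload.get("pathBlackList", []):
            return True
    return False


def weakened(profile_bytes: bytes) -> bytes:
    """Drop familyControlsEnabled to show the path list alone is not enough."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        payload.pop("familyControlsEnabled", None)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("compliant:", profile_blocks_user_installs(SAMPLE_PROFILE))
    print("weakened :", profile_blocks_user_installs(weakened(SAMPLE_PROFILE)))
```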