| ID | Requirement |
| --- | --- |
| APPL-15-000001 | The macOS system must prevent Apple Watch from terminating a session lock. |
| APPL-15-000002 | The macOS system must enforce screen saver password. |
| APPL-15-000003 | The macOS system must enforce session lock no more than five seconds after screen saver is started. |
| APPL-15-000005 | The macOS system must configure user session lock when a smart token is removed. |
| APPL-15-000007 | The macOS system must disable hot corners. |
| APPL-15-000009 | The macOS system must prevent AdminHostInfo from being available at LoginWindow. |
| APPL-15-000012 | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. |
| APPL-15-000014 | The macOS system must enforce time synchronization. |
| APPL-15-000022 | The macOS system must limit consecutive failed login attempts to three. |
| APPL-15-000023 | The macOS system must display a policy banner at remote login. |
| APPL-15-000025 | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. |
| APPL-15-000030 | The macOS system must configure audit log files to not contain access control lists (ACLs). |
| APPL-15-000031 | The macOS system must configure the audit log folder to not contain access control lists (ACLs). |
| APPL-15-000033 | The macOS system must disable FileVault automatic login. |
| APPL-15-000051 | The macOS system must configure SSHD ClientAliveInterval to 900. |
| APPL-15-000052 | The macOS system must configure SSHD ClientAliveCountMax to 1. |
| APPL-15-000053 | The macOS system must set login grace time to 30. |
| APPL-15-000054 | The macOS system must limit SSHD to FIPS-compliant connections. |
| APPL-15-000057 | The macOS system must limit SSH to FIPS-compliant connections. |
| APPL-15-000060 | The macOS system must set account lockout time to 15 minutes. |
| APPL-15-000070 | The macOS system must enforce screen saver timeout. |
| APPL-15-000090 | The macOS system must disable login to other users' active and locked sessions. |
| APPL-15-000100 | The macOS system must disable root login. |
| APPL-15-000110 | The macOS system must configure the SSH ServerAliveInterval to 900. |
| APPL-15-000120 | The macOS system must configure SSHD channel timeout to 900. |
| APPL-15-000130 | The macOS system must configure SSHD unused connection timeout to 900. |
| APPL-15-000140 | The macOS system must set SSH Active Server Alive Maximum to 0. |
| APPL-15-000160 | The macOS system must enforce auto logout after 86400 seconds of inactivity. |
| APPL-15-000170 | The macOS system must be configured to use an authorized time server. |
| APPL-15-000180 | The macOS system must enable the time synchronization daemon. |
| APPL-15-000190 | The macOS system must configure sudo to log events. |
| APPL-15-001001 | The macOS system must be configured to audit all administrative action events. |
| APPL-15-001002 | The macOS system must be configured to audit all login and logout events. |
| APPL-15-001003 | The macOS system must enable security auditing. |
| APPL-15-001010 | The macOS system must be configured to shut down upon audit failure. |
| APPL-15-001012 | The macOS system must configure audit log files to be owned by root. |
| APPL-15-001013 | The macOS system must configure audit log folders to be owned by root. |
| APPL-15-001014 | The macOS system must configure the audit log files group to wheel. |
| APPL-15-001015 | The macOS system must configure the audit log folders group to wheel. |
| APPL-15-001016 | The macOS system must configure audit log files to mode 440 or less permissive. |
| APPL-15-001017 | The macOS system must configure audit log folders to mode 700 or less permissive. |
| APPL-15-001020 | The macOS system must be configured to audit all deletions of object attributes. |
| APPL-15-001021 | The macOS system must be configured to audit all changes of object attributes. |
| APPL-15-001022 | The macOS system must be configured to audit all failed read actions on the system. |
| APPL-15-001023 | The macOS system must be configured to audit all failed write actions on the system. |
| APPL-15-001029 | The macOS system must configure audit retention to seven days. |
| APPL-15-001030 | The macOS system must configure audit capacity warning. |
| APPL-15-001031 | The macOS system must configure audit failure notification. |
| APPL-15-001044 | The macOS system must be configured to audit all authorization and authentication events. |
| APPL-15-001060 | The macOS system must set smart card certificate trust to moderate. |
| APPL-15-001100 | The macOS system must disable root login for SSH. |
| APPL-15-001110 | The macOS system must configure audit_control group to wheel. |
| APPL-15-001120 | The macOS system must configure audit_control owner to root. |
| APPL-15-001130 | The macOS system must configure audit_control owner to mode 440 or less permissive. |
| APPL-15-001150 | The macOS system must disable password authentication for SSH. |
| APPL-15-002001 | The macOS system must disable Server Message Block (SMB) sharing. |
| APPL-15-002003 | The macOS system must disable Network File System (NFS) service. |
| APPL-15-002004 | The macOS system must disable Location Services. |
| APPL-15-002005 | The macOS system must disable Bonjour multicast. |
| APPL-15-002006 | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. |
| APPL-15-002007 | The macOS system must disable Internet Sharing. |
| APPL-15-002008 | The macOS system must disable the built-in web server. |
| APPL-15-002009 | The macOS system must disable AirDrop. |
| APPL-15-002010 | The macOS system must disable FaceTime.app. |
| APPL-15-002012 | The macOS system must disable the iCloud Calendar services. |
| APPL-15-002013 | The macOS system must disable iCloud Reminders. |
| APPL-15-002014 | The macOS system must disable iCloud Address Book. |
| APPL-15-002015 | The macOS system must disable iCloud Mail. |
| APPL-15-002016 | The macOS system must disable iCloud Notes. |
| APPL-15-002017 | The macOS system must disable the camera. |
| APPL-15-002020 | The macOS system must disable Siri. |
| APPL-15-002021 | The macOS system must disable sending diagnostic and usage data to Apple. |
| APPL-15-002022 | The macOS system must disable Remote Apple Events. |
| APPL-15-002035 | The macOS system must disable Apple ID setup during Setup Assistant. |
| APPL-15-002036 | The macOS system must disable Privacy Setup services during Setup Assistant. |
| APPL-15-002037 | The macOS system must disable iCloud storage setup during Setup Assistant. |
| APPL-15-002038 | The macOS system must disable Trivial File Transfer Protocol (TFTP) service. |
| APPL-15-002039 | The macOS system must disable Siri Setup during Setup Assistant. |
| APPL-15-002040 | The macOS system must disable iCloud Keychain Sync. |
| APPL-15-002041 | The macOS system must disable iCloud Document Sync. |
| APPL-15-002042 | The macOS system must disable iCloud Bookmarks. |
| APPL-15-002043 | The macOS system must disable iCloud Photo Library. |
| APPL-15-002050 | The macOS system must disable Screen Sharing and Apple Remote Desktop. |
| APPL-15-002052 | The macOS system must disable the System Settings pane for Wallet and Apple Pay. |
| APPL-15-002053 | The macOS system must disable the system settings pane for Siri. |
| APPL-15-002060 | The macOS system must apply gatekeeper settings to block applications from unidentified developers. |
| APPL-15-002062 | The macOS system must disable Bluetooth when no approved device is connected. |
| APPL-15-002063 | The macOS system must disable the guest account. |
| APPL-15-002064 | The macOS system must enable gatekeeper. |
| APPL-15-002066 | The macOS system must disable unattended or automatic login to the system. |
| APPL-15-002068 | The macOS system must secure users' home folders. |
| APPL-15-002069 | The macOS system must require an administrator password to modify systemwide preferences. |
| APPL-15-002080 | The macOS system must disable Airplay Receiver. |
| APPL-15-002090 | The macOS system must disable TouchID for unlocking the device. |
| APPL-15-002100 | The macOS system must disable Media Sharing. |
| APPL-15-002110 | The macOS system must disable Bluetooth Sharing. |
| APPL-15-002120 | The macOS system must disable AppleID and internet Account Modification. |
| APPL-15-002130 | The macOS system must disable CD/DVD Sharing. |
| APPL-15-002140 | The macOS system must disable Content Caching service. |
| APPL-15-002150 | The macOS system must disable iCloud Desktop and Document folder sync. |
| APPL-15-002160 | The macOS system must disable iCloud Game Center. |
| APPL-15-002170 | The macOS system must disable iCloud Private Relay. |
| APPL-15-002180 | The macOS system must disable Find My service. |
| APPL-15-002200 | The macOS system must disable Personalized Advertising. |
| APPL-15-002210 | The macOS system must disable sending Siri and Dictation information to Apple. |
| APPL-15-002220 | The macOS system must enforce On Device Dictation. |
| APPL-15-002230 | The macOS system must disable Dictation. |
| APPL-15-002240 | The macOS system must disable Printer Sharing. |
| APPL-15-002250 | The macOS system must disable Remote Management. |
| APPL-15-002260 | The macOS system must disable the Bluetooth System Settings pane. |
| APPL-15-002270 | The macOS system must disable the iCloud Freeform services. |
| APPL-15-003001 | The macOS system must issue or obtain public key certificates from an approved service provider. |
| APPL-15-003007 | The macOS system must require that passwords contain a minimum of one numeric character. |
| APPL-15-003008 | The macOS system must restrict maximum password lifetime to 60 days. |
| APPL-15-003010 | The macOS system must require a minimum password length of 14 characters. |
| APPL-15-003011 | The macOS system must require that passwords contain a minimum of one special character. |
| APPL-15-003012 | The macOS system must disable password hints. |
| APPL-15-003013 | The macOS system must enable firmware password. |
| APPL-15-003014 | The macOS system must remove password hints from user accounts. |
| APPL-15-003020 | The macOS system must enforce smart card authentication. |
| APPL-15-003030 | The macOS system must allow smart card authentication. |
| APPL-15-003050 | The macOS system must enforce multifactor authentication for login. |
| APPL-15-003051 | The macOS system must enforce multifactor authentication for the su command. |
| APPL-15-003052 | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. |
| APPL-15-003060 | The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character. |
| APPL-15-003070 | The macOS system must set minimum password lifetime to 24 hours. |
| APPL-15-003080 | The macOS system must disable accounts after 35 days of inactivity. |
| APPL-15-004001 | The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel. |
| APPL-15-004002 | The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive. |
| APPL-15-004030 | The macOS system must configure system log files owned by root and group to wheel. |
| APPL-15-004040 | The macOS system must configure system log files to mode 640 or less permissive. |
| APPL-15-004050 | The macOS system must configure install.log retention to 365. |
| APPL-15-005001 | The macOS system must ensure System Integrity Protection is enabled. |
| APPL-15-005020 | The macOS system must enforce FileVault. |
| APPL-15-005050 | The macOS system must enable macOS Application Firewall. |
| APPL-15-005052 | The macOS system must configure the login window to prompt for username and password. |
| APPL-15-005054 | The macOS system must disable the TouchID prompt during Setup Assistant. |
| APPL-15-005055 | The macOS system must disable the Screen Time prompt during Setup Assistant. |
| APPL-15-005056 | The macOS system must disable Unlock with Apple Watch during Setup Assistant. |
| APPL-15-005058 | The macOS system must disable Handoff. |
| APPL-15-005060 | The macOS system must disable proximity-based password sharing requests. |
| APPL-15-005061 | The macOS system must disable Erase Content and Settings. |
| APPL-15-005070 | The macOS system must enable Authenticated Root. |
| APPL-15-005080 | The macOS system must prohibit user installation of software into /users/. |
| APPL-15-005090 | The macOS system must authorize USB devices before allowing connection. |
| APPL-15-005100 | The macOS system must ensure Secure Boot level is set to "full". |
| APPL-15-005110 | The macOS system must enforce enrollment in Mobile Device Management (MDM). |
| APPL-15-005120 | The macOS system must enable Recovery Lock. |
| APPL-15-005130 | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. |
| APPL-15-005140 | The macOS system must disable Genmoji. |
| APPL-15-005150 | The macOS system must disable Apple Intelligence Image Generation. |
| APPL-15-005160 | The macOS system must disable Apple Intelligence Writing Tools. |
| APPL-15-999999 | The macOS system must be a supported release. |
| APPL-15-000024 | The macOS system must enforce SSH to display a policy banner. |
| APPL-15-001024 | The macOS system must be configured to audit all failed program execution on the system. |
| APPL-15-001140 | The macOS system must configure audit_control to not contain access control lists (ACLs). |
| APPL-15-002023 | The macOS system must disable sending audio recordings and transcripts to Apple. |
| APPL-15-002024 | The macOS system must disable sending search data from Spotlight to Apple. |