The macOS system must disable iCloud Keychain Sync.

STIG ID: APPL-15-002040  |  SRG: SRG-OS-000095-GPOS-00049 |  Severity: medium |  CCI: CCI-000381 |  Vulnerability Id: V-268501

Vulnerability Discussion

The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled.

Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization must be controlled by an organization-approved service.

Check

Verify the macOS system is configured to disable iCloud Keychain Sync with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudKeychainSync').js
EOS

If the result is not "false", this is a finding.

Fix

Configure the macOS system to disable iCloud Keychain Sync by installing the "com.apple.applicationaccess" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.