| APPL-26-000001 | The macOS system must prevent Apple Watch from terminating a session lock. |
| APPL-26-000002 | The macOS system must enforce screen saver password. |
| APPL-26-000003 | The macOS system must enforce session lock no more than five seconds after screen saver is started. |
| APPL-26-000005 | The macOS system must configure user session lock when a smart token is removed. |
| APPL-26-000007 | The macOS system must disable hot corners. |
| APPL-26-000009 | The macOS system must prevent AdminHostInfo from being available at LoginWindow. |
| APPL-26-000012 | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. |
| APPL-26-000014 | The macOS system must enforce time synchronization. |
| APPL-26-000022 | The macOS system must limit consecutive failed login attempts to three. |
| APPL-26-000023 | The macOS system must display a policy banner at remote login. |
| APPL-26-000024 | The macOS system must enforce SSH to display a policy banner. |
| APPL-26-000025 | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. |
| APPL-26-000030 | The macOS system must configure audit log files to not contain access control lists (ACLs). |
| APPL-26-000031 | The macOS system must configure the audit log folder to not contain access control lists (ACLs). |
| APPL-26-000033 | The macOS system must disable FileVault automatic login. |
| APPL-26-000051 | The macOS system must configure SSHD ClientAliveInterval to 900. |
| APPL-26-000052 | The macOS system must configure SSHD ClientAliveCountMax to 1. |
| APPL-26-000053 | The macOS system must set login grace time to 30. |
| APPL-26-000054 | The macOS system must limit SSHD to FIPS-compliant connections. |
| APPL-26-000057 | The macOS system must limit SSH to FIPS-compliant connections. |
| APPL-26-000060 | The macOS system must set account lockout time to 15 minutes. |
| APPL-26-000070 | The macOS system must enforce screen saver timeout. |
| APPL-26-000090 | The macOS system must disable login to other users' active and locked sessions. |
| APPL-26-000100 | The macOS system must disable root login. |
| APPL-26-000110 | The macOS system must configure the SSH ServerAliveInterval to 900. |
| APPL-26-000120 | The macOS system must configure SSHD channel timeout to 900. |
| APPL-26-000130 | The macOS system must configure SSHD unused connection timeout to 900. |
| APPL-26-000140 | The macOS system must set SSH Active Server Alive Maximum to 0. |
| APPL-26-000160 | The macOS system must enforce auto logout after 86400 seconds of inactivity. |
| APPL-26-000170 | The macOS system must be configured to use an authorized time server. |
| APPL-26-000180 | The macOS system must enable the time synchronization daemon. |
| APPL-26-000190 | The macOS system must configure sudo to log events. |
| APPL-26-001001 | The macOS system must be configured to audit all administrative action events. |
| APPL-26-001002 | The macOS system must be configured to audit all login and logout events. |
| APPL-26-001003 | The macOS system must enable security auditing. |
| APPL-26-001012 | The macOS system must configure audit log files to be owned by root. |
| APPL-26-001013 | The macOS system must configure audit log folders to be owned by root. |
| APPL-26-001014 | The macOS system must configure the audit log files group to wheel. |
| APPL-26-001015 | The macOS system must configure the audit log folders group to wheel. |
| APPL-26-001016 | The macOS system must configure audit log files to mode 440 or less permissive. |
| APPL-26-001017 | The macOS system must configure audit log folders to mode 700 or less permissive. |
| APPL-26-001020 | The macOS system must be configured to audit all deletions of object attributes. |
| APPL-26-001021 | The macOS system must be configured to audit all changes of object attributes. |
| APPL-26-001022 | The macOS system must be configured to audit all failed read actions on the system. |
| APPL-26-001023 | The macOS system must be configured to audit all failed write actions on the system. |
| APPL-26-001024 | The macOS system must be configured to audit all failed program execution on the system. |
| APPL-26-001029 | The macOS system must configure audit retention to seven days. |
| APPL-26-001030 | The macOS system must configure audit capacity warning. |
| APPL-26-001031 | The macOS system must configure audit failure notification. |
| APPL-26-001044 | The macOS system must be configured to audit all authorization and authentication events. |
| APPL-26-001060 | The macOS system must set smart card certificate trust to moderate. |
| APPL-26-001100 | The macOS system must disable root login for SSH. |
| APPL-26-001110 | The macOS system must configure audit_control group to wheel. |
| APPL-26-001120 | The macOS system must configure audit_control owner to root. |
| APPL-26-001130 | The macOS system must configure audit_control owner to mode 440 or less permissive. |
| APPL-26-001140 | The macOS system must configure audit_control to not contain access control lists (ACLs). |
| APPL-26-001150 | The macOS system must disable password authentication for SSH. |
| APPL-26-002001 | The macOS system must disable Server Message Block (SMB) sharing. |
| APPL-26-002003 | The macOS system must disable Network File System (NFS) service. |
| APPL-26-002004 | The macOS system must disable Location Services. |
| APPL-26-002005 | The macOS system must disable Bonjour multicast. |
| APPL-26-002006 | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. |
| APPL-26-002007 | The macOS system must disable Internet Sharing. |
| APPL-26-002008 | The macOS system must disable the built-in web server. |
| APPL-26-002009 | The macOS system must disable AirDrop. |
| APPL-26-002010 | The macOS system must disable FaceTime.app. |
| APPL-26-002012 | The macOS system must disable the iCloud Calendar services. |
| APPL-26-002013 | The macOS system must disable iCloud Reminders. |
| APPL-26-002014 | The macOS system must disable iCloud Address Book. |
| APPL-26-002015 | The macOS system must disable iCloud Mail. |
| APPL-26-002016 | The macOS system must disable iCloud Notes. |
| APPL-26-002017 | The macOS system must disable the camera. |
| APPL-26-002020 | The macOS system must disable Siri. |
| APPL-26-002021 | The macOS system must disable sending diagnostic and usage data to Apple. |
| APPL-26-002022 | The macOS system must disable Remote Apple Events. |
| APPL-26-002023 | The macOS system must disable sending audio recordings and transcripts to Apple. |
| APPL-26-002024 | The macOS system must disable sending search data from Spotlight to Apple. |
| APPL-26-002035 | The macOS system must disable Apple ID setup during Setup Assistant. |
| APPL-26-002036 | The macOS system must disable Privacy Setup services during Setup Assistant. |
| APPL-26-002037 | The macOS system must disable iCloud storage setup during Setup Assistant. |
| APPL-26-002038 | The macOS system must disable Trivial File Transfer Protocol (TFTP) service. |
| APPL-26-002039 | The macOS system must disable Siri Setup during Setup Assistant. |
| APPL-26-002040 | The macOS system must disable iCloud Keychain Sync. |
| APPL-26-002041 | The macOS system must disable iCloud Document Sync. |
| APPL-26-002042 | The macOS system must disable iCloud Bookmarks. |
| APPL-26-002043 | The macOS system must disable iCloud Photo Library. |
| APPL-26-002050 | The macOS system must disable Screen Sharing and Apple Remote Desktop. |
| APPL-26-002052 | The macOS system must disable the System Settings pane for Wallet and Apple Pay. |
| APPL-26-002053 | The macOS system must disable the system settings pane for Siri. |
| APPL-26-002060 | The macOS system must apply gatekeeper settings to block applications from unidentified developers. |
| APPL-26-002062 | The macOS system must disable Bluetooth when no approved device is connected. |
| APPL-26-002063 | The macOS system must disable the guest account. |
| APPL-26-002064 | The macOS system must enable gatekeeper. |
| APPL-26-002066 | The macOS system must disable unattended or automatic login to the system. |
| APPL-26-002068 | The macOS system must secure users' home folders. |
| APPL-26-002069 | The macOS system must require an administrator password to modify systemwide preferences. |
| APPL-26-002080 | The macOS system must disable Airplay Receiver. |
| APPL-26-002090 | The macOS system must disable TouchID for unlocking the device. |
| APPL-26-002100 | The macOS system must disable Media Sharing. |
| APPL-26-002110 | The macOS system must disable Bluetooth Sharing. |
| APPL-26-002120 | The macOS system must disable AppleID and internet Account Modification. |
| APPL-26-002140 | The macOS system must disable Content Caching service. |
| APPL-26-002150 | The macOS system must disable iCloud Desktop and Document folder sync. |
| APPL-26-002160 | The macOS system must disable iCloud Game Center. |
| APPL-26-002170 | The macOS system must disable iCloud Private Relay. |
| APPL-26-002180 | The macOS system must disable Find My service. |
| APPL-26-002200 | The macOS system must disable Personalized Advertising. |
| APPL-26-002210 | The macOS system must disable sending Siri and Dictation information to Apple. |
| APPL-26-002220 | The macOS system must enforce On Device Dictation. |
| APPL-26-002230 | The macOS system must disable Dictation. |
| APPL-26-002240 | The macOS system must disable Printer Sharing. |
| APPL-26-002250 | The macOS system must disable Remote Management. |
| APPL-26-002260 | The macOS system must disable the Bluetooth System Settings pane. |
| APPL-26-002270 | The macOS system must disable the iCloud Freeform services. |
| APPL-26-002271 | The macOS system must disable iPhone Mirroring. |
| APPL-26-003001 | The macOS system must issue or obtain public key certificates from an approved service provider. |
| APPL-26-003007 | The macOS system must require that passwords contain a minimum of one numeric character. |
| APPL-26-003008 | The macOS system must restrict maximum password lifetime to 60 days. |
| APPL-26-003010 | The macOS system must require a minimum password length of 14 characters. |
| APPL-26-003011 | The macOS system must require that passwords contain a minimum of one special character. |
| APPL-26-003012 | The macOS system must disable password hints. |
| APPL-26-003014 | The macOS system must remove password hints from user accounts. |
| APPL-26-003020 | The macOS system must enforce smart card authentication. |
| APPL-26-003030 | The macOS system must allow smart card authentication. |
| APPL-26-003050 | The macOS system must enforce multifactor authentication for login. |
| APPL-26-003051 | The macOS system must enforce multifactor authentication for the su command. |
| APPL-26-003052 | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. |
| APPL-26-003060 | The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character. |
| APPL-26-003070 | The macOS system must set minimum password lifetime to 24 hours. |
| APPL-26-003080 | The macOS system must disable accounts after 35 days of inactivity. |
| APPL-26-004001 | The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel. |
| APPL-26-004002 | The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive. |
| APPL-26-004022 | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command. |
| APPL-26-004030 | The macOS system must configure system log files owned by root and group to wheel. |
| APPL-26-004040 | The macOS system must configure system log files to mode 640 or less permissive. |
| APPL-26-004050 | The macOS system must configure install.log retention to 365. |
| APPL-26-004060 | The macOS system must configure sudoers timestamp type. |
| APPL-26-005001 | The macOS system must ensure System Integrity Protection (SIP) is enabled. |
| APPL-26-005020 | The macOS system must enforce FileVault. |
| APPL-26-005050 | The macOS system must enable macOS Application Firewall. |
| APPL-26-005052 | The macOS system must configure the login window to prompt for username and password. |
| APPL-26-005054 | The macOS system must disable the TouchID prompt during Setup Assistant. |
| APPL-26-005055 | The macOS system must disable the Screen Time prompt during Setup Assistant. |
| APPL-26-005056 | The macOS system must disable Unlock with Apple Watch during Setup Assistant. |
| APPL-26-005058 | The macOS system must disable Handoff. |
| APPL-26-005060 | The macOS system must disable proximity-based password sharing requests. |
| APPL-26-005061 | The macOS system must disable Erase Content and Settings. |
| APPL-26-005070 | The macOS system must enable Authenticated Root. |
| APPL-26-005080 | The macOS system must prohibit user installation of software into /users/. |
| APPL-26-005090 | The macOS system must authorize USB devices before allowing connection. |
| APPL-26-005100 | The macOS system must ensure Secure Boot level is set to "full". |
| APPL-26-005110 | The macOS system must enforce enrollment in Mobile Device Management (MDM). |
| APPL-26-005120 | The macOS system must enable Recovery Lock. |
| APPL-26-005130 | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. |
| APPL-26-005140 | The macOS system must disable Genmoji AI Creation. |
| APPL-26-005150 | The macOS system must disable Apple Intelligence Image Playground. |
| APPL-26-005160 | The macOS system must disable Apple Intelligence Writing Tools. |
| APPL-26-999999 | The macOS system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). |
| APPL-26-005170 | The macOS system must disable Apple Intelligence during Setup Assistant. |
| APPL-26-006000 | The macOS system must be a version supported by the vendor. |