Navigate

Check: APPL-13-000001

Apple macOS 13 (Ventura) STIG: APPL-13-000001 (in versions v1 r4 through v1 r1)

Title

The macOS system must be configured to prevent Apple Watch from terminating a session lock. (Cat II impact)

Discussion

Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.

Check Content

Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock" allowAutoUnlock = 0; If there is no result or "allowAutoUnlock" is not set to "0", this is a finding.

Fix Text

Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "Restrictions Policy" configuration profile.

Additional Identifiers

Rule ID: SV-257142r905059_rule

Vulnerability ID: V-257142

Group Title: SRG-OS-000028-GPOS-00009

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000056	The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-11	Session Lock