Check: APPL-14-005120
Apple macOS 14 (Sonoma) STIG:
APPL-14-005120
(in versions v1 r2 through v1 r1)
Title
The macOS system must enable recovery lock. (Cat II impact)
Discussion
A recovery lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.
Check Content
For non-Apple Silicon systems, this is not applicable.
Verify the macOS system is configured with recovery lock with the following command:
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1"
If the result is not "1", this is a finding.
Fix Text
Configure the macOS system with recovery lock using the SetRecoveryLock command. This command sets a Recovery Lock password and must be issued from the MDM.
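The following script is an added example, not part of the STIG or of Apple's tooling. It wraps the check above so it can be run in an audit script: an applicability function keyed on the architecture reported by uname -m (arm64 on Apple Silicon, x86_64 on Intel), and an evaluator that applies the STIG's grep -c "IsRecoveryLockEnabled = 1" test to whatever text it receives on stdin. The sample QuerySecurityInfo outputs are constructed for illustration; on a real Apple Silicon Mac, pipe the actual /usr/libexec/mdmclient QuerySecurityInfo output into the evaluator instead.

```shell
#!/bin/sh
# Added example for APPL-14-005120 (not from the STIG or from Apple).
# Decides applicability from the machine architecture and evaluates the
# recovery lock check against mdmclient QuerySecurityInfo output.

# Prints "applicable" for Apple Silicon (arm64) and "not applicable" for any
# other architecture string, mirroring the STIG's Intel exclusion.
stig_applicable() {
    if [ "$1" = "arm64" ]; then
        echo "applicable"
    else
        echo "not applicable"
    fi
}

# Reads QuerySecurityInfo output on stdin and prints "pass" or "finding".
# The STIG test is: exactly one line matching "IsRecoveryLockEnabled = 1".
# "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
evaluate_recovery_lock() {
    count=$(grep -c "IsRecoveryLockEnabled = 1" || true)
    if [ "$count" = "1" ]; then
        echo "pass"
    else
        echo "finding"
    fi
}

# Constructed sample outputs (not captured from a real device); only the
# IsRecoveryLockEnabled line is taken from the STIG's own grep pattern.
SAMPLE_ENABLED='IsRecoveryLockEnabled = 1
SampleOtherKey = 1'
SAMPLE_DISABLED='IsRecoveryLockEnabled = 0
SampleOtherKey = 1'

# Demonstration against the constructed samples.
echo "arm64:  $(stig_applicable arm64)"
echo "x86_64: $(stig_applicable x86_64)"
echo "enabled sample:  $(printf '%s\n' "$SAMPLE_ENABLED" | evaluate_recovery_lock)"
echo "disabled sample: $(printf '%s\n' "$SAMPLE_DISABLED" | evaluate_recovery_lock)"

# Live use on an Apple Silicon Mac (hypothetical invocation, shown as a comment):
#   if [ "$(stig_applicable "$(uname -m)")" = "applicable" ]; then
#       /usr/libexec/mdmclient QuerySecurityInfo | evaluate_recovery_lock
#   fi
```

The evaluator deliberately reproduces the STIG's count-of-one test rather than a looser "any match" check, so its verdict stays identical to the manual procedure an assessor would follow.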
Additional Identifiers
Rule ID: SV-259575r941347_rule
Vulnerability ID: V-259575
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings