An error occurred:

Check: APPL-15-005090

Apple macOS 15 (Sequoia) STIG: APPL-15-005090 (in versions v1 r4 through v1 r1)

Title

The macOS system must authorize USB devices before allowing connection. (Cat II impact)

Discussion

USB devices connected to a Mac must be authorized. [IMPORTANT] ==== This feature is removed if a smart card is paired or smart card attribute mapping is configured. ==== Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Satisfies: SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140

Check Content

Verify the macOS system is configured to authorize USB devices before allowing connection with the following command: /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowUSBRestrictedMode')) if ( pref1 == false ) { return("false") } else { return("true") } } EOS If the result is not "true", this is a finding.

Fix Text

Configure the macOS system to authorize USB devices before allowing connection by installing the "com.apple.applicationaccess" configuration profile.

Additional Identifiers

Rule ID: SV-268567r1034641_rule

Vulnerability ID: V-268567

Group Title: SRG-OS-000378-GPOS-00163

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001958

Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
CCI-003959

Prohibit the use or connection of unauthorized hardware components.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-7(9)

Prohibiting The Use of Unauthorized Hardware
IA-3

Device Identification and Authentication