Details
The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage.
Apple’s iCloud service does not provide an organization with enough control over the storage and access of data; therefore, automated document synchronization _MUST_ be controlled by an organization-approved service.
Solution
This is implemented by a Configuration Profile.
mobileconfig profile info:
com.apple.applicationaccess:
  allowCloudDocumentSync: False
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following categories of controls within NIST 800-53: Access Control, Configuration Management, System and Communications Protection. This control applies to the following type of system: Unix.
References
- 800-53|AC-20
- 800-53|AC-20(1)
- 800-53|CM-7
- 800-53|CM-7(1)
- 800-53|CM-7(5)(b)
- 800-53|CM-7a.
- 800-53|SC-7(10)
- CCE|CCE-85286-3
- CCI|CCI-000381
- CCI|CCI-001774
- STIG-ID|APPL-11-002041