The Addigy Compliance Benchmarks follow the macOS Security Compliance Project open source effort to provide a programmatic approach to generating security guidance. Apple acknowledges the macOS Security Compliance Project with information on its Platform Certifications page.
Because the benchmarks are worded differently across publications, it is not always immediately obvious what a particular benchmark will do. Below is a list of the rules used in the CIS - Level 1 - Enterprise (iOS 17) compliance benchmarks, matched to the equivalent Apple Setting. The first set of rules is Apple MDM Restrictions; the last few are Passcode MDM Payloads.
Knowing if device supervision is required to enforce a compliance benchmark is also important.
✪ = Will require Supervision in a future release
✪ = Device must be Supervised
MDM Restrictions
Visit MDM restrictions for iPhone and iPad devices for the complete list of Apple MDM Restrictions, including the minimum supported operating systems.
| CIS Benchmark | Apple Setting | Supervised | Restriction functionality |
|---|---|---|---|
| 1. Ensure iCloud Backup is set to Disabled | iCloud Backup | ✪ This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Device backup is performed only in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier). |
| 2. Disable iCloud Keychain Sync | iCloud Keychain | ✪ This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | iCloud Keychain can’t be used. |
| 3. Ensure Managed Apps Storing Data in iCloud is Set to Disabled | Managed App’s stored data in iCloud | No | Users can’t store data from Managed Apps in iCloud. |
| 4. Ensure Allow iCloud Documents and Data is set to Disabled | iCloud Documents and Data | ✪ Yes (iOS 13 or later); ✪ Yes (iPadOS 13.1 or later) | Documents and data aren’t added to iCloud. |
| 5. Ensure Treat AirDrop as unmanaged destination is set to Enabled | Treat AirDrop as unmanaged destination | No | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s enabled, you must also disable “Allow documents from managed sources in unmanaged destinations.” Default is off. |
| 6. Ensure Allow documents from managed sources in unmanaged destinations is set to Disabled | Documents from managed sources appear in unmanaged destinations | No | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations. |
| 7. Ensure Allow documents from unmanaged sources in managed destinations is set to Disabled | Documents from unmanaged sources appear in managed destinations | No | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations. |
| 8. Ensure Force Apple Watch wrist detection is set to Enabled | Force Apple Watch wrist detection | No | Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or the paired iPhone. Default is off. |
| 9. Ensure Require Touch ID / Face ID authentication before AutoFill is set to Enabled | Require Face ID or Touch ID authentication for AutoFill | ✪ Yes | Users are required to authenticate with Face ID, Touch ID, or passcode to automatically fill password and credit card information. Default is off. |
| 10. Disable Sending Diagnostic and Usage Data to Apple | Send diagnostic and usage data to Apple | No | Users can’t choose to send diagnostic information to Apple. |
| 11. Ensure Allow Erase All Content and Settings is set to Disabled | Erase All Content and Settings | ✪ Yes | Users can’t erase their device and reset it to factory defaults. |
| 12. Ensure Force automatic date and time is set to Enabled | “Set Automatically” in Date and Time settings | ✪ Yes | Set Automatically is turned on, and users can’t turn it off. Default is off. |
| 13. Ensure Force Encrypted Backups is Enabled | Force encrypted backups | No | Users can’t choose whether device backups performed in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by the Finder or iTunes. Default is off. |
| 14. Ensure Allow Installing Configuration Profiles is Set to Disabled | Allow a configuration profile to be installed | ✪ Yes | Users can’t manually install configuration profiles in Settings. |
| 15. Ensure Allow adding VPN configurations is set to Disabled | Add VPN configurations | ✪ Yes | Users and third-party apps can’t create and add VPN configurations. |
| 16. Ensure Allow setting up new nearby devices is set to Disabled | Set up a nearby Apple device | ✪ Yes | Users can’t use their Apple devices to set up and configure other Apple devices. |
| 17. Disable Proximity Based Password Sharing Requests | Proximity AutoFill | ✪ Yes | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. In iOS, iPadOS, and macOS this feature restricts only Wi-Fi Password requests. |
| 18. Disable Personalized Advertising | Allow personalized ads delivered by Apple | No | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads. |
| 19. Ensure Accept cookies is set to From websites I visit or From current website only | Block cookies | No | The cookie policy is set in Safari. For more information, see Manage Safari cookies. |
| 20. Ensure Force Fraud Warning is set to Enabled | Force fraud warning | No | Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised. Default is off. |
| 21. Ensure Show Control Center in Lock screen is set to Disabled | Control Center in Lock Screen | No | Users can’t swipe up to view Control Center. |
| 22. Ensure Show Notification Center in Lock screen is set to Disabled | Notification Center in Lock Screen | No | Users can’t view the Notification history when the screen is locked; however, they can still view a Notification when it appears. |
| 23. Ensure Allow Siri while device is locked is set to Disabled | Siri while device locked | No | Siri responds only when the device is unlocked. |
| 24. Ensure Allow USB accessories while the device is locked is set to Disabled | Allow accessory connections | ✪ Yes | The device can always connect to specific accessories while locked. |
| 25. Ensure Allow voice dialing while device is locked is set to Disabled | allowVoiceDialing | | If false, the system disables voice dialing if the device is locked with a passcode. Available in iOS 4 and later. Default: true |
Passcode MDM Payloads
The last five benchmarks are passcode payloads. Visit Passcode MDM payload settings for Apple devices for more information and the complete list of passcode payload settings.
| CIS Benchmark | Apple Setting | Supervised | Description |
|---|---|---|---|
| 26. Limit Consecutive Failed Login Attempts to 6 | Maximum number of failed attempts | No | Forces a device to be erased after a specified number of incorrect attempts. If you don’t change this setting, after six failed attempts, the device imposes a time delay before a passcode or password can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS or iPadOS device. After the final attempt on a Mac computer, the user account gets disabled. The passcode or password time delay begins after the sixth attempt, so if you set this value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded. |
| 27. Ensure Maximum grace period for device lock is set to Immediately | Maximum grace period for device lock | No | Specifies how soon a device can be unlocked again after use, without prompting again for the passcode or password. An iPhone and iPad can be adjusted for a more frequent rate. The options are immediately, 1, 5, 10, 15 minutes, or 1, 4, or 8 hours. |
| 28. Ensure Maximum Auto-Lock is set to 2 minutes or less | Maximum Auto-Lock (in minutes) | No | If the device isn’t used for the period of time you specify, it automatically locks. It can be set to “never” on devices using Automated Device Enrollment or Device Enrollment or can be set to lock after 1 to 5 minutes. Enter the passcode or password to unlock the device. iPhone and iPad devices enrolled with User Enrollment honor this key, but the user is unable to choose “never.” |
| 29. Require a Minimum Passcode Length of 6 Characters | Minimum length | No | Specifies the minimum number of characters a passcode or password can contain. |
| 30. Prohibit Repeating, Ascending, and Descending Character Sequences | Allow simple value | No | Permits users to use sequential or repeated characters in their passcodes or passwords, for example “3333” or “DEFG.” |
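As an added example that is not part of the Addigy page or the macOS Security Compliance Project, the following Python script checks a `.mobileconfig` profile against a subset of the rules from both tables above (restrictions and passcode payload) and reports each as pass, fail or missing. The payload type identifiers and key names other than `allowVoiceDialing` are assumed from Apple's Restrictions and Passcode payload documentation rather than taken from this page, and the sample profile is constructed.

```python
import plistlib

# Rule table: (PayloadType, key, predicate, CIS benchmark). Key names are Apple's
# Restrictions / Passcode payload keys assumed from Apple's documentation (only
# allowVoiceDialing is named on this page); a subset of the 30 benchmarks above.
RESTR = "com.apple.applicationaccess"
PASSC = "com.apple.mobiledevice.passwordpolicy"
RULES = [
    (RESTR, "allowCloudBackup", lambda v: v is False, "1. iCloud Backup disabled"),
    (RESTR, "forceEncryptedBackup", lambda v: v is True, "13. Force Encrypted Backups"),
    (RESTR, "allowAssistantWhileLocked", lambda v: v is False, "23. Siri while locked disabled"),
    (RESTR, "allowVoiceDialing", lambda v: v is False, "25. Voice dialing while locked disabled"),
    (PASSC, "maxFailedAttempts", lambda v: 0 < v <= 6, "26. Failed attempts limited to 6"),
    (PASSC, "maxGracePeriod", lambda v: v == 0, "27. Grace period Immediately"),
    (PASSC, "maxInactivity", lambda v: 0 < v <= 2, "28. Auto-Lock 2 minutes or less"),
    (PASSC, "minLength", lambda v: v >= 6, "29. Minimum passcode length 6"),
    (PASSC, "allowSimple", lambda v: v is False, "30. Simple sequences prohibited"),
]

def check_profile(profile_bytes):
    """Map each rule to 'pass', 'fail' or 'missing' (key absent, so Apple's default applies)."""
    values = {}  # {(PayloadType, key): value} across every payload in the profile
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        for key, val in payload.items():
            values[(payload.get("PayloadType"), key)] = val
    report = {}
    for ptype, key, ok, label in RULES:
        if (ptype, key) not in values:
            report[label] = "missing"
        else:
            report[label] = "pass" if ok(values[(ptype, key)]) else "fail"
    return report

# Constructed sample .mobileconfig (plist bytes; identifiers are placeholders): Siri
# while locked is left allowed, Auto-Lock is 5 minutes and maxGracePeriod is absent.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": "example.cis",
    "PayloadContent": [
        {"PayloadType": RESTR, "PayloadVersion": 1, "PayloadIdentifier": "example.cis.restr",
         "allowCloudBackup": False, "forceEncryptedBackup": True,
         "allowAssistantWhileLocked": True, "allowVoiceDialing": False},
        {"PayloadType": PASSC, "PayloadVersion": 1, "PayloadIdentifier": "example.cis.pass",
         "maxFailedAttempts": 6, "maxInactivity": 5, "minLength": 6, "allowSimple": False},
    ],
})

if __name__ == "__main__":
    for label, result in check_profile(SAMPLE_PROFILE).items():
        print(f"{result:8}{label}")
```

A "missing" result is worth treating like a failure when auditing: the profile never sets the key, so the device keeps Apple's default rather than the benchmark value.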