This release focuses primarily on revisions to granular privacy, credential, and device management controls across macOS Tahoe (26) and macOS Sequoia (15).
Note: These changes only apply to the default Benchmarks and cloned Benchmarks that have these existing rules. If the rules are not in your Benchmarks, you will need to add them. These rules can cause a change in end-user experience and we encourage reviewing the configuration changes prior to roll-out.
| OS Type | Rule Name | Description of Rule |
|---|---|---|
| Sequoia (macOS 15) | | Ensures the Mac is running the current version of macOS with all available security updates installed to patch known vulnerabilities |
| Sequoia (macOS 15) | | Configures proper sleep and display sleep settings for Apple Silicon Macs to balance security (device locks when asleep) with power management |
| Sequoia (macOS 15) | | Configures SSH daemon to use only FIPS 140-validated cryptographic algorithms, limiting ciphers, key exchange algorithms, and MACs to federally approved standards |
| Tahoe (macOS 26) | | Ensures the Mac is running the current version of macOS with all available security updates installed to patch known vulnerabilities |
| Tahoe (macOS 26) | | Requires password authentication when waking from screensaver to prevent unauthorized access to unattended systems |
| Tahoe (macOS 26) | | Configures proper sleep and display sleep settings for Apple Silicon Macs to balance security (device locks when asleep) with power management |
| Tahoe (macOS 26) | | Configures SSH daemon to use only FIPS 140-validated cryptographic algorithms, limiting ciphers, key exchange algorithms, and MACs to federally approved standards |
| Tahoe (macOS 26) | | Sets timeout period for sudo credential caching to reduce the window of opportunity for privilege escalation attacks |
| Tahoe (macOS 26) | | Verifies the Mac is running a supported macOS version that still receives security updates from Apple |