| 1.1 Verify all Apple-provided software is current | SYSTEM AND INFORMATION INTEGRITY |
| 1.2 Enable Auto Update | SYSTEM AND INFORMATION INTEGRITY |
| 1.3 Enable Download new updates when available | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Enable app update installs | SYSTEM AND INFORMATION INTEGRITY |
| 1.5 Enable system data files and security updates install - 'ConfigDataInstall' | SYSTEM AND INFORMATION INTEGRITY |
| 1.5 Enable system data files and security updates install - 'CriticalUpdateInstall' | SYSTEM AND INFORMATION INTEGRITY |
| 1.6 Enable macOS update installs | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.1 Turn off Bluetooth, if no paired devices exist | CONFIGURATION MANAGEMENT |
| 2.1.2 Show Bluetooth status in menu bar | CONFIGURATION MANAGEMENT |
| 2.2.1 Enable 'Set time and date automatically' - Set time and date automatically | AUDIT AND ACCOUNTABILITY |
| 2.2.2 Ensure time set is within appropriate limits | CONFIGURATION MANAGEMENT |
| 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver | ACCESS CONTROL |
| 2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver | ACCESS CONTROL |
| 2.4.1 Disable Remote Apple Events | CONFIGURATION MANAGEMENT |
| 2.4.2 Disable Internet Sharing | CONFIGURATION MANAGEMENT |
| 2.4.3 Disable Screen Sharing | CONFIGURATION MANAGEMENT |
| 2.4.4 Disable Printer Sharing | CONFIGURATION MANAGEMENT |
| 2.4.5 Disable Remote Login | ACCESS CONTROL |
| 2.4.6 Disable DVD or CD Sharing | CONFIGURATION MANAGEMENT |
| 2.4.7 Disable Bluetooth Sharing | CONFIGURATION MANAGEMENT |
| 2.4.8 Disable File Sharing - AppleFileServer | CONFIGURATION MANAGEMENT |
| 2.4.8 Disable File Sharing - SMB | CONFIGURATION MANAGEMENT |
| 2.4.9 Disable Remote Management | CONFIGURATION MANAGEMENT |
| 2.5.1.1 Enable FileVault | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.1.2 Ensure all user storage APFS volumes are encrypted | CONFIGURATION MANAGEMENT |
| 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted | CONFIGURATION MANAGEMENT |
| 2.5.2.1 Enable Gatekeeper | |
| 2.5.2.2 Enable Firewall | |
| 2.5.2.3 Enable Firewall Stealth Mode | |
| 2.5.6 Limit Ad tracking and personalized Ads | |
| 2.7.2 Time Machine Volumes Are Encrypted | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Disable Wake for network access | ACCESS CONTROL |
| 2.9 Disable Power Nap | ACCESS CONTROL |
| 2.10 Enable Secure Keyboard Entry in terminal.app | CONFIGURATION MANAGEMENT |
| 2.11 Ensure EFI version is valid and being regularly checked - daemon | |
| 2.11 Ensure EFI version is valid and being regularly checked - integrity-check | |
| 2.12 Automatic Actions for Optical Media | |
| 2.13 Review Siri Settings | |
| 3.1 Enable security auditing | AUDIT AND ACCOUNTABILITY |
| 3.3 Retain install.log for 365 or more days with no maximum size - all_max | AUDIT AND ACCOUNTABILITY |
| 3.3 Retain install.log for 365 or more days with no maximum size - ttl | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure security auditing retention | AUDIT AND ACCOUNTABILITY |
| 3.5 Control access to audit records - /etc/security/audit_control | CONFIGURATION MANAGEMENT |
| 3.5 Control access to audit records - /var/audit | AUDIT AND ACCOUNTABILITY |
| 3.6 Ensure Firewall is configured to log | AUDIT AND ACCOUNTABILITY |
| 4.2 Enable 'Show Wi-Fi status in menu bar' - Show Wi-Fi status in menu bar | CONFIGURATION MANAGEMENT |
| 4.4 Ensure http server is not running | CONFIGURATION MANAGEMENT |
| 4.5 Ensure nfs server is not running | CONFIGURATION MANAGEMENT |
| 5.1.1 Secure Home Folders | CONFIGURATION MANAGEMENT |
| 5.1.2 Check System Wide Applications for appropriate permissions | ACCESS CONTROL |
