2.6.2 Audit App Store Password Settings

Information

With OS X 10.11, Apple added settings for password storage for the App Store in macOS. These settings parallel the settings in iOS. As with iOS, the choices are to require a password after every purchase or to allow a 15-minute grace period, and whether to require a password for free purchases. The response to this setting is stored in a cookie and processed by iCloud.

There is plenty of risk information on the wisdom of this setting for parents with children buying games on iPhones and iPads. The most relevant consideration here is the likelihood that users who are not authorized to download software may have physical access to an unlocked computer where someone who is authorized recently made a purchase. If that is a concern, a password should be required at all times for App Store access in the Password Settings controls.

Rationale:

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to set App Store Passwords to your organization's requirements:
Graphical Method:

Open System Preferences

Select Apple ID

Select Media & Purchases

Select the setting for Free Downloads that is within your organization's requirements

Select the setting for Purchases and In-App Purchases that is within your organization's requirements

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: 2ee2661b87394be0a8f6067d3046ee3a28480a7b3a1369f873f591cd85be4e52