Information
The iCloud keychain is Apple's password manager that works with macOS and iOS. The capability allows users to store passwords in either iOS or macOS for use in Safari on both platforms and other iOS-integrated applications. The most pervasive use is driven by iOS use rather than macOS. The passwords stored in a macOS keychain on an Enterprise-managed computer could be stored in Apple's cloud and then be available on a personal computer using the same account. The stored passwords could be for organizational as well as for personal accounts.
If passwords are no longer being used as organizational tokens they are not in scope for iCloud keychain storage.
Rationale:
Ensure that the iCloud keychain is used consistently with organizational requirements.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Perform the following to set iCloud keychain sync based on your organization's requirements:
Graphical Method:
Open System Preferences
Select iCloud
Uncheck (or check) Keychain to meet your organization's requirements
Profile Method:
Create or edit a configuration profile with the PayLoadType of com.apple.applicationaccess
Add the key allowCloudKeychainSync
Set the key to your organization's requirements
Note: iCloud Keychain and iCloud Drive must be set in a single configuration profile.
Item Details
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AC-20(1), 800-53|AC-20(2), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2
Control ID: 1ada34529737be965cad7b354fdf47b379998a5259518857c396ea23f9083fe8