2.6.1.4 Ensure iCloud Drive Document and Desktop Sync is Disabled - Desktop

Information

With macOS 10.12 Apple introduced the capability to have a user's Desktop and Documents folders automatically synchronize to the user's iCloud Drive, provided they have enough room purchased through Apple on their iCloud drive. This capability mirrors what Microsoft is doing with the use of OneDrive and Office 365. There are concerns with using this capability.

The storage space that Apple provides for free is used by users with iCloud mail, all of a user's Photo Library created with the ever larger Multi-Pixel iPhone cameras and all of the iOS Backups. Adding a synchronization capability for users who have files going back a decade or more and storage may be tight without much larger Apple charges than the free 5GB. Users with multiple computers running 10.12 and above with unique content on each will have issues as well.

Enterprise users may not be allowed to store Enterprise information in a third-party public cloud. In previous implementations iCloud Drive or even DropBox the user selected what files were synchronized even if there were no other controls. The new feature synchronizes all files in a folder widely used to put working files.

The automatic synchronization of all files in a user's Desktop and Documents folders should be disabled.

https://derflounder.wordpress.com/2016/09/23/icloud-desktop-and-documents-in-macos-sierra-the-good-the-bad-and-the-ugly/

Rationale:

Automated Document synchronization should be planned and controlled to approved storage.

Impact:

Users will not be able to use iCloud for the automatic sync of the Desktop and Documents folders.

Solution

Perform the following to disable iCloud Desktop and Document syncing:
Graphical Method:

Open System Preferences

Select Apple ID

Select iCloud

Select iCloud Drive

Select Options next to iCloud Drive

Uncheck Desktop & Documents Folders

Profile Method:

Create or edit a configuration profile with the PayLoadType of com.apple.applicationaccess

Add the key allowCloudDesktopAndDocuments

Set the key to </false>

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|AC-20(1), 800-53|AC-20(2), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: 39e240d47f855fdd99d519f1b6cc0551ccbda8c6106face75d80b7c7038c7b24