2.10 Audit Siri Settings

Information

With macOS 10.12 Sierra, Apple brought Siri from iOS to macOS. While there are data spillage concerns with the use of data-gathering personal assistant software, the risk in sending queries to Apple through Siri does not seem greater than in sending search terms in a browser to Google or Microsoft. While it is possible that Siri will be used for local actions rather than Internet searches, Siri could, in theory, tell Apple about confidential Programs and Projects that should not be revealed. This appears to be a usage edge case.

In cases where sensitive or protected data is processed and Siri could expose that information through assisting a user in navigating their machine, it should be disabled. Siri needs to phone home to Apple as part of its requirements, so it should not be available from air-gapped networks.

Most of the use case data published has shown that Siri is a tremendous time saver on iOS where multiple screens and menus need to be navigated through. Information like sports scores, weather, movie times, and simple to-do items on existing calendars can be easily found with Siri. None of the standard use cases should be more risky than already approved activity.

For more information, see Apple's privacy policy for Siri.

Rationale:

Where 'normal' user activity is already limited, Siri use should be controlled as well.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to set Siri to your organization's parameters:

1. Open System Preferences

2. Select Siri

3. Select the settings that are within your organization's requirements

4. Select Show All

5. Select Accessibility

6. Select Siri

7. Select Enable Type to Siri to your organization's requirements

Terminal Method:
Run the following commands to enable or disable Siri settings:

$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool <true/false>

$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool <true/false>

$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool <true/false>

$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool <true/false>

$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool <true/false>

After running the defaults write commands, the WindowServer needs to be restarted and the caches cleared. Run the following commands to perform that action:

$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd

$ /usr/bin/sudo /usr/bin/killall SystemUIServer

Example:

$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool true

$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool true

$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false

$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd

$ /usr/bin/sudo /usr/bin/killall SystemUIServer

$ /usr/bin/sudo -u seconduser /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool false

$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd

$ /usr/bin/sudo /usr/bin/killall SystemUIServer

$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false

$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false

$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd

$ /usr/bin/sudo /usr/bin/killall SystemUIServer
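
The commands above only write the settings. To audit them, the same five keys can be read back per user and compared with policy. The script below is an added example, not part of the benchmark: the policy values are constructed, the function names are hypothetical, and a key that has never been written is reported as a failure.

```shell
#!/bin/sh
# Added example: audit one user's Siri preferences against an organization policy.
# POLICY is a constructed sample (domain|key|required value: 1=true, 0=false).
POLICY="com.apple.assistant.support.plist|Assistant Enabled|0
com.apple.Siri.plist|LockscreenEnabled|0
com.apple.Siri.plist|StatusMenuVisible|0
com.apple.Siri.plist|TypeToSiriEnabled|0
com.apple.Siri.plist|VoiceTriggerUserEnabled|0"

# Print the stored value for USER DOMAIN KEY, or "unset" if the key is absent.
read_pref() {
    /usr/bin/sudo -u "$1" /usr/bin/defaults read "$2" "$3" 2>/dev/null </dev/null \
        || echo unset
}

# Normalize the spellings a boolean preference may be printed with.
normalize() {
    case "$1" in
        1|true|TRUE|YES) echo 1 ;;
        0|false|FALSE|NO) echo 0 ;;
        *) echo unset ;;
    esac
}

# audit_siri USER: prints one PASS/FAIL line per key; returns 1 if any key fails.
# An unset key fails, because its effective value is not recorded anywhere.
audit_siri() {
    user=$1
    failed=0
    while IFS='|' read -r domain key want; do
        have=$(normalize "$(read_pref "$user" "$domain" "$key")")
        if [ "$have" = "$want" ]; then
            echo "PASS $user $key=$have"
        else
            echo "FAIL $user $key=$have (required $want)"
            failed=1
        fi
    done <<EOF
$POLICY
EOF
    return $failed
}

# Run only when a username is supplied, e.g.: sh audit_siri.sh firstuser
if [ "$#" -gt 0 ]; then
    audit_siri "$1"
fi
```

The non-zero exit status on any FAIL line lets the script gate a compliance job; run it once per local user account.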

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is allowAssistant

Set the key to <true/> or <false/> based on your organization's requirements

Note: Siri can only be enabled or disabled through configuration profiles. Any additional settings need to be set through either System Settings or Terminal.

See Also

https://workbench.cisecurity.org/files/4176