1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days

Information

Apple provides the capability to manage software updates on Apple devices through mobile device management. Part of those capabilities permit organizations to defer software updates and allow for testing. Many organizations have specialized software and configurations that may be negatively impacted by Apple updates. If software updates are deferred, they should not be deferred for more than 30 days. This control only verifies that deferred software updates are not deferred for more than 30 days.

Manage software updates for Apple devices

Rationale:

Apple software updates almost always include security updates. Attackers evaluate updates to create exploit code in order to attack unpatched systems. The longer a system remains unpatched, the greater an exploit possibility exists in which there are publicly reported vulnerabilities.

Impact:

Some organizations may need more than 30 days to evaluate the impact of software updates.

Solution

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is enforcedSoftwareUpdateDelay

The key must be set to <integer><1-30></integer>

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 0c61b49adc396727f626776c84408633a0b29ecff988b13ff4d27c2ab6648d93