2.11 Audit Sidecar Settings

Information

Apple introduced a technology called Sidecar with the release of macOS 10.15 'Catalina' that allows the use of an Apple iPad as an additional screen. There are no known security issues with the use of Sidecar at the time of the publication of this Benchmark. There are security concerns, however, with some of the underlying technology that allows this feature to work. The additional requirements from the Apple support article linked below are reproduced here. While Sidecar may not have an explicit security concern, some organizations may have requirements that block the use of the features required to allow Sidecar to work.

https://support.apple.com/en-afri/HT210380

Additional requirements

Both devices must be signed in to iCloud with the same Apple ID using two-factor authentication.

To use Sidecar wirelessly, both devices must be within 10 meters (30 feet) of each other and have Bluetooth, Wi-Fi, and Handoff turned on. Also make sure that the iPad is not sharing its cellular connection and the Mac is not sharing its Internet connection.

To use Sidecar over USB, make sure that your iPad is set to trust your Mac.

Organizations that do not allow the use of iCloud and more specifically Handoff will not be able to use Sidecar.

Some organizations may not allow mixed ownership for P2P wireless or USB connections, so unless the organization controls both the Mac and the iPad, connections may not be approved. The use of a single Apple ID for distinctly managed devices may also be prohibited.

Rationale:

Organizations need to understand how organizational and personal inventory are integrated in the work environment.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following to set Sidecar to your organization's parameters:
Graphical Method:

Open System Preferences

Select Sidecar

Select the settings that are within your organization's parameters

Terminal Method:
Run the following to enable or disable Sidecar settings:

$ sudo /usr/bin/defaults write com.apple.sidecar.display AllowAllDevices -bool <true/false>

$ sudo /usr/bin/defaults write com.apple.sidecar.display hasShownPref -bool <true/false>

Profile Method:

Create or edit a configuration profile with the key of com.apple.sidecar.display under PayloadContent

Add the following set of keys with the Forced key:

<dict>
    <key>Forced</key>
    <array>
        <dict>
            <key>mcx_preference_settings</key>
            <dict>
                <key>AllowAllDevices</key>
                <<true/false>/>
                <key>hasShownPref</key>
                <<true/false>/>
            </dict>
        </dict>
    </array>
</dict>

Note: Settings applied with the Terminal and Profile Methods will not be displayed in System Preferences, but will disable the underlying service.
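
To audit the result, the two keys set by the Terminal Method can be read back and compared with the values your organization requires. The script below is an added example, not part of the Benchmark or of Nessus; the function names and the file name audit_sidecar.sh are hypothetical. It assumes it is run with the same privileges as the Terminal Method (sudo) so that it reads the same preference domain.

```sh
#!/bin/sh
# Added example (not from the Benchmark): audit the keys set by the Terminal Method.
DOMAIN="com.apple.sidecar.display"

# Print one key's stored value, or "unset" if the key or /usr/bin/defaults is missing.
read_pref() {
    if [ -x /usr/bin/defaults ]; then
        /usr/bin/defaults read "$DOMAIN" "$1" 2>/dev/null || echo "unset"
    else
        echo "unset"
    fi
}

# defaults prints booleans as 1 or 0; map every accepted spelling to true/false.
normalize_bool() {
    case "$1" in
        1|true|TRUE|yes|YES) echo "true" ;;
        0|false|FALSE|no|NO) echo "false" ;;
        unset) echo "unset" ;;
        *) echo "invalid" ;;
    esac
}

# check_pref KEY EXPECTED ACTUAL: print a result line, return 0 only on a match.
check_pref() {
    key=$1
    expected=$(normalize_bool "$2")
    actual=$(normalize_bool "$3")
    case "$expected" in
        true|false) ;;
        *) echo "ERROR $key: expected value must be true or false"; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "PASS $key=$actual"
        return 0
    fi
    echo "FAIL $key=$actual (expected $expected)"
    return 1
}

# audit_sidecar ALLOW_ALL_DEVICES HAS_SHOWN_PREF: check both keys, report all results.
audit_sidecar() {
    rc=0
    check_pref AllowAllDevices "$1" "$(read_pref AllowAllDevices)" || rc=1
    check_pref hasShownPref "$2" "$(read_pref hasShownPref)" || rc=1
    return "$rc"
}
# Runs only when two expected values are given, e.g.: sudo sh audit_sidecar.sh false false
if [ "$#" -eq 2 ]; then audit_sidecar "$1" "$2"; fi
```

A key that was never written is reported as unset and fails the check, which distinguishes an unmanaged Mac from one that is explicitly configured.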

See Also

https://workbench.cisecurity.org/files/4000