Detections
Analytics
2.10 Audit Siri Settings
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
With macOS 10.12 Sierra, Apple has introduced Siri from iOS to macOS. While there are data spillage concerns with the use of data-gathering personal assistant software, the risk here does not seem greater in sending queries to Apple through Siri than in sending search terms in a browser to Google or Microsoft. While it is possible that Siri will be used for local actions rather than Internet searches, Siri could, in theory, tell Apple about confidential Programs and Projects that should not be revealed. This appears be a usage edge case.In cases where sensitive or protected data is processed and Siri could expose that information through assisting a user in navigating their machine, it should be disabled. Siri does need to phone home to Apple, so it should not be available from air-gapped networks as part of its requirements.
Most of the use case data published has shown that Siri is a tremendous time saver on iOS where multiple screens and menus need to be navigated through. Information like sports scores, weather, movie times, and simple to-do items on existing calendars can be easily found with Siri. None of the standard use cases should be more risky than already approved activity.
For information on Apple's privacy policy for Siri, click here.
Rationale:
Where 'normal' user activity is already limited, Siri use should be controlled as well.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Graphical Method:Perform the following steps to set Siri to your organization's parameters:
Open System Preferences
Select Siri
Select the settings that are within your organization's requirements
Select Show All
Select Accessibility
Select Siri
7 Select Enable Type to Siri to your organization's requirements
Terminal Method:
Run the following commands to enable or disable Siri settings:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool <true/false>
After running the default writes, the WindowServer needs to be restarted and the caches cleared. Run the following commands to perform that action:
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool false
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowAssistant
Set the key to <true/> or <false/> based on your organization's requirements
Note: Siri can only be enabled or disabled through configuration profiles. Any additional settings need to be set through either System Settings or Terminal.
See Also
Item Details
Audit Name: CIS Apple macOS 11.0 Big Sur v3.0.0 L1
References: CSCv7|5.1, CSCv7|9.2
Plugin: Unix
Control ID: e9d744402e27bb4393dd38d002f3f6c89d57a5972a552feae10d40bed3d23399