Information
Starting with macOS 10.15, Apple has provided a control which permits a user to share Apple-downloaded content on all Apple devices that are signed in with the same Apple ID. This allows users to share downloaded movies, music, or TV shows with other controlled macOS, iOS and iPadOS devices, as well as photos with Apple TVs.
With this capability, guest users can also use media downloaded on the computer.
The recommended best practice is not to use the computer as a server. If content stored with Apple is used on multiple devices, download and use it from Apple's cloud storage instead.
https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac
Rationale:
Disabling Media Sharing reduces the remote attack surface of the system.
Impact:
Media Sharing makes content already downloaded on a Mac available to other Apple devices on the same network. Leaving it disabled forces device users to stream or download content from each Apple authorized device. This sharing could even give unauthorized devices on the same network access to media.
Solution
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.preferences.sharing.SharingPrefsExtension
The key to include is homeSharingUIStatus
The key must be set to <integer>0</integer>
The key to also include is legacySharingUIStatus
The key must be set to <integer>0</integer>
The key to also include is mediaSharingUIStatus
The key must be set to <integer>0</integer>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
To verify individual users:
Audit:
Graphical Method:
Perform the following steps to ensure that Media Sharing is not enabled:
Open System Preferences
Select Sharing
Verify that Media Sharing is not enabled
or
Open System Preferences
Select Profiles
Verify that an installed profile has homeSharingUIStatus set to 0
Verify that an installed profile has legacySharingUIStatus set to 0
Verify that an installed profile has mediaSharingUIStatus set to 0
Terminal Method:
Run the following command to verify that Media Sharing is not enabled:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.amp.mediasharingd home-sharing-enabled
0
example:
$ /usr/bin/sudo -u test /usr/bin/defaults read com.apple.amp.mediasharingd home-sharing-enabled
0
$ /usr/bin/sudo -u test2 /usr/bin/defaults read com.apple.amp.mediasharingd home-sharing-enabled
1
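The per-user check above has to be repeated for every account, and `defaults read` returns an error when the key has never been written. The script below is an added example, not part of the benchmark text: it runs the same command for each local user and reports three states. The UID >= 500 filter, the function names and the `--audit` switch are assumptions of this example, and the page does not say how an unset key should be scored, so it is reported separately rather than passed or failed.

```shell
#!/bin/sh
# Added example: audit home-sharing-enabled for every local user.
DOMAIN="com.apple.amp.mediasharingd"
KEY="home-sharing-enabled"

# Same command as the Terminal Method audit. Prints the value,
# or nothing when the key is not set for that user.
read_setting() {
    /usr/bin/sudo -u "$1" /usr/bin/defaults read "$DOMAIN" "$KEY" 2>/dev/null || true
}

# Assumption: local accounts with UID >= 500 are the interactive users.
list_users() {
    /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 500 {print $1}'
}

# Map the raw value to a finding.
classify() {
    case "$1" in
        0)  echo "disabled" ;;
        "") echo "not-set" ;;   # key absent: scoring is not defined on this page
        *)  echo "ENABLED" ;;
    esac
}

# Print "user<TAB>state" per user; return 1 if any user has sharing enabled.
audit_users() {
    rc=0
    for u in "$@"; do
        state=$(classify "$(read_setting "$u")")
        printf '%s\t%s\n' "$u" "$state"
        if [ "$state" = "ENABLED" ]; then rc=1; fi
    done
    return $rc
}

# Run as root on the Mac being audited: sh audit_media_sharing.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_users $(list_users)
fi
```

Each user reported as ENABLED is a candidate for the remediation command in the next section.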
Remediation:
Graphical Method:
Perform the following steps to disable Media Sharing:
Open System Preferences
Select Sharing
Set Media Sharing to disabled
Terminal Method:
Run the following command to disable Media Sharing:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
example:
$ sudo -u test2 /usr/bin/defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2
Control ID: 353e3a918da9916c407c7733ba2f40cc81176d4cf8205f96544a0a15520c7fe6