5.1.3 Ensure Apple Mobile File Integrity (AMFI) Is Enabled

Information

Apple Mobile File Integrity (AMFI) was first released in macOS 10.12. The daemon and service block attempts to run unsigned code. AMFI uses launchd, code signatures, certificates, entitlements, and provisioning profiles to create a filtered entitlement dictionary for an app. AMFI is the macOS kernel module that enforces code-signing and library validation.

Apple Mobile File Integrity ensures that application code is validated.

Solution

Run the following command to enable the Apple Mobile File Integrity service:

% /usr/bin/sudo /usr/sbin/nvram boot-args=""
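An audit check to pair with the command above, as an added example that is not part of the benchmark text. It assumes AMFI is switched off through the boot argument amfi_get_out_of_my_way, a name that does not appear on this page, and treats any value other than 0 as a finding. The function names are hypothetical and the script targets POSIX sh.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit boot-args for the AMFI override.
# Assumption: the override is the boot argument named below; flagging every
# value other than 0 is a conservative choice made for this example.
AMFI_OFF_KEY="amfi_get_out_of_my_way"

# amfi_state "<boot-args value>" -> prints "enabled" or "disabled"
amfi_state() {
    amfi_result="enabled"
    set -f                      # no globbing while splitting on whitespace
    for amfi_tok in $1; do
        case "$amfi_tok" in
            "$AMFI_OFF_KEY"=0) ;;                       # explicit 0: not a finding
            "$AMFI_OFF_KEY"=*) amfi_result="disabled" ;;
        esac
    done
    set +f
    printf '%s\n' "$amfi_result"
}

# strip_amfi_flag "<boot-args value>" -> prints the value without the AMFI key,
# leaving every other boot argument in its original order.
strip_amfi_flag() {
    amfi_kept=""
    set -f
    for amfi_tok in $1; do
        case "$amfi_tok" in
            "$AMFI_OFF_KEY"|"$AMFI_OFF_KEY"=*) ;;       # drop the override
            *) amfi_kept="${amfi_kept:+$amfi_kept }$amfi_tok" ;;
        esac
    done
    set +f
    printf '%s\n' "$amfi_kept"
}

# read_boot_args -> prints the live boot-args value (empty when unset)
read_boot_args() {
    /usr/sbin/nvram boot-args 2>/dev/null | sed 's/^boot-args[[:space:]]*//'
}

# Report only where nvram exists, so the functions stay usable elsewhere.
if [ -x /usr/sbin/nvram ]; then
    amfi_current=$(read_boot_args)
    echo "AMFI: $(amfi_state "$amfi_current")"
    echo "boot-args without the AMFI key: '$(strip_amfi_flag "$amfi_current")'"
fi
```

The remediation command above sets boot-args to an empty string, which removes every boot argument. Where other arguments must survive, the value printed by strip_amfi_flag is the one to set instead.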

Impact:

Applications could be compromised with malicious code.

See Also

https://workbench.cisecurity.org/benchmarks/17465