2.1.2 Audit App Store Password Settings

Information

With OS X 10.11, Apple added settings for password storage for the App Store in macOS. These settings parallel the settings in iOS. As with iOS, the choices are a requirement to provide a password after every purchase or to have a 15-minute grace period, and whether or not to require a password for free purchases. The response to this setting is stored in a cookie and processed by iCloud.

There is plenty of risk information on the wisdom of this setting for parents with children buying games on iPhones and iPads. The most relevant information here is the likelihood that users who are not authorized to download software may have physical access to an unlocked computer where someone who is authorized recently made a purchase. If that is a concern, a password should be required at all times for App Store access in the Password Settings controls.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Graphical Method:

Perform the following steps to set App Store Passwords to your organization's requirements:

- Open System Settings
- Select Apple ID
- Select Media & Purchases
- Set Free Downloads to your organization's requirements
- Set Purchases and In-App Purchases to your organization's requirements

See Also

https://workbench.cisecurity.org/benchmarks/18634

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: a912ece2d0baa1458bdb5e284f3ceeb47e56478a115dd0b4a6ccff10d3e3412f