1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days

Information

Apple provides the capability to manage software updates on Apple devices through mobile device management. Part of that capability permits organizations to defer software updates to allow for testing. Many organizations have specialized software and configurations that may be negatively impacted by Apple updates. If software updates are deferred, they should not be deferred for more than 30 days. This control only verifies that deferred software updates are not deferred for more than 30 days.

Apple software updates almost always include security updates. Attackers evaluate updates to create exploit code in order to attack unpatched systems. The longer a system remains unpatched, the greater the chance that it is exploited through publicly reported vulnerabilities.

Solution

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.applicationaccess
- The key to include is enforcedSoftwareUpdateDelay
- The key must be set to <integer><1-30></integer>
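
One way to check an exported profile against the three settings above, as an added example that is not part of the benchmark or of the audit itself. It assumes an unsigned .mobileconfig read as bytes; the function names and the sample profiles are constructed for illustration.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.applicationaccess"
KEY = "enforcedSoftwareUpdateDelay"
MAX_DAYS = 30


def check_update_deferment(profile_bytes):
    """Return (compliant, findings) for an unsigned configuration profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict) or payload.get("PayloadType") != PAYLOAD_TYPE:
            continue
        value = payload.get(KEY)
        if value is None:
            findings.append("key not set")
        # plistlib maps <true/> and <false/> to bool, an int subclass: reject it.
        elif isinstance(value, bool) or not isinstance(value, int):
            findings.append(f"not an integer: {value!r}")
        elif not 1 <= value <= MAX_DAYS:
            findings.append(f"out of range: {value}")
        else:
            findings.append(f"ok: {value}")
    if not findings:
        findings.append(f"no {PAYLOAD_TYPE} payload")
    return all(f.startswith("ok") for f in findings), findings


def sample_profile(delay):
    """Constructed sample profile, not taken from a real deployment."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.updates",  # constructed identifier
        "PayloadContent": [{"PayloadType": PAYLOAD_TYPE, KEY: delay}],
    })


if __name__ == "__main__":
    for delay in (14, 90, 0, "14", True):
        print(repr(delay), check_update_deferment(sample_profile(delay)))
```

A signed profile is not a bare plist, so it has to be unwrapped before this check can parse it.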

Impact:

Some organizations may need more than 30 days to evaluate the impact of software updates.

See Also

https://workbench.cisecurity.org/benchmarks/15550

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 10c9f1a104fe46ad7c2622e23f844926a098a8042de3c8ac2805847a78d45f9f