2.1.1.2 Audit iCloud Drive

Information

iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.

One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.

Organizations should review third-party storage solutions against their existing data confidentiality and integrity requirements.

Solution

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.applicationaccess
- The key to include is allowCloudDocumentSync
- The key should be set to <true/> to allow iCloud Drive, or <false/> to disable it, based on your organization's requirements

Note: The profile method is the preferred method because it applies a system-wide setting rather than a user-level one. It is always better to set a value system-wide than per user.
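The following added example (not part of the benchmark or the audit plugin) checks an unsigned .mobileconfig for the payload and key named above before it is deployed. The function name, status strings, and the sample profile with its com.example identifiers are assumptions constructed for illustration.

```python
import plistlib

# Constructed sample profile; the com.example identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.restrictions.icloud</string>
      <key>allowCloudDocumentSync</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

def audit_icloud_drive(profile_bytes, expected):
    """Compare allowCloudDocumentSync in a profile with the organization's choice.

    expected is the boolean the organization has decided on (hypothetical
    parameter). Returns "PASS", "FAIL", "NOT_SET", "INVALID" or "CONFLICT".
    """
    profile = plistlib.loads(profile_bytes)
    values = []
    for payload in profile.get("PayloadContent", []):
        # Only the restrictions payload carries this key.
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        if "allowCloudDocumentSync" in payload:
            values.append(payload["allowCloudDocumentSync"])
    if not values:
        return "NOT_SET"   # key absent, so the profile does not manage it
    if any(not isinstance(v, bool) for v in values):
        return "INVALID"   # e.g. <string>false</string> instead of <false/>
    if len(set(values)) > 1:
        return "CONFLICT"  # two payloads in one profile disagree
    return "PASS" if values[0] is expected else "FAIL"

if __name__ == "__main__":
    print(audit_icloud_drive(SAMPLE_PROFILE, expected=False))
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before plistlib can parse it.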

Impact:

Users will not be able to use Continuity on macOS to resume the use of newly composed but unsaved files.

See Also

https://workbench.cisecurity.org/benchmarks/15550

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|AC-20(1), 800-53|AC-20(2), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: c64d81389cbaed82b4c8b8845f10c96cd3ee987472a2d3a8a957f7c7403f2312