2.6.1.3 Audit Location Services Access

Information

macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. While Location Services may be very useful, it may not be desirable to allow all applications that can use Location Services to use your location for Internet queries in order to provide tailored content based on your current location.

Ensure applications that can use Location Services are authorized and provide that information where the application interacts with external systems. Apple offers feedback within System Preferences and may be enabled to supply information on the menu bar when Location Services are used.

Safari can deny access from websites or prompt for access.

Applications that support Location Services can be individually controlled in the Privacy tab in Security & Privacy under System Preferences.

Access should be evaluated to ensure that privacy controls are as expected.

Privacy controls should be monitored for appropriate settings.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Graphical Method:

Perform the following steps to disable unnecessary applications from accessing Location Services:

- Open System Settings
- Select Privacy & Security
- Select Location Services
- Set any applications listed to your organization's requirements

Perform the following steps to set websites to ask for permission to access Location Services:

- Open Safari
- Select Safari from the menu bar
- Select Settings
- Select Websites
- Select Location
- Set When visiting other websites to your organization's requirements

Impact:

Many macOS features rely on Location Services for tailored information. Users expect their time zone and weather to be relevant to where they are without manual intervention. Find my Mac needs to know where your Mac is actually located. Where possible, the tolerance between location privacy and convenience may be best left to the user when the location itself is not sensitive. If facility locations are not public, location information should be tightly controlled.

See Also

https://workbench.cisecurity.org/benchmarks/18635