2.8.1 Audit Universal Control Settings

Information

Universal Control is an Apple feature that allows Mac users to control multiple other Macs and iPads with the same keyboard, mouse, and trackpad using the same Apple Account. The technology relies on already available iCloud services, particularly Handoff.

Universal Control simplifies the use of iCloud connectivity of multiple computers using the same Apple Account. This may simplify data transfer from organizationally-managed and personal devices. The use of the same iCloud account and Handoff is the underlying concern that should be evaluated. The use of the same keyboard or mouse across multiple devices does not by itself decrease organizational security.

Universal Clipboard, a feature of Universal Control, allows any device using the same Apple Account to access the clipboard of any other devices using the same Apple Account.

The use of devices together when some are organizational and some are not may complicate device management standards.

Universal control settings may also enable a user to share their clipboard across multiple devices authenticated to the same Apple Account, so disabling that should be discussed by the organization.

Solution

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.universalcontrol
- The key to include is Disable
- Set the key to <true/> or <false/> based on your organization's requirements

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

Note: If your organization is allowing Universal Control, your organization can still disable Universal Clipboard via a profile. To disable Universal Clipboard, create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.coreservices.useractivityd
- The key to include is ClipboardSharingEnabled
- Set the key to <false/>

Impact:

The user should not be impacted if Universal Control is set either way.

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2

Plugin: Unix

Control ID: 9baa7ce08b22b95c675fbf80f62e96a0012213c76edebcdc8dede8c7d0d98312