2.9.3 Ensure Wake for Network Access Is Disabled

Information

This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls.

This feature allows other users to be able to access your computer's shared resources, such as shared printers or Apple Music playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer, it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist, the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals.

Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.

Solution

Graphical Method:

Perform the following steps to disable Wake for network access:

Desktop Instructions:

- Open System Settings
- Select Energy Saver
- Set Wake for network access to disabled

Laptop Instructions:

- Open System Settings
- Select Battery
- Select Options...
- Set Wake for network access to Never

Terminal Method:

Run the following command to disable Wake for network access:

% /usr/bin/sudo /usr/bin/pmset -a womp 0

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.MCX
- The key to include is com.apple.EnergySaver.desktop.ACPower
- The key must be set to:

<dict>
<key>Wake On LAN</key>
<integer>0</integer>
<key>Wake On Modem Ring</key>
<integer>0</integer>
</dict> <xhtml:ol start="4"> - The key to also include is com.apple.EnergySaver.portable.ACPower
- The key must be set to:

<dict>
<key>Wake On LAN</key>
<integer>0</integer>
<key>Wake On Modem Ring</key>
<integer>0</integer>
</dict> <xhtml:ol start="6"> - The key to also include is com.apple.EnergySaver.portable.BatteryPower
- The key must be set to:

<dict>
<key>Wake On LAN</key>
<integer>0</integer>
<key>Wake On Modem Ring</key>
<integer>0</integer>
</dict>

Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On LAN will allow the profile to install but not set any settings. This profile will only apply the setting at installation and is not sticky.

Impact:

Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature.

The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.

Turning off Wake for Network Access will also not allow Find My to work when the computer is asleep. It will also give this warning: "You won't be able to locate, lock, or erase this Mac while it's asleep because Wake for network access is turned off."

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: f9ae9c95ae24cd99f9f9b2957bb7512cef3c422b4ad3171c6daad9318409dc57