2.3.3.10 Ensure Media Sharing Is Disabled

Information

Starting with macOS 10.15, Apple has provided a control which permits a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple Account. This allows users to share downloaded Movies, Music, or TV shows with other controlled macOS, iOS and iPadOS devices, as well as photos with Apple TVs.

With this capability, guest users can also use media downloaded on the computer.

The recommended best practice is not to use the computer as a server, but to utilize Apple's cloud storage in order to download and use content stored there if content stored with Apple is used on multiple devices.

https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac

Note: In macOS 15.0 Sequoia, Apple added a supported profile key for Media Sharing that replaces the keys in the benchmarks in previous versions.

Disabling Media Sharing reduces the remote attack surface of the system.

Solution

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.applicationaccess
- The key to include is allowMediaSharing
- The key must be set to <false/>
- The key to also include is allowMediaSharingModification
- The key must be set to <false/>

Impact:

Media Sharing allows for pre-downloaded content on a Mac to be available to other Apple devices on the same network. Leaving this disabled forces device users to stream or download content from each Apple authorized device. This sharing could even allow unauthorized devices on the same network media access.

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2

Plugin: Unix

Control ID: 580a5d21c4ae9fcc27c8a486703813c12ba73dea6011a21e540855ce6de001d3