7.9 Apple ID password reset

Information

Apple provides a service that lets a user who has enabled it reset their login password by signing in to Apple with their Apple ID. At first glance this looks like a service that should be explicitly turned off in an enterprise environment, but several factors limit how useful it is to an attacker:

- The password cannot be reset this way if the computer is using FileVault
- Only local accounts can be reset
- Physical access to the computer is required, on a network that can reach Apple
- The current login keychain will have to be discarded unless the user remembers the old password, because the keychain is still protected by that old password

The main use case I see for disabling this service is where you are not using FileVault to encrypt the Mac but are using firmware controls to limit boot options with local accounts. Otherwise the user has other options for resetting a password that are more time consuming but just as effective when they have physical access to the computer.
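The decision above can be scripted as a triage step. The following shell script is an added example and is not part of the CIS benchmark or of any Nessus check: it reads the output of `fdesetup status` and `firmwarepasswd -check` (the firmware password is assumed here to be the "firmware control" the text refers to) and reports whether the Apple ID reset option deserves a manual review on that Mac. The per-user checkbox itself is not assessed, since the page gives no automated check for it; the script only lists the local accounts (UID 500 and above) that such a review would cover. The sample strings in the assessment function are constructed copies of the real command output.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Nessus): decide whether the
# "reset password using Apple ID" option is worth reviewing on a Mac, using
# the conditions listed on this page. The per-user setting itself is left to
# manual review.

# assess_reset_exposure FDESETUP_OUTPUT FIRMWAREPASSWD_OUTPUT
# Prints one of: review, low, unknown
assess_reset_exposure() {
    fv_out="$1"   # text of `fdesetup status`, e.g. "FileVault is On."
    fw_out="$2"   # text of `firmwarepasswd -check`, e.g. "Password Enabled: Yes"

    case "$fv_out" in
        *"FileVault is On"*)  fv=on ;;
        *"FileVault is Off"*) fv=off ;;
        *) echo unknown; return 0 ;;
    esac
    case "$fw_out" in
        *"Password Enabled: Yes"*) fw=on ;;
        *"Password Enabled: No"*)  fw=off ;;
        *) echo unknown; return 0 ;;
    esac

    # FileVault on: the page states the Apple ID reset is not available.
    if [ "$fv" = on ]; then
        echo low
        return 0
    fi
    # No FileVault, but boot options are locked down by a firmware password:
    # this is the case the page singles out, because the Apple ID reset is
    # then the easiest remaining way to get into a local account.
    if [ "$fw" = on ]; then
        echo review
        return 0
    fi
    # Neither control: someone with physical access has other, slower reset
    # paths anyway, so this option adds little.
    echo low
}

# Local accounts the setting could apply to (UniqueID >= 500 skips system
# and service accounts). dscl only exists on macOS.
list_local_accounts() {
    dscl . -list /Users UniqueID 2>/dev/null | awk '$2 >= 500 { print $1 }'
}

main() {
    # firmwarepasswd needs root; without it the output is empty -> "unknown".
    fv=$(fdesetup status 2>/dev/null || echo "")
    fw=$(firmwarepasswd -check 2>/dev/null || echo "")
    echo "FileVault: ${fv:-<no output>}"
    echo "Firmware:  ${fw:-<no output>}"
    echo "Apple ID reset exposure: $(assess_reset_exposure "$fv" "$fw")"
    echo "Local accounts to review manually:"
    list_local_accounts | sed 's/^/  /'
}

# Only run the live checks on macOS; elsewhere the functions are just defined.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    main
fi
```

Run it as root on the Mac under review (`sudo sh check-appleid-reset.sh`). A result of `review` means the environment matches the case the page describes, and the "Allow user to reset password using Apple ID" option should be checked by hand for each listed account; `low` means FileVault or the absence of firmware controls already makes the option moot.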

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None

See Also

https://workbench.cisecurity.org/files/301