APPL-14-005080 - The macOS system must prohibit user installation of software into /users/.

Information

Users must not be allowed to install software into /users/.

Allowing users who do not possess explicit privileges to install software presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.

[IMPORTANT]
====
Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
====

Solution

Configure the macOS system to prohibit user installation of software into /users/ by installing the 'com.apple.applicationaccess.new' configuration profile.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-11(2), CAT|II, CCI|CCI-003980, Rule-ID|SV-259571r986258_rule, STIG-ID|APPL-14-005080, Vuln-ID|V-259571

Plugin: Unix

Control ID: eed8f671137a21ac7045502dac6792d9a8f948faa5ed42b45c3a6fdc9d5d3d30