The macOS system must disable Find My service.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268525 | APPL-15-002180 | SV-268525r1034515_rule | CCI-000381 | medium |
Description
The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service uses a personal AppleID for authentication. Organizations must rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
| STIG | Date |
| Apple macOS 15 (Sequoia) Security Technical Implementation Guide | 2025-05-05 |
Details
Check Text (C-268525r1034515_chk)
Verify the macOS system is configured to disable Find My service with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
    .objectForKey('allowFindMyDevice'))
  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
    .objectForKey('allowFindMyFriends'))
  let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
    .objectForKey('DisableFMMiCloudSetting'))
  if ( pref1 == false && pref2 == false && pref3 == true ) {
    return("true")
  } else {
    return("false")
  }
}
EOS
If the result is not "true", this is a finding.
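The check above returns a single "true" or "false", so a failing host does not show which of the three keys is wrong. The following script is an added example, not part of the STIG or of Apple's tooling: it reads the same three keys one at a time and reports each against the value the check expects. The function names and the "unset"/"other" labels are assumptions of this example; on a host without /usr/bin/osascript it evaluates constructed sample values instead.

```shell
#!/bin/sh
# Added example (not STIG code): per-key breakdown of the Find My check.

# read_pref DOMAIN KEY -> prints "true", "false", "unset" or "other".
# Uses the same NSUserDefaults lookup as the check text.
read_pref() {
  /usr/bin/osascript -l JavaScript << EOS
function run() {
  let v = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('$1').objectForKey('$2'))
  if (v == null) { return "unset" }
  if (v == true) { return "true" }
  if (v == false) { return "false" }
  return "other"
}
EOS
}

# check_key LABEL ACTUAL EXPECTED -> prints one line, returns 1 on mismatch.
check_key() {
  if [ "$2" = "$3" ]; then
    printf 'PASS  %s = %s\n' "$1" "$2"
  else
    printf 'FAIL  %s = %s (expected %s)\n' "$1" "$2" "$3"
    return 1
  fi
}

# evaluate_find_my DEVICE FRIENDS FMM -> applies the condition from the check:
# allowFindMyDevice == false, allowFindMyFriends == false, DisableFMMiCloudSetting == true.
evaluate_find_my() {
  rc=0
  check_key 'com.apple.applicationaccess allowFindMyDevice' "$1" false || rc=1
  check_key 'com.apple.applicationaccess allowFindMyFriends' "$2" false || rc=1
  check_key 'com.apple.icloud.managed DisableFMMiCloudSetting' "$3" true || rc=1
  if [ "$rc" -eq 0 ]; then echo 'Result: true'; else echo 'Result: false (finding)'; fi
  return "$rc"
}

if [ -x /usr/bin/osascript ]; then
  evaluate_find_my \
    "$(read_pref com.apple.applicationaccess allowFindMyDevice)" \
    "$(read_pref com.apple.applicationaccess allowFindMyFriends)" \
    "$(read_pref com.apple.icloud.managed DisableFMMiCloudSetting)"
else
  # No osascript (not macOS): constructed sample values, one key unset.
  evaluate_find_my false unset true || :
fi
```

A key reported as "unset" fails here for the same reason it fails the original check: a missing value compares equal to neither false nor true.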
Fix Text (F-72456r1034514_fix)
Configure the macOS system to disable Find My service by installing the "com.apple.applicationaccess" configuration profile.