macOS CIS Level 1 Controls
Remediated via Script every 6 hours
Rule ID | Name | Target OS | Target Architecture |
os_sudo_timeout_configure | Configure Sudo Timeout Period to $ODV | 14,15 | i386,arm64 |
os_install_log_retention_configure | Configure Install.log Retention to $ODV | 14,15 | i386,arm64 |
audit_retention_configure | Configure Audit Retention to $ODV | 14,15 | i386,arm64 |
os_unlock_active_user_session_disable | Disable Login to Other User's Active and Locked Sessions | 14,15 | i386,arm64 |
audit_acls_files_configure | Configure Audit Log Files to Not Contain Access Control Lists | 14,15 | i386,arm64 |
audit_acls_folders_configure | Configure Audit Log Folder to Not Contain Access Control Lists | 14,15 | i386,arm64 |
audit_auditd_enabled | Enable Security Auditing | 14,15 | i386,arm64 |
audit_control_acls_configure | Configure Audit_Control to Not Contain Access Control Lists | 14,15 | i386,arm64 |
audit_control_group_configure | Configure Audit_Control Group to Wheel | 14,15 | i386,arm64 |
audit_control_mode_configure | Configure Audit_Control Owner to Mode 440 or Less Permissive | 14,15 | i386,arm64 |
audit_control_owner_configure | Configure Audit_Control Owner to Root | 14,15 | i386,arm64 |
audit_files_group_configure | Configure Audit Log Files Group to Wheel | 14,15 | i386,arm64 |
audit_files_mode_configure | Configure Audit Log Files to Mode 440 or Less Permissive | 14,15 | i386,arm64 |
audit_files_owner_configure | Configure Audit Log Files to be Owned by Root | 14,15 | i386,arm64 |
audit_folder_group_configure | Configure Audit Log Folders Group to Wheel | 14,15 | i386,arm64 |
audit_folder_owner_configure | Configure Audit Log Folders to be Owned by Root | 14,15 | i386,arm64 |
audit_folders_mode_configure | Configure Audit Log Folders to Mode 700 or Less Permissive | 14,15 | i386,arm64 |
os_guest_folder_removed | Remove Guest Folder if Present | 14,15 | i386,arm64 |
os_home_folders_secure | Secure User's Home Folders | 14,15 | i386,arm64 |
os_httpd_disable | Disable the Built-in Web Server | 14,15 | i386,arm64 |
os_mobile_file_integrity_enable | Enable Apple Mobile File Integrity | 14,15 | i386,arm64 |
os_nfsd_disable | Disable Network File System Service | 14,15 | i386,arm64 |
os_password_hint_remove | Remove Password Hint From User Accounts | 14,15 | i386,arm64 |
os_power_nap_disable | Disable Power Nap | 14,15 | i386 |
os_root_disable | Disable Root Login | 14,15 | i386,arm64 |
os_show_filename_extensions_enable | Enable Show All Filename Extensions | 14,15 | i386,arm64 |
os_sudo_log_enforce | Configure Sudo To Log Events | 15 | i386,arm64 |
os_sudoers_timestamp_type_configure | Configure Sudoers Timestamp Type | 14,15 | i386,arm64 |
os_system_wide_applications_configure | Ensure Appropriate Permissions Are Enabled for System Wide Applications | 14,15 | i386,arm64 |
os_time_offset_limit_configure | Ensure Time Offset Within Limits | 15 | i386,arm64 |
os_world_writable_system_folder_configure | Ensure No World Writable Files Exist in the System Folder | 14,15 | i386,arm64 |
system_settings_bluetooth_sharing_disable | Disable Bluetooth Sharing | 14,15 | i386,arm64 |
system_settings_cd_dvd_sharing_disable | Disable CD/DVD Sharing | 14,15 | i386,arm64 |
system_settings_guest_access_smb_disable | Disable Guest Access to Shared SMB Folders | 14,15 | i386,arm64 |
system_settings_printer_sharing_disable | Disable Printer Sharing | 14,15 | i386,arm64 |
system_settings_rae_disable | Disable Remote Apple Events | 14,15 | i386,arm64 |
system_settings_remote_management_disable | Disable Remote Management | 14,15 | i386,arm64 |
system_settings_screen_sharing_disable | Disable Screen Sharing and Apple Remote Desktop | 14,15 | i386,arm64 |
system_settings_smbd_disable | Disable Server Message Block Sharing | 14,15 | i386,arm64 |
system_settings_softwareupdate_current | Ensure Software Update is Updated and Current | 14,15 | i386,arm64 |
system_settings_system_wide_preferences_configure | Require Administrator Password to Modify System-Wide Preferences | 14,15 | i386,arm64 |
system_settings_wake_network_access_disable | Ensure Wake for Network Access Is Disabled | 14,15 | i386,arm64 |
Enforced via Configuration Profile
Rule ID | Name | Target OS | Target Architecture |
pwpolicy_account_lockout_enforce | Limit Consecutive Failed Login Attempts to $ODV | 14,15 | i386,arm64 |
system_settings_screensaver_ask_for_password_delay_enforce | Enforce Session Lock After Screen Saver is Started | 14,15 | i386,arm64 |
pwpolicy_account_lockout_timeout_enforce | Set Account Lockout Time to $ODV Minutes | 14,15 | i386,arm64 |
pwpolicy_history_enforce | Prohibit Password Reuse for a Minimum of $ODV Generations | 14,15 | i386,arm64 |
os_software_update_deferral | Ensure Software Update Deferment Is Less Than or Equal to $ODV Days | 14,15 | i386,arm64 |
system_settings_screensaver_timeout_enforce | Enforce Screen Saver Timeout | 14,15 | i386,arm64 |
pwpolicy_max_lifetime_enforce | Restrict Maximum Password Lifetime to $ODV Days | 14,15 | i386,arm64 |
pwpolicy_minimum_length_enforce | Require a Minimum Password Length of $ODV Characters | 14,15 | i386,arm64 |
system_settings_loginwindow_loginwindowtext_enable | Configure Login Window to Show A Custom Message | 14,15 | i386,arm64 |
system_settings_time_server_configure | Configure macOS to Use an Authorized Time Server | 14,15 | i386,arm64 |
os_airdrop_disable | Disable AirDrop | 14,15 | i386,arm64 |
os_config_data_install_enforce | Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically | 14,15 | i386,arm64 |
os_firewall_log_enable | Enable Firewall Logging | 14 | i386,arm64 |
os_gatekeeper_enable | Enable Gatekeeper | 14,15 | i386,arm64 |
os_on_device_dictation_enforce | Enforce On Device Dictation | 14,15 | arm64 |
os_safari_advertising_privacy_protection_enable | Ensure Advertising Privacy Protection in Safari Is Enabled | 14,15 | i386,arm64 |
os_safari_open_safe_downloads_disable | Disable Automatic Opening of Safe Files in Safari | 14,15 | i386,arm64 |
os_safari_prevent_cross-site_tracking_enable | Ensure Prevent Cross-site Tracking in Safari Is Enabled | 14,15 | i386,arm64 |
os_safari_show_full_website_address_enable | Ensure Show Full Website Address in Safari Is Enabled | 14,15 | i386,arm64 |
os_safari_show_status_bar_enabled | Ensure Show Safari shows the Status Bar is Enabled | 14,15 | i386,arm64 |
os_safari_warn_fraudulent_website_enable | Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled | 14,15 | i386,arm64 |
os_terminal_secure_keyboard_enable | Ensure Secure Keyboard Entry Terminal.app is Enabled | 14,15 | i386,arm64 |
system_settings_airplay_receiver_disable | Disable Airplay Receiver | 14,15 | i386,arm64 |
system_settings_automatic_login_disable | Disable Unattended or Automatic Logon to the System | 14,15 | i386,arm64 |
system_settings_bluetooth_menu_enable | Enable Bluetooth Menu | 14,15 | i386,arm64 |
system_settings_critical_update_install_enforce | Enforce Critical Security Updates to be Installed | 14,15 | i386,arm64 |
system_settings_diagnostics_reports_disable | Disable Sending Diagnostic and Usage Data to Apple | 15 | i386,arm64 |
system_settings_filevault_enforce | Enforce FileVault | 14,15 | i386,arm64 |
system_settings_firewall_enable | Enable macOS Application Firewall | 14,15 | i386,arm64 |
system_settings_firewall_stealth_mode_enable | Enable Firewall Stealth Mode | 14,15 | i386,arm64 |
system_settings_guest_account_disable | Disable the Guest Account | 14,15 | i386,arm64 |
system_settings_improve_assistive_voice_disable | Disable Sending Audio Recordings and Transcripts to Apple | 15 | i386,arm64 |
system_settings_improve_search_disable | Disable Sending Spotlight Search Information to Apple | 15 | i386,arm64 |
system_settings_improve_siri_dictation_disable | Disable Sending Siri and Dictation Information to Apple | 15 | i386,arm64 |
system_settings_install_macos_updates_enforce | Enforce macOS Updates are Automatically Installed | 14,15 | i386,arm64 |
system_settings_internet_sharing_disable | Disable Internet Sharing | 14,15 | i386,arm64 |
system_settings_loginwindow_prompt_username_password_enforce | Configure Login Window to Prompt for Username and Password | 14,15 | i386,arm64 |
system_settings_password_hints_disable | Disable Password Hints | 14,15 | i386,arm64 |
system_settings_personalized_advertising_disable | Disable Personalized Advertising | 14,15 | i386,arm64 |
system_settings_siri_listen_disable | Ensure Siri Listen For is Disabled | 14,15 | i386,arm64 |
system_settings_software_update_app_update_enforce | Enforce Software Update App Update Updates Automatically | 14,15 | i386,arm64 |
system_settings_software_update_download_enforce | Enforce Software Update Downloads Updates Automatically | 14,15 | i386,arm64 |
system_settings_software_update_enforce | Enforce Software Update Automatically | 14,15 | i386,arm64 |
system_settings_time_server_enforce | Enforce macOS Time Synchronization | 14,15 | i386,arm64 |
system_settings_wifi_menu_enable | Enable Wifi Menu | 14,15 | i386,arm64 |
Audited Only - Physical Access Required to Remediate Compliance
Rule ID | Name | Target OS | Target Architecture |
os_anti_virus_installed | Must Use an Approved Antivirus Program | 14,15 | i386,arm64 |
os_authenticated_root_enable | Enable Authenticated Root | 14,15 | i386,arm64 |
os_mdm_require | Enforce Enrollment in Mobile Device Management | 14,15 | i386,arm64 |
os_sip_enable | Ensure System Integrity Protection is Enabled | 14,15 | i386,arm64 |
os_time_server_enabled | Enable Time Synchronization Daemon | 14 | i386,arm64 |
system_settings_ssh_disable | Disable SSH Server for Remote Access Sessions | 14,15 | i386,arm64 |
system_settings_time_machine_encrypted_configure | Ensure Time Machine Volumes are Encrypted | 14,15 | i386,arm64 |