Information
Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds, for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict, it may be too great for your organization, adjust to a smaller offset value as needed.
Note: ntpdate has been deprecated with 10.14. sntp replaces that command.
Rationale:
Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.
Impact:
Accurate time is required for many computer functions.
Solution
Run the following commands to ensure your time is set within an appropriate limit:
$ sudo systemsetup -getnetworktimeserver
The output will include Network Time Server: and the name of your time server
example: Network Time Server: time.apple.com
$ sudo touch /var/db/ntp-kod
$ sudo chown root:wheel /var/db/ntp-kod
$ sudo sntp -sS <your.time.server>
example:
$ sudo systemsetup -getnetworktimeserver
Network Time Server: time.apple.com
$ sudo touch /var/db/ntp-kod
$ sudo chown root:wheel /var/db/ntp-kod
$ sudo sntp -sS time.apple.com
Additional Information:
The associated check will fail if no network connection is available.