InformationApple's iCloud is a consumer-oriented service that allows a user to store data as well as find, control and backup devices that are associated with their Apple ID (Apple account). The use of iCloud on Enterprise devices should align with the acceptable use policy for devices that are managed as well as confidentiality requirements for data handled by the user. If iCloud is allowed the data that is copied to Apple servers will likely be duplicated on both personal as well as Enterprise devices.
For many users the Enterprise email system may replace many of the available features in iCloud. If using either an Exchange or Google environment email, calendars, notes and contacts can sync to the official Enterprise repository and be available through multiple devices.
Depending on workplace requirements it may not be appropriate to intermingle Enterprise and personal bookmarks, photos and documents. Since the service allows every device associated with the user's ID to synchronize and have access to the cloud storage the concern is not just about having sensitive data on Apple's servers but having that same data on the phone of the teenage son or daughter of an employee. The use of family sharing options can reduce the risk.
Apple's iCloud is just one of many cloud-based solutions being used for data synchronization across multiple platforms and it should be controlled consistently with other cloud services in your environment. Work with your employees and configure the access to best enable data protection for your mission.
Organizations must make a risk decision on how their computers will interact with public cloud services.
iCloud services are integrated deeply into macOS and in many cases are expected to be used by Mac users. iCloud is a public cloud and is not covered by an organizational security plan. In many cases synchronizing user data from an organizational computer to an uncontrolled location, no matter who is the data owner, is unacceptable.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
SolutionPerform the following to disable unapproved services:
Open System Preferences
Select Apple ID
Uncheck any services that are not allowed for your organization
Use a profile to disable services where organizationally required.
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AC-20(1), 800-53|AC-20(2), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-7(2), 800-53|CM-8(3), 800-53|CM-9, 800-53|CM-10, 800-53|CM-11, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|13.4
Control ID: f4411fe2b7390c2c496e540fbbdef7ff49196dad09b1a1c65f3d93458e083f4d