InformationIf the computer is present in an area where there are privacy concerns or sensitive images or actions are taking place the camera should be covered at those times. A permanent cover or alteration may be required when the computer is always located in a confidential area.
Malware is continuously discovered that circumvents the privacy controls of the built-in camera. No computer has perfect security and it seems likely that even if all the drivers are disabled or removed that working drivers can be re-introduced by a determined attacker.
At this point video chatting and other uses of the built-in camera are standard uses for a computer. In cases where the camera is not allowed to be used at all or when the computer is located in private areas additional precautions are warranted. OS components used for the built-in video camera can also be used for other connected cameras, whether USB or Bluetooth. Removed OS components that enable a camera may be re-installed or re-enabled.
The General rule should be that if the camera can capture images that could cause embarrassment or an adverse impact the camera should be covered until it is appropriate to use.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
SolutionPerform the following to set the camera settings to your organization's requirements:
Create or edit a configuration profile with the PayLoadType of com.apple.applicationaccess
Add the key allowCamera
Set the key to </true> or </false> based on your organization's preference
**Note:**There is no supported method from Apple to enable/disable the built-in FaceTime camera through the GUI or the command line. Remove any external cameras based on your organization's policies.
There should be no hardware modifications done to the computers to remove any built-in FaceTime cameras.
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: 1846c7372a7c259962e2e82ba49247ef10f82007d561c543369cf3a9e2a63cd6