Detections
Analytics

2.4.11 Ensure AirDrop Is Disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other.

In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you.

While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards. The recommendation against enabling the sharing is not based on any known lack of security in the protocol but for specific user operational concerns.

If AirDrop is enabled the Mac is advertising that a Mac is addressable on the local network and open to either unwanted AirDrop upload requests or for a negotiation on whether the remote user is in the user's contacts list Neither process is desirable.

In most known use cases AirDrop use is ad hoc networking where AirDrop use is where Apple device users decide that a file should be exchanged and opt to use AirDrop which can be abled on the fly for that exchange.

For organizations concerned about any use of AirDrop because of Digital Loss Prevention (DLP) monitoring on other protocols JAMF has an article on reviewing AirDrop logs.

Detecting outbound AirDrop transfers and logging them

Rationale:

AirDrop can allow malicious files to be downloaded from unknown sources. Contacts Only limits may expose personal information to devices in the same area.

Impact:

Disabling AirDrop can limit the ability to move files quickly over the network without using file shares.

Solution

Graphical Method:
Perform the following steps to disable AirDrop:

Open System Settings in the Menu Bar

Select General

Select AirDrop & Handoff

Set AirDrop to No One

Open System Settings

Select Control Center

Set AirDrop to Don't show in Menu Bar

Terminal Method:
Run the following commands to disable AirDrop:

$ /usr/bin/sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true

example:

$ /usr/bin/sudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is allowAirDrop

The key must be set to <false/>

Note: AirDrop can only be enabled or disabled through configuration profiles. Any additional settings need to be set through the GUI or CL
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

See Also

https://workbench.cisecurity.org/files/4178

Item Details

References: CSCv7|5.1, CSCv7|15.4

Plugin: Unix

Control ID: 6ea4f9b43a796d0230ba0c7c694ad3de3c056b7f84deb848ffc8a70f81bd243d