2.6.2 Audit App Store Password Settings

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

With OS X 10.11, Apple added settings for password storage for the App Store in macOS. These settings parallel the settings in iOS. As with iOS, the choices are a requirement to provide a password after every purchase or to have a 15-minute grace period, and whether or not to require a password for free purchases. The response to this setting is stored in a cookie and processed by iCloud.

There is plenty of risk information on the wisdom of this setting for parents with children buying games on iPhones and iPads. The most relevant information here is the likelihood that users who are not authorized to download software may have physical access to an unlocked computer where someone who is authorized recently made a purchase. If that is a concern, a password should be required at all times for App Store access in the Password Settings controls.

Rationale:

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to set App Store Passwords to your organization's requirements:

Open System Preferences

Select Apple ID

Select Media & Purchases

Select the setting for Free Downloads that are withing your organization's requirements

Select the setting for Purchases and In-App Purchases that are within your organization's requirements

See Also

https://workbench.cisecurity.org/files/4180