2.4.13 Ensure AirPlay Receiver Is Disabled

Information

In macOS Monterey (12.0), Apple added the capability to share content from another Apple device to the screen of a host Mac. While there are many valuable uses of this capability, such sharing on a standard Mac user workstation should be enabled ad hoc as required rather than allowing a continuous sharing service. The feature can be restricted by Apple ID or network, and is used by accepting the connection on the Mac. Part of the concern is that frequent connection requests may function as a denial of service, and that access control limits may provide too much information to an attacker.

https://macmost.com/how-to-use-a-mac-as-an-airplay-receiver.html

https://support.apple.com/guide/mac-pro-rack/use-airplay-apdf1417128d/mac

Rationale:

This capability appears very useful for kiosk and shared work spaces. The ability to allow by network could be especially useful on segregated guest networks where visitors could share their screens on computers with bigger monitors, including computers connected to projectors.

Impact:

Turning off AirPlay sharing by default will not allow users to share without turning the service on. The service should be enabled as needed rather than left on.

Solution

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is allowAirPlayIncomingRequests

The key must be set to <false/>
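An added example (not part of the benchmark text): a Python check that parses a configuration profile before deployment and confirms it carries a com.apple.applicationaccess payload with allowAirPlayIncomingRequests set to boolean false. The sample profile, its identifiers and UUIDs, and the function name airplay_receiver_status are constructed for illustration; the check assumes an unsigned XML .mobileconfig file.

```python
import plistlib

# Constructed sample profile; identifiers and UUIDs are placeholders, not from the benchmark.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.airplay-receiver</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.airplay-receiver.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>allowAirPlayIncomingRequests</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

PAYLOAD_TYPE = "com.apple.applicationaccess"
KEY = "allowAirPlayIncomingRequests"

def airplay_receiver_status(profile_bytes):
    """Return 'compliant', 'enabled', 'wrong-type' or 'missing' for a profile."""
    profile = plistlib.loads(profile_bytes)
    status = "missing"  # no matching payload/key seen yet
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_TYPE or KEY not in payload:
            continue
        value = payload[KEY]
        if value is True:
            return "enabled"      # any payload allowing requests fails the check
        if value is not False:
            return "wrong-type"   # e.g. <string>false</string> is not <false/>
        status = "compliant"
    return status

if __name__ == "__main__":
    print(airplay_receiver_status(SAMPLE_PROFILE))
```

Only "compliant" matches the setting described above; "wrong-type" flags a key that is present but not the boolean <false/>.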

Default Value:

AirPlay Receiver is enabled by default.

Additional Information:

To verify individual users:

Audit:

Graphical Method:

Perform the following steps to ensure that AirPlay Receiver is disabled:

Open System Preferences

Select Sharing

Verify that AirPlay Receiver is not enabled

or

Open System Preferences

Select Profiles

Verify that an installed profile has Allow AirPlay Incoming Requests set to False

Terminal Method:

For each user, run the following command to verify that AirPlay Receiver is disabled:

$ /usr/bin/sudo -u <username> /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')
.objectForKey('AirplayRecieverEnabled').js
EOS

true

example:

$ /usr/bin/sudo -u firstuser /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')
.objectForKey('AirplayRecieverEnabled').js
EOS

true

Remediation:

Graphical Method:

Perform the following steps to disable AirPlay Receiver:

Open System Preferences

Select Sharing

Set AirPlay Receiver to disabled

Terminal Method:

For each user, run the following command to disable AirPlay Receiver:

$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false

example:

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false

See Also

https://workbench.cisecurity.org/benchmarks/11683