2.11 Audit Universal Control Settings

Information

Universal Control is an Apple feature that allows Mac users to control multiple other Macs and iPads with the same keyboard, mouse, and trackpad using the same Apple ID. The technology relies on already available iCloud services, particularly Handoff.

Universal Control simplifies the use of iCloud connectivity of multiple computers using the same Apple ID. This may simplify data transfer from organizationally-managed and personal devices. The use of the same iCloud account and Handoff is the underlying concern that should be evaluated. The use of the same keyboard or mouse across multiple devices does not by itself decrease organizational security.

Rationale:

The use of devices together when some are organizational and some are not may complicate device management standards.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.universalcontrol

The key to include is Disable

Set the key to <true/> or <false/> based on your organization's requirements

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

Additional Information:

Universal Control: Use a single keyboard and mouse between Mac and iPad

Universal Control: Everything You Need to Know

To verify individual users:

Audit:

Graphical Method:

Open System Preferences

Select Displays

Select Universal Control...

Verify that the settings meet your organization's requirements

or

Open System Preferences

Select Profiles

Verify that an installed profile has com.apple.universalcontrol in Details and has Disable set to your organization's parameters.

Terminal Method:

Run the following command to verify the settings for Universal Control:

$ /usr/bin/sudo -u <user> /usr/bin/defaults -currentHost read com.apple.universalcontrol Disable

If the output is "The domain/default pair of (com.apple.universalcontrol, Disable) does not exist", then Universal Control is enabled. If the output is 1, it is disabled.

$ /usr/bin/sudo -u <user> /usr/bin/defaults -currentHost read com.apple.universalcontrol DisableMagicEdges

If the output is "The domain/default pair of (com.apple.universalcontrol, DisableMagicEdges) does not exist", then "Push through the edge of the display to connect a nearby Mac or iPad" is enabled. If the output is 1, it is disabled.

example:

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read com.apple.universalcontrol Disable

The domain/default pair of (com.apple.universalcontrol, Disable) does not exist

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read com.apple.universalcontrol DisableMagicEdges

The domain/default pair of (com.apple.universalcontrol, DisableMagicEdges) does not exist

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read com.apple.universalcontrol Disable

1

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read com.apple.universalcontrol DisableMagicEdges

1
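The terminal audit above, wrapped so that both keys are checked for every local account and the raw output is mapped to a state. This is an added example, not part of the benchmark or the Nessus check; the function names, the /Users/* enumeration and the treatment of an explicit 0 as enabled are assumptions.

```shell
#!/bin/sh
# Added example: audit Universal Control keys per user (helper names are hypothetical).
DOMAIN="com.apple.universalcontrol"

# classify_uc OUTPUT
# Maps the text returned by `defaults read` to a state, following the
# rules in the audit text: key missing -> enabled, 1 -> disabled.
classify_uc() {
    case "$1" in
        *"does not exist"*) echo "enabled" ;;   # key never set: feature is on
        1)                  echo "disabled" ;;  # Disable* key set to true
        0)                  echo "enabled" ;;   # assumption: key explicitly set to false
        *)                  echo "unknown" ;;   # anything else needs manual review
    esac
}

# audit_user USER KEY
# Runs the audit command from the page for one user and one key.
# stderr is captured because the "does not exist" message is an error message.
audit_user() {
    out=$(/usr/bin/sudo -u "$1" /usr/bin/defaults -currentHost read "$DOMAIN" "$2" 2>&1)
    printf '%s\t%s\t%s\n' "$1" "$2" "$(classify_uc "$out")"
}

# audit_all
# Assumption: interactive accounts have a home directory under /Users.
audit_all() {
    for home in /Users/*; do
        user=${home##*/}
        [ "$user" = "Shared" ] && continue
        id "$user" >/dev/null 2>&1 || continue
        for key in Disable DisableMagicEdges; do
            audit_user "$user" "$key"
        done
    done
}

# Run only on a Mac and only when asked: sh audit_uc.sh --run
if [ -x /usr/bin/defaults ] && [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

Any row reported as unknown should be checked by hand with the original command.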

Remediation:

Graphical Method:

Perform the following steps to set Universal Control to your organization's requirements:

Open System Preferences

Select Displays

Set the options that meet your organization's requirements

Terminal Method:

Run the following command to enable or disable Universal Control:

$ /usr/bin/sudo -u <user> /usr/bin/defaults -currentHost write com.apple.universalcontrol Disable -bool <true/false>

$ /usr/bin/sudo -u <user> /usr/bin/defaults -currentHost write com.apple.universalcontrol DisableMagicEdges -bool <true/false>

example:

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.universalcontrol Disable -bool true

$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.universalcontrol DisableMagicEdges -bool true

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.universalcontrol Disable -bool false

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.universalcontrol DisableMagicEdges -bool false

See Also

https://workbench.cisecurity.org/benchmarks/14564