Information
Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input.
This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used.
The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.
Impact:
Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled, the computer will not wake and reconnect to known wireless SSIDs intermittently when slept.
Solution
Graphical Method:
Perform the following steps to disable Power Nap:
Desktop Instructions:
Open System Settings
Select Energy Saver
Set Power Nap to disabled
Select UPS (if applicable)
Set Power Nap to disabled
Laptop Instructions:
Open System Settings
Select Battery
Select Power Adapter (for laptops only)
Set Power Nap to disabled
Select Battery
Set Power Nap to disabled
Select UPS (if applicable)
Set Power Nap to disabled
Terminal Method:
Run the following command to disable Power Nap:
$ /usr/bin/sudo /usr/bin/pmset -a powernap 0
Additional Information:
/usr/bin/man pmset