2.1.1.1 Audit iCloud Keychain

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The iCloud keychain is Apple's password manager that works with macOS and iOS. The capability allows users to store passwords in either iOS or macOS for use in Safari on both platforms and other iOS-integrated applications. The most pervasive use is driven by iOS use rather than macOS. The passwords stored in a macOS keychain on an Enterprise-managed computer could be stored in Apple's cloud and then be available on a personal computer using the same account. The stored passwords could be for organizational as well as for personal accounts.

If passwords are no longer being used as organizational tokens, they are not in scope for iCloud keychain storage.

Rationale:

Ensure that the iCloud keychain is used consistently with organizational requirements.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to set iCloud keychain sync based on your organization's requirements:

Open System Settings

Select Apple ID

Select iCloud

Set Keychain to meet your organization's requirements

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is allowCloudKeychainSync

The key should be set <true/>, to allow iCloud keychain syncing, or <false/>, to disable it, based on your organization's requirements

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

See Also

https://workbench.cisecurity.org/files/4159