1.24 Ensure 'Add users from lock screen' is set to 'Disabled'

Information

Do not allow adding users on a locked device.
The recommended state for this setting is: Disabled.

Rationale:

Users and the guest profile can do most of the same things as the device's owner, but each profile has its own storage space. Guests could install malicious apps or carry out any other malicious activities that may compromise overall device security. Also, Wi-Fi and Bluetooth connections are shared which could give guests unauthorized access to networks/devices that could compromise data. Hence, Add users from lock screen setting should be disabled.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Follow the below steps to disable Add users from lock screen setting:

Tap Settings Gear Icon.
Tap System.
Tap Advanced.
Tap Multiple users.
Toggle Add users from lock screen setting to OFF position.

Impact:

Users will not be able to add additional users when the device is locked.

Default Value:

By default, Add users from lock screen setting is enabled.

See Also

https://workbench.cisecurity.org/files/2466

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|16.5

Plugin: MDM

Control ID: df2c571e04ed2da8a3fc6ee28d86d23c8cadea8052f086b14f9e1b4e4dc12006