Big Sur - Prohibit User Installation of Software into /Users/

Information

Users _MUST_ not be allowed to install software into /Users/.

Allowing regular users to install software without explicit privileges presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.

Solution

This is implemented by a Configuration Profile.

mobileconfig profile info:

com.apple.applicationaccess.new:
    familyControlsEnabled: True
    pathBlackList: /Users/
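
One way to check an unsigned .mobileconfig file for this setting before it is deployed. This is an added example, not code from this page or from the macos_security project. The profile layout (settings stored directly in a payload whose PayloadType is com.apple.applicationaccess.new), the function names and the sample identifiers are assumptions constructed for illustration.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.applicationaccess.new"
REQUIRED_PATH = "/Users/"


def audit_profile(raw: bytes) -> list:
    """Return a list of findings; an empty list means the setting is present."""
    profile = plistlib.loads(raw)  # raises on signed (CMS-wrapped) profiles
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no " + PAYLOAD_TYPE + " payload in profile"]
    findings = []
    for payload in payloads:
        issues = []
        # Both keys must be satisfied by the same payload.
        if payload.get("familyControlsEnabled") is not True:
            issues.append("familyControlsEnabled is not true")
        paths = payload.get("pathBlackList")
        if not isinstance(paths, list) or REQUIRED_PATH not in paths:
            issues.append("pathBlackList does not contain " + REQUIRED_PATH)
        if not issues:
            return []
        findings.extend(issues)
    return findings


def sample_profile(enabled, paths) -> bytes:
    """Build a constructed profile; identifiers and UUID are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadContent": [{
            "PayloadType": PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "familyControlsEnabled": enabled,
            "pathBlackList": paths,
        }],
    })


if __name__ == "__main__":
    for enabled, paths in [(True, ["/Users/"]), (False, ["/Users/"]), (True, [])]:
        print(enabled, paths, "->", audit_profile(sample_profile(enabled, paths)) or "OK")
```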

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-11(2), CCE|CCE-85396-0, CCI|CCI-001812, STIG-ID|APPL-11-002067

Plugin: Unix

Control ID: c0e2b7cc28b931edf440eb52a8b8aeff0c0048c74689a87470844bccbbfdb8f2