← Back to Apple macOS 12 (Monterey) Security Technical Implementation Guide

V-252455

CAT II (Medium)

The macOS system must be configured to disable password forwarding for FileVault2.

Rule ID

SV-252455r991589_rule

STIG

Apple macOS 12 (Monterey) Security Technical Implementation Guide

Version

V1R9

CCIs

CCI-002143

Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Check Content

Verify that password forwarding has been disabled on the system:

# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin"

DisableFDEAutologin = 1;

If "DisableFDEAutologin" is not set to a value of "1", this is a finding.

Fix Text

This setting is enforced using the "Smart Card" configuration profile.