os_unlock_active_user_session_disable and pwpolicy_custom_regex_enforce

exo
New Contributor II

 Hi,

I have managed to mostly create a configuration profile that will make our Sonoma Macs compliant with CIS Lvl. 2. But I have come across two problems:

1. An Administrator Account Cannot Login to Another User's Active and Locked Session

If I am not mistaken, this should be fixable in one of two ways:

a) By executing

/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1



which I have done, and the corresponding check, whether this has worked,

/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'


produces a result of 1, which is correct. But still that policy is failing in Jamf Protect.


b) By setting values in

/Library/Preferences/com.apple.PowerManagement.plist 

which I have also done through a policy. But this actually sets the values in 

/Library/Managed Preferences

and has no effect.

Can you point me in the right direction?


2. When I set values in

com.apple.mobiledevice.passwordpolicy.plist

 in my configuration profile, they also get written to

/Library/Managed Preferences

and have no effect. Since I need to specify a custom regex, and the UI in Jamf doesn't allow for that, I cannot satisfy this point in CIS Lvl. 2 compliance.

Can you help?

Kind regard
Toby

8 REPLIES 8

AJPinto
Honored Contributor III

Configuration Profiles deployed by MDM will always go in to /Library/Managed Preferences. Beyond running the command to validate the setting provided by NIST which you suggest is failing, have you validated if you can confirm the behavior? Settings configured with a Configuration Profile are not always validatable with terminal commands.

 

Your first question is involving 7.32. Disable Login to Other User’s Active and Locked Sessions, but Im not able to figure out what benchmark your second question is related to. Which benchmark are you trying to meet with this custom regex?

 

 

exo
New Contributor II

Thank you for your response :)

The second question refers to this control:

ID: pwpolicy_custom_regex_enforce

CIS Benchmark: 5.2.6 (level 2)

AJPinto
Honored Contributor III

Is there a reason you are not just using a Configuration Profile from Jamf Pro (or other MDM) to enforce the password policy on macOS?

exo
New Contributor II

I am. But the regex option seems to not have any effect if defined as an upload for a plist. The GUI doesn't offer the option at all.

AntMac
Contributor II

If you haven't explored them yet, the MacOS Security Compliance Project and the JAMF Compliance Editor might be beneficial. These do a lot of the hard work for you in terms of creating config profiles, compliance remediation script, EAs and more.

JAMF Compliance editor has a nice GUI if you prefer that over the terminal-based compliance project. They both reference the same baselines, but JAMF Compliance editor is JAMF specific. I did a lot of these things previous the hard manual way before these tools were available. They've been a game changer. Hopefully they will also be helpful to you.  

Establishing Compliance Baselines (jamf.com)

https://github.com/usnistgov/macos_security 



 

exo
New Contributor II

Yes, I have used the Compliance Editor for defining CIS Lvl. 2 rules and can see in Jamf Protect, that all of our devices are compliant. But if I implement any other rules, say NIST or CIS v8, they are not shown in Jamf Protect.

I am wondering if there is a way of configuring which framework Jamf Protect takes into consideration.It is also only showing a subset of CIS controls (apparently for performance reasons). I imagine I am not the only one who wants to use a framework other than CIS Lvl. 1 or 2.

AntMac
Contributor II

Following on from my response in your other thread. 
JAMF Protect only has the CIS1, CIS2 and JAMF provided baselines. Those are non-editable/customisable.


If you want to use another framework you would need to work out, what do you need immediate visibility over for remediation and what can the EAs in JAMF Pro do for areas that doesn't need immediate remediation. The CIS Benchmarks may cover some of those area for you. 


My work complies with NIST and we had to write custom analytics to address any NIST controls that we needed real time visibility and/or remediation over. The rest we rely on the EAs to determine compliance as our inventory cycle runs often enough to address the other things.  

Other thing we are looking at for future is log forwarding for other areas that are not necessarily for a NIST control. But things we do need to keep an eye on. 

I'm sure others will pipe up as well. But this has been my experience with Protect and Pro over the past few years.  

exo
New Contributor II

So, this is what I am still struggling with: os_unlock_active_user_session_disable

 

The guidance document contains a command, which I am executing as a script through a policy via Jamf, and it contains a check command. When I execute the check command locally, or execute the compliance checking script locally, the rule passes.

But Jamf Protect shows the rule as failing.

 

Does anyone have any ideas about that?