From 48efeb866f23f0385fa153a50b4de161da1ef30d Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Mon, 18 Jul 2022 12:06:59 -0400
Subject: [PATCH] new 13.0 settings added
---
.../os_config_profile_ui_install_disable.yaml | 33 +++++++++++++++++++
.../sysprefs_USB_restricted_mode.yaml | 33 +++++++++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 rules/os/os_config_profile_ui_install_disable.yaml
create mode 100644 rules/sysprefs/sysprefs_USB_restricted_mode.yaml
diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml
new file mode 100644
index 00000000..37047882
--- /dev/null
+++ b/rules/os/os_config_profile_ui_install_disable.yaml
@@ -0,0 +1,33 @@
+id: os_config_profile_ui_install_disable
+title: "Disable Installation of Configuration Profiles through the User Interface"
+discussion: |
+ Installation of configuration profiles through the user interface _MUST_ be disabled and only be permitted through an authorized MDM server.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowUIConfigurationProfileInstallation').js
+ EOS
+result:
+ string: "false"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - N/A
+macOS:
+ - "13.0"
+tags:
+ - none
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowUIConfigurationProfileInstallation: false
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_USB_restricted_mode.yaml b/rules/sysprefs/sysprefs_USB_restricted_mode.yaml
new file mode 100644
index 00000000..f8168cf2
--- /dev/null
+++ b/rules/sysprefs/sysprefs_USB_restricted_mode.yaml
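Review bot: The `check` in rules/os/os_config_profile_ui_install_disable.yaml reads `allowUIConfigurationProfileInstallation` with `objectForKey`, which reports the effective value of the preference but not whether a configuration profile is enforcing it, so a value set outside a profile could presumably satisfy the rule even though `fix` says it is implemented by a Configuration Profile. Consider also requiring `.objectIsForcedForKey('allowUIConfigurationProfileInstallation')` to be true, or state in `discussion` that the check does not prove MDM enforcement. The `allowUSBRestrictedMode` check in rules/sysprefs/sysprefs_USB_restricted_mode.yaml uses the same pattern. The file also ends without a trailing newline (`\ No newline at end of file`).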
@@ -0,0 +1,33 @@
+id: sysprefs_USB_restricted_mode
+title: "USB Devices Must be Authorized Before Allowing"
+discussion: |
+ USB devices connected to a Mac _MUST_ be authorized.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowUSBRestrictedMode').js
+ EOS
+result:
+ string: "true"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - N/A
+macOS:
+ - "13.0"
+tags:
+ - none
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowUSBRestrictedMode: true
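Review bot: The `discussion` is a single sentence that never says what "authorized" means or what the setting protects against, so an auditor cannot tell what `allowUSBRestrictedMode: true` is expected to enforce. Something like `New USB, Thunderbolt and SD card accessories _MUST_ be approved by the user before they can communicate with the Mac, which limits data access through an unknown or malicious accessory.` would make the intent reviewable (wording to be confirmed against Apple's description of the key). The title also reads as incomplete; `title: "USB Devices Must Be Authorized Before Being Allowed to Connect"` would be clearer. The id and filename use upper-case `USB` while the other rule added in this patch is all lower case, so `sysprefs_usb_restricted_mode` would be consistent.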