refactor[rules]: update checks for SkipSetupItems

add[rules]: add skip Apple Intelligence during setup assistant
2026-02-03 14:03:24 +00:00 · 2025-09-11 10:22:28 -04:00
parent 280ef89f71
commit c78425c5b0
7 changed files with 69 additions and 12 deletions
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -5,9 +5,9 @@ discussion: |

  macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
-  .objectForKey('SkipCloudSetup').js
+  .objectForKey('SkipSetupItems').containsObject("AppleID")
  EOS
 result:
  string: 'true'
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -5,9 +5,9 @@ discussion: |

  The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
-  .objectForKey('SkipiCloudStorageSetup').js
+  .objectForKey('SkipSetupItems').containsObject("iCloudStorage")
  EOS
 result:
  string: 'true'
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -5,9 +5,9 @@ discussion: |

  Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
-  .objectForKey('SkipPrivacySetup').js
+  .objectForKey('SkipSetupItems').containsObject("Privacy")
  EOS
 result:
  string: 'true'
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -5,9 +5,9 @@ discussion: |

  Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organization-wide settings.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
-  .objectForKey('SkipSiriSetup').js
+  .objectForKey('SkipSetupItems').containsObject("Siri")
  EOS
 result:
  string: 'true'
--- a/rules/os/os_skip_apple_intelligence_enable.yaml
+++ b/rules/os/os_skip_apple_intelligence_enable.yaml
@@ -0,0 +1,57 @@
+id: os_skip_apple_intelligence_enable
+title: Disable Apple Intelligence During Setup Assistant
+discussion: |
+  The prompt for setting up Apple Intelligence during Setup Assistant _MUST_ be disabled.
+check: |
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
+  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+  .objectForKey('SkipSetupItems').containsObject("Intelligence")
+  EOS
+result:
+  string: 'true'
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - AC-4
+    - AC-20
+    - CM-7
+  800-53r4:
+    - AC-20
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r3:
+    - 03.01.20
+    - 03.04.06
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - 4.1
+  cmmc:
+    - AC.L1-3.1.20
+macOS:
+  - '26.0'
+tags:
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
+  - cisv8
+  - cnssi-1253_low
+  - cnssi-1253_high
+  - cmmc_lvl2
+  - cmmc_lvl1
+  - cnssi-1253_moderate
+severity: medium
+mobileconfig: true
+mobileconfig_info:
+  com.apple.SetupAssistant.managed:
+    SkipSetupItems:
+      - Intelligence
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -5,9 +5,9 @@ discussion: |

  Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
-  .objectForKey('SkipUnlockWithWatch').js
+  .objectForKey('SkipSetupItems').containsObject("WatchMigration")
  EOS
 result:
  string: 'true'
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -5,9 +5,9 @@ discussion: |

  macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
+  /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
-  .objectForKey('SkipTouchIDSetup').js
+  .objectForKey('SkipSetupItems').containsObject("Biometric")
  EOS
 result:
  string: 'true'