id: os_password_autofill_disable
title: "Disable Password Autofill"
discussion: |
  Password Autofill _MUST_ be disabled.

  macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.
check: |
  /usr/bin/osascript -l JavaScript << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowPasswordAutoFill').js
  EOS
result:
  string: "false"
fix: |
  This is implemented by a Configuration Profile.
references:
  cce:
    - CCE-92843-2
  cci:
    - N/A
  800-53r5:
    - IA-5(13)
    - CM-7
    - CM-7(1)
    - IA-11
    - IA-5
  800-53r4:
    - IA-5
    - IA-5(13)
    - IA-11
    - CM-7
    - CM-7(1)
  disa_stig:
    - N/A
  srg:
    - N/A
  800-171r2:
    - 3.4.6
    - 3.5.1
    - 3.5.2
  cis:
    benchmark:
      - N/A
    controls v8:
      - 4.1
      - 4.8
  cmmc:
    - CM.L2-3.4.6
    - CM.L2-3.4.7
    - IA.L2-3.5.8
    - IA.L2-3.5.9
macOS:
  - "14.0"
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cisv8
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
mobileconfig: true
mobileconfig_info:
  com.apple.applicationaccess:
    allowPasswordAutoFill: false