{"id":22325520,"url":"https://github.com/jamf/stig-macos-10_14","last_synced_at":"2025-07-14T00:35:28.161Z","repository":{"id":145080158,"uuid":"272721648","full_name":"jamf/STIG-macOS-10_14","owner":"jamf","description":"STIG for macOS Mojave - audit and remediation with scripts and Configuration Profiles","archived":false,"fork":false,"pushed_at":"2020-06-16T13:56:36.000Z","size":162,"stargazers_count":21,"open_issues_count":0,"forks_count":2,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-05T16:11:13.682Z","etag":null,"topics":["configuration-profiles","jamf","macos","security","stig"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jamf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-16T13:54:06.000Z","updated_at":"2024-08-08T22:42:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"55419c06-cea1-452c-9d01-4d0d261fefc2","html_url":"https://github.com/jamf/STIG-macOS-10_14","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jamf/STIG-macOS-10_14","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamf%2FSTIG-macOS-10_14","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamf%2FSTIG-macOS-10_14/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamf%2FSTIG-macOS-10_14/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamf%2FSTIG-macOS-10_14/manifests","o
wner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jamf","download_url":"https://codeload.github.com/jamf/STIG-macOS-10_14/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamf%2FSTIG-macOS-10_14/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265227900,"owners_count":23731060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["configuration-profiles","jamf","macos","security","stig"],"created_at":"2024-12-04T02:12:23.636Z","updated_at":"2025-07-14T00:35:28.151Z","avatar_url":"https://github.com/jamf.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# STIG for macOS 10.14 Mojave - Script and Configuration Profile Remediation\n\n## INFO:\nThe STIG is available on IASE at: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems,mac-os\n\nU_Apple_OS_X_10-14_V1R2_STIG \n\nVersion: 1, Release: 2, 24 Jan 2020\n\n## USAGE:\n### Add the following scripts to your Jamf Pro\n\n##### 1_STIG_10_14_Set_Priorities.sh\nThis script will require additional configuration prior to deployment.\n\nSets organizational compliance for each listed item, which gets written to STIG_security_score.plist. 
Values default to \"true\".\n\nTo disregard a given item set the value to \"false\" by changing the associated comment: AOSX_14_00000X=\"true\" or AOSX_14_00000X=\"false\"\n\nThe script writes to /Library/Application Support/SecurityScoring/STIG_security_score.plist by default.\n\n##### 2_STIG_10_14_Audit_Compliance.sh\nRun this before and after 3_STIG_10_14_Remediation to audit the remediation.\n\nReads the plist at /Library/Application Support/SecurityScoring/STIG_security_score.plist. For items prioritized (listed as \"true,\") the script queries against the current computer/user environment to determine compliance against each item.\n\nItems that pass compliance do not require further remediation and are set to \"false\" in the STIG_security_score.plist.\n\nNon-compliant items are recorded at /Library/Application\\ Support/SecurityScoring/STIG_audit\n\n##### 3_STIG_10_14_Remediation.sh\nReads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist.\n\nFor items still prioritized (listed as \"true,\") the script applies recommended remediation actions for the client/user.\n\n### Create a single Jamf Policy using all three scripts\n* 1_STIG_10_14_Set_Priorities.sh – Script Priority: Before\n* 2_STIG_10_14_Audit_Compliance.sh – Script Priority: Before\n* 3_STIG_10_14_Remediation.sh – Script Priority: Before\n* 2_STIG_10_14_Audit_Compliance.sh – Script Priority: After\n\n### Set the following options for the Jamf Policy\n* Recurring trigger to track compliance over time (Daily, weekly, or Monthly)\n* Update Inventory\n\n### Create Extension Attributes using the following scripts\n##### 2.5_STIG_Audit_List Extension Attribute\nSet as Data Type \"String.\"\nReads contents of /Library/Application\\ Support/SecurityScoring/STIG_audit file and records to Jamf Pro inventory record.\n\n##### 2.6_STIG_Audit_Count Extension Attribute\nSet as Data Type \"Integer.\" \nReads contents of /Library/Application\\ Support/SecurityScoring/STIG_audit file 
and records count of items to Jamf Pro inventory record. Usable with smart group logic (2.6_STIG_Audit_Count greater than 0) to immediately determine computers not in compliance.\n\n## REMEDIATED USING CONFIGURATION PROFILES:\nThe following Configuration profiles are available in mobileconfig and plist form. Mobileconfigs can be uploaded to Jamf Pro as Configuration Profiles.\n\n### 10.14_STIG-allowCloudPhotoLibrary\n* AOSX_14_002043 - Custom payload \u003e com.apple.applicationaccess \u003e allowCloudPhotoLibrary=false\n\n### 10.14_STIG-Certificates\n* AOSX_14_003001 - Certificate payload\n\n### 10.14_STIG-Disable Hot Corners\n* AOSX_14_000007 - Custom payload \u003e com.apple.dock \u003e wvous-tl-corner=0, wvous-br-corner=0, wvous-bl-corner=0, wvous-tr-corner=0\n\n### 10.14_STIG-Disable Siri and dictation\n* AOSX_14_002020 - Custom payload \u003e com.apple.ironwood.support \u003e Ironwood Allowed=false\n* AOSX_14_002020 - Custom payload \u003e com.apple.ironwood.support \u003e Assistant Allowed=false\n\n### 10.14_STIG-DisableBluetooth\n* AOSX_14_002062 - Custom payload \u003e com.apple.MCXBluetooth \u003e DisableBluetooth=true\n\n### 10.14_STIG-DisableFDEAutologin\n* AOSX_14_000032 - Custom payload \u003e com.apple.loginwindow \u003e DisableFDEAutoLogin=true\n\n### 10.14_STIG-forceInternetSharingOff\n* AOSX_14_002007 - Custom payload \u003e com.apple.MCX \u003e forceInternetSharingOff=true\n\n### 10.14_STIG-NoMulticastAdvertisements\n* AOSX_14_002005 - Custom payload \u003e com.apple.mDNSResponder \u003e NoMulticastAdvertisements=true\n\n### 10.14_STIG-Passcode\n* AOSX_14_000020 - Passcode payload \u003e MAXIMUM NUMBER OF FAILED ATTEMPTS 3\n* AOSX_14_000021 - Passcode payload \u003e DELAY AFTER FAILED LOGIN ATTEMPTS\n* AOSX_14_000022 - Passcode payload \u003e MAXIMUM NUMBER OF FAILED ATTEMPTS 3\n* AOSX_14_000022 - Passcode payload \u003e DELAY AFTER FAILED LOGIN ATTEMPTS\n* AOSX_14_003007 - Passcode payload \u003e Require alphanumeric value (checked)\n* 
AOSX_14_003008 - Passcode payload \u003e MAXIMUM PASSCODE AGE 60\n* AOSX_14_003009 - Passcode payload \u003e PASSCODE HISTORY 5\n* AOSX_14_003010 - Passcode payload \u003e MINIMUM PASSCODE LENGTH 15\n* AOSX_14_003011 - Passcode payload \u003e MINIMUM NUMBER OF COMPLEX CHARACTERS 1\n* AOSX_14_003011 - Passcode payload \u003e Allow simple value (unchecked)\n\n### 10.14_STIG-Restrictions\n* AOSX_14_002009 - Restrictions payload \u003e Media \u003e Allow AirDrop (unchecked)\n* AOSX_14_002010 - Restrictions payload \u003e Applications \u003e Disallow \"/Applications/FaceTime.app\"\n* AOSX_14_002011 - Restrictions payload \u003e Applications \u003e Disallow \"/Applications/Messages.app\"\n* AOSX_14_002012 - Restrictions payload \u003e Functionality \u003e Allow iCloud Calendar (unchecked)\n* AOSX_14_002013 - Restrictions payload \u003e Functionality \u003e Allow iCloud Reminders (unchecked)\n* AOSX_14_002014 - Restrictions payload \u003e Functionality \u003e Allow iCloud Contacts (unchecked)\n* AOSX_14_002015 - Restrictions payload \u003e Functionality \u003e Allow iCloud Mail (unchecked)\n* AOSX_14_002016 - Restrictions payload \u003e Functionality \u003e Allow iCloud Notes (unchecked)\n* AOSX_14_002017 - Restrictions payload \u003e Functionality \u003e Allow use of Camera (unchecked)\n* AOSX_14_002018 - Restrictions payload \u003e Preferences \u003e disable selected items \"Internet Accounts\"\n* AOSX_14_002019 - Restrictions payload \u003e Applications \u003e Disallow \"/Applications/Mail.app\"\n* AOSX_14_002023 - Restrictions payload \u003e Applications \u003e Disallow \"/Applications/Calendar.app\"\n* AOSX_14_002031 - Restrictions payload \u003e Preferences \u003e disable selected items \"iCloud\"\n* AOSX_14_002040 - Restrictions payload \u003e Functionality \u003e Allow iCloud Keychain (unchecked)\n* AOSX_14_002041 - Restrictions payload \u003e Functionality \u003e Allow iCloud Drive (unchecked)\n* AOSX_14_002042 - Restrictions payload \u003e Functionality \u003e 
Allow iCloud Bookmarks (unchecked)\n* AOSX_14_002049 - Restrictions payload \u003e Functionality \u003e Allow iCloud Drive (unchecked)\n* AOSX_14_002067 - Restrictions payload \u003e Applications \u003e Disallow \"/Users\"\n\n### 10.14_STIG-Security and Privacy-LoginWindow\n* AOSX_14_000001 - Security \u0026 Privacy Payload \u003e General \u003e Allow user to unlock the Mac using an Apple Watch (unchecked)\n* AOSX_14_000002 - Security \u0026 Privacy Payload \u003e General \u003e Require password * after sleep or screen saver begins (checked)\n* AOSX_14_000003 - Security \u0026 Privacy Payload \u003e General \u003e Require password * after sleep or screen saver begins (select * time no more than five seconds)\n* AOSX_14_000004 - Login Window payload \u003e Options \u003e Start screen saver after: (checked) \u003e 15 Minutes of Inactivity (or less) \n* AOSX_14_000006 - Login Window payload \u003e Options \u003e Start screen saver after: (checked) \u003e USE SCREEN SAVER MODULE AT PATH: (path to screensaver)\n* AOSX_14_002021 - Security \u0026 Privacy payload \u003e Privacy \u003e Allow sending diagnostic and usage data to Apple... 
(unchecked)\n* AOSX_14_002034 - Login Window payload \u003e Options \u003e Disable Siri setup during login (checked)\n* AOSX_14_002035 - Login Window payload \u003e Options \u003e Disable Apple ID setup during login (checked)\n* AOSX_14_002060 - Security \u0026 Privacy payload \u003e General \u003e Mac App Store and identified developers (selected)\n* AOSX_14_002061 - Security \u0026 Privacy payload \u003e General \u003e Do not allow user to override Gatekeeper setting (checked)\n* AOSX_14_002063 - Login Window payload \u003e Options \u003e Allow Guest User (unchecked)\n* AOSX_14_002066 - Login Window payload \u003e Options \u003e Disable automatic login (checked)\n* AOSX_14_003012 - Login Window payload \u003e Options \u003e Show password hint when needed and available (checked)\n\n### 10.14_STIG-SkipiCloudStorageSetup\n* AOSX_14_002037 - Custom payload \u003e com.apple.SetupAssistant.managed \u003e SkipiCloudStorageSetup=true\n\n### 10.14_STIG-SkipPrivacySetup\n* AOSX_14_002036 - Custom payload \u003e com.apple.SetupAssistant.managed \u003e SkipPrivacySetup=true\n\n### 10.14_STIG-Smart Card Enforced\n* AOSX_14_000005 - Smart Card payload \u003e Enable Screen Saver on Smart Card removal (checked)\n* AOSX_14_001060 - Smart Card Payload \u003e VERIFY CERTIFICATE TRUST = Check Certificate\n* AOSX_14_003002 - Smart Card Payload \u003e VERIFY CERTIFICATE TRUST = Check Certificate\n* AOSX_14_003005 - Smart Card payload \u003e Enforce Smart Card use (checked)\n* AOSX_14_003025 - Smart Card payload \u003e Enforce Smart Card use (checked)\n\n## RECOMMENDED STIG EXCEPTIONS\n\n* AOSX_14_000008 – Keep Wi-Fi enabled if it is approved and needed. – The macOS system must be configured with Wi-Fi support software disabled. \n* AOSX_14_004020 – Keep Wi-Fi enabled if it is approved and needed. 
– The macOS system must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.\n* AOSX_14_000012 – Managed by a directory server (AD) – The macOS system must automatically remove or disable temporary user accounts after 72 hours.\n* AOSX_14_000013 – Managed by a directory server (AD) – The macOS system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.\n* AOSX_14_000020 – This setting will cause unrecoverable account lockout (also see AOSX_14_000021) – The macOS system must enforce the limit of three consecutive invalid logon attempts by a user.\n* AOSX_14_000021 – This setting will cause unrecoverable account lockout (also see AOSX_14_000020) NOT COMPATIBLE WITH MACOS V10.11 OR LATER\n* AOSX_14_000022 – REDUNDANT to AOSX_14_000020 and AOSX_14_000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.\n* AOSX_14_002065 – REDUNDANT to AOSX_14_002068 – The macOS system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.\n\n## DUPLICATE AUDIT CHECKS\n* AOSX_14_000010 – DUPLICATE check to AOSX_14_004010 and AOSX_14_004011\n* AOSX_14_000011 – DUPLICATE check to AOSX_14_000040\n* AOSX_14_000040 – DUPLICATE check to AOSX_14_000011\n* AOSX_14_001060 – DUPLICATE check to AOSX_14_003002\n* AOSX_14_002034 – DUPLICATE check to AOSX_14_002039\n* AOSX_14_002041 – DUPLICATE check to AOSX_14_002049\n* AOSX_14_002049 – DUPLICATE check to AOSX_14_002041\n* AOSX_14_003002 – DUPLICATE check to AOSX_14_001060\n* AOSX_14_003005 – DUPLICATE check to AOSX_14_003025\n* AOSX_14_003020 – DUPLICATE check to AOSX_14_003024\n* AOSX_14_003024 – DUPLICATE check to AOSX_14_003020\n* AOSX_14_003025 – DUPLICATE check to AOSX_14_003005\n* AOSX_14_004010 – DUPLICATE check 
to AOSX_14_000010 and AOSX_14_004011\n* AOSX_14_004011 – DUPLICATE check to AOSX_14_000010 and AOSX_14_004010\n* AOSX_14_004020 – DUPLICATE check to AOSX_14_000008\n\n## NOTES\n* AOSX_14_000005 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_001060 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_003002 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_003005 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_003025 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_003050 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_003051 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n* AOSX_14_003052 – Smart Card - Before applying the \"Smart Card Policy\", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.\n\n* AOSX_14_000020 - Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. 
AD and config profile) may lead to unexpected results.\n* AOSX_14_000021 - Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n* AOSX_14_000022 - Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n* AOSX_14_003007 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n* AOSX_14_003008 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n* AOSX_14_003009 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n* AOSX_14_003010 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n* AOSX_14_003011 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjamf%2Fstig-macos-10_14","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjamf%2Fstig-macos-10_14","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjamf%2Fstig-macos-10_14/lists"}