macOS CIS Level 1 Compliance Report
This report was generated automatically during a single AI-assisted session using the NIST macOS Security Compliance Project (mSCP) 2.0 framework, cross-referenced with live fleet data from a Smplify MDM instance. It documents six MDM configuration profiles built to the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark Level 1 baseline, and provides a gap analysis for migration to NIST SP 800-53 Rev 5 Moderate.
Executive Summary
This session demonstrates end-to-end automated macOS security compliance using the NIST macOS Security Compliance Project (mSCP) 2.0 framework integrated with Smplify MDM. The session was initiated from a fleet with zero compliance policies deployed and concluded with six CIS Level 1 configuration profiles created, tagged, and ready for staged deployment — without disrupting any enrolled devices.
Accomplishments
Fleet inventory and risk assessment. All six enrolled devices were inventoried from Smplify. Key findings included a device stuck in UNENROLL_PENDING state with no active MDM enforcement, an unassigned iPhone on a different tenant, and a MacBook Air running macOS 15.7.5 — significantly behind the current fleet OS version of 26.5.
CIS Level 1 baseline interpretation. The live cis_lvl1.yaml from the mSCP GitHub repository was fetched and parsed. All 90+ rules were mapped to Apple MDM payload identifiers and organized into six logical policy groups.
Six production-ready profiles built and tagged. Profiles were created in Smplify covering firewall, full-disk encryption, password policy, screen lock, login window hardening, and software update enforcement. All profiles were tagged "NIST mSCP Demo" for tracking. No profiles were deployed.
UAMDM prerequisite identified. The FileVault profile (com.apple.MCX.FileVault2) was flagged as requiring User Approved MDM enrollment before enforcement — the only profile in the set with this constraint.
Compliance gap and disruption analysis. Each profile was assessed against each eligible macOS device. All six devices fail all six controls (no policies installed). Four controls were classified as safe for immediate automated remediation; two require advance notice to users.
CIS Level 1 → NIST 800-53r5 Moderate upgrade path. A full baseline diff was produced, identifying approximately 25 net-new rules, 10 ODV value changes, and 28 CIS-only controls not required by 800-53r5 Moderate. Per-rule customization values and rationale were documented.
This report was generated during a demonstration session. All profiles are staged in Smplify but have not been deployed to any devices. This document should not be used as evidence of compliance certification for any regulatory or audit purpose.
Fleet Snapshot
The following devices were inventoried from the Smplify tenant at the time of this session. CIS Level 1 profiles apply exclusively to macOS devices; iOS and iPadOS devices are out of scope for this baseline.
| Device | Model | User | OS Version | Platform | Status | Scope |
|---|---|---|---|---|---|---|
| Mac mini | Mac16,10 | Ben | macOS 26.5 | macOS | Enrolled | In scope |
| MacBook Air (M1) | MacBook Air | Admin at Smplify | macOS 15.7.5 | macOS | Enrolled | In scope — OS outdated |
| iPad Air | iPad Air | Ben | iPadOS 26.5 | iPadOS | Enrolled | Out of scope |
| iPhone 15 Pro | iPhone 15 Pro | Ben | iOS 26.5 | iOS | Enrolled | Out of scope |
| iPhone (13 mini) | iPhone 13 mini | API User | iOS 26.2.1 | iOS | UNENROLL_PENDING | Out of scope — action required |
| iPhone (13 mini) | iPhone 13 mini | Unassigned | iOS 26.4.2 | iOS | Enrolled — anomalous | Out of scope — review ownership |
MacBook Air on macOS 15.7.5: This device is several major OS versions behind the remainder of the fleet. Multiple CIS L1 controls have version-specific enforcement behaviors, and several mSCP rules explicitly require macOS 26.x. This device must be updated before profiles will apply correctly.
UNENROLL_PENDING iPhone: This device is no longer under active MDM control. No policies, restrictions, or remote wipe capability apply. Resolve immediately — either complete the unenrollment or re-enroll.
Unassigned iPhone: No user is associated and the device belongs to an anomalous tenant context. Attribute or decommission before applying any policy scope.
CIS Level 1 Configuration Profiles
The following six profiles were built in Smplify using Apple MDM payload schemas, mapped to the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark Level 1 rules from the mSCP 2.0 cis_lvl1.yaml baseline. Each profile is documented using the mSCP guidance structure: discussion, check, fix, result, and references.
CIS L1 — Firewall
system_settings_firewall_enable · system_settings_firewall_stealth_mode_enable
A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. The macOS application firewall operates at the application layer, blocking unauthorized incoming connections on a per-application basis.
Stealth mode prevents the Mac from responding to probing requests — ICMP pings and port scans return no response, effectively rendering the device invisible to passive network reconnaissance. Both controls should be enabled for any device operating on untrusted or shared networks.
CIS Benchmark: 3.6 (Enable Firewall), 3.7 (Enable Stealth Mode). Both are Level 1 automated controls with no user-facing impact.
```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
```
Both commands should return enabled. Alternatively: defaults read /Library/Preferences/com.apple.alf globalstate should return 1 or 2.
com.apple.security.firewall payload with keys EnableFirewall: true and EnableStealthMode: true enforces and locks both settings. No reboot required; applies silently on next MDM check-in.

Neither the Mac mini nor MacBook Air has any policies installed. Both devices are presumed to have the firewall in its default state (disabled or user-controlled). Profile is staged and ready to deploy.
Silent background enforcement. No user-facing change. No reboot required.
CIS L1 — FileVault Encryption
system_settings_filevault_enforce · supplemental_filevault
FileVault 2 provides full-disk encryption for macOS using XTS-AES-128 with a 256-bit key. Enabling FileVault ensures that all data at rest on the system volume is encrypted and inaccessible without the user's credentials or a valid recovery key. This is the primary control for protecting data on lost or stolen devices.
The mSCP supplemental guidance (supplemental_filevault) recommends storing the personal recovery key in MDM and not displaying it to the user, to prevent key loss. The Smplify profile uses Defer: true with DeferForceAtUserLoginMaxBypassAttempts: 0, prompting the user to enable FileVault at next login with no bypass option.
CIS Benchmark: 2.5.1. This is the single highest-priority data protection control in the CIS Level 1 baseline.
The com.apple.MCX.FileVault2 payload schema carries userapprovedmdm: true. Apple requires that macOS devices explicitly approve the MDM enrollment via System Settings → Privacy & Security → Profiles before a FileVault management profile will be accepted. Devices enrolled via ADE/DEP receive this approval automatically; manually enrolled devices require a user-initiated approval step. Verify UAMDM status before deploying this profile.
```sh
fdesetup status
```
Expected: FileVault is On. If the response is FileVault is Off. or Deferred enablement appears to be active…, the control is not yet enforced.
Defer: true. On next user login following profile installation, macOS will prompt the user to enable FileVault. The encryption process runs transparently in the background and does not require a reboot. Recovery key is escrowed to MDM.

No policies are deployed. FileVault status cannot be confirmed via MDM without a compliance check script. The Mac mini should be confirmed for UAMDM status before this profile is deployed. The MacBook Air must be updated to macOS 26.x first.
Confirm Mac mini UAMDM status. Encryption runs silently after user login prompt. May briefly impact performance on older hardware during initial encryption.
CIS L1 — Password Policy
pwpolicy_minimum_length_enforce · pwpolicy_history_enforce · pwpolicy_max_lifetime_enforce · pwpolicy_account_lockout_enforce · pwpolicy_account_lockout_timeout_enforce · supplemental_password_policy
Password complexity and lifecycle controls are fundamental identity controls mapped to NIST SP 800-53r5 IA-5. A minimum length of 15 characters significantly raises the cost of brute-force attacks. History enforcement (15 previous passwords) prevents recycling of recently used credentials. A maximum age of 365 days ensures credentials are rotated annually.
Account lockout after 5 failed attempts with a 15-minute reset window balances usability with protection against online credential attacks. CIS L1 deliberately sets a higher lockout threshold than NIST 800-53r5 Moderate (which recommends 3) to reduce user friction.
```sh
/usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | \
  /usr/bin/tail +2 | /usr/bin/xmllint --xpath \
  'boolean(//*[contains(text(),"policyAttributePassword")])' -
```
| Parameter | CIS L1 Value | 800-53r5 Moderate ODV |
|---|---|---|
| Minimum length | 15 | 14 |
| Password history | 15 | 5 |
| Maximum age (days) | 365 | 60 ← stricter |
| Lockout threshold | 5 | 3 ← stricter |
| Lockout reset (min) | 15 | 15 |
The 5-attempt lockout threshold is strict. Users unaware of the change who are uncertain of their password may trigger an unexpected lockout. Send advance notice and confirm admin recovery paths are in place before deploying.
CIS L1 — Screen Saver & Lock
system_settings_screensaver_password_enforce · system_settings_screensaver_ask_for_password_delay_enforce · system_settings_screensaver_timeout_enforce
Unattended sessions are one of the most common vectors for physical-access attacks. Screen lock controls ensure that a device left unattended requires re-authentication before use. The 20-minute timeout (CIS L1 value; NIST Moderate recommends 15 minutes) activates the screen saver after inactivity, and the 5-second password grace period prevents nuisance locking during brief pauses while still closing the window for opportunistic access.
CIS Benchmark: 2.10, 6.1.4. Both controls are enforced via MDM with no reboot required and no active session interruption.
```sh
# The AppleScript must be passed as one line; a backslash inside the single quotes
# would reach osascript as a literal character and break the script.
osascript -e 'tell application "System Events" to tell security preferences to get require password to wake'
defaults -currentHost read com.apple.screensaver idleTime
```
loginWindowIdleTime: 1200 (20 minutes), askForPassword: true, askForPasswordDelay: 5. Applies on next MDM check-in. No reboot required. Users in active sessions are not interrupted — the screen saver only triggers after 20 minutes of inactivity.

CIS L1 — Login Window & Sharing
system_settings_automatic_login_disable · system_settings_guest_account_disable · os_airdrop_disable · system_settings_airplay_receiver_disable · system_settings_bluetooth_sharing_disable · system_settings_internet_sharing_disable · system_settings_remote_management_disable · system_settings_screen_sharing_disable · system_settings_printer_sharing_disable · system_settings_loginwindow_loginwindowtext_enable · system_settings_loginwindow_prompt_username_password_enforce · os_unlock_active_user_session_disable
This profile addresses two related control families: login window hardening and network sharing service reduction. The login window controls ensure that the device reveals no account names at rest (requiring both username and password to be typed), displays an authorized-use-only banner, and prevents automatic login — all of which reduce the information available to an attacker with physical access.
Sharing service controls enforce the principle of least functionality by disabling all network sharing capabilities that are not explicitly required: AirDrop, AirPlay receiver, Bluetooth sharing, internet sharing, remote management (ARD), screen sharing, and printer sharing. Each represents a lateral movement or data exfiltration vector if left enabled and unmonitored.
This system is for authorized use only. Unauthorized access is prohibited and may be subject to legal action.
Note: This text should be reviewed by legal counsel and customized with organization-specific language before deployment in production environments.
com.apple.loginwindow; sharing and access restrictions via com.apple.applicationaccess. Login window changes are visible at next login — no impact on active sessions. Sharing service disablement is immediate.

Check for active screen share connections before deploying to avoid abrupt disconnection. All other changes apply without user disruption.
CIS L1 — Software Update
system_settings_critical_update_install_enforce · system_settings_software_update_download_enforce · system_settings_install_macos_updates_enforce · os_config_data_install_enforce · os_software_update_app_update_enforce · system_settings_softwareupdate_current
Unpatched operating systems remain one of the leading causes of successful exploitation in enterprise environments. This profile enforces automatic checking, downloading, and installation of critical security updates and system data files, ensuring that Rapid Security Responses (RSRs) and XProtect updates are applied without user intervention.
macOS version updates are enforced automatically. Note that on the MacBook Air running macOS 15.7.5, this profile will not produce meaningful compliance — the device must first be manually updated to macOS 26.x before MDM-enforced software update controls apply correctly for this baseline.
```sh
# defaults read accepts a single key per invocation, so each key is read in turn
for key in AutomaticCheckEnabled AutomaticDownload \
           CriticalUpdateInstall ConfigDataInstall \
           AutomaticallyInstallMacOSUpdates; do
  defaults read /Library/Preferences/com.apple.SoftwareUpdate "$key"
done
```
All values should return 1.
The com.apple.SoftwareUpdate payload sets each of the keys above to true. Installs occur outside business hours by default; no immediate forced reboot. Applies silently on MDM check-in.

MacBook Air on 15.7.5 noted: the profile will install, but full enforcement effect requires the OS upgrade first.
User Approved MDM (UAMDM) Requirement
Apple introduced User Approved MDM in macOS 10.13.2 as a security measure to prevent silent, unauthorized MDM enrollment. Certain high-privilege configuration payloads — including kernel extensions, system extensions, privacy preference policy controls, and FileVault management — require that the device owner explicitly approve the MDM enrollment before these profiles will be accepted.
The com.apple.MCX.FileVault2 payload carries userapprovedmdm: true in the mSCP payload schema. This is the only profile in the current CIS L1 set with this requirement. The remaining five profiles (com.apple.security.firewall, com.apple.mobiledevice.passwordpolicy, com.apple.screensaver, com.apple.loginwindow, com.apple.SoftwareUpdate) do not require UAMDM and can be deployed to any enrolled device.
Per-Device UAMDM Assessment
| Device | Enrollment Method | UAMDM Status | Action Required |
|---|---|---|---|
| Mac mini (Ben) | Unknown — verify | Unconfirmed | Check System Settings → Privacy & Security → Profiles. If ADE/DEP enrolled, UAMDM is automatic. |
| MacBook Air (Admin) | Unknown — verify | Not applicable | OS must be updated to macOS 26.x before FileVault profile is relevant. |
How to Verify UAMDM Status
Run the following on each device to confirm UAMDM approval status:
Look for MDM enrollment: Yes (User Approved) in the output. If the response shows Yes without User Approved, the device requires manual approval in System Settings before the FileVault profile will take effect.
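To turn the per-profile check commands above and this UAMDM verification into one repeatable, read-only spot check, here is an added example script; it is not mSCP or Smplify code. It assumes `profiles status -type enrollment` as the command whose output carries the `MDM enrollment:` line, and it parses each command's output in its own function so the logic can be exercised against constructed sample output; `--live` runs the real commands on a Mac.

```shell
#!/bin/sh
# Added example, not mSCP or Smplify code: a read-only spot check for the six CIS L1
# profiles above plus the UAMDM prerequisite. Each check_* function parses the raw
# output of the command named in its comment, so the logic can be exercised offline
# against constructed sample output; run_live wires the checks to the real commands.
# Exit status of each check: 0 = compliant, 1 = failing.

# Firewall: socketfilterfw --getglobalstate and --getstealthmode must both say "enabled"
check_firewall() {  # $1 = globalstate output, $2 = stealthmode output
  for out in "$1" "$2"; do
    case "$out" in *disabled*) return 1 ;; *enabled*) ;; *) return 1 ;; esac
  done
}

# FileVault: only "FileVault is On." counts; "Off" and deferred enablement both fail
check_filevault() {  # $1 = fdesetup status output
  case "$1" in "FileVault is On."*) return 0 ;; *) return 1 ;; esac
}

# Password policy: the xmllint --xpath boolean(...) check above must print "true"
check_pwpolicy() {  # $1 = xmllint output
  [ "$1" = "true" ]
}

# Screen saver: idleTime 1..1200 s, askForPassword = 1, askForPasswordDelay <= 5 s
check_screensaver() {  # $1 = idleTime, $2 = askForPassword, $3 = askForPasswordDelay
  for v in "$1" "$2" "$3"; do
    case "$v" in ""|*[!0-9]*) return 1 ;; esac   # missing or non-numeric => fail
  done
  [ "$1" -gt 0 ] && [ "$1" -le 1200 ] && [ "$2" -eq 1 ] && [ "$3" -le 5 ]
}

# Software Update: each of the five com.apple.SoftwareUpdate keys must read 1
check_softwareupdate() {  # $@ = key values, in the order listed in the check above
  [ $# -eq 5 ] || return 1
  for v in "$@"; do [ "$v" = "1" ] || return 1; done
}

# UAMDM: assumed command is `profiles status -type enrollment`; the line must read
# "MDM enrollment: Yes (User Approved)"; a bare "Yes" means approval is still pending
check_uamdm() {  # $1 = profiles status output
  printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes (User Approved)'
}

# Live wiring: macOS only; fdesetup and profiles need root.
run_live() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  su=/Library/Preferences/com.apple.SoftwareUpdate
  ss() { defaults -currentHost read com.apple.screensaver "$1" 2>/dev/null; }
  report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
  report check_firewall "$("$fw" --getglobalstate)" "$("$fw" --getstealthmode)"
  report check_filevault "$(fdesetup status)"
  report check_pwpolicy "$(pwpolicy -getaccountpolicies 2>/dev/null | tail +2 | \
    xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword")])' -)"
  report check_screensaver "$(ss idleTime)" "$(ss askForPassword)" "$(ss askForPasswordDelay)"
  report check_softwareupdate \
    "$(defaults read "$su" AutomaticCheckEnabled 2>/dev/null)" \
    "$(defaults read "$su" AutomaticDownload 2>/dev/null)" \
    "$(defaults read "$su" CriticalUpdateInstall 2>/dev/null)" \
    "$(defaults read "$su" ConfigDataInstall 2>/dev/null)" \
    "$(defaults read "$su" AutomaticallyInstallMacOSUpdates 2>/dev/null)"
  report check_uamdm "$(profiles status -type enrollment)"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Under MDM enforcement the managed values may live in the managed preferences domain rather than the user's `defaults` domain, so treat a FAIL from check_screensaver or check_softwareupdate on a managed Mac as a prompt to inspect the installed profile before concluding the control is absent.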
Compliance Gap Analysis
At the time of this session, no MDM policies of any kind were installed on any macOS device in the fleet. The following table summarizes the compliance posture against each CIS L1 profile for each in-scope device.
| Profile | Mac mini (26.5) | MacBook Air (15.7.5) | Auto-remediate |
|---|---|---|---|
| Firewall | Failing | Failing | Safe |
| FileVault | Failing (presumed) | Skip — OS outdated | Verify UAMDM first |
| Password Policy | Failing | Failing | Notify users first |
| Screen Saver & Lock | Failing | Failing | Safe |
| Login Window & Sharing | Failing | Failing | Safe (verify no active screen share) |
| Software Update | Failing | Failing | Safe |
Phase 1 (immediate): Deploy Firewall, Screen Saver & Lock, Login Window & Sharing, and Software Update profiles to the Mac mini. These four are safe to deploy with no user impact.
Phase 2 (after user notice): Deploy Password Policy to both Macs after notifying users and confirming admin recovery paths.
Phase 3 (after UAMDM verification): Verify UAMDM status on the Mac mini, then deploy the FileVault profile.
Pre-condition for MacBook Air: Update macOS from 15.7.5 to 26.x before deploying any profiles to this device.
Baseline Upgrade: CIS Level 1 → NIST 800-53r5 Moderate
The following analysis documents the rule-level changes required to migrate from the CIS Apple macOS 26.0 Tahoe v1.0.0 Level 1 baseline to the NIST SP 800-53 Rev 5 Moderate baseline, as defined in the mSCP 800-53r5_moderate.yaml file.
Key Net-New Rules (800-53r5 Moderate Only)
| Rule | Controls | Category | ODV Note |
|---|---|---|---|
| audit_flags_aa_configure, audit_flags_lo_configure, audit_flags_ex_configure (+4 more audit_flags_*) | AU-2, AU-12 | Audit flags | No ODV — binary on/off |
| os_ssh_fips_140_ciphers | SC-13, SC-8 | Cryptography | Must enumerate FIPS-approved cipher list |
| os_ssh_fips_140_macs | SC-13, SC-8 | Cryptography | Must enumerate FIPS-approved MAC algorithms |
| os_ssh_server_alive_interval_configure | SC-10 | SSH timeout | Recommended: 900 (15 minutes) |
| os_ssh_server_alive_count_max_configure | SC-10 | SSH timeout | Recommended: 0 |
| os_implement_cryptography | SC-13 | Cryptography | No ODV — enforces FIPS-validated crypto |
| os_bonjour_disable | CM-7 | Services | No ODV |
| os_tftpd_disable | CM-7 | Services | No ODV |
| os_efi_integrity_validated | SI-7 | Integrity | No ODV — EFI check |
| audit_failure_halt_system_configure | AU-5 | Auditing | No ODV — halt on audit failure |
Rules Requiring ODV Value Changes
| Rule | CIS L1 Value | 800-53r5 Moderate ODV | Impact |
|---|---|---|---|
| pwpolicy_account_lockout_enforce | 5 attempts | 3 attempts | Stricter — higher user lockout risk |
| pwpolicy_max_lifetime_enforce | 365 days | 60 days | Significantly stricter — more frequent password changes |
| pwpolicy_history_enforce | 15 passwords | 5 passwords | Less restrictive |
| pwpolicy_minimum_length_enforce | 15 chars | 14 chars | Functionally equivalent |
| system_settings_screensaver_timeout_enforce | 20 min | 15 min | Tighter lock timeout |
| os_sudo_timeout_configure | 5 min | 0 (always prompt) | Users must enter password for every sudo invocation |
| system_settings_time_server_configure | time.apple.com | Org-approved NTP (e.g. time.nist.gov) | Requires org customization |
| system_settings_loginwindow_loginwindowtext_enable | Generic banner | AO-approved org-specific banner | Legal review required |
| os_software_update_deferral | N/A (CIS L1) | 30 days (non-security) | New rule — set deferral window |
| audit_retention_configure | 7 days | Org-defined (90+ days for FedRAMP) | Must match org retention policy |
CIS-Only Rules Not in 800-53r5 Moderate
These rules exist in cis_lvl1.yaml but have no corresponding tag in 800-53r5_moderate.yaml. They can be retained for defense-in-depth but are not required for Moderate compliance. Notable examples include all Safari privacy controls (os_safari_*), Siri and dictation controls (system_settings_siri_disable, os_on_device_dictation_enforce), Apple Intelligence controls (system_settings_external_intelligence_*), and CIS-specific manual checks (supplemental_cis_manual).
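The three-way comparison above (net-new rules, CIS-only rules, and ODV changes) can be reproduced with POSIX tools. The script below is an added example, not part of the mSCP project; it assumes the mSCP baseline layout (a profile list of sections, each with a rules list of rule ids) and per-baseline values under each rule's odv: block, and uses constructed YAML fragments in place of the real files.

```shell
#!/bin/sh
# Added example, not mSCP project code: reproduce the rule-level baseline diff above
# with POSIX tools. It assumes the mSCP baseline layout (a "profile:" list of sections,
# each with a "rules:" list of rule ids) and rule files whose "odv:" block carries one
# value per baseline name. The YAML below is a constructed sample, not the real files.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

cat > "$work/cis_lvl1.yaml" <<'EOF'
title: "CIS Level 1 (constructed sample)"
profile:
  - section: "system_settings"
    rules:
      - system_settings_firewall_enable
      - system_settings_filevault_enforce
      - system_settings_siri_disable
  - section: "password_policy"
    rules:
      - pwpolicy_account_lockout_enforce
EOF
cat > "$work/800-53r5_moderate.yaml" <<'EOF'
title: "800-53r5 Moderate (constructed sample)"
profile:
  - section: "auditing"
    rules:
      - audit_flags_aa_configure
  - section: "system_settings"
    rules:
      - system_settings_firewall_enable
      - system_settings_filevault_enforce
  - section: "password_policy"
    rules:
      - pwpolicy_account_lockout_enforce
      - os_ssh_fips_140_ciphers
EOF
cat > "$work/pwpolicy_account_lockout_enforce.yaml" <<'EOF'
id: pwpolicy_account_lockout_enforce
odv:
  hint: "Failed attempts before lockout."
  recommended: 3
  cis_lvl1: 5
  800-53r5_moderate: 3
EOF

# Rule ids are the bare "- <id>" items; "- section: ..." lines carry a colon and never match.
rules_of() { sed -n 's/^[[:space:]]*- \([a-z0-9_]*\)$/\1/p' "$1" | sort -u; }

# $1 = comm flag: -13 = target-only (net-new), -23 = source-only, -12 = shared
rule_diff() {
  rules_of "$2" > "$work/src.txt"; rules_of "$3" > "$work/dst.txt"
  comm "$1" "$work/src.txt" "$work/dst.txt"
}

# Value that a rule's odv: block assigns to one baseline name ($2), e.g. cis_lvl1
odv_for() { sed -n "/^odv:/,/^[^ ]/s/^[[:space:]]*$2:[[:space:]]*//p" "$1"; }

# Print "<rule>: <src value> -> <dst value>" when the two baselines disagree
odv_change() {
  a=$(odv_for "$1" "$2"); b=$(odv_for "$1" "$3")
  [ "$a" != "$b" ] || return 1
  printf '%s: %s -> %s\n' "$(basename "$1" .yaml)" "$a" "$b"
}

cis="$work/cis_lvl1.yaml"; mod="$work/800-53r5_moderate.yaml"
echo "Net-new in 800-53r5 Moderate:"; rule_diff -13 "$cis" "$mod"
echo "CIS-only (not required for Moderate):"; rule_diff -23 "$cis" "$mod"
echo "ODV changes:"; odv_change "$work/pwpolicy_account_lockout_enforce.yaml" cis_lvl1 800-53r5_moderate
```

Pointed at a checkout of the mSCP repository, the same functions take `baselines/cis_lvl1.yaml`, `baselines/800-53r5_moderate.yaml` and the files under `rules/` instead of the constructed samples.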
Manual Effort Comparison
The following table estimates the time a skilled macOS administrator — with working knowledge of the mSCP framework, Apple MDM protocol reference, and the Smplify console — would require to replicate this session's output manually.
| Task | Manual Estimate | Complexity |
|---|---|---|
| Fleet inventory and risk assessment | 3–4 hours | High |
| mSCP CIS L1 baseline fetch and interpretation | 1–2 hours | Medium |
| Build and tag 6 MDM profiles in Smplify | 4–6 hours | High |
| UAMDM prerequisite identification | 30–60 minutes | Low |
| Compliance gap and disruption analysis | 3–4 hours | High |
| CIS L1 → 800-53r5 Moderate baseline diff with ODV | 6–8 hours | High |
| Total | 17–25 hours (2–3 days) | — |
Note: Manual estimate assumes an experienced administrator already familiar with mSCP, Apple MDM payloads, and Smplify. For administrators newer to any of these three areas, the estimate extends to 5–7 days. The baseline diff task (the Baseline Upgrade section above) is typically scoped as a multi-day engagement for a dedicated compliance consultant.
References
1. NIST macOS Security Compliance Project (mSCP). https://github.com/usnistgov/macos_security. Joint project of NIST, NASA, DISA, and LANL; the technical implementation of NIST SP 800-219 Rev. 1.
2. CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark. https://www.cisecurity.org/benchmark/apple_os_x. mSCP baseline: baselines/cis_lvl1.yaml.
3. NIST SP 800-53 Rev 5 — Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final. mSCP baseline: baselines/800-53r5_moderate.yaml.
4. NIST SP 800-219 Rev 1 — Automated Secure Configuration Guidance from the mSCP. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-219r1.pdf.
5. Apple Mobile Device Management Protocol Reference. https://developer.apple.com/documentation/devicemanagement. Authoritative reference for all MDM payload identifiers and keys used in this report.
6. Apple Platform Security Guide. https://support.apple.com/guide/security/welcome/web. Technical documentation on FileVault, Secure Enclave, Gatekeeper, System Integrity Protection, and related controls referenced in this report.
7. User Approved MDM — Apple Platform Deployment. https://support.apple.com/guide/deployment/. Documentation on UAMDM enrollment requirements and verification for macOS managed devices.
8. NIST SP 800-111 — Guide to Storage Encryption Technologies for End User Devices. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf. Supporting reference for FileVault full-disk encryption controls (SC-28).
9. mSCP Pages — Interactive Guidance Documentation. https://pages.nist.gov/macos_security. Human-readable guidance documents generated from the mSCP rule library, including HTML and PDF exports for all supported baselines.
Generated: May 20, 2026 · Baseline: CIS Apple macOS 26.0 Tahoe v1.0.0 Level 1 · mSCP Branch: dev_2.0 · Platform: macOS 26.0 Tahoe
Status: DEMONSTRATION SESSION — Not for production certification or regulatory audit use.