This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The macOS system must disable Bluetooth when no approved device is connected.

STIG ID: APPL-15-002062 | SRG: SRG-OS-000423-GPOS-00187 | Severity: high (CAT I) | CCI: CCI-002418 | Vulnerability Id: V-268509

Vulnerability Discussion

The macOS system must be configured to disable Bluetooth unless an approved device is connected.

IMPORTANT: Information system security officers (ISSOs) may make the risk-based decision not to disable Bluetooth to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.

Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000481-GPOS-00481

Check

Verify the macOS system is configured to disable Bluetooth with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
.objectForKey('DisableBluetooth').js
EOS

If the result is not "true", this is a finding.

Fix

Configure the macOS system to disable Bluetooth by installing the "com.apple.MCXBluetooth" configuration profile.