Repurpose policies 17560 (#17743)

Same as #17560
fleetdm · Mar 22, 2024 · 39f0fd2 · 39f0fd2
1 parent 6f93894
commit 39f0fd2
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 10 deletions.
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
@@ -2110,10 +2110,7 @@ spec:
         3. Select the i next to the Guest User
         4. Verify that Allow guests to log in to this computer is disable
   query: |
-    SELECT 1 WHERE
-    EXISTS(SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0)
-    OR
-    EXISTS(select 1 FROM plist WHERE path='/Library/Preferences/com.apple.MCX.plist' AND key='DisableGuestAccount' AND value = 1);
+    SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
   purpose: Informational
   tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.12.1
   contributors: sharon-fdm

diff --git a/ee/cis/macos-14/cis-policy-queries.yml b/ee/cis/macos-14/cis-policy-queries.yml
@@ -2110,10 +2110,7 @@ spec:
         3. Select the i next to the Guest User
         4. Verify that Allow guests to log in to this computer is disable
   query: |
-    SELECT 1 WHERE
-    EXISTS(SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0)
-    OR
-    EXISTS(select 1 FROM plist WHERE path='/Library/Preferences/com.apple.MCX.plist' AND key='DisableGuestAccount' AND value = 1);
+    SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
   purpose: Informational
   tags: compliance, CIS, CIS_Level1
   contributors: sharon-fdm

diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
@@ -11,7 +11,7 @@
   resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
   platform: darwin
 - name: macOS - Disable guest account
-  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1;
+  query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
   critical: false
   description: This policy checks if the guest account is disabled.
   resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
@@ -52,4 +52,4 @@
   critical: false
   description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
   resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
-  platform: darwin
+  platform: darwin