macOS 15 - Sequoia
The macOS system must disable AppleID and internet Account Modification
Description
The system must disable Account Modification. Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contacts in the Internet Account System Setting Pane or the AppleID System Setting Pane.This prevents the addition of unauthorized accounts.[IMPORTANT]====Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information system security officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.====
Check
Verify the macOS system is configured to disable account modification with the following command:/usr/bin/osascript -l JavaScript << EOS$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\.objectForKey('allowAccountModification').jsEOSIf the result is not "false", this is a finding.
Fix
Configure the macOS system to disable Account Modification by installing the "com.apple.applicationaccess" configuration profile.