diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 461df3e71..47060a056 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -103,6 +103,66 @@ spec:
---
apiVersion: v1
kind: policy
+spec:
+ name: CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
+ One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
+ This query will check for the existance of the policy not its value (That should be set per organization's decision)
+ resolution: |
+ The administrator should configure this via MDM profile.
+ Create or edit a configuration profile with the following information:
+ 1. The PayloadType string is com.apple.applicationaccess.
+ 2. The key to include is allowCloudDocumentSync.
+ 3. The key must be set to .
+ query: |
+ SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess'
+ AND
+ name='allowCloudDocumentSync'
+ AND (value = '1' OR value = 'true')
+ );
+ /*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
+ Depending on your organization's decision, you can delete this policy or its counterpart.*/
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.2-disabled, decision-needed
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
+ One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
+ This query will check for the existance of the policy not its value (That should be set per organization's decision)
+ resolution: |
+ The administrator should configure this via MDM profile.
+ Create or edit a configuration profile with the following information:
+ 1. The PayloadType string is com.apple.applicationaccess.
+ 2. The key to include is allowCloudDocumentSync.
+ 3. The key must be set to .
+ query: |
+ SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess'
+ AND
+ name='allowCloudDocumentSync'
+ AND (value = '0' OR value = 'false')
+ );
+ /*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
+ Depending on your organization's decision, you can delete this policy or its counterpart.*/
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.2-enabled, decision-needed
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
spec:
name: CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)
platforms: macOS
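Review bot: Both new queries (L24-L30 and L54-L60) are satisfied on a host where allowCloudDocumentSync is not managed at all, because `NOT EXISTS` over a value filter is true whenever no matching row exists, so a Mac with no MDM profile will be reported as passing the "disabled" policy and the "enabled" policy alike, which seems at odds with the `(MDM Required)` titles and with the description sentence "This query will check for the existance of the policy not its value" (the query does compare `value`, and "existance" is misspelled). If the intent is that the profile must be present with the chosen value, the disabled policy would read `SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowCloudDocumentSync' AND (value = '0' OR value = 'false') LIMIT 1;` with the mirrored `'1'`/`'true'` form in the enabled policy, and the description sentence should state that the key must be present with that value. Resolution step 3 in both policies (`The key must be set to .`) has no value after "set to" — this may be an extraction artifact, but it is worth confirming the committed file shows the true/false value. The trailing context line belongs to the iCloud Keychain policy, whose body continues outside the hunk.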
diff --git a/ee/cis/macos-13/test/profiles/2.1.1.2-disable.mobileconfig b/ee/cis/macos-13/test/profiles/2.1.1.2-disable.mobileconfig
new file mode 100644
index 000000000..f701b8fa7
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/2.1.1.2-disable.mobileconfig
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.applicationaccess
+ PayloadIdentifier
+ com.fleetdm.cis-2.1.1.2.check-disable
+ PayloadUUID
+ 1028E002-9AFE-446A-84E0-27DA5DA39B4A
+ allowCloudDocumentSync
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Disable iCloud Drive storage solution usage
+ PayloadIdentifier
+ com.fleetdm.cis-2.1.1.2-disable
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 7B3DE4EA-0AFA-44F5-9716-37526EE441EA
+ PayloadVersion
+ 1
+
+
diff --git a/ee/cis/macos-13/test/profiles/2.1.1.2-enable.mobileconfig b/ee/cis/macos-13/test/profiles/2.1.1.2-enable.mobileconfig
new file mode 100644
index 000000000..50d8788d7
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/2.1.1.2-enable.mobileconfig
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.applicationaccess
+ PayloadIdentifier
+ com.fleetdm.cis-2.1.1.2.check-enable
+ PayloadUUID
+ 8618AA0E-B6AC-4D1C-AE01-C46956EC1926
+ allowCloudDocumentSync
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Enable iCloud Drive storage solution usage
+ PayloadIdentifier
+ com.fleetdm.cis-2.1.1.2-enable
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 2C2FC587-14E8-4A52-98B5-30BA1C975BBA
+ PayloadVersion
+ 1
+
+