usnistgov · grahampugh · Nov 18, 2025
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
@@ -14,21 +14,19 @@ discussion: |
   ====
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('familyControlsEnabled'))
-    let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('pathBlackList').js
-    for ( let app in pathlist ) {
-        if ( ObjC.unwrap(pathlist[app]) == "/Applications/Calendar.app" && pref1 == true ){
-            return("true")
-        }
-    }
-    return("false")
-    }
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('familyControlsEnabled'))
+  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('pathBlackList').js
+  for ( let app in pathlist ) {
+      if ( ObjC.unwrap(pathlist[app]) == "/Applications/Calendar.app" && pref1 == true ){
+          "true"
+      }
+  }
+  "false"
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -62,7 +60,7 @@ references:
     - CM.L2-3.4.6
     - CM.L2-3.4.7
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - cnssi-1253_low
   - cnssi-1253_high

diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
@@ -11,21 +11,19 @@ discussion: |
   ====
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('familyControlsEnabled'))
-    let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('pathBlackList').js
-    for ( let app in pathlist ) {
-        if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){
-            return("true")
-        }
-    }
-    return("false")
-    }
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('familyControlsEnabled'))
+  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('pathBlackList').js
+  for ( let app in pathlist ) {
+      if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){
+          "true"
+      }
+  }
+  "false"
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -59,7 +57,7 @@ references:
     - CM.L2-3.4.6
     - CM.L2-3.4.7
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - cnssi-1253_low
   - cnssi-1253_high

diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
@@ -16,21 +16,19 @@ discussion: |
   ====
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('familyControlsEnabled'))
-    let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('pathBlackList').js
-    for ( let app in pathlist ) {
-        if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){
-            return("true")
-        }
-    }
-    return("false")
-    }
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('familyControlsEnabled'))
+  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('pathBlackList').js
+  for ( let app in pathlist ) {
+      if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){
+          "true"
+      }
+  }
+  "false"
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -64,7 +62,7 @@ references:
     - CM.L2-3.4.6
     - CM.L2-3.4.7
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - cnssi-1253_low
   - cnssi-1253_high

diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
@@ -11,21 +11,19 @@ discussion: |
   ====
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('familyControlsEnabled'))
-    let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('pathBlackList').js
-    for ( let app in pathlist ) {
-        if ( ObjC.unwrap(pathlist[app]) == "/Applications/Messages.app" && pref1 == true ){
-            return("true")
-        }
-    }
-    return("false")
-    }
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('familyControlsEnabled'))
+  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('pathBlackList').js
+  for ( let app in pathlist ) {
+      if ( ObjC.unwrap(pathlist[app]) == "/Applications/Messages.app" && pref1 == true ){
+          "true"
+      }
+  }
+  "false"
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -59,7 +57,7 @@ references:
     - CM.L2-3.4.6
     - CM.L2-3.4.7
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - cnssi-1253_low
   - cnssi-1253_high

diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -6,18 +6,16 @@ discussion: |
   This rule ensures that a full session lock is triggered within no more than $ODV seconds of inactivity.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+  let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
   .objectForKey('loginWindowIdleTime'))
-    if ( timeout <= $ODV ) {
-      return("true")
-    } else {
-      return("false")
-    }
+  if ( timeout <= $ODV ) {
+      "true"
+  } else {
+      "false"
   }
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -39,7 +37,7 @@ references:
     controls v8:
       - 4.3
 macOS:
-  - '26.0'
+  - "26.0"
 odv:
   hint: Number of seconds.
   recommended: 1200

diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
@@ -4,18 +4,16 @@ discussion: |
   Software updates _MUST_ be deferred for $ODV days or less.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
   .objectForKey('enforcedSoftwareUpdateDelay')) || 0
-    if ( timeout <= $ODV ) {
-      return("true")
-    } else {
-      return("false")
-    }
+  if ( timeout <= $ODV ) {
+      "true"
+  } else {
+      "false"
   }
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -40,7 +38,7 @@ references:
       - 7.3
       - 7.4
 macOS:
-  - '26.0'
+  - "26.0"
 odv:
   hint: Number of days.
   recommended: 30

diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml
@@ -11,21 +11,19 @@ discussion: |
   ====
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('familyControlsEnabled'))
-    let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
-    .objectForKey('pathBlackList').js
-    for ( let app in pathlist ) {
-        if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){
-            return("true")
-        }
-    }
-    return("false")
-    }
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('familyControlsEnabled'))
+  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+  .objectForKey('pathBlackList').js
+  for ( let app in pathlist ) {
+      if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){
+          "true"
+      }
+  }
+  "false"
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -45,7 +43,7 @@ references:
   cmmc:
     - CM.L2-3.4.9
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - cnssi-1253_low
   - cnssi-1253_high

diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
@@ -6,20 +6,18 @@ discussion: |
   The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
   let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\
   .objectForKey('AutoSubmit').js
   let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
   .objectForKey('allowDiagnosticSubmission').js
   if ( pref1 == false && pref2 == false ){
-      return("true")
+      "true"
   } else {
-      return("false")
-  }
+      "false"
   }
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -52,7 +50,7 @@ references:
   cmmc:
     - AC.L1-3.1.20
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - 800-53r5_low
   - 800-53r4_low

diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml
@@ -8,22 +8,20 @@ discussion: |
   Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
   .objectForKey('allowFindMyDevice'))
-    let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
   .objectForKey('allowFindMyFriends'))
-    let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
+  let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
   .objectForKey('DisableFMMiCloudSetting'))
-    if ( pref1 == false && pref2 == false && pref3 == true ) {
-      return("true")
-    } else {
-      return("false")
-    }
+  if ( pref1 == false && pref2 == false && pref3 == true ) {
+      "true"
+  } else {
+      "false"
   }
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -58,7 +56,7 @@ references:
     - CM.L2-3.4.6
     - CM.L2-3.4.7
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - 800-53r5_low
   - 800-53r5_moderate

diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -6,20 +6,18 @@ discussion: |
   Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  function run() {
-    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
   .objectForKey('AllowIdentifiedDevelopers'))
-    let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
   .objectForKey('EnableAssessment'))
-    if ( pref1 == true && pref2 == true ) {
-      return("true")
-    } else {
-      return("false")
-    }
+  if ( pref1 == true && pref2 == true ) {
+      "true"
+  } else {
+      "false"
   }
   EOS
 result:
-  string: 'true'
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:
@@ -47,7 +45,7 @@ references:
   cmmc:
     - CM.L2-3.4.5
 macOS:
-  - '26.0'
+  - "26.0"
 tags:
   - 800-53r5_low
   - 800-53r5_moderate