cis-for-macos-catalina-cp's People

Contributors

big-rat, erinmc, julienvs

cis-for-macos-catalina-cp's Issues

Big Sur fail

Not really an issue with this version which is working fine on Catalina but it does have big fails on Big Sur.

I'm getting run times of over 12 hours, most about 18.

Any plans to update this for Big Sur?

CIS BenchMark for Monterey

I have some confusion regarding this CIS script.

Question #1: Can I use one rather than the other, i.e. either REMEDIATED USING CONFIGURATION PROFILES or Script remediation with policy? Or do I have to use both?

Question #2: Getting syntax error for Python command not found for following command

currentUser="$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"

Question #3: I am confused about the 2_Security_Audit_Compliance.sh script, and that will impact the others as well. So please let me know how I can perform that. Another thing: for those remediations which I will remediate via profile, do I need to make those organizational values true or false? Like:

2.1.1 Turn off Bluetooth, if no paired devices exist: this one I applied with a custom profile, so do I need to set this value to true or false?

OrgScore2_1_1="false".

Question #3: When I deployed the custom settings profile, the .plist is not updating, but it shows as applied.
Example: 2.10 Enable Secure Keyboard Entry in terminal.app and iTerm 2

Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true

I used the configuration profile and it is showing Secure Keyboard Entry checked when I look from the Apple menu, but that did not change in /Users/pcmwksadm/Library/Preferences/com.apple.Terminal.plist key value SecureKeyboardEntry True.

Benchmark Mismatch

I have noticed that the Jamf scripts have the wrong benchmarks in some cases.

EXAMPLE:
Within the 1_Set_Organization_Priorities.sh script, the following is stated:

## 2.5.6 Enable Location Services (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.

## 2.5.7 Monitor Location Services Access (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.

This does not align with the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf from CIS Workbench.

According to the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document,

  • 2.5.6 is as follows: 2.5.6 Limit Ad tracking and personalized Ads (Automated)
  • 2.5.7 is as follows: 2.5.7 Camera Privacy and Confidentiality Concerns (Manual)

According to the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document, Location services are 2.5.3 and 2.5.4.

The 1_Set_Organization_Priorities.sh script shows 2.5.3 and 2.5.4 as follows:

# 2.5.3 Enable Firewall 
# Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked)
OrgScore2_5_3="true"
# OrgScore2_5_3="false"

# 2.5.4 Enable Firewall Stealth Mode 
# Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked)
OrgScore2_5_4="true"
# OrgScore2_5_4="false"

The CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document shows firewall as follows:

  • 2.5.2.2 Enable Firewall (Automated), page 97
  • 2.5.2.3 Enable Firewall Stealth Mode (Automated), page 102

To date, these are the only discrepancies I have found. There may be others.

As of the current CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document, the Jamf Scripts for CIS do not align.

Big Sur CIS

When will Jamf come out with the CIS for macOS Big Sur?

ENHANCEMENT REQUEST: Use absolute path for `systemsetup` binary

In the remediation script, if 2.4.1 (Remote Apple Events) is enabled, the remediation fails since the absolute path is not used.

Script result: setremoteappleevents: Turning Remote AppleEvents on or off requires Full Disk Access privileges.

Updating the script to use /usr/sbin/systemsetup -setremoteappleevents off resolves that issue.

Jamf PPPC profile is installed.

Audit Script 2 errors

For 2.6.4 in audit script - the audit for 2.6.4 is incorrect when calling out the audit and plistlocation - it's a typo - 2_7_4
Audit2_7_4="$(defaults read "$plistlocation" OrgScore2_7_4)"

For 2.5.1.2 in audit script - the audit for 2.5.1.2 is incorrect when calling out the plistlocation - it's a typo - 2_6_1_2
Audit2_5_1_2="$(defaults read "$plistlocation" OrgScore2_6_1_2)"
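
A check for this class of typo, as an added example that is not part of the original issue or the Jamf scripts: it compares the Audit variable and the OrgScore key on each audit line with the control number of the section the line sits in. It assumes each section begins with a "# 2.6.4 Title" style comment; the section titles in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the Jamf scripts): flag audit lines whose Audit
# variable or OrgScore key does not match the control number of the section
# they sit in. Assumes each section starts with a "# 2.6.4 Title" comment.

lint_audit_keys() {
    # $1: path to the audit script to check
    awk '
        # Section header: remember its number with dots turned into underscores.
        /^#+ *[0-9]+(\.[0-9]+)+ / {
            section = $0
            sub(/^#+ */, "", section)
            sub(/ .*/, "", section)
            gsub(/\./, "_", section)
            next
        }
        # Audit line: pull out both numeric suffixes and compare to the section.
        /^Audit[0-9_]+=.*OrgScore[0-9_]+/ {
            var = $0; sub(/^Audit/, "", var); sub(/=.*/, "", var)
            key = $0; sub(/.*OrgScore/, "", key); sub(/[^0-9_].*/, "", key)
            if (var != section || key != section)
                printf "line %d: section %s has Audit%s reading OrgScore%s\n", NR, section, var, key
        }
    ' "$1"
}

# Constructed sample: the two lines quoted in the issue plus one consistent
# line; the section titles are placeholders.
lint_demo() {
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
# 2.6.4 placeholder title
Audit2_7_4="$(defaults read "$plistlocation" OrgScore2_7_4)"
# 2.5.1.2 placeholder title
Audit2_5_1_2="$(defaults read "$plistlocation" OrgScore2_6_1_2)"
# 6.1.5 placeholder title
Audit6_1_5="$(defaults read "$plistlocation" OrgScore6_1_5)"
EOF
    lint_audit_keys "$sample"
    rm -f "$sample"
}

lint_demo
```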

6.1.5 Guest Home Folder Misdirection

The guest home folder is detected with:
ls /Users/ 2>&1 | grep -c Guest

This can result in misdetection if a local user account name contains "Guest". For example if you create user accounts with the name "Kiosk Guest Account" or "Guest Campus".

These are not Guest accounts in a strict sense. Therefore they should not be counted as a detection. To fix this, replace the line with
ls /Users/ 2>&1 | grep -cx Guest

This will ensure a whole line matching and solve the issue.
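
The two checks side by side, as an added example that is not part of the original issue or the Jamf scripts: a temporary directory stands in for /Users, and the account names in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the Jamf scripts. Account names are constructed.

# grep exits 1 when the count is 0, so "|| true" keeps a caller running
# under "set -e" from aborting on a clean system.
count_loose() { ls "$1" 2>&1 | grep -c Guest || true; }    # original check
count_exact() { ls "$1" 2>&1 | grep -cx Guest || true; }   # proposed fix

# Build a stand-in for /Users. $1 = "with" also creates a real Guest folder.
make_users_dir() {
    dir="$(mktemp -d)"
    mkdir "$dir/Kiosk Guest Account" "$dir/Guest Campus" "$dir/Shared" "$dir/alice"
    if [ "$1" = "with" ]; then mkdir "$dir/Guest"; fi
    echo "$dir"
}

# Print both counts for a system without and with a Guest home folder.
guest_demo() {
    for mode in without with; do
        d="$(make_users_dir "$mode")"
        echo "$mode Guest folder: loose=$(count_loose "$d") exact=$(count_exact "$d")"
        rm -rf "$d"
    done
}

guest_demo
```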

Pair does not exist

I ran the 1_Set_Organization_Priorities.sh and when I run the 2nd and 3rd files I get the following message
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore6_1_5) does not exist

the .plist file is there, what do I need to do different?

2.5.1.2 Remediation

In 2_Security_Audit_Compliance.sh:
When the script runs on our systems (which have encrypted APFS volumes) this check was failing even though the volumes were encrypted. I tracked the issue to line 528:

ENCRYPTION=$(echo "$APVOLINFO" | awk '/FileVault/ {print $3;exit}')

This is returning the value "(Unlocked)"

I changed the script to the following:
ENCRYPTION=$(echo "$APVOLINFO" | awk '/FileVault/ {print $2;exit}')

It now returns "Yes" and the check passes properly.
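
A label-based read of the same value, as an added example that is not part of the original issue or the Jamf scripts: it shows the two fixed-position reads quoted above next to a read that does not depend on field position. Both input layouts are constructed, and the assumption is that the contents of `$APVOLINFO` can place the FileVault key at different field positions.

```shell
#!/bin/sh
# Added example, not from the Jamf scripts. Both input layouts are
# constructed; real `diskutil apfs list` output may differ.

# Fixed-position reads, as in the two versions quoted in the issue.
fv_field3() { printf '%s\n' "$1" | awk '/FileVault/ {print $3; exit}'; }
fv_field2() { printf '%s\n' "$1" | awk '/FileVault/ {print $2; exit}'; }

# Position-independent read: split on the colon, then take the first word
# of the value, so leading tree characters or padding do not matter.
fv_by_label() {
    printf '%s\n' "$1" | awk -F: '/FileVault/ {split($2, v, " "); print v[1]; exit}'
}

# Constructed layouts: the key as the first field, and the key after a
# leading tree character.
PLAIN='FileVault:                 Yes (Unlocked)'
TREE='|   FileVault:                 Yes (Unlocked)'

fv_demo() {
    for layout in "$PLAIN" "$TREE"; do
        echo "input: $layout"
        echo "  \$3=$(fv_field3 "$layout") \$2=$(fv_field2 "$layout") by-label=$(fv_by_label "$layout")"
    done
}

fv_demo
```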
