The managed_policies table returns both "device level" settings and "user level" settings.
"Device level" settings have empty username. All macOS 13 CIS benchmarks require checking settings at the "device level" (aka "system-wide profiles"). So we should add a username = '' check on all 80+ macOS queries that use managed_policies.
This finding stems from the research here: #8119 (comment)
PS: Sample note from the CIS document:
Note: Since the profile method sets a system-wide setting and not a user-level one,
the profile method is the preferred method. It is always better to set system-wide than per user.
The
managed_policiestable returns both "device level" settings and "user level" settings."Device level" settings have empty
username. All macOS 13 CIS benchmarks require checking settings at the "device level" (aka "system-wide profiles"). So we should add ausername = ''check on all 80+ macOS queries that usemanaged_policies.This finding stems from the research here: #8119 (comment)
PS: Sample note from the CIS document: