What’s changed in the new CIS Benchmarks for Catalina and Mojave?

David Acland

As some of you may have spotted, CIS ( released new security benchmarks for Catalina and Mojave yesterday.

They can be downloaded for free here:

We’ve had a quick read through and thought it would be helpful to highlight the key changes in the Catalina document from the High Sierra version.

The names of each listed item below are taken directly from the CIS benchmark document.


1.3 – Enable Download new updates when available
2.4.10 – Disable Content Caching
2.4.11 – Disable Media Sharing
2.5.9 – Review Advertising settings


2.11 – Java 6 is not the default Java runtime
5.9 – Enable OCSP and CRL certificate checking
6.4 – Safari disable Internet Plugins for global use

A few other minor changes

3.2 – Configure Security Auditing Flags – This is no longer a scored item
5.10 – This has been expanded from “Ensure system is set to hibernate” to “Ensure system is set to hibernate and Destroy FileVault key”
Lots of the numbers have shuffled around, especially sections 2 and 5. These are just changes to the numbering, rather than the content


As you can see, although initially intimidating, there aren’t actually that many changes from High Sierra (macOS 10.13) to Catalina (macOS 10.15). If you’re already applying the CIS settings to your devices, you’ll only have a few things to add to bring yourself up to date.

If you want help implementing CIS for the Macs in your organisation, get in touch with the Moof team:

Contact Moof IT to discuss your Mac management needs

  • ISO_27001 logo
  • logo
  • Gcloud logo


1st Floor, 20 Noel street, London, W1f 8GW
Company Number: 11082827