Prepared for:
Apple
One Apple Park Way
Cupertino, CA 95014

Prepared by:
Intertek Acumen Security
2400 Research Blvd
Suite 395
Rockville, MD 20850

Revision History

Trademarks

Apple's trademarks applicable to this document are listed in https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html

Other company, product, and service names may be trademarks or service marks of others.

Introduction

This guide provides instructions to configure and operate Apple macOS 11 Big Sur: Contacts in the Common Criteria evaluated configuration.

Target of Evaluation

The evaluated application is the Apple macOS 11 Big Sur: Contacts application, hereafter referred to as "Contacts". Contacts is bundled with the Apple macOS 11 Big Sur operating system. Contacts provides access and management of user contact information. Contacts was evaluated on the following physical devices:

Contacts was tested on version 11.4 of Apple macOS 11 Big Sur.

Document Purpose and Scope

This document describes the installation and Common Criteria evaluation related usage of Apple macOS 11 Big Sur: Contacts on MacBook Air, MacBook Pro, Mac mini, iMac, iMac Pro, and Mac Pro devices. Contacts and the underlying platform must be configured as described in this document to satisfy the requirements of Protection Profile for Application Software, Version 1.3.

Installation/Update

Contacts is loaded by default on macOS 11 Big Sur. Contacts cannot be deleted.

Checking the Version

The version of Contacts can be verified using the following steps:

1. Open Contacts
2. Choose Contacts menu > About Contacts

An example of this version verification can be found in Figure 1. Note that the Version field indicates version 13.0.

Figure 1 - Contacts Version Verification: A screenshot of the macOS Contacts application's 'About Contacts' window, displaying 'Version 13.0 (2452.7)' and copyright information.

Software Identification

The software identity of Contacts can be verified by inspecting the Info.plist file in Contacts (i.e., Contacts.app/Content/Info.plist) and verifying the following:

• Bundle name: Contacts
• Bundle identifier: com.apple.AddressBook
• Short version string: 13.0

Installing Updates

Updates to Contacts are distributed with updates to macOS. Updates can be checked for and installed using the following steps:

1. Choose Apple menu > About This Mac
2. Click Software Update...
3. MacOS will display "Checking for updates..."
4. If any updates are available, macOS will list the updates and provide an Install Now or Upgrade Now option.

Reinstall macOS

You can use macOS Recovery, the built-in recovery system on your Mac, to reinstall macOS. macOS Recovery keeps your files and user settings intact when reinstalling.

1. Start up your computer in macOS Recovery:
   • On a Mac with Apple silicon: Choose Apple menu > Shut Down, press and hold the power button until "Loading startup options" appears, select Options, click Continue, then follow the onscreen instructions.
   • On an Intel-based Mac: Choose Apple menu > Restart, then immediately press and hold one of these key combinations, depending on what you want to do:
     • Install the latest version of macOS compatible with your computer: Option-Command-R.
     • Reinstall your computer's original version of macOS (including available updates): Option-Shift-Command-R.
     • Reinstall your current version of macOS: Command-R.
2. In the Recovery app window, select Reinstall for your macOS release, then click Continue.
3. Follow the onscreen instructions. In the pane where you select a volume, select your current macOS volume (in most cases, it's the only one available).

Enabling Data Encryption

Encryption of Contacts data in non-volatile memory is provided by FileVault. FileVault is the disk encryption solution provided by macOS. FileVault must be enabled using the following steps:

1. Open System Preferences
2. Navigate to Security & Privacy
3. Click Turn On FileVault... and follow the onscreen instructions.
4. The status will change to “FileVault is turned on for the disk..."

Figure 2 - Verification of FileVault: A screenshot of the macOS Security & Privacy settings showing the FileVault tab. It indicates 'FileVault secures the data on your disk by encrypting its contents automatically.' and displays 'FileVault is turned on for the disk "Macintosh HD - Data".' A warning about needing a password or recovery key is also visible.

Other Assumptions

The administrator of the underlying platform and application software must not be careless, willfully negligent, or hostile.

The user of the application software is not willfully negligent or hostile. The user also uses the software in compliance with the applied enterprise security policy.

Managing Accounts

Contacts stores contact information locally with no user intervention. Contacts can be configured to synchronize contact information with an Apple iCloud server or other server. All account management is performed by choosing Contacts menu > Preferences..., then clicking Accounts.

Figure 3: Accounts Preferences: A screenshot of the macOS Contacts application's Preferences window, showing the Accounts tab. The left pane lists 'iCloud' and 'CardDAV'. The right pane displays account information for iCloud, with options to 'Enable this account', set a Description, User Name, and Fetch settings.

Adding Accounts

Click the Add button [add] and follow the onscreen instructions. Secure communication using HTTPS/TLS are automatically configured (see Section 4.1 for additional details).

Note: Contacts automatically stores credentials in the login Keychain.

Deleting Accounts

Select the account you wish to delete and then click the Remove button [remove].

Enabling Accounts

Select the account you wish to enable or disable. Check "Enable this account" to enable the account or uncheck to disable the account. When an account is disabled, the contact information and account details are saved; however, Contacts does not synchronize with the server.

Secure Communications

TLS Configuration

Contacts supports secure communications with Apple servers or other user-configured servers via HTTPS/TLS. When communicating with Apple servers, Contacts leverages preconfigured reference identifiers. When connecting to non-Apple servers, the platform automatically creates the reference identifiers from the DNS name or IP address used to specify the server.

All configuration of TLS parameters is handled exclusively by the underlying platform (Apple macOS). No additional configuration is required to ensure proper usage.

Digital Certificates

Contacts leverages “Trusted” CA certificates that are preinstalled in the macOS Trust Store to verify the authenticity of server certificates. No configuration is necessary to facilitate the use of these certificates. Additional information regarding the default Trust Store can be found at https://support.apple.com/HT212140. Additional trust anchors may be added by performing the following steps:

1. Open Keychain Access
2. Select the Keychain you wish to add the trust anchor to:
   • The System Keychain applies to all users and can only be updated by an Administrator
   • The login Keychain only applies to the current user
3. Choose File > Import Items...
4. Select the CA certificate to add as a trust anchor and click Open
5. Select the imported certificate. Note: You may have to click “All Items” or “Certificates" to display the certificate
6. Choose File > Get Info
7. Expand the Trust section
8. Change the "Secure Sockets Layer (SSL)" selection to “Always Trust"
9. Close the window to save the change

Resource Usage

Contacts uses the following resources:

• Network Connectivity: This is required for Contacts to communicate with remote Apple servers or other user-configured servers.
• Camera: This is required for Contacts to associate a picture with contacts.
• Photo Library: This is required to access photos and associate them with contacts.
• Address Book: This is required for Contacts to operate as it is intended.

Acronyms