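# Structure is documented in "docs/collection-files.md"
os: macos
scripting:
  language: shellscript
  startCode: |-
    #!/usr/bin/env bash
    # {{ $homepage }} — v{{ $version }} — {{ $date }}
    # Re-run this script elevated if it was not started as root.
    if [ "$EUID" -ne 0 ]; then
      # Absolute path of this script so the elevated re-run resolves the same file.
      script_path=$([[ "$0" = /* ]] && echo "$0" || echo "$PWD/${0#./}")
      # Brace group, not a subshell: `exit 1` inside `( ... )` only left the
      # subshell, so a denied or failed sudo still fell through to `exit 0` and
      # reported success. A non-zero exit of the elevated run lands here as well.
      sudo "$script_path" || {
        echo 'Administrator privileges are required.'
        exit 1
      }
      exit 0
    fi
  endCode: |-
    echo 'Your privacy and security is now hardened 🎉💪'
    echo 'Press any key to exit.'
    read -n 1 -s
actions:
  - category: Privacy cleanup
    children:
      - category: Clear terminal history
        children:
          - name: Clear bash history
            recommend: standard
            # The interactive shell that launched this script may still hold its
            # history in memory and write it back to this file when it exits.
            code: rm -f ~/.bash_history
          - name: Clear zsh history
            recommend: standard
            # Same caveat as for bash: a running zsh may rewrite the file on exit.
            code: rm -f ~/.zsh_history
      - name: Clear CUPS printer job cache
        recommend: strict
        code: |-
          sudo rm -rfv /var/spool/cups/c0*
          sudo rm -rfv /var/spool/cups/tmp/*
          sudo rm -rfv /var/spool/cups/cache/job.cache*
      - name: Empty trash on all volumes
        recommend: strict
        # Irreversible: this bypasses the Finder trash, nothing can be "put back".
        code: |-
          # on all mounted volumes
          sudo rm -rfv /Volumes/*/.Trashes/* &>/dev/null
          # on main HDD
          sudo rm -rfv ~/.Trash/* &>/dev/null
      - name: Clear system cache
        recommend: strict
        # /System sits on the SIP-protected, read-only system volume on current macOS,
        # so the second line is expected to fail; `&>/dev/null` hides that failure.
        code: |-
          sudo rm -rfv /Library/Caches/* &>/dev/null
          sudo rm -rfv /System/Library/Caches/* &>/dev/null
          sudo rm -rfv ~/Library/Caches/* &>/dev/null
      - category: Clear operating system logs
        recommend: strict
        # Security note: these logs are the local evidence an incident responder
        # relies on. Clearing them is irreversible and destroys the trail of any
        # past compromise of this machine; copy anything you may need first.
        children:
          - category: Clear unified diagnostic logs
            docs: https://developer.apple.com/documentation/os/logging
            children:
              - name: Clear diagnostics logs
                docs: https://eclecticlight.co/2017/10/10/inside-the-macos-log-logd-and-the-files-that-it-manages/
                # /var is a symlink to /private/var on macOS; both lines target the same directory.
                code: |-
                  sudo rm -rfv /private/var/db/diagnostics/*
                  sudo rm -rfv /var/db/diagnostics/*
              - name: Clear shared cache strings data
                docs:
                  - https://eclecticlight.co/2017/09/23/sierras-unified-log-evolves-more-persistent-and-a-valuable-log-log/
                  - https://github.com/privacysexy-forks/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc
                # Unlike the entry above (`.../*`), the trailing slash without a glob removes
                # the uuidtext directory itself, not only its contents.
                code: |-
                  sudo rm -rfv /private/var/db/uuidtext/
                  sudo rm -rfv /var/db/uuidtext/
          - category: Clear system logs
            children:
              - name: Clear Apple System Logs (ASL)
                docs:
                  - https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
                  - https://apple.stackexchange.com/questions/98197/is-it-safe-to-delete-system-logs
                code: |-
                  sudo rm -rfv /private/var/log/asl/*
                  sudo rm -rfv /var/log/asl/*
                  sudo rm -fv /var/log/asl.log
                  # Legacy ASL (10.4)
                  sudo rm -fv /var/log/asl.db
              - name: Clear install logs
                docs: https://discussions.apple.com/thread/1829842
                code: sudo rm -fv /var/log/install.log
              - name: Clear all system logs in `/var/log/` directory
                docs: https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/
                # `-r` also removes the subdirectories under /var/log (e.g. `asl`, whose
                # contents the ASL entry above clears). Daemons that hold a log file open
                # keep writing to the unlinked file until they are restarted.
                code: sudo rm -rfv /var/log/* # Clears including /var/log/system.log
              - name: Clear system application logs
                docs: https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
                code: sudo rm -rfv /Library/Logs/*
              - name: Clear Mail logs
                code: rm -rfv ~/Library/Containers/com.apple.mail/Data/Library/Logs/Mail/*
              - name: Clear user activity audit logs (login, logout, authentication, etc.)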
                docs:
                  - https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
                  - https://web.archive.org/web/20240314054514/https://bpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2016/06/psumac2016-19-osxlogs_macadmins_2016.pdf
                # Security note: this wipes the audit trail (logins, authentication, etc.)
                # that incident response depends on. If auditing is enabled, the audit daemon
                # is expected to keep writing to / recreate its active trail file, so the
                # directory repopulates. Export the trail first if you may need it as evidence.
                code: |-
                  sudo rm -rfv /var/audit/*
                  sudo rm -rfv /private/var/audit/*
              - name: Clear user report logs
                docs:
                  - https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/
                  - https://apple.stackexchange.com/questions/272929/is-it-safe-to-delete-the-content-of-library-logs
                code: sudo rm -rfv ~/Library/Logs/*
              - name: Clear daily logs
                docs: https://salt4n6.com/2018/12/11/mac-os-daily-logs/
                # NOTE(review): this targets the launchd plists that *schedule* the periodic
                # maintenance jobs, not the log output they produce, and on a SIP-protected
                # system the deletion is expected to fail. Confirm the intended target.
                code: sudo rm -fv /System/Library/LaunchDaemons/com.apple.periodic-*.plist
              - name: Clear receipt logs for installed packages/apps
                docs:
                  - https://apple.stackexchange.com/questions/327174/whats-the-purpose-of-directory-private-var-db-receipts
                  - https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
                # Receipts are the Installer's record of which packages are installed and
                # which files they own. Without them packages can no longer be enumerated or
                # uninstalled from that record, and updaters may treat installed software as absent.
                code: |-
                  sudo rm -rfv /var/db/receipts/*
                  sudo rm -vf /Library/Receipts/InstallHistory.plist
      - category: Clear browser history
        children:
          - category: Clear Chrome history
            children:
              - name: Clear Chrome browsing history
                # Only the `Default` profile is handled; additional Chrome profiles
                # (presumably sibling `Profile N` directories) are left untouched.
                code: |-
                  rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History &>/dev/null
                  rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History-journal &>/dev/null
              - name: Clear Chrome cache
                # `sudo` is redundant for a path under the user's home; the whole script
                # already runs elevated after startCode.
                code: sudo rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/Application\ Cache/* &>/dev/null
          - category: Clear Safari history
            children:
              - name: Clear Safari browsing history
                docs:
                  - https://discussions.apple.com/thread/7586106?answerId=30314600022#30314600022
                  - https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
                # NOTE(review): these are the pre-sandbox locations; recent Safari versions keep
                # their data inside the app container under ~/Library/Containers — verify on the
                # target macOS version before relying on this entry.
                code: |-
                  rm -f ~/Library/Safari/History.db
                  rm -f ~/Library/Safari/History.db-lock
                  rm -f ~/Library/Safari/History.db-shm
                  rm -f ~/Library/Safari/History.db-wal
                  # For older versions of Safari
                  rm -f ~/Library/Safari/History.plist # URL, visit count, webpage
title, last visited timestamp, redirected URL, autocomplete rm -f ~/Library/Safari/HistoryIndex.sk # History index - name: Clear Safari downloads history docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/Downloads.plist - name: Clear Safari frequently visited sites docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ code: rm -f ~/Library/Safari/TopSites.plist - name: Clear Safari last session (open tabs) history docs: - https://web.archive.org/web/20240314061752/https://apple.stackexchange.com/questions/374099/where-does-safari-store-the-open-tabs/374116#374116 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7127 code: rm -f ~/Library/Safari/LastSession.plist - category: Clear Safari caches children: - name: Clear Safari cached blobs, URLs and timestamps docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ code: rm -f ~/Library/Caches/com.apple.Safari/Cache.db - name: Clear Safari URL bar web page icons docs: - https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ - https://lifehacker.com/safaris-private-browsing-mode-saves-urls-in-an-easily-a-1691944343 code: rm -f ~/Library/Safari/WebpageIcons.db - name: Clear Safari webpage previews (thumbnails) docs: - https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ - https://archive.ph/2024.03.14-100910/https://www.reddit.com/r/apple/comments/18lp92/your_apple_computer_keeps_a_screen_shot_of_nearly/?rdt=59921 code: rm -rfv ~/Library/Caches/com.apple.Safari/Webpage\ Previews - name: Clear Safari history copy docs: https://forensicsfromthesausagefactory.blogspot.com/2010/06/safari-history-spotlight-webhistory.html code: rm -rfv ~/Library/Caches/Metadata/Safari/History - name: Clear search term history embedded in Safari preferences docs: https://krypted.com/tag/recentsearchstrings/ code: defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )' - name: Clear Safari cookies docs: - 
https://web.archive.org/web/20240314132018/https://community.spiceworks.com/t/understanding-the-safari-cookies-binarycookies-file-format/928827 - https://web.archive.org/web/20240314060318/https://link.springer.com/content/pdf/10.1007/0-387-36891-4_13.pdf code: |- rm -f ~/Library/Cookies/Cookies.binarycookies # Used before Safari 5.1 rm -f ~/Library/Cookies/Cookies.plist - name: Clear Safari zoom level preferences per site docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/PerSiteZoomPreferences.plist - name: Clear allowed URLs for Safari notifications docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/UserNotificationPreferences.plist - name: Clear Safari preferences for downloads, geolocation, pop-ups, and autoplay per site docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/PerSitePreferences.db - category: Clear Firefox history children: - name: Clear Firefox cache code: |- sudo rm -rf ~/Library/Caches/Mozilla/ rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/netpredictions.sqlite - name: Clear Firefox form history code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.dat - name: Clear Firefox site preferences code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/content-prefs.sqlite - name: Clear Firefox session restore data (loads after the browser closes or crashes) code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionCheckpoints.json rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore*.js* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.js* rm -fv ~/Library/Application\ 
Support/Firefox/Profiles/*/sessionstore-backups/recovery.js* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/upgrade.js*-20* - name: Clear Firefox passwords docs: https://web.archive.org/web/20210425202923/http://kb.mozillazine.org/Password_Manager code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons2.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons3.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/logins.json - name: Clear Firefox HTML5 cookies code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/webappsstore.sqlite - name: Clear Firefox crash reports code: |- rm -rfv ~/Library/Application\ Support/Firefox/Crash\ Reports/ rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/minidumps/*.dmp - name: Clear Firefox backup files code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.json rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.jsonlz4 - name: Clear Firefox cookies code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-shm rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-wal rm -rfv ~/Library/Application\ Support/Firefox/Profiles/*/storage/default/http* - category: Clear third-party application data children: - category: Clear privacy.sexy data # Marked: refactor-with-variables, refactor-with-partials # - Documentation is same across macOS, Linux and Windows, this should be shared and not duplicated. 
docs: |- This category offers scripts to remove data left by the privacy.sexy desktop application, helping you ensure your privacy by eliminating all traces of use. The web application version of privacy.sexy does not create or store user data on your device [1], so this category is applicable to desktop application users only. These scripts are designed for anyone wanting to ensure their script activities leave no trace on their systems. > **Caution**: > Deleting this data might affect security [2] and troubleshooting [1]: > - Logs are valuable for diagnosing issues and understanding past actions [1]. > - Script files can help review changes made to the system and aid in reverting those changes if needed. [1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com" [2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com" children: - name: Clear privacy.sexy script history docs: |- This script removes script files generated by the privacy.sexy desktop application. The desktop version executes scripts directly on your device [1], saving a script file for execution [1], troubleshooting [1], and security [2]. By running this script, you remove the executed script files, enhancing your privacy by ensuring that there is no residual data that could reveal your usage patterns or preferences. > **Caution**: > - This action is irreversible. Deleted script files cannot be retrieved. > - These files might be necessary for troubleshooting if you experience issues after using privacy.sexy scripts. [1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop-vs-web-features.md "Desktop vs. 
Web Features | privacy.sexy | github.com" [2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com" call: function: ClearDirectoryContents parameters: directoryGlob: "$HOME/Library/Application Support/privacy.sexy/runs" - name: Clear privacy.sexy activity logs docs: |- This script removes log files generated by the privacy.sexy desktop application. Different from the web version, the desktop application records logs for troubleshooting [1]. Additionally, these logs offer auditing and transparency for security [2]. Deleting these logs can help maintain your privacy by ensuring there are no records of the application's activities on your system. > **Caution**: > - Removing logs will prevent you from reviewing the application's activities, which could be helpful in diagnosing issues. > - Logs can contain valuable information for technical support should you need assistance. [1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop-vs-web-features.md "Desktop vs. 
Web Features | privacy.sexy | github.com" [2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com" call: function: ClearDirectoryContents parameters: directoryGlob: "$HOME/Library/Logs/privacy.sexy" - name: Clear Adobe cache recommend: standard code: sudo rm -rfv ~/Library/Application\ Support/Adobe/Common/Media\ Cache\ Files/* &>/dev/null - name: Clear Gradle cache recommend: strict code: |- if [ -d "~/.gradle/caches" ]; then rm -rfv ~/.gradle/caches/ &> /dev/null fi - name: Clear Dropbox cache recommend: standard code: |- if [ -d "~/Dropbox/.dropbox.cache" ]; then sudo rm -rfv ~/Dropbox/.dropbox.cache/* &>/dev/null fi - name: Clear Google Drive File Stream cache recommend: standard code: |- killall "Google Drive File Stream" rm -rfv ~/Library/Application\ Support/Google/DriveFS/[0-9a-zA-Z]*/content_cache &>/dev/null - name: Clear Composer cache recommend: strict code: |- if type "composer" &> /dev/null; then composer clearcache &> /dev/null fi - name: Clear Homebrew cache recommend: strict code: |- if type "brew" &>/dev/null; then brew cleanup -s &>/dev/null rm -rfv $(brew --cache) &>/dev/null brew tap --repair &>/dev/null fi - name: Clear old Ruby gem versions recommend: strict code: |- if type "gem" &> /dev/null; then gem cleanup &>/dev/null fi - name: Clear unused Docker data recommend: strict docs: |- This script frees up disk space, but also improves user privacy by: 1. **Removal of stopped containers**: Containers often run applications or services that might process sensitive or personal data. Even if a container is stopped, its filesystem remains intact, and potentially sensitive data inside it can be accessed. By removing stopped containers, we eliminate this potential privacy risk. 2. 
**Deletion of unused images**: Images can sometimes contain sensitive information, especially if they were built from `Dockerfile`s that copied local files or were used in scenarios where sensitive data was processed. Deleting unused images ensures that any inadvertent sensitive information embedded in those images is eradicated. 3. **Cleanup of network configurations**: Networks, especially custom ones, can contain configurations that reveal details about system architecture, inter-container communication, or even hardcoded secrets. Removing unused networks mitigates risks associated with lingering, outdated, or insecure configurations. 4. **Elimination of build cache**: The Docker build process uses a cache to speed up image creation. This cache can contain remnants of previous builds, including potentially sensitive data or files. Pruning the build cache ensures that these remnants are deleted, further safeguarding privacy. 5. **Footprint reduction**: By consistently pruning unused Docker objects, the overall footprint of Docker on the system is reduced. This makes it harder for malicious actors to exploit any lingering or overlooked vulnerabilities in the system or Docker itself. This script runs `docker system prune -af` command to clean up unused Docker data [1]. Specifically, the command will [1]: - Remove all stopped containers. - Remove all networks not used by at least one container. - Remove all images not used by any container. - Remove all build cache. 
[1]: https://web.archive.org/web/20230810171526/https://docs.docker.com/engine/reference/commandline/system_prune/ "docker system prune | Docker Documentation" code: |- if type "docker" &> /dev/null; then docker system prune -af fi - name: Clear Pyenv-Virtualenv cache recommend: strict code: |- if [ "$PYENV_VIRTUALENV_CACHE_PATH" ]; then rm -rfv $PYENV_VIRTUALENV_CACHE_PATH &>/dev/null fi - name: Clear NPM cache recommend: strict code: |- if type "npm" &> /dev/null; then npm cache clean --force fi - name: Clear Yarn cache recommend: strict code: |- if type "yarn" &> /dev/null; then echo 'Cleanup Yarn Cache...' yarn cache clean --force fi - category: Clear iOS usage data children: - name: Clear iOS app copies from iTunes recommend: strict code: rm -rfv ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/* &>/dev/null - name: Clear iOS photo cache recommend: standard code: rm -rf ~/Pictures/iPhoto\ Library/iPod\ Photo\ Cache/* - name: Clear iOS Device Backups recommend: strict code: rm -rfv ~/Library/Application\ Support/MobileSync/Backup/* &>/dev/null - name: Clear iOS simulators recommend: strict code: |- if type "xcrun" &>/dev/null; then osascript -e 'tell application "com.apple.CoreSimulator.CoreSimulatorService" to quit' osascript -e 'tell application "iOS Simulator" to quit' osascript -e 'tell application "Simulator" to quit' xcrun simctl shutdown all xcrun simctl erase all fi - name: Clear list of connected iOS devices recommend: strict code: |- sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* - name: Clear Xcode's derived data and archives recommend: strict code: |- rm -rfv ~/Library/Developer/Xcode/DerivedData/* &>/dev/null rm -rfv 
~/Library/Developer/Xcode/Archives/* &>/dev/null rm -rfv ~/Library/Developer/Xcode/iOS Device Logs/* &>/dev/null - name: Clear DNS cache recommend: standard code: |- sudo dscacheutil -flushcache sudo killall -HUP mDNSResponder - name: Clear inactive memory recommend: standard code: sudo purge - category: Clear application privacy permissions docs: |- This category provides scripts to reset privacy permissions for a variety of applications on your device, helping you to re-establish control over your personal data. Each script targets a specific permission type – such as camera, microphone, contacts, or accessibility services – enabling you to revoke permissions that have previously been granted to applications. By resetting these permissions, you not only enhance your privacy but also improve your device's security. After running these scripts, applications will require your explicit permission again to access these services or information. This means the next time an app attempts to use a service like your camera or access your contacts, you'll be prompted to grant or deny permission. It's a proactive step to ensure that your sensitive information or system services are accessed only with your current and informed consent. children: # Main documentation: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services - name: Clear **"All"** permissions docs: |- This script resets all permissions for applications. It revokes all previously granted permissions, enhancing privacy and security by ensuring no application has unauthorized access to system services or user data. call: function: ResetServicePermissions parameters: serviceId: All - name: Clear "Camera" permissions docs: |- This script resets permissions for camera access [1]. It ensures no application can access the system camera without explicit user permission, protecting against unauthorized surveillance and data breaches. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: Camera - name: Clear "Microphone" permissions docs: |- This script resets permissions for microphone access [1]. It revokes all granted access to the microphone, protecting against eavesdropping and unauthorized audio recording by applications. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: Microphone - name: Clear "Accessibility" permissions docs: |- This script resets permissions for accessibility features [1]. It revokes application access to accessibility services, preventing misuse and ensuring these features are used only with user consent. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: Accessibility - name: Clear "Screen Capture" permissions docs: |- This script resets permissions for screen capture [1]. It ensures applications cannot capture screen content without user authorization, protecting sensitive information displayed on the screen. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: ScreenCapture - name: Clear "Reminders" permissions docs: |- This script resets permissions for accessing reminders information managed by the Reminders app [1]. It ensures applications cannot access or modify reminders data without explicit user permission, maintaining the privacy of personal reminders. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: Reminders - name: Clear "Photos" permissions docs: |- This script resets permissions for accessing the pictures managed by the Photos app [1]. It revokes all permissions granted to applications, safeguarding personal photos and media from unauthorized access. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: Photos - name: Clear "Calendar" permissions docs: |- This script resets permissions for accessing the calendar information managed by the Calendar app [1]. It ensures that applications cannot access calendar data without user consent, protecting personal and sensitive calendar information. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: Calendar - name: Clear "Full Disk Access" permissions docs: |- This script resets permissions for full disk access. Full disk access allows the application access to all protected files, including system administration files [1]. It revokes broad file access from applications, significantly reducing the risk of data exposure and enhancing overall system security. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyAllFiles - name: Clear "Contacts" permissions docs: |- This script resets permissions for accessing contacts. The contact information managed by the Contacts app [1]. It ensures that applications cannot access the user's contact list without explicit permission, maintaining the confidentiality of personal contacts. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: AddressBook - name: Clear "Desktop Folder" permissions docs: |- This script resets permissions for accessing the Desktop folder [1]. It revokes application access to files on the desktop, protecting personal and work-related documents from unauthorized access. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyDesktopFolder - name: Clear "Documents Folder" permissions docs: |- This script resets permissions for accessing the Documents folder [1]. It prevents applications from accessing files in this folder without user consent, safeguarding important and private documents. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyDocumentsFolder - name: Clear "Downloads Folder" permissions docs: |- This script resets permissions for accessing the Downloads folder [1]. It ensures that applications cannot access downloaded files without user authorization, protecting downloaded content from misuse. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyDownloadsFolder - name: Clear "Apple Events" permissions docs: |- This script resets permissions for Apple Events [1]. It revokes permissions for applications to send restricted Apple Events to other processes [1], enhancing privacy and security. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: AppleEvents - name: Clear "File Provider Presence" permissions docs: |- This script resets permissions for File Provider Presence [1]. It revokes the ability of File Provider applications to know when the user is accessing their managed files [1], enhancing user privacy. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: FileProviderPresence - name: Clear "Listen Events" permissions docs: |- This script resets "ListenEvent" permissions [1]. It revokes application access to listen to system events [1], preventing unauthorized monitoring of user interactions with the system. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: ListenEvent - name: Clear "Media Library" permissions docs: |- This script resets permissions for accessing the Media Library [1]. It ensures that applications cannot access Apple Music, music and video activity, and the media library [1] without user consent. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: MediaLibrary - name: Clear "Post Event" permissions docs: |- This script resets permissions for sending "PostEvent" [1]. It prevents applications from using CoreGraphics APIs to send system events [1], safeguarding against potential misuse. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: PostEvent - name: Clear "Speech Recognition" permissions recommend: strict docs: |- This script resets permissions for using Speech Recognition [1]. It revokes application access to the speech recognition facility and sending speech data to Apple [1], protecting user privacy. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SpeechRecognition - name: Clear "App Modification" permissions docs: |- This script resets permissions for modifying other apps [1]. It prevents applications from updating or deleting other apps [1], maintaining system integrity and user control. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyAppBundles - name: Clear "Application Data" permissions docs: |- This script resets permissions for accessing application data [1]. It revokes application access to specific application data, enhancing privacy and data security. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyAppData - name: Clear "Network Volumes" permissions docs: |- This script resets permissions for accessing files on network volumes [1]. It ensures applications cannot access network files without user authorization. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyNetworkVolumes - name: Clear "Removable Volumes" permissions docs: |- This script resets permissions for accessing files on removable volumes [1]. It protects data on external drives from unauthorized application access. 
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicyRemovableVolumes - name: Clear "System Administration Files" permissions docs: |- This script resets permissions for accessing system administration files [1]. It enhances system security by restricting application access to critical system files. [1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com" call: function: ResetServicePermissions parameters: serviceId: SystemPolicySysAdminFiles - category: Configure programs children: - name: Disable Firefox telemetry recommend: standard docs: https://github.com/privacysexy-forks/policy-templates/blob/master/README.md code: |- # Enable Firefox policies so the telemetry can be configured. 
sudo defaults write /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled -bool TRUE # Disable sending usage data sudo defaults write /Library/Preferences/org.mozilla.firefox DisableTelemetry -bool TRUE revertCode: |- sudo defaults delete /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled sudo defaults delete /Library/Preferences/org.mozilla.firefox DisableTelemetry - name: Disable Microsoft Office telemetry recommend: standard code: defaults write com.microsoft.office DiagnosticDataTypePreference -string ZeroDiagnosticData revertCode: defaults delete com.microsoft.office DiagnosticDataTypePreference - name: Remove Google Software Update service recommend: strict code: |- googleUpdateFile=~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall if [ -f "$googleUpdateFile" ]; then $googleUpdateFile --nuke echo 'Uninstalled Google update' else echo 'Google update file does not exist' fi - name: Disable Homebrew user behavior analytics recommend: standard docs: https://docs.brew.sh/Analytics call: - function: PersistUserEnvironmentConfiguration parameters: configuration: export HOMEBREW_NO_ANALYTICS=1 - name: Disable NET Core CLI telemetry recommend: standard call: - function: PersistUserEnvironmentConfiguration parameters: configuration: export DOTNET_CLI_TELEMETRY_OPTOUT=1 - name: Disable PowerShell Core telemetry recommend: standard docs: https://github.com/privacysexy-forks/PowerShell/blob/v7.1.5/README.md#telemetry call: - function: PersistUserEnvironmentConfiguration parameters: configuration: export POWERSHELL_TELEMETRY_OPTOUT=1 - category: Configure Parallels Desktop docs: |- Parallels Desktop for Mac is software providing hardware virtualization for macOS [1]. When you use it, it collects and shares your personal data with third parties [2]. Personal data includes the IP address of your device, your broad geographical location (country, state (if applicable), and city) and the product used [2].
It includes third-party advertisements [3] and automatic checks for updates [4] by default. Both of these behaviors communicate with online services that reveal personal data about you. [1]: https://web.archive.org/web/20221012155943/https://en.wikipedia.org/wiki/Parallels_Desktop_for_Mac "Parallels Desktop for Mac - Wikipedia | en.wikipedia.org" [2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com" [3]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com" [4]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com" children: - name: Disable Parallels Desktop advertisements recommend: standard docs: |- Parallels Desktop uses in-product notifications to show ads from Parallels or other third-party companies [1]. The main setting is `ProductPromo.ForcePromoOff` [1] that you can check using: 1. `defaults read 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff'` 2. `defaults read 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff'` By default, on clean installations the value is `0`, which is equivalent to `no`. There is also the `WelcomeScreenPromo.PromoOff` setting, which is pre-configured to `1` (`no` as default). It is undocumented but is still kept disabled by this script. [1]: https://web.archive.org/web/20240314062932/https://forum.parallels.com/threads/unable-to-process-the-upgrade-request.345603/ "Unable to process the upgrade request | Parallels Forums | forum.parallels.com" [2]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? 
| Knowledge Base | parallels.com" code: |- defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool yes defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes revertCode: |- defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool no defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes - category: Disable Parallels Desktop automatic updates docs: |- Parallels Desktop by default checks for updates frequently and automatically downloads them [1]. This reveals personal data about you [2] without your control. [1]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com" [2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com" children: - name: Disable automatic downloads for Parallels Desktop updates docs: |- Automatic downloads are enabled by default, and this script disables automatic downloads. Automatic downloads are configured using the `Application preferences.Download updates automatically` property [1]. 
- Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically'` - Values: 0 - Disabled, 1 - Enabled (default) [1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com" code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool no revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool yes - name: Disable automatic checks for Parallels Desktop updates docs: |- Automatic checks are weekly by default, and this script disables the checks completely. Frequency to check for updates can be configured using `Application preferences.Check for updates` property [1]. - Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates'` - Values: 0 - Never, 1 - Once a day, 2 - Once a week (default), 3 - Once a month [1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com" code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 0 revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 2 - category: Configure OS children: - category: Configure Apple Remote Desktop children: - name: Disable remote management service recommend: strict code: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop revertCode: sudo 
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console - name: Remove Apple Remote Desktop Settings recommend: strict code: |- sudo rm -rf /var/db/RemoteManagement sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist sudo rm -rf /Library/Application\ Support/Apple/Remote\ Desktop/ rm -r ~/Library/Application\ Support/Remote\ Desktop/ rm -r ~/Library/Containers/com.apple.RemoteDesktop - name: Disable online spell correction code: defaults write NSGlobalDomain WebAutomaticSpellingCorrectionEnabled -bool false revertCode: defaults delete NSGlobalDomain WebAutomaticSpellingCorrectionEnabled - name: Disable remote Apple events recommend: strict code: sudo systemsetup -setremoteappleevents off revertCode: sudo systemsetup -setremoteappleevents on - name: Disable automatic storage of documents in iCloud Drive docs: https://macos-defaults.com/finder/nsdocumentsavenewdocumentstocloud.html recommend: standard code: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false revertCode: defaults delete NSGlobalDomain NSDocumentSaveNewDocumentsToCloud - name: Disable display of recent applications on Dock docs: https://developer.apple.com/documentation/devicemanagement/dock code: defaults write com.apple.dock show-recents -bool false revertCode: defaults delete com.apple.dock show-recents - name: Disable AirDrop file sharing recommend: strict code: defaults write com.apple.NetworkBrowser DisableAirDrop -bool true revertCode: defaults write com.apple.NetworkBrowser DisableAirDrop -bool false - category: Configure Siri children: - name: Disable participation in Siri data collection recommend: standard code: defaults write com.apple.assistant.support 'Siri Data Sharing Opt-In Status' -int 2 revertCode: defaults delete com.apple.assistant.support 'Siri Data Sharing Opt-In Status' - category: Disable Siri 
children: - name: Disable "Ask Siri" recommend: strict docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/ code: defaults write com.apple.assistant.support 'Assistant Enabled' -bool false revertCode: defaults write com.apple.assistant.support 'Assistant Enabled' -bool true - name: Disable Siri voice feedback recommend: strict docs: - https://github.com/privacysexy-forks/starter/blob/master/system/siri.sh - https://web.archive.org/web/20201002133713/https://machippie.github.io/system/ code: defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 3 revertCode: defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 2 - name: Disable Siri services (Siri and assistantd) recommend: strict docs: - https://web.archive.org/web/20240314060540/https://apple.stackexchange.com/questions/57514/what-is-assistantd - https://archive.ph/2024.03.14-055010/https://community.jamf.com/t5/jamf-pro/kill-siri/td-p/171543 - https://web.archive.org/web/20240314060501/https://apple.stackexchange.com/questions/258816/how-to-completely-disable-siri-on-sierra/370426#370426 # To see status: • `launchctl print-disabled system` • `launchctl print-disabled user/$UID` • `launchctl print-disabled gui/$UID` code: |- launchctl disable "user/$UID/com.apple.assistantd" launchctl disable "gui/$UID/com.apple.assistantd" sudo launchctl disable 'system/com.apple.assistantd' launchctl disable "user/$UID/com.apple.Siri.agent" launchctl disable "gui/$UID/com.apple.Siri.agent" sudo launchctl disable 'system/com.apple.Siri.agent' if [ $(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//') = "enabled" ]; then >&2 echo 'This script requires SIP to be disabled. 
Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection' fi revertCode: |- launchctl enable "user/$UID/com.apple.assistantd" launchctl enable "gui/$UID/com.apple.assistantd" sudo launchctl enable 'system/com.apple.assistantd' launchctl enable "user/$UID/com.apple.Siri.agent" launchctl enable "gui/$UID/com.apple.Siri.agent" sudo launchctl enable 'system/com.apple.Siri.agent' if [ $(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//') = "enabled" ]; then >&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection' fi - name: Disable "Do you want to enable Siri?" pop-up docs: |- This script stops the "Enable Siri" pop-up [1] from appearing the first time a user logs into macOS [2]. Introduced in macOS version 10.12 [2], this pop-up asks, "Do you want to enable Siri?" [1] which could lead to Siri being enabled unintentionally. This script configures the `com.apple.SetupAssistant!DidSeeSiriSetup` setting to suppress this pop-up [1] [2] [3] [4]. This command tells the system that the Siri setup is complete, preventing the pop-up in future sessions and enhancing privacy by avoiding unintended Siri activation. [1]: https://archive.ph/2024.03.14-053325/https://discussions.apple.com/thread/7694127?answerId=30752577022&sortBy=best%2330752577022 "macOS keeps nagging me about enabling Siri - Apple Community | discussions.apple.com" [2]: https://web.archive.org/web/20240314052600/https://derflounder.wordpress.com/2016/09/20/supressing-siri-pop-up-windows-on-macos-sierra/ "Suppressing Siri pop-up windows on macOS Sierra | Der Flounder" [3]: https://web.archive.org/web/20240314052901/https://windowsreport.com/mac/siri-keeps-popping-up/ "Siri keeps popping up on Mac? 
Here's how to easily fix that • MacTips | windowsreport.com" [4]: https://web.archive.org/web/20240314052247/https://community.jamf.com/t5/jamf-pro/disable-siri-setup-assistant-in-macos-sierra/m-p/205836/highlight/true#M194536 "Solved: Re: Disable Siri setup assistant in macOS Sierra - Jamf Nation Community - 205834 | community.jamf.com" code: defaults write com.apple.SetupAssistant 'DidSeeSiriSetup' -bool True revertCode: defaults delete com.apple.SetupAssistant 'DidSeeSiriSetup' - category: Remove Siri from user interface children: - name: Remove Siri from menu bar recommend: strict code: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 0 revertCode: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 1 - name: Remove Siri from status menu recommend: strict docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/ code: |- defaults write com.apple.Siri 'StatusMenuVisible' -bool false defaults write com.apple.Siri 'UserHasDeclinedEnable' -bool true revertCode: |- defaults delete com.apple.Siri 'StatusMenuVisible' defaults delete com.apple.Siri 'UserHasDeclinedEnable' - name: Disable Spotlight indexing code: sudo mdutil -i off -d / revertCode: sudo mdutil -i on / - name: Disable personalized advertisements and identifier tracking recommend: standard docs: |- This script enhances your privacy by deactivating Personalized Ads and disabling the collection of identifiers related to your device. The process involves modifying certain key configurations, which prevents Apple's advertising platform from using your personal information to deliver targeted ads [1]. When Personalized Ads is enabled, your information may be used to provide ads that closely align with your interests [1]. You might occasionally encounter such targeted ads in Apple News, Stocks, and the Mac App Store [2]. Disabling Personalized Ads will prevent Apple from using your data for ad targeting [2]. 
Although this does not necessarily decrease the quantity of ads you receive, it may result in the ads being less relevant to your interests [2]. The primary keys to deactivating personalized ads are: - **`allowApplePersonalizedAdvertising`**: If set to false, this restricts Apple's personalized advertising [3]. This is applicable on macOS 12 and subsequent versions [3]. - **`allowIdentifierForAdvertising`**: The `advertisingIdentifier` is a unique string assigned to each device [5]. Apple uses this identifier and recommends its use in third-party applications for tasks like frequency capping, attribution, conversion events, estimating the number of unique users, detecting advertising fraud, and debugging [5]. Although there is no official documentation on it, a discussion on JAMF.com corroborates its existence [6]. My tests show that disabling any of the keys mentioned above results in the "System Preferences > Apple Advertising > Personalized ads" option being deactivated in the GUI, starting from macOS Monterey. Please note: The `forceLimitAdTracking` key limits ad tracking [3] [4] and is found in CIS benchmarks for macOS [4]. However, the official macOS documentation specifies that it is applicable only to iOS 7 and newer versions, not to macOS [3]. The key does not exist on the OS by default. 
[1]: https://web.archive.org/web/20230731152633/https://www.apple.com/legal/privacy/data/en/apple-advertising/ "Legal - Apple Advertising & Privacy - Apple" [2]: https://web.archive.org/web/20220805052411/https://support.apple.com/en-sg/guide/mac-help/mh32356/mac "Change Privacy preferences on Mac - Apple Support (SG)" [3]: https://web.archive.org/web/20230731155827/https://developer.apple.com/documentation/devicemanagement/restrictions "Restrictions | Apple Developer Documentation" [4]: https://web.archive.org/web/20230731155653/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_11_0_Big_Sur_Benchmark_v2_0_0.pdf "CIS Apple macOS 11.0 Big Sur Benchmark" [5]: https://web.archive.org/web/20230731155131/https://developer.apple.com/documentation/adsupport/asidentifiermanager/1614151-advertisingidentifier "advertisingIdentifier | Apple Developer Documentation" [6]: https://web.archive.org/web/20230731154840/https://community.jamf.com/t5/jamf-pro/macos-quot-limit-ad-tracking-quot/td-p/217001 'Solved: macOS "Limit Ad Tracking" - Jamf Nation Community - 217001' code: |- defaults write com.apple.AdLib allowIdentifierForAdvertising -bool false defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool false defaults write com.apple.AdLib forceLimitAdTracking -bool true # Default: (`defaults read com.apple.AdLib`) # - `defaults read com.apple.AdLib allowApplePersonalizedAdvertising`: true (1) # - `defaults read com.apple.AdLib allowIdentifierForAdvertising`: true (1) # - `defaults read com.apple.AdLib forceLimitAdTracking`: non-existing revertCode: |- defaults write com.apple.AdLib allowIdentifierForAdvertising -bool true defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool true sudo defaults delete com.apple.AdLib forceLimitAdTracking - category: Security improvements children: - category: Configure macOS Application Firewall children: - name: Enable application firewall recommend: standard docs: - 
https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81681 - https://daiderd.com/nix-darwin/manual/index.html - https://developer.apple.com/documentation/devicemanagement/firewall code: |- /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true defaults write com.apple.security.firewall EnableFirewall -bool true revertCode: |- /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool false defaults write com.apple.security.firewall EnableFirewall -bool false - name: Enable firewall logging recommend: standard docs: - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671 - https://daiderd.com/nix-darwin/manual/index.html code: |- /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true revertCode: |- /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool false - name: Enable stealth mode recommend: standard docs: - https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327 - https://daiderd.com/nix-darwin/manual/index.html - https://developer.apple.com/documentation/devicemanagement/firewall code: |- /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true defaults write com.apple.security.firewall EnableStealthMode -bool true revertCode: |- /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false defaults write com.apple.security.firewall EnableStealthMode -bool false - category: Disable automatic permission for incoming traffic in applications children: 
- name: Disable automatic incoming connections for signed apps docs: https://daiderd.com/nix-darwin/manual/index.html recommend: strict code: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool true - name: Disable automatic incoming connections for downloaded signed apps docs: https://daiderd.com/nix-darwin/manual/index.html recommend: strict code: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool true - name: Disable Captive portal # An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, # so it's best to disable this feature and log in to captive portals using a regular web browser instead. recommend: standard docs: # Risks with captive portals: - https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy # More about Apple's captive portal: - https://web.archive.org/web/20171008071031if_/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html#.WdnPa5OyL6Y - https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html - https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/ code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false revertCode: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active - category: Enable protective screen saver children: - name: Enable password requirement for waking from sleep or screen saver # The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. 
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230744 code: sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword - name: Enable session lock five seconds after screen saver initiation docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230745 # An unattended system with an excessive grace period is vulnerable to a malicious user. code: sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5 revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' - category: Disable guest accounts docs: - https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823 - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615 children: - name: Disable guest sign-in from login screen code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO revertCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES - name: Disable guest access to file shares over AF code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO revertCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES - name: Disable guest access to file shares over SMB code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO revertCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES - category: Disable unauthorized connections children: - name: Disable incoming SSH and SFTP remote logins recommend: standard docs: https://osxdaily.com/2016/08/16/enable-ssh-mac-command-line/ # Check if enabled: sudo systemsetup -getremotelogin, returns "Remote Login: On" or "Off" code: 
echo 'yes' | sudo systemsetup -setremotelogin off revertCode: sudo systemsetup -setremotelogin on - name: Disable the insecure TFTP service recommend: standard # If the system does not require Trivial File Transfer Protocol (TFTP), then support for # it is non-essential and should be disabled. The information system should be configured to # provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection # of devices and the unauthorized transfer of information. docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230813 code: sudo launchctl disable 'system/com.apple.tftpd' revertCode: sudo launchctl enable 'system/com.apple.tftpd' - name: Disable Bonjour multicast advertising recommend: standard docs: https://www.stigviewer.com/stig/apple_os_x_10.11/2017-04-06/finding/V-67593 code: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true revertCode: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool false - name: Disable insecure telnet protocol recommend: standard docs: - https://www.stigviewer.com/stig/apple_os_x_10.13/2020-09-11/finding/V-214882 - https://www.stigviewer.com/stig/apple_os_x_10.10_yosemite_workstation/2017-04-06/finding/V-59671 code: sudo launchctl disable system/com.apple.telnetd revertCode: sudo launchctl enable system/com.apple.telnetd - category: Disable printer sharing (IPP, LPD, SMB and Bonjour protocols) # Typically used for servers # By default, CUPS only listens to requests from the machine it is running on # cupsctl is a tool to manage the configuration of the CUPS daemon docs: - https://www.cups.org/doc/sharing.html - https://www.cups.org/doc/security.html # Security risks children: - name: Disable local printer sharing with other computers recommend: standard docs: https://www.cups.org/doc/man-cupsctl.html code: cupsctl --no-share-printers revertCode: cupsctl 
--share-printers - name: Disable printing from external addresses, including the internet recommend: standard docs: https://www.cups.org/doc/man-cupsctl.html code: cupsctl --no-remote-any revertCode: cupsctl --remote-any - name: Disable remote printer administration recommend: standard docs: https://www.cups.org/doc/man-cupsctl.html code: cupsctl --no-remote-admin revertCode: cupsctl --remote-admin - category: Privacy over security children: - category: Disable File Quarantine (tracks downloaded files and warns) # The OS tracks downloaded files with the help of quarantine-aware applications # (such as Safari, Chrome) that add quarantine extended attributes to files. # The OS then warns and asks if you really want to open it docs: https://web.archive.org/web/20210319081714/https://support.apple.com/en-gb/HT202491 children: - category: Clean File Quarantine from downloaded files children: - name: Clear logs of all downloaded files from File Quarantine recommend: strict docs: - https://www.macobserver.com/tips/how-to/your-mac-remembers-everything-you-download-heres-how-to-clear-download-history/ - https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/ - https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/ - https://eclecticlight.co/2017/08/14/show-me-your-metadata-extended-attributes-in-macos-sierra/ # Query entries using: # sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select DISTINCT LSQuarantineDataURLString from LSQuarantineEvent' code: |- db_file=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 db_query='delete from LSQuarantineEvent' if [ -f "$db_file" ]; then echo "Database exists at \"$db_file\"" if ls -lO "$db_file" | grep --silent 'schg'; then sudo chflags noschg "$db_file" echo "Found and removed system immutable flag" has_system_immutable_flag=true fi if ls -lO "$db_file" | grep --silent 'uchg'; then sudo chflags nouchg "$db_file" echo "Found and removed user immutable flag" 
has_user_immutable_flag=true fi sqlite3 "$db_file" "$db_query" echo "Executed the query \"$db_query\"" if [ "$has_system_immutable_flag" = true ] ; then sudo chflags schg "$db_file" echo "Added system immutable flag back" fi if [ "$has_user_immutable_flag" = true ] ; then sudo chflags uchg "$db_file" echo "Added user immutable flag back" fi else echo "No action needed, database does not exist at \"$db_file\"" fi - name: Clear File Quarantine attribute from downloaded files docs: https://superuser.com/questions/28384/what-should-i-do-about-com-apple-quarantine code: |- find ~/Downloads \ -type f \ -exec \ sh -c \ ' attr="com.apple.quarantine" file="{}" if [[ $(xattr "$file") = *$attr* ]]; then if xattr -d "$attr" "$file" 2>/dev/null; then echo "🧹 Cleaned attribute from \"$file\"" else >&2 echo "❌ Failed to clean attribute from \"$file\"" fi else echo "No attribute in \"$file\"" fi ' \ {} \; - category: Disable macOS File Quarantine tracking for downloaded files children: - name: Disable downloaded file logging in quarantine docs: - https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/ - https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/ - https://eclecticlight.co/2017/08/14/show-me-your-metadata-extended-attributes-in-macos-sierra/ recommend: strict code: |- file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 if [ -f "$file_to_lock" ]; then sudo chflags schg "$file_to_lock" echo "Made file immutable at \"$file_to_lock\"" else echo "No action is needed, file does not exist at \"$file_to_lock\"" fi revertCode: |- file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 if [ -f "$file_to_lock" ]; then sudo chflags noschg "$file_to_lock" echo "Successfully reverted immutability from \"$file_to_lock\"" else >&2 echo "Cannot revert immutability, file does not exist at\"$file_to_lock\"" fi - name: Disable extended quarantine attribute for downloaded files (disables warning) # 
Disables dialogs shown when opening an application for the first time # i.e. "Application Downloaded from Internet" quarantine warning. docs: - https://apple.stackexchange.com/questions/373176/disable-the-use-of-the-com-apple-quarantine-extended-attribute-on-mojave - https://superuser.com/questions/266176/is-there-some-way-to-disable-the-dialogs-shown-when-opening-an-application-for-t - https://macos-defaults.com/misc/lsquarantine.html code: sudo defaults write com.apple.LaunchServices 'LSQuarantine' -bool NO revertCode: sudo defaults delete com.apple.LaunchServices 'LSQuarantine' - category: Disable Gatekeeper (enforces code-signing) # Built on top of File Quarantine, requires code-signing for apps. # Warns the user if a file is not signed by its developer with a certificate issued by Apple. # Can protect against unknown threats. children: - name: Disable Gatekeeper's automatic reactivation docs: - https://osxdaily.com/2015/11/05/stop-gatekeeper-auto-rearm-mac-os-x/ - https://web.archive.org/web/20230327050142/https://www.cnet.com/tech/computing/how-to-disable-gatekeeper-permanently-on-os-x/ code: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true revertCode: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false - name: Disable Gatekeeper docs: # References for spctl --master-disable - https://www.manpagez.com/man/8/spctl/ # References for /var/db/SystemPolicy-prefs.plist - https://krypted.com/mac-security/manage-gatekeeper-from-the-command-line-in-mountain-lion/ - https://community.jamf.com/t5/jamf-pro/users-can-t-change-password-greyed-out/m-p/54228 code: |- os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}') os_minor_ver=$(sw_vers -productVersion | awk -F "." 
'{print $2}') if [[ $os_major_ver -le 10 \ || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \ ]]; then echo "No action needed, Gatekeeper is not available this OS version" else gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')" if [ $gatekeeper_status = "disabled" ]; then echo "No action needed, Gatekeeper is already disabled" elif [ $gatekeeper_status = "enabled" ]; then sudo spctl --master-disable sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'no' echo "Disabled Gatekeeper" else >&2 echo "Unknown gatekeeper status: $gatekeeper_status" fi fi revertCode: |- os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}') os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}') if [[ $os_major_ver -le 10 \ || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \ ]]; then >&2 echo "Gatekeeper is not available in this OS version" else gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')" if [ $gatekeeper_status = "disabled" ]; then sudo spctl --master-enable sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'yes' echo "Enabled Gatekeeper" elif [ $gatekeeper_status = "enabled" ]; then echo "No action needed, Gatekeeper is already enabled" else >&2 echo "Unknown Gatekeeper status: $gatekeeper_status" fi fi - name: Disable library validation entitlement (library signature validation) docs: - https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation - https://www.macenhance.com/docs/general/sip-library-validation.html - https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/ code: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool true revertCode: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool false - category: Disable automatic updates docs: |- This category contains scripts to 
disable automatic operating system updates. Disabling automatic updates gives users full control over when and which updates are applied to their system. It improves privacy by preventing unwanted data collection, new vulnerabilities and unapproved changes to system settings. > **Caution**: > Disabling automatic updates can leave your system vulnerable to unpatched exploits. > Manually check and and apply updates to stay protected. children: - name: Disable automatic checks for updates docs: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate code: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool false revertCode: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool true - name: Disable automatic downloads for updates docs: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate code: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool false revertCode: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool true - name: Disable automatic installation of macOS updates docs: |- This script stops macOS from automatically installing updates. This script improves privacy by reducing unwanted data collection and ensuring updates don't change settings or data without your approval. The Center for Internet Security (CIS) advises against automatic updates in scenarios where changes require thorough testing and approval processes to avoid operational disruptions [1] [2] [3] [4]. This script configures following to stop macOS from installing updates automatically: 1. 
`/Library/Preferences/com.apple.commerce!AutoUpdateRestartRequired`: This preference stops the system from automatically installing macOS updates [1] [2] [3] [4] [5] [6] [7] [8]. By doing this, updates will only be installed when you decide, giving you a chance to check them first [1] [2] [3] [4] [5] [6] [7] [8]. This setting applies to OS X Yosemite through macOS High Sierra [7] [9]. 2. `/Library/Preferences/com.apple.commerce!AutomaticallyInstallMacOSUpdates`: Changing this setting stops macOS from installing updates automatically [3] [5] [9] [10], giving you control over when to update. If restricts the *Install macOS Updates* option and prevents the user from changing the option [10]. While this setting enhances privacy, it's generally not advised by NIST due to potential security risks [9]. This setting applies to macOS Mojave and newer versions [9]. > **Caution**: Disabling automatic updates requires you to manually check and apply updates to stay protected against security threats [1] [2] [3] [4]. 
[1]: https://web.archive.org/web/20240321165149/https://www.tenable.com/audits/items/CIS_Apple_macOS_10.12_v1.1.0_Level_1.audit:e02dfdd6bec9556a3ce537f60b91b549 "CIS Apple macOS 10.12 L1 v1.1.0 | 1.5 Enable OS X update installs | Tenable®" [2]: https://web.archive.org/web/20240321165851/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_10_13_Benchmark_v1_1_0---PDF.pdf "CIS Apple macOS 10.13 Benchmark v1.1.0 | paper.bobylive.com" [3]: https://web.archive.org/web/20240321170400/https://www.tenable.com/audits/items/CIS_Apple_macOS_13.0_Ventura_v1.0.0_L1.audit:fe03c59a39c7c949507ff20d07f89993 "1.4 Ensure Install of macOS Updates Is Enabled | Tenable® | www.tenable.com" [4]: https://web.archive.org/web/20240321170036/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_10_14_Benchmark_v1_4_0_PDF.pdf "CIS Apple macOS 10.14 Benchmark v1.4.0 | paper.bobylive.com" [5]: https://web.archive.org/web/20240321164917/https://www.ncsc.gov.uk/files/macos_provisioning_script.sh_.txt "macOS provisioning script | UK National Cyber Security Centre | www.ncsc.gov.uk" [6]: https://web.archive.org/web/20240321165118/https://macadminsdoc.readthedocs.io/en/master/Profiles-and-Settings/OS-X-Updates.html "macOS Updates — MacAdmins Community Documentation documentation | macadminsdoc.readthedocs.io" [7]: https://web.archive.org/web/20240321165304/https://derflounder.wordpress.com/2014/12/29/managing-automatic-app-store-and-os-x-update-installation-on-yosemite/ "Managing automatic App Store and OS X update installation on Yosemite | Der Flounder | derflounder.wordpress.com" [8]: https://web.archive.org/web/20240321170034/https://krypted.com/mac-os-x/app-store-preferences-set-server-5-4-macos-high-sierra/ "App Store Preferences To Set In On Server 5.4 for macOS High Sierra – krypted | krypted.com" [9]: https://web.archive.org/web/20240321170251/https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ "Enabling 
automatic macOS software updates for OS X Yosemite through macOS Mojave | Der Flounder | derflounder.wordpress.com" [10]: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate "SoftwareUpdate | Apple Developer Documentation | developer.apple.com" [11]: https://web.archive.org/web/20240321165931/https://csrc.nist.gov/CSRC/media/Projects/national-vulnerability-database/documents/CCE/CCE-macos_monterey.xls "CCE-91129-7 | CCE-macos_monterey.xls | Sheet 1 - NIST Computer Security Resource Center | csrc.nist.gov" code: |- # For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14) sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool false # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool false revertCode: |- # For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14) sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool true # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool true - name: Disable automatic app updates from the App Store docs: |- This script disables automatic app updates [1] [2] [3] [4] from the App Store [5] [6] [7] [8] [9] [10] [11] [12] [13]. It prevents automatic installation of application updates as soon as they become available from Apple [2] [3] [6] [9] [11] [12] [13]. Thus, applications are updated only when you choose to do so [5]. Disabling automatic updates prevents unexpected app behavior or settings changes. It helps you to maintain your current app configurations and privacy settings. It also protects against potential zero-day vulnerabilities in your apps. This gives you the ability to choose which updates to install and when, enabling you to review the details of updates before deciding to proceed. 
The script modifies the following settings: 1. `/Library/Preferences/com.apple.commerce!AutoUpdate`: Disables automated app updates [1] [2] [3] [6] [9] [10] [13] from the App Store [7] [8]. This setting applies to OS X Yosemite and newer versions [1]. 2. `/Library/Preferences/com.apple.SoftwareUpdate!AutomaticallyInstallAppUpdates`: Stops the automatic installation of app updates [1] [4] from App Store [9] [10] [11] [12] [13]. It deselects the *Install app updates from the App Store* option and prevents the user from changing the option [10]. While this setting enhances privacy, it's generally not advised by NIST due to potential security risks [4]. This setting applies to macOS Mojave and newer versions [1]. > **Caution**: > Disabling app updates means you should manually check for and install important security patches for every application > to protect against vulnerabilities [2] [3] [5] [6] [9] [11] [12] [13]. [1]: https://web.archive.org/web/20240321170251/https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ "Enabling automatic macOS software updates for OS X Yosemite through macOS Mojave | Der Flounder | derflounder.wordpress.com" [2]: https://web.archive.org/web/20240321190032/https://www.irs.gov/pub/irs-utl/safeguards-scsem-macosx-v6-1-093021.xlsx "SCSEM OSX 10.14 | Internal Revenue Service Office of Safeguards | www.irs.gov" [3]: https://web.archive.org/web/20240321170036/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_10_14_Benchmark_v1_4_0_PDF.pdf "CIS Apple macOS 10.14 Benchmark v1.4.0 | paper.bobylive.com" [5]: https://web.archive.org/web/20240321190244/https://github-wiki-see.page/m/edamametechnologies/threatmodels/wiki/threatmodel-macOS-EN "threatmodel macOS EN - edamametechnologies/threatmodels GitHub Wiki | github-wiki-see.page" [6]: 
https://web.archive.org/web/20240321190315/https://www.tenable.com/audits/items/CIS_Apple_macOS_14.0_Sonoma_v1.0.0_L1.audit:66d3b86318384ba7947a3409e0c6e902 "1.5 Ensure Install Application Updates from the App Store Is E... | Tenable® | www.tenable.com" [7]: https://web.archive.org/web/20240321165304/https://derflounder.wordpress.com/2014/12/29/managing-automatic-app-store-and-os-x-update-installation-on-yosemite/ "Managing automatic App Store and OS X update installation on Yosemite | Der Flounder | derflounder.wordpress.com" [8]: https://web.archive.org/web/20240321190410/https://krypted.com/mac-security/app-store-preferences-set-server-5-2-macos-sierra/ "App Store Preferences To Set In On Server 5.2 for macOS Sierra – krypted | krypted.com" [4]: https://web.archive.org/web/20240321165931/https://csrc.nist.gov/CSRC/media/Projects/national-vulnerability-database/documents/CCE/CCE-macos_monterey.xls "CCE-91129-7 | CCE-macos_monterey.xls | Sheet 1 - NIST Computer Security Resource Center | csrc.nist.gov" [9]: https://web.archive.org/web/20240321190114/https://www.irs.gov/pub/irs-utl/safeguards-scsem-macosx.xlsx "SCSEM OSX 13.0 | Internal Revenue Service Office of Safeguards | www.irs.gov" [10]: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate "SoftwareUpdate | Apple Developer Documentation | developer.apple.com" [11]: https://web.archive.org/web/20240321190122/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_12_0_Monterey_Benchmark_v1_0_0.pdf "CIS Apple macOS 12.0 Monterey | CIS Benchmarks | paper.bobylive.com" [12]: https://web.archive.org/web/20240321190537/https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v2.0.0_L1.audit:55e8759872dce781b8dbc5a3f42e23b9 "1.4 Ensure Installation of App Update Is Enabled | Tenable® | www.tenable.com" [13]: https://web.archive.org/web/20240321164917/https://www.ncsc.gov.uk/files/macos_provisioning_script.sh_.txt "macOS provisioning script | UK National Cyber 
Security Centre | www.ncsc.gov.uk" code: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool false # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool false revertCode: |- # For OS X Yosemite and newer sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool true # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool true - name: Disable macOS beta release installation docs: https://web.archive.org/web/20170106103856/https://support.apple.com/en-gb/HT203018 code: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool false revertCode: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool true - name: Disable automatic installation for configuration data (e.g. XProtect, Gatekeeper, MRT) docs: https://web.archive.org/web/20240321170251/https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ code: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool false revertCode: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool true - name: Disable automatic installation for system data files and security updates docs: |- This script stops automatic installations of critical updates [1], including security [1] [2] [3] [4] [5] [6] [7] and system data file [1] [8] updates. 
It improves privacy by providing: - **Control Over Update Timing**: Users can review updates before installation to ensure they meet privacy standards and do not introduce unwanted telemetry or changes. - **Reduced External Communications**: Reduces how often it connects to update servers, potentially protection user information. The script configures the `/Library/Preferences/com.apple.SoftwareUpdate!CriticalUpdateInstall` setting [1] [4] [5] [7] [8]. This action prevents automatic downloads and installations of updates [1]. It also prevents users from changing the Install system data files and security updates option manually [1]. This script is compatible with OS X Yosemite and later versions [6] [8]. The revert script triggers `softwareupdate --background-critical` to install any pending critical updates directly [2] [9]. > **Caution:** > Only disable automatic updates if you're committed to manually installing them quickly to maintain your computer's security [4] [5] [8]. > It's important to install updates soon to protect your computer. [4] [5] [8]. > > This script disables: > > - Definition updates for **XProtect** and **Gatekeeper** that keep your computer safe from new threats [5]. > - **Rapid Security Response** [10] [11]. > **Rapid Security Responses** are software releases providing important security improvements between standard updates [12]. 
[1]: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate "SoftwareUpdate | Apple Developer Documentation | developer.apple.com" [2]: https://web.archive.org/web/20240321201417/https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/ "Managing OS X’s automatic security updates | Der Flounder | derflounder.wordpress.com" [3]: https://web.archive.org/web/20240321165118/https://macadminsdoc.readthedocs.io/en/master/Profiles-and-Settings/OS-X-Updates.html "macOS Updates — MacAdmins Community Documentation documentation | macadminsdoc.readthedocs.io" [4]: https://web.archive.org/web/20240321165931/https://csrc.nist.gov/CSRC/media/Projects/national-vulnerability-database/documents/CCE/CCE-macos_monterey.xls "CCE-91129-7 | CCE-macos_monterey.xls | Sheet 1 - NIST Computer Security Resource Center | csrc.nist.gov" [5]: https://web.archive.org/web/20240321201450/https://paper.bobylive.com/Security/CIS/CIS_Apple_OSX_10_9_Benchmark_v1_3_0.pdf "CIS Apple OSX 10.9 Benchmark | paper.bobylive.com" [6]: https://web.archive.org/web/20240321201643/https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-security-software-updates-on-yosemite/ "Managing automatic installation of ConfigData and security software updates on Yosemite | Der Flounder | derflounder.wordpress.com" [7]: https://web.archive.org/web/20240321201652/https://ss64.com/mac/syntax-defaults.html "System preference settings for macOS - macOS - SS64.com | ss64.com" [8]: https://web.archive.org/web/20240321201436/https://www.tenable.com/audits/items/CIS_OSX_10.10_v1.2.0_L1.audit:97f36c2eaa06045e85a1beff1a76a088 "1.4 Enable system data files and security update installs - 'C... 
| Tenable® | www.tenable.com" [9]: https://web.archive.org/web/20240321201406/https://managingosx.wordpress.com/2013/04/30/undocumented-options/ "Undocumented options – Managing OS X | managingosx.wordpress.com" [10]: https://web.archive.org/web/20240321201558/https://www.intuneirl.com/rapid-security-response/ "Managing Rapid Security Response on Apple Devices | www.intuneirl.com" [11]: https://web.archive.org/web/20240321201614/https://onsitegroup.co.za/rapid-security-response/ "Rapid security response - Onsite | onsitegroup.co.za" [12]: https://web.archive.org/web/20240321201623/https://support.apple.com/en-us/102657 "About Rapid Security Responses for iOS, iPadOS, and macOS - Apple Support | support.apple.com" code: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool false revertCode: |- # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool true # Trigger background check with normal scan (critical updates only) sudo softwareupdate --background-critical functions: - name: PersistUserEnvironmentConfiguration parameters: - name: configuration code: |- command='{{ $configuration }}' declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile") for profile_file in "${profile_files[@]}" do touch "$profile_file" if ! 
grep -q "$command" "${profile_file}"; then echo "$command" >> "$profile_file" echo "[$profile_file] Configured" else echo "[$profile_file] No need for any action, already configured" fi done revertCode: |- command='{{ $configuration }}' declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile") for profile_file in "${profile_files[@]}" do if grep -q "$command" "${profile_file}" 2>/dev/null; then sed -i '' "/$command/d" "$profile_file" echo "[$profile_file] Reverted configuration" else echo "[$profile_file] No need for any action, configuration does not exist" fi done - name: RunIfCommandExists # Skips if command does not exist # Marked: refactor-with-partials # Same function as Linux parameters: - name: command - name: code - name: revertCode optional: true code: |- if ! command -v '{{ $command }}' &> /dev/null; then echo 'Skipping because "{{ $command }}" is not found.' else {{ $code }} fi revertCode: |- {{ with $revertCode }} if ! command -v '{{ $command }}' &> /dev/null; then >&2 echo 'Cannot revert because "{{ $command }}" is not found.' else {{ . }} fi {{ end }} - name: ResetServicePermissions parameters: - name: serviceId # Specifies the service ID for which to reset permissions docs: |- This function resets the specified service ID permissions. The `serviceId` parameter allows you to define the specific service ID (e.g., Camera, Microphone, Accessibility) for which you want to reset all user-granted permissions. call: function: RunIfCommandExists parameters: command: tccutil code: |- declare serviceId='{{ $serviceId }}' declare reset_output reset_exit_code { reset_output=$(tccutil reset "$serviceId" 2>&1) reset_exit_code=$? } if [ $reset_exit_code -eq 0 ]; then echo "Successfully reset permissions for \"${serviceId}\"." elif [ $reset_exit_code -eq 70 ]; then echo "Skipping, service ID \"${serviceId}\" is not supported on your operating system version." elif [ $reset_exit_code -ne 0 ]; then >&2 echo "Failed to reset permissions for \"${serviceId}\". 
Exit code: $reset_exit_code." if [ -n "$reset_output" ]; then echo "Output from \`tccutil\`: $reset_output." fi fi - name: RunInlineCode # Marked: refactor-with-partials # Same function in macOS, Linux, Windows parameters: - name: code - name: revertCode optional: true code: '{{ $code }}' revertCode: '{{ with $revertCode }}{{ . }}{{ end }}' - name: Comment # 💡 Purpose: # Adds a comment in the executed code for better readability and debugging. # This function does not affect the execution flow but helps in understanding the purpose of subsequent code. # Marked: refactor-with-partials # Same function as Linux parameters: - name: codeComment optional: true - name: revertCodeComment optional: true call: function: RunInlineCode parameters: code: '{{ with $codeComment }}# {{ . }}{{ end }}' revertCode: '{{ with $revertCodeComment }}# {{ . }}{{ end }}' - name: ClearDirectoryContents parameters: - name: directoryGlob - name: grantPermissions optional: true call: - function: Comment parameters: codeComment: 'Clear directory contents: "{{ $directoryGlob }}"' - function: RunInlineCode parameters: code: |- glob_pattern="{{ $directoryGlob }}/*" {{ with $grantPermissions }}sudo {{ end }}rm -rfv $glob_pattern