44r0n7/privacy.sexy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aae54344511ec51d17ad0420a92cb5a064e0e7bb
privacy.sexy/src/application/collections/macos.yaml
undergroundwires a3343205b1 Fix win execution with whitespace in username #351 
This commit addresses the issue where scripts fail to execute on Windows
environments with usernames containing spaces. The problem stemmed from
PowerShell and cmd shell's handling of spaces in quoted arguments.

The solution involves encoding PowerShell commands before execution,
which mitigates the quoting issues previously causing script failures.
This approach is now integrated into the execution flow, ensuring that
commands are correctly handled irrespective of user names or other
variables that may include spaces.

Changes:

- Implement encoding for PowerShell commands to handle spaces in usernames
  and other similar scenarios.
- Update script documentation URLs to reflect changes in directory
  structure.

Fixes #351
2024-05-07 13:57:19 +02:00

1783 lines
128 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Structure is documented in "docs/collection-files.md"
os: macos
scripting:
language: shellscript
startCode: |-
#!/usr/bin/env bash
# {{ $homepage }} — v{{ $version }} — {{ $date }}
if [ "$EUID" -ne 0 ]; then
script_path=$([[ "$0" = /* ]] && echo "$0" || echo "$PWD/${0#./}")
sudo "$script_path" || (
echo 'Administrator privileges are required.'
exit 1
)
exit 0
fi
endCode: |-
echo 'Your privacy and security is now hardened 🎉💪'
echo 'Press any key to exit.'
read -n 1 -s
actions:
-
category: Privacy cleanup
children:
-
category: Clear terminal history
children:
-
name: Clear bash history
recommend: standard
code: rm -f ~/.bash_history
-
name: Clear zsh history
recommend: standard
code: rm -f ~/.zsh_history
-
name: Clear CUPS printer job cache
recommend: strict
code: |-
sudo rm -rfv /var/spool/cups/c0*
sudo rm -rfv /var/spool/cups/tmp/*
sudo rm -rfv /var/spool/cups/cache/job.cache*
-
name: Empty trash on all volumes
recommend: strict
code: |-
# on all mounted volumes
sudo rm -rfv /Volumes/*/.Trashes/* &>/dev/null
# on main HDD
sudo rm -rfv ~/.Trash/* &>/dev/null
-
name: Clear system cache
recommend: strict
code: |-
sudo rm -rfv /Library/Caches/* &>/dev/null
sudo rm -rfv /System/Library/Caches/* &>/dev/null
sudo rm -rfv ~/Library/Caches/* &>/dev/null
-
category: Clear operating system logs
recommend: strict
children:
-
category: Clear unified diagnostic logs
docs: https://developer.apple.com/documentation/os/logging
children:
-
name: Clear diagnostics logs
docs: https://eclecticlight.co/2017/10/10/inside-the-macos-log-logd-and-the-files-that-it-manages/
code: |-
sudo rm -rfv /private/var/db/diagnostics/*
sudo rm -rfv /var/db/diagnostics/*
-
name: Clear shared cache strings data
docs:
- https://eclecticlight.co/2017/09/23/sierras-unified-log-evolves-more-persistent-and-a-valuable-log-log/
- https://github.com/privacysexy-forks/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc
code: |-
sudo rm -rfv /private/var/db/uuidtext/
sudo rm -rfv /var/db/uuidtext/
-
category: Clear system logs
children:
-
name: Clear Apple System Logs (ASL)
docs:
- https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
- https://apple.stackexchange.com/questions/98197/is-it-safe-to-delete-system-logs
code: |-
sudo rm -rfv /private/var/log/asl/*
sudo rm -rfv /var/log/asl/*
sudo rm -fv /var/log/asl.log # Legacy ASL (10.4)
sudo rm -fv /var/log/asl.db
-
name: Clear install logs
docs: https://discussions.apple.com/thread/1829842
code: sudo rm -fv /var/log/install.log
-
name: Clear all system logs in `/var/log/` directory
docs: https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/
code: sudo rm -rfv /var/log/* # Clears including /var/log/system.log
-
name: Clear system application logs
docs: https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
code: sudo rm -rfv /Library/Logs/*
-
name: Clear Mail logs
code: rm -rfv ~/Library/Containers/com.apple.mail/Data/Library/Logs/Mail/*
-
name: Clear user activity audit logs (login, logout, authentication, etc.)
docs:
- https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
- https://web.archive.org/web/20240314054514/https://bpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2016/06/psumac2016-19-osxlogs_macadmins_2016.pdf
code: |-
sudo rm -rfv /var/audit/*
sudo rm -rfv /private/var/audit/*
-
name: Clear user report logs
docs:
- https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/
- https://apple.stackexchange.com/questions/272929/is-it-safe-to-delete-the-content-of-library-logs
code: sudo rm -rfv ~/Library/Logs/*
-
name: Clear daily logs
docs: https://salt4n6.com/2018/12/11/mac-os-daily-logs/
code: sudo rm -fv /System/Library/LaunchDaemons/com.apple.periodic-*.plist
-
name: Clear receipt logs for installed packages/apps
docs:
- https://apple.stackexchange.com/questions/327174/whats-the-purpose-of-directory-private-var-db-receipts
- https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
code: |-
sudo rm -rfv /var/db/receipts/*
sudo rm -vf /Library/Receipts/InstallHistory.plist
-
category: Clear browser history
children:
-
category: Clear Chrome history
children:
-
name: Clear Chrome browsing history
code: |-
rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History &>/dev/null
rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History-journal &>/dev/null
-
name: Clear Chrome cache
code: sudo rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/Application\ Cache/* &>/dev/null
-
category: Clear Safari history
children:
-
name: Clear Safari browsing history
docs:
- https://discussions.apple.com/thread/7586106?answerId=30314600022#30314600022
- https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
code: |-
rm -f ~/Library/Safari/History.db
rm -f ~/Library/Safari/History.db-lock
rm -f ~/Library/Safari/History.db-shm
rm -f ~/Library/Safari/History.db-wal
# For older versions of Safari
rm -f ~/Library/Safari/History.plist # URL, visit count, webpage title, last visited timestamp, redirected URL, autocomplete
rm -f ~/Library/Safari/HistoryIndex.sk # History index
-
name: Clear Safari downloads history
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/Downloads.plist
-
name: Clear Safari frequently visited sites
docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
code: rm -f ~/Library/Safari/TopSites.plist
-
name: Clear Safari last session (open tabs) history
docs:
- https://web.archive.org/web/20240314061752/https://apple.stackexchange.com/questions/374099/where-does-safari-store-the-open-tabs/374116#374116
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7127
code: rm -f ~/Library/Safari/LastSession.plist
-
category: Clear Safari caches
children:
-
name: Clear Safari cached blobs, URLs and timestamps
docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
code: rm -f ~/Library/Caches/com.apple.Safari/Cache.db
-
name: Clear Safari URL bar web page icons
docs:
- https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
- https://lifehacker.com/safaris-private-browsing-mode-saves-urls-in-an-easily-a-1691944343
code: rm -f ~/Library/Safari/WebpageIcons.db
-
name: Clear Safari webpage previews (thumbnails)
docs:
- https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
- https://archive.ph/2024.03.14-100910/https://www.reddit.com/r/apple/comments/18lp92/your_apple_computer_keeps_a_screen_shot_of_nearly/?rdt=59921
code: rm -rfv ~/Library/Caches/com.apple.Safari/Webpage\ Previews
-
name: Clear Safari history copy
docs: https://forensicsfromthesausagefactory.blogspot.com/2010/06/safari-history-spotlight-webhistory.html
code: rm -rfv ~/Library/Caches/Metadata/Safari/History
-
name: Clear search term history embedded in Safari preferences
docs: https://krypted.com/tag/recentsearchstrings/
code: defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )'
-
name: Clear Safari cookies
docs:
- https://web.archive.org/web/20240314132018/https://community.spiceworks.com/t/understanding-the-safari-cookies-binarycookies-file-format/928827
- https://web.archive.org/web/20240314060318/https://link.springer.com/content/pdf/10.1007/0-387-36891-4_13.pdf
code: |-
rm -f ~/Library/Cookies/Cookies.binarycookies
# Used before Safari 5.1
rm -f ~/Library/Cookies/Cookies.plist
-
name: Clear Safari zoom level preferences per site
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/PerSiteZoomPreferences.plist
-
name: Clear allowed URLs for Safari notifications
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/UserNotificationPreferences.plist
-
name: Clear Safari preferences for downloads, geolocation, pop-ups, and autoplay per site
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/PerSitePreferences.db
-
category: Clear Firefox history
children:
-
name: Clear Firefox cache
code: |-
sudo rm -rf ~/Library/Caches/Mozilla/
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/netpredictions.sqlite
-
name: Clear Firefox form history
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.dat
-
name: Clear Firefox site preferences
code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/content-prefs.sqlite
-
name: Clear Firefox session restore data (loads after the browser closes or crashes)
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionCheckpoints.json
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore*.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/upgrade.js*-20*
-
name: Clear Firefox passwords
docs: https://web.archive.org/web/20210425202923/http://kb.mozillazine.org/Password_Manager
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons2.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons3.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/logins.json
-
name: Clear Firefox HTML5 cookies
code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/webappsstore.sqlite
-
name: Clear Firefox crash reports
code: |-
rm -rfv ~/Library/Application\ Support/Firefox/Crash\ Reports/
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/minidumps/*.dmp
-
name: Clear Firefox backup files
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.json
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.jsonlz4
-
name: Clear Firefox cookies
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-shm
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-wal
rm -rfv ~/Library/Application\ Support/Firefox/Profiles/*/storage/default/http*
-
category: Clear third-party application data
children:
-
category: Clear privacy.sexy data
# Marked: refactor-with-variables, refactor-with-partials
# - Documentation is same across macOS, Linux and Windows, this should be shared and not duplicated.
docs: |-
This category offers scripts to remove data left by the privacy.sexy desktop application,
helping you ensure your privacy by eliminating all traces of use.
The web application version of privacy.sexy does not create or store user data on your device [1],
so this category is applicable to desktop application users only.
These scripts are designed for anyone wanting to ensure their script activities leave no trace on their systems.
> **Caution**:
> Deleting this data might affect security [2] and troubleshooting [1]:
> - Logs are valuable for diagnosing issues and understanding past actions [1].
> - Script files can help review changes made to the system and aid in reverting those changes if needed.
[1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
[2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
children:
-
name: Clear privacy.sexy script history
docs: |-
This script removes script files generated by the privacy.sexy desktop application.
The desktop version executes scripts directly on your device [1], saving a script file for execution [1],
troubleshooting [1], and security [2].
By running this script, you remove the executed script files, enhancing your privacy by ensuring that there is no
residual data that could reveal your usage patterns or preferences.
> **Caution**:
> - This action is irreversible. Deleted script files cannot be retrieved.
> - These files might be necessary for troubleshooting if you experience issues after using privacy.sexy scripts.
[1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
[2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: "$HOME/Library/Application Support/privacy.sexy/runs"
-
name: Clear privacy.sexy activity logs
docs: |-
This script removes log files generated by the privacy.sexy desktop application.
Different from the web version, the desktop application records logs for troubleshooting [1].
Additionally, these logs offer auditing and transparency for security [2].
Deleting these logs can help maintain your privacy by ensuring there are no records of the application's activities
on your system.
> **Caution**:
> - Removing logs will prevent you from reviewing the application's activities, which could be helpful in diagnosing issues.
> - Logs can contain valuable information for technical support should you need assistance.
[1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
[2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: "$HOME/Library/Logs/privacy.sexy"
-
name: Clear Adobe cache
recommend: standard
code: sudo rm -rfv ~/Library/Application\ Support/Adobe/Common/Media\ Cache\ Files/* &>/dev/null
-
name: Clear Gradle cache
recommend: strict
code: |-
if [ -d "~/.gradle/caches" ]; then
rm -rfv ~/.gradle/caches/ &> /dev/null
fi
-
name: Clear Dropbox cache
recommend: standard
code: |-
if [ -d "~/Dropbox/.dropbox.cache" ]; then
sudo rm -rfv ~/Dropbox/.dropbox.cache/* &>/dev/null
fi
-
name: Clear Google Drive File Stream cache
recommend: standard
code: |-
killall "Google Drive File Stream"
rm -rfv ~/Library/Application\ Support/Google/DriveFS/[0-9a-zA-Z]*/content_cache &>/dev/null
-
name: Clear Composer cache
recommend: strict
code: |-
if type "composer" &> /dev/null; then
composer clearcache &> /dev/null
fi
-
name: Clear Homebrew cache
recommend: strict
code: |-
if type "brew" &>/dev/null; then
brew cleanup -s &>/dev/null
rm -rfv $(brew --cache) &>/dev/null
brew tap --repair &>/dev/null
fi
-
name: Clear old Ruby gem versions
recommend: strict
code: |-
if type "gem" &> /dev/null; then
gem cleanup &>/dev/null
fi
-
name: Clear unused Docker data
recommend: strict
docs: |-
This script frees up disk space, but also improves user privacy by:
1. **Removal of stopped containers**: Containers often run applications or services that might process sensitive
or personal data. Even if a container is stopped, its filesystem remains intact, and potentially sensitive data inside
it can be accessed. By removing stopped containers, we eliminate this potential privacy risk.
2. **Deletion of unused images**: Images can sometimes contain sensitive information, especially if they were built
from `Dockerfile`s that copied local files or were used in scenarios where sensitive data was processed. Deleting unused
images ensures that any inadvertent sensitive information embedded in those images is eradicated.
3. **Cleanup of network configurations**: Networks, especially custom ones, can contain configurations that reveal details
about system architecture, inter-container communication, or even hardcoded secrets. Removing unused networks mitigates
risks associated with lingering, outdated, or insecure configurations.
4. **Elimination of build cache**: The Docker build process uses a cache to speed up image creation. This cache can contain
remnants of previous builds, including potentially sensitive data or files. Pruning the build cache ensures that these remnants
are deleted, further safeguarding privacy.
5. **Footprint reduction**: By consistently pruning unused Docker objects, the overall footprint of Docker on the system is
reduced. This makes it harder for malicious actors to exploit any lingering or overlooked vulnerabilities in the system or Docker
itself.
This script runs `docker system prune -af` command to clean up unused Docker data [1].
Specifically, the command will [1]:
- Remove all stopped containers.
- Remove all networks not used by at least one container.
- Remove all images not used by any container.
- Remove all build cache.
[1]: https://web.archive.org/web/20230810171526/https://docs.docker.com/engine/reference/commandline/system_prune/ "docker system prune | Docker Documentation"
code: |-
if type "docker" &> /dev/null; then
docker system prune -af
fi
-
name: Clear Pyenv-Virtualenv cache
recommend: strict
code: |-
if [ "$PYENV_VIRTUALENV_CACHE_PATH" ]; then
rm -rfv $PYENV_VIRTUALENV_CACHE_PATH &>/dev/null
fi
-
name: Clear NPM cache
recommend: strict
code: |-
if type "npm" &> /dev/null; then
npm cache clean --force
fi
-
name: Clear Yarn cache
recommend: strict
code: |-
if type "yarn" &> /dev/null; then
echo 'Cleanup Yarn Cache...'
yarn cache clean --force
fi
-
category: Clear iOS usage data
children:
-
name: Clear iOS app copies from iTunes
recommend: strict
code: rm -rfv ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/* &>/dev/null
-
name: Clear iOS photo cache
recommend: standard
code: rm -rf ~/Pictures/iPhoto\ Library/iPod\ Photo\ Cache/*
-
name: Clear iOS Device Backups
recommend: strict
code: rm -rfv ~/Library/Application\ Support/MobileSync/Backup/* &>/dev/null
-
name: Clear iOS simulators
recommend: strict
code: |-
if type "xcrun" &>/dev/null; then
osascript -e 'tell application "com.apple.CoreSimulator.CoreSimulatorService" to quit'
osascript -e 'tell application "iOS Simulator" to quit'
osascript -e 'tell application "Simulator" to quit'
xcrun simctl shutdown all
xcrun simctl erase all
fi
-
name: Clear list of connected iOS devices
recommend: strict
code: |-
sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices
sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices
sudo rm -rfv /var/db/lockdown/*
-
name: Clear Xcode's derived data and archives
recommend: strict
code: |-
rm -rfv ~/Library/Developer/Xcode/DerivedData/* &>/dev/null
rm -rfv ~/Library/Developer/Xcode/Archives/* &>/dev/null
rm -rfv ~/Library/Developer/Xcode/iOS Device Logs/* &>/dev/null
-
name: Clear DNS cache
recommend: standard
code: |-
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
-
name: Clear inactive memory
recommend: standard
code: sudo purge
-
category: Clear application privacy permissions
docs: |-
This category provides scripts to reset privacy permissions for a variety of applications on your device,
helping you to re-establish control over your personal data. Each script targets a specific permission type such
as camera, microphone, contacts, or accessibility services enabling you to revoke permissions that have previously
been granted to applications.
By resetting these permissions, you not only enhance your privacy but also improve your device's security. After
running these scripts, applications will require your explicit permission again to access these services or
information. This means the next time an app attempts to use a service like your camera or access your contacts,
you'll be prompted to grant or deny permission. It's a proactive step to ensure that your sensitive information
or system services are accessed only with your current and informed consent.
children:
# Main documentation: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services
-
name: Clear **"All"** permissions
docs: |-
This script resets all permissions for applications.
It revokes all previously granted permissions, enhancing privacy and security by ensuring no application has unauthorized access to system services or user data.
call:
function: ResetServicePermissions
parameters:
serviceId: All
-
name: Clear "Camera" permissions
docs: |-
This script resets permissions for camera access [1].
It ensures no application can access the system camera without explicit user permission, protecting against unauthorized surveillance and data breaches.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: Camera
-
name: Clear "Microphone" permissions
docs: |-
This script resets permissions for microphone access [1].
It revokes all granted access to the microphone, protecting against eavesdropping and unauthorized audio recording by applications.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: Microphone
-
name: Clear "Accessibility" permissions
docs: |-
This script resets permissions for accessibility features [1].
It revokes application access to accessibility services, preventing misuse and ensuring these features are used only with user consent.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: Accessibility
-
name: Clear "Screen Capture" permissions
docs: |-
This script resets permissions for screen capture [1].
It ensures applications cannot capture screen content without user authorization, protecting sensitive information displayed on the screen.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: ScreenCapture
-
name: Clear "Reminders" permissions
docs: |-
This script resets permissions for accessing reminders information managed by the Reminders app [1].
It ensures applications cannot access or modify reminders data without explicit user permission, maintaining the privacy of personal reminders.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: Reminders
-
name: Clear "Photos" permissions
docs: |-
This script resets permissions for accessing the pictures managed by the Photos app [1].
It revokes all permissions granted to applications, safeguarding personal photos and media from unauthorized access.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: Photos
-
name: Clear "Calendar" permissions
docs: |-
This script resets permissions for accessing the calendar information managed by the Calendar app [1].
It ensures that applications cannot access calendar data without user consent, protecting personal and sensitive calendar information.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: Calendar
-
name: Clear "Full Disk Access" permissions
docs: |-
This script resets permissions for full disk access.
Full disk access allows the application access to all protected files, including system administration files [1].
It revokes broad file access from applications, significantly reducing the risk of data exposure and enhancing overall system security.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyAllFiles
-
name: Clear "Contacts" permissions
docs: |-
This script resets permissions for accessing contacts.
The contact information managed by the Contacts app [1].
It ensures that applications cannot access the user's contact list without explicit permission, maintaining the confidentiality of personal contacts.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: AddressBook
-
name: Clear "Desktop Folder" permissions
docs: |-
This script resets permissions for accessing the Desktop folder [1].
It revokes application access to files on the desktop, protecting personal and work-related documents from unauthorized access.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyDesktopFolder
-
name: Clear "Documents Folder" permissions
docs: |-
This script resets permissions for accessing the Documents folder [1].
It prevents applications from accessing files in this folder without user consent, safeguarding important and private documents.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyDocumentsFolder
-
name: Clear "Downloads Folder" permissions
docs: |-
This script resets permissions for accessing the Downloads folder [1].
It ensures that applications cannot access downloaded files without user authorization, protecting downloaded content from misuse.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyDownloadsFolder
-
name: Clear "Apple Events" permissions
docs: |-
This script resets permissions for Apple Events [1].
It revokes permissions for applications to send restricted Apple Events to other processes [1], enhancing privacy and security.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: AppleEvents
-
name: Clear "File Provider Presence" permissions
docs: |-
This script resets permissions for File Provider Presence [1].
It revokes the ability of File Provider applications to know when the user is accessing their managed files [1], enhancing user privacy.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: FileProviderPresence
-
name: Clear "Listen Events" permissions
docs: |-
This script resets "ListenEvent" permissions [1].
It revokes application access to listen to system events [1], preventing unauthorized monitoring of user interactions with the system.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: ListenEvent
-
name: Clear "Media Library" permissions
docs: |-
This script resets permissions for accessing the Media Library [1].
It ensures that applications cannot access Apple Music, music and video activity, and the media library [1] without user consent.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: MediaLibrary
-
name: Clear "Post Event" permissions
docs: |-
This script resets permissions for sending "PostEvent" [1].
It prevents applications from using CoreGraphics APIs to send system events [1], safeguarding against potential misuse.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: PostEvent
-
name: Clear "Speech Recognition" permissions
recommend: strict
docs: |-
This script resets permissions for using Speech Recognition [1].
It revokes application access to the speech recognition facility and sending speech data to Apple [1], protecting user privacy.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SpeechRecognition
-
name: Clear "App Modification" permissions
docs: |-
This script resets permissions for modifying other apps [1].
It prevents applications from updating or deleting other apps [1], maintaining system integrity and user control.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyAppBundles
-
name: Clear "Application Data" permissions
docs: |-
This script resets permissions for accessing application data [1].
It revokes application access to specific application data, enhancing privacy and data security.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyAppData
-
name: Clear "Network Volumes" permissions
docs: |-
This script resets permissions for accessing files on network volumes [1].
It ensures applications cannot access network files without user authorization.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyNetworkVolumes
-
name: Clear "Removable Volumes" permissions
docs: |-
This script resets permissions for accessing files on removable volumes [1].
It protects data on external drives from unauthorized application access.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicyRemovableVolumes
-
name: Clear "System Administration Files" permissions
docs: |-
This script resets permissions for accessing system administration files [1].
It enhances system security by restricting application access to critical system files.
[1]: https://archive.ph/2023.11.24-170934/https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services "PrivacyPreferencesPolicyControl.Services | Apple Developer Documentation | apple.com"
call:
function: ResetServicePermissions
parameters:
serviceId: SystemPolicySysAdminFiles
-
category: Configure programs
children:
-
name: Disable Firefox telemetry
recommend: standard
docs: https://github.com/privacysexy-forks/policy-templates/blob/master/README.md
code: |-
# Enable Firefox policies so the telemetry can be configured.
sudo defaults write /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled -bool TRUE
# Disable sending usage data
sudo defaults write /Library/Preferences/org.mozilla.firefox DisableTelemetry -bool TRUE
revertCode: |-
sudo defaults delete /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled
sudo defaults delete /Library/Preferences/org.mozilla.firefox DisableTelemetry
-
name: Disable Microsoft Office telemetry
recommend: standard
code: defaults write com.microsoft.office DiagnosticDataTypePreference -string ZeroDiagnosticData
revertCode: defaults delete com.microsoft.office DiagnosticDataTypePreference
-
name: Remove Google Software Update service
recommend: strict
code: |-
googleUpdateFile=~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall
if [ -f "$googleUpdateFile" ]; then
$googleUpdateFile --nuke
echo 'Uninstalled Google update'
else
echo 'Google update file does not exist'
fi
-
name: Disable Homebrew user behavior analytics
recommend: standard
docs: https://docs.brew.sh/Analytics
call:
-
function: PersistUserEnvironmentConfiguration
parameters:
configuration: export HOMEBREW_NO_ANALYTICS=1
-
name: Disable NET Core CLI telemetry
recommend: standard
call:
-
function: PersistUserEnvironmentConfiguration
parameters:
configuration: export DOTNET_CLI_TELEMETRY_OPTOUT=1
-
name: Disable PowerShell Core telemetry
recommend: standard
docs: https://github.com/privacysexy-forks/PowerShell/blob/v7.1.5/README.md#telemetry
call:
-
function: PersistUserEnvironmentConfiguration
parameters:
configuration: export POWERSHELL_TELEMETRY_OPTOUT=1
-
category: Configure Parallels Desktop
docs: |-
Parallels Desktop for Mac is software providing hardware virtualization for macOS [1].
When you use it, it collects and shares your personal data to third parties [2]. Personal
data include IP address of your device, your broad geographical location (country, state
(if applicable), and city) and used product [2].
It includes third-party advertisements [3] and automatic check for updates [4] by default.
Both of these behaviors communicate with online services that reveal personal data about you.
[1]: https://web.archive.org/web/20221012155943/https://en.wikipedia.org/wiki/Parallels_Desktop_for_Mac "Parallels Desktop for Mac - Wikipedia | en.wikipedia.org"
[2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com"
[3]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com"
[4]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com"
children:
-
name: Disable Parallels Desktop advertisements
recommend: standard
docs: |-
Parallels Desktop in-product notifications to show ads from Parallels or other third
party companies [1].
The main setting is `ProductPromo.ForcePromoOff` [1] that you can check using:
1. `defaults read 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff'`
2. `defaults read 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff'`
By default, on clean installations the value is `0` which is equivalent of `no`.
There is also `WelcomeScreenPromo.PromoOff` setting that's pre-configured to `1` (`no` as
default). It's undocumented but still kept disabled by this script.
[1]: https://web.archive.org/web/20240314062932/https://forum.parallels.com/threads/unable-to-process-the-upgrade-request.345603/ "Unable to process the upgrade request | Parallels Forums | forum.parallels.com"
[2]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com"
code: |-
defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool yes
defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes
revertCode: |-
defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool no
defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes
-
category: Disable Parallels Desktop automatic updates
docs: |-
Parallels Desktop by default checks for updates frequently and automatically downloads them [1].
This reveal personal data about you [2] without your control.
[1]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com"
[2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com"
children:
-
name: Disable automatic downloads for Parallels Desktop updates
docs: |-
Automatic downloads are enabled by default, and this script disables automatic downloads.
Automatic downloads are configured using the `Application preferences.Download updates automatically` property [1].
- Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically'`
- Values: 0 - Disabled, 1 - Enabled (default)
[1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com"
code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool no
revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool yes
-
name: Disable automatic checks for Parallels Desktop updates
docs: |-
Automatic checks are weekly by default, and this script disables the checks completely.
Frequency to check for updates can be configured using `Application preferences.Check for updates` property [1].
- Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates'`
- Values: 0 - Never, 1 - Once a day, 2 - Once a week (default), 3 - Once a month
[1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com"
code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 0
revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 2
-
category: Configure OS
children:
-
category: Configure Apple Remote Desktop
children:
-
name: Disable remote management service
recommend: strict
code: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
revertCode: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console
-
name: Remove Apple Remote Desktop Settings
recommend: strict
code: |-
sudo rm -rf /var/db/RemoteManagement
sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist
defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist
sudo rm -rf /Library/Application\ Support/Apple/Remote\ Desktop/
rm -r ~/Library/Application\ Support/Remote\ Desktop/
rm -r ~/Library/Containers/com.apple.RemoteDesktop
-
name: Disable online spell correction
code: defaults write NSGlobalDomain WebAutomaticSpellingCorrectionEnabled -bool false
revertCode: defaults delete NSGlobalDomain WebAutomaticSpellingCorrectionEnabled
-
name: Disable remote Apple events
recommend: strict
code: sudo systemsetup -setremoteappleevents off
revertCode: sudo systemsetup -setremoteappleevents on
-
name: Disable automatic storage of documents in iCloud Drive
docs: https://macos-defaults.com/finder/nsdocumentsavenewdocumentstocloud.html
recommend: standard
code: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
revertCode: defaults delete NSGlobalDomain NSDocumentSaveNewDocumentsToCloud
-
name: Disable display of recent applications on Dock
docs: https://developer.apple.com/documentation/devicemanagement/dock
code: defaults write com.apple.dock show-recents -bool false
revertCode: defaults delete com.apple.dock show-recents
-
name: Disable AirDrop file sharing
recommend: strict
code: defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
revertCode: defaults write com.apple.NetworkBrowser DisableAirDrop -bool false
-
category: Configure Siri
children:
-
name: Disable participation in Siri data collection
recommend: standard
code: defaults write com.apple.assistant.support 'Siri Data Sharing Opt-In Status' -int 2
revertCode: defaults delete com.apple.assistant.support 'Siri Data Sharing Opt-In Status'
-
category: Disable Siri
children:
-
name: Disable "Ask Siri"
recommend: strict
docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/
code: defaults write com.apple.assistant.support 'Assistant Enabled' -bool false
revertCode: defaults write com.apple.assistant.support 'Assistant Enabled' -bool true
-
name: Disable Siri voice feedback
recommend: strict
docs:
- https://github.com/privacysexy-forks/starter/blob/master/system/siri.sh
- https://web.archive.org/web/20201002133713/https://machippie.github.io/system/
code: defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 3
revertCode: defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 2
-
name: Disable Siri services (Siri and assistantd)
recommend: strict
docs:
- https://web.archive.org/web/20240314060540/https://apple.stackexchange.com/questions/57514/what-is-assistantd
- https://archive.ph/2024.03.14-055010/https://community.jamf.com/t5/jamf-pro/kill-siri/td-p/171543
- https://web.archive.org/web/20240314060501/https://apple.stackexchange.com/questions/258816/how-to-completely-disable-siri-on-sierra/370426#370426
# To see status: • `launchctl print-disabled system` • `launchctl print-disabled user/$UID` • `launchctl print-disabled gui/$UID`
code: |-
launchctl disable "user/$UID/com.apple.assistantd"
launchctl disable "gui/$UID/com.apple.assistantd"
sudo launchctl disable 'system/com.apple.assistantd'
launchctl disable "user/$UID/com.apple.Siri.agent"
launchctl disable "gui/$UID/com.apple.Siri.agent"
sudo launchctl disable 'system/com.apple.Siri.agent'
if [ $(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//') = "enabled" ]; then
>&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'
fi
revertCode: |-
launchctl enable "user/$UID/com.apple.assistantd"
launchctl enable "gui/$UID/com.apple.assistantd"
sudo launchctl enable 'system/com.apple.assistantd'
launchctl enable "user/$UID/com.apple.Siri.agent"
launchctl enable "gui/$UID/com.apple.Siri.agent"
sudo launchctl enable 'system/com.apple.Siri.agent'
if [ $(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//') = "enabled" ]; then
>&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'
fi
-
name: Disable "Do you want to enable Siri?" pop-up
docs: |-
This script stops the "Enable Siri" pop-up [1] from appearing the first time a user logs into macOS [2].
Introduced in macOS version 10.12 [2], this pop-up asks, "Do you want to enable Siri?" [1]
which could lead to Siri being enabled unintentionally.
This script configures the `com.apple.SetupAssistant!DidSeeSiriSetup` setting to suppress this pop-up [1] [2] [3] [4].
This command tells the system that the Siri setup is complete, preventing the pop-up in future sessions and
enhancing privacy by avoiding unintended Siri activation.
[1]: https://archive.ph/2024.03.14-053325/https://discussions.apple.com/thread/7694127?answerId=30752577022&sortBy=best%2330752577022 "macOS keeps nagging me about enabling Siri - Apple Community | discussions.apple.com"
[2]: https://web.archive.org/web/20240314052600/https://derflounder.wordpress.com/2016/09/20/supressing-siri-pop-up-windows-on-macos-sierra/ "Suppressing Siri pop-up windows on macOS Sierra | Der Flounder"
[3]: https://web.archive.org/web/20240314052901/https://windowsreport.com/mac/siri-keeps-popping-up/ "Siri keeps popping up on Mac? Here's how to easily fix that • MacTips | windowsreport.com"
[4]: https://web.archive.org/web/20240314052247/https://community.jamf.com/t5/jamf-pro/disable-siri-setup-assistant-in-macos-sierra/m-p/205836/highlight/true#M194536 "Solved: Re: Disable Siri setup assistant in macOS Sierra - Jamf Nation Community - 205834 | community.jamf.com"
code: defaults write com.apple.SetupAssistant 'DidSeeSiriSetup' -bool True
revertCode: defaults delete com.apple.SetupAssistant 'DidSeeSiriSetup'
-
category: Remove Siri from user interface
children:
-
name: Remove Siri from menu bar
recommend: strict
code: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 0
revertCode: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 1
-
name: Remove Siri from status menu
recommend: strict
docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/
code: |-
defaults write com.apple.Siri 'StatusMenuVisible' -bool false
defaults write com.apple.Siri 'UserHasDeclinedEnable' -bool true
revertCode: |-
defaults delete com.apple.Siri 'StatusMenuVisible'
defaults delete com.apple.Siri 'UserHasDeclinedEnable'
-
name: Disable Spotlight indexing
code: sudo mdutil -i off -d /
revertCode: sudo mdutil -i on /
-
name: Disable personalized advertisements and identifier tracking
recommend: standard
docs: |-
This script enhances your privacy by deactivating Personalized Ads and disabling the collection
of identifiers related to your device. The process involves modifying certain key configurations,
which prevents Apple's advertising platform from using your personal information to deliver targeted
ads [1].
When Personalized Ads is enabled, your information may be used to provide ads that closely align
with your interests [1]. You might occasionally encounter such targeted ads in Apple News, Stocks,
and the Mac App Store [2]. Disabling Personalized Ads will prevent Apple from using your data for
ad targeting [2]. Although this does not necessarily decrease the quantity of ads you receive,
it may result in the ads being less relevant to your interests [2].
The primary keys to deactivating personalized ads are:
- **`allowApplePersonalizedAdvertising`**: If set to false, this restricts Apple's personalized
advertising [3]. This is applicable on macOS 12 and subsequent versions [3].
- **`allowIdentifierForAdvertising`**: The `advertisingIdentifier` is a unique string assigned
to each device [5]. Apple uses this identifier and recommends its use in third-party
applications for tasks like frequency capping, attribution, conversion events, estimating the
number of unique users, detecting advertising fraud, and debugging [5]. Although there is no
official documentation on it, a discussion on JAMF.com corroborates its existence [6].
My tests show that disabling any of the keys mentioned above results in the
"System Preferences > Apple Advertising > Personalized ads" option being deactivated in the GUI,
starting from macOS Monterey.
Please note: The `forceLimitAdTracking` key limits ad tracking [3] [4] and is found in CIS
benchmarks for macOS [4]. However, the official macOS documentation specifies that it is
applicable only to iOS 7 and newer versions, not to macOS [3]. The key does not exist on the OS
by default.
[1]: https://web.archive.org/web/20230731152633/https://www.apple.com/legal/privacy/data/en/apple-advertising/ "Legal - Apple Advertising & Privacy - Apple"
[2]: https://web.archive.org/web/20220805052411/https://support.apple.com/en-sg/guide/mac-help/mh32356/mac "Change Privacy preferences on Mac - Apple Support (SG)"
[3]: https://web.archive.org/web/20230731155827/https://developer.apple.com/documentation/devicemanagement/restrictions "Restrictions | Apple Developer Documentation"
[4]: https://web.archive.org/web/20230731155653/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_11_0_Big_Sur_Benchmark_v2_0_0.pdf "CIS Apple macOS 11.0 Big Sur Benchmark"
[5]: https://web.archive.org/web/20230731155131/https://developer.apple.com/documentation/adsupport/asidentifiermanager/1614151-advertisingidentifier "advertisingIdentifier | Apple Developer Documentation"
[6]: https://web.archive.org/web/20230731154840/https://community.jamf.com/t5/jamf-pro/macos-quot-limit-ad-tracking-quot/td-p/217001 'Solved: macOS "Limit Ad Tracking" - Jamf Nation Community - 217001'
code: |-
defaults write com.apple.AdLib allowIdentifierForAdvertising -bool false
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool false
defaults write com.apple.AdLib forceLimitAdTracking -bool true
# Default: (`defaults read com.apple.AdLib`)
# - `defaults read com.apple.AdLib allowApplePersonalizedAdvertising`: true (1)
# - `defaults read com.apple.AdLib allowIdentifierForAdvertising`: true (1)
# - `defaults read com.apple.AdLib forceLimitAdTracking`: non-existing
revertCode: |-
defaults write com.apple.AdLib allowIdentifierForAdvertising -bool true
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool true
sudo defaults delete com.apple.AdLib forceLimitAdTracking
-
category: Security improvements
children:
-
category: Configure macOS Application Firewall
children:
-
name: Enable application firewall
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81681
- https://daiderd.com/nix-darwin/manual/index.html
- https://developer.apple.com/documentation/devicemanagement/firewall
code: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true
defaults write com.apple.security.firewall EnableFirewall -bool true
revertCode: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool false
defaults write com.apple.security.firewall EnableFirewall -bool false
-
name: Enable firewall logging
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671
- https://daiderd.com/nix-darwin/manual/index.html
code: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
revertCode: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool false
-
name: Enable stealth mode
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327
- https://daiderd.com/nix-darwin/manual/index.html
- https://developer.apple.com/documentation/devicemanagement/firewall
code: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
defaults write com.apple.security.firewall EnableStealthMode -bool true
revertCode: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false
defaults write com.apple.security.firewall EnableStealthMode -bool false
-
category: Disable automatic permission for incoming traffic in applications
children:
-
name: Disable automatic incoming connections for signed apps
docs: https://daiderd.com/nix-darwin/manual/index.html
recommend: strict
code: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool true
-
name: Disable automatic incoming connections for downloaded signed apps
docs: https://daiderd.com/nix-darwin/manual/index.html
recommend: strict
code: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false
revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool true
-
name: Disable Captive portal
# An attacker could trigger the utility and direct a Mac to a site with malware without user interaction,
# so it's best to disable this feature and log in to captive portals using regular Web browser instead.
recommend: standard
docs:
# Risks with captive portals:
- https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
# More about apple Captive portal:
- https://web.archive.org/web/20171008071031if_/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html#.WdnPa5OyL6Y
- https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html
- https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/
code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
revertCode: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active
-
category: Enable protective screen saver
children:
-
name: Enable password requirement for waking from sleep or screen saver
# The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230744
code: sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true
revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword
-
name: Enable session lock five seconds after screen saver initiation
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230745
# An unattended system with an excessive grace period is vulnerable to a malicious user.
code: sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5
revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay'
-
category: Disable guest accounts
docs:
- https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615
children:
-
name: Disable guest sign-in from login screen
code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
revertCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES
-
name: Disable guest access to file shares over AF
code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO
revertCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES
-
name: Disable guest access to file shares over SMB
code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO
revertCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES
-
category: Disable unauthorized connections
children:
-
name: Disable incoming SSH and SFTP remote logins
recommend: standard
docs: https://osxdaily.com/2016/08/16/enable-ssh-mac-command-line/
# Check if enabled: sudo systemsetup -getremotelogin, returns "Remote Login: On" or "Off"
code: echo 'yes' | sudo systemsetup -setremotelogin off
revertCode: sudo systemsetup -setremotelogin on
-
name: Disable the insecure TFTP service
recommend: standard
# If the system does not require Trivial File Transfer Protocol (TFTP), then support for
# it is non-essential and should be disabled. The information system should be configured to
# provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection
# of devices and the unauthorized transfer of information.
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230813
code: sudo launchctl disable 'system/com.apple.tftpd'
revertCode: sudo launchctl enable 'system/com.apple.tftpd'
-
name: Disable Bonjour multicast advertising
recommend: standard
docs: https://www.stigviewer.com/stig/apple_os_x_10.11/2017-04-06/finding/V-67593
code: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
revertCode: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool false
-
name: Disable insecure telnet protocol
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.13/2020-09-11/finding/V-214882
- https://www.stigviewer.com/stig/apple_os_x_10.10_yosemite_workstation/2017-04-06/finding/V-59671
code: sudo launchctl disable system/com.apple.telnetd
revertCode: sudo launchctl enable system/com.apple.telnetd
-
category: Disable printer sharing (IPP, LDP, SMB and Bonjour protocols)
# Used typically for servers
# By default, the CUPS only listens to requests from the machine that it's running on
# cupsctl is a tool to manage the configuration of the CUPS daemon
docs:
- https://www.cups.org/doc/sharing.html
- https://www.cups.org/doc/security.html # Security risks
children:
-
name: Disable local printer sharing with other computers
recommend: standard
docs: https://www.cups.org/doc/man-cupsctl.html
code: cupsctl --no-share-printers
revertCode: cupsctl --share-printers
-
name: Disable printing from external addresses, including the internet
recommend: standard
docs: https://www.cups.org/doc/man-cupsctl.html
code: cupsctl --no-remote-any
revertCode: cupsctl --remote-any
-
name: Disable remote printer administration
recommend: standard
docs: https://www.cups.org/doc/man-cupsctl.html
code: cupsctl --no-remote-admin
revertCode: cupsctl --remote-admin
-
category: Privacy over security
children:
-
category: Disable File Quarantine (tracks downloaded files and warns)
# OS tracks downloaded files with help of quarantine-aware applications
# (such as Safari, Chrome) adding quarantine extended attributes to files.
# then OS warns and asks if you really want to open it
docs: https://web.archive.org/web/20210319081714/https://support.apple.com/en-gb/HT202491
children:
-
category: Clean File Quarantine from downloaded files
children:
-
name: Clear logs of all downloaded files from File Quarantine
recommend: strict
docs:
- https://www.macobserver.com/tips/how-to/your-mac-remembers-everything-you-download-heres-how-to-clear-download-history/
- https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/
- https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/
- https://eclecticlight.co/2017/08/14/show-me-your-metadata-extended-attributes-in-macos-sierra/
# Query entries using:
# sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select DISTINCT LSQuarantineDataURLString from LSQuarantineEvent'
code: |-
db_file=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
db_query='delete from LSQuarantineEvent'
if [ -f "$db_file" ]; then
echo "Database exists at \"$db_file\""
if ls -lO "$db_file" | grep --silent 'schg'; then
sudo chflags noschg "$db_file"
echo "Found and removed system immutable flag"
has_system_immutable_flag=true
fi
if ls -lO "$db_file" | grep --silent 'uchg'; then
sudo chflags nouchg "$db_file"
echo "Found and removed user immutable flag"
has_user_immutable_flag=true
fi
sqlite3 "$db_file" "$db_query"
echo "Executed the query \"$db_query\""
if [ "$has_system_immutable_flag" = true ] ; then
sudo chflags schg "$db_file"
echo "Added system immutable flag back"
fi
if [ "$has_user_immutable_flag" = true ] ; then
sudo chflags uchg "$db_file"
echo "Added user immutable flag back"
fi
else
echo "No action needed, database does not exist at \"$db_file\""
fi
-
name: Clear File Quarantine attribute from downloaded files
docs: https://superuser.com/questions/28384/what-should-i-do-about-com-apple-quarantine
code: |-
find ~/Downloads \
-type f \
-exec \
sh -c \
'
attr="com.apple.quarantine"
file="{}"
if [[ $(xattr "$file") = *$attr* ]]; then
if xattr -d "$attr" "$file" 2>/dev/null; then
echo "🧹 Cleaned attribute from \"$file\""
else
>&2 echo "❌ Failed to clean attribute from \"$file\""
fi
else
echo "No attribute in \"$file\""
fi
' \
{} \;
-
category: Disable macOS File Quarantine tracking for downloaded files
children:
-
name: Disable downloaded file logging in quarantine
docs:
- https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/
- https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/
- https://eclecticlight.co/2017/08/14/show-me-your-metadata-extended-attributes-in-macos-sierra/
recommend: strict
code: |-
file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
if [ -f "$file_to_lock" ]; then
sudo chflags schg "$file_to_lock"
echo "Made file immutable at \"$file_to_lock\""
else
echo "No action is needed, file does not exist at \"$file_to_lock\""
fi
revertCode: |-
file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
if [ -f "$file_to_lock" ]; then
sudo chflags noschg "$file_to_lock"
echo "Successfully reverted immutability from \"$file_to_lock\""
else
>&2 echo "Cannot revert immutability, file does not exist at\"$file_to_lock\""
fi
-
name: Disable extended quarantine attribute for downloaded files (disables warning)
# Disables dialogs shown when opening an application for the first time
# i.e. "Application Downloaded from Internet" quarantine warning.
docs:
- https://apple.stackexchange.com/questions/373176/disable-the-use-of-the-com-apple-quarantine-extended-attribute-on-mojave
- https://superuser.com/questions/266176/is-there-some-way-to-disable-the-dialogs-shown-when-opening-an-application-for-t
- https://macos-defaults.com/misc/lsquarantine.html
code: sudo defaults write com.apple.LaunchServices 'LSQuarantine' -bool NO
revertCode: sudo defaults delete com.apple.LaunchServices 'LSQuarantine'
-
category: Disable Gatekeeper (enforces code-signing)
# Built on top of File Quarantine, requires code-signing for apps.
# Warns user if a file is not signed by it's developer with certificate issued by Apple.
# Can protect against unknown threats.
children:
-
name: Disable Gatekeeper's automatic reactivation
docs:
- https://osxdaily.com/2015/11/05/stop-gatekeeper-auto-rearm-mac-os-x/
- https://web.archive.org/web/20230327050142/https://www.cnet.com/tech/computing/how-to-disable-gatekeeper-permanently-on-os-x/
code: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true
revertCode: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false
-
name: Disable Gatekeeper
docs:
# References for spctl --master-disable
- https://www.manpagez.com/man/8/spctl/
# References for /var/db/SystemPolicy-prefs.plist
- https://krypted.com/mac-security/manage-gatekeeper-from-the-command-line-in-mountain-lion/
- https://community.jamf.com/t5/jamf-pro/users-can-t-change-password-greyed-out/m-p/54228
code: |-
os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}')
os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}')
if [[ $os_major_ver -le 10 \
|| ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \
]]; then
echo "No action needed, Gatekeeper is not available this OS version"
else
gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')"
if [ $gatekeeper_status = "disabled" ]; then
echo "No action needed, Gatekeeper is already disabled"
elif [ $gatekeeper_status = "enabled" ]; then
sudo spctl --master-disable
sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'no'
echo "Disabled Gatekeeper"
else
>&2 echo "Unknown gatekeeper status: $gatekeeper_status"
fi
fi
revertCode: |-
os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}')
os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}')
if [[ $os_major_ver -le 10 \
|| ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \
]]; then
>&2 echo "Gatekeeper is not available in this OS version"
else
gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')"
if [ $gatekeeper_status = "disabled" ]; then
sudo spctl --master-enable
sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'yes'
echo "Enabled Gatekeeper"
elif [ $gatekeeper_status = "enabled" ]; then
echo "No action needed, Gatekeeper is already enabled"
else
>&2 echo "Unknown Gatekeeper status: $gatekeeper_status"
fi
fi
-
name: Disable library validation entitlement (library signature validation)
docs:
- https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation
- https://www.macenhance.com/docs/general/sip-library-validation.html
- https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/
code: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool true
revertCode: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool false
-
category: Disable automatic updates
docs: |-
This category contains scripts to disable automatic operating system updates.
Disabling automatic updates gives users full control over when and which updates are applied to their system.
It improves privacy by preventing unwanted data collection, new vulnerabilities and unapproved changes to system settings.
> **Caution**:
> Disabling automatic updates can leave your system vulnerable to unpatched exploits.
> Manually check and apply updates to stay protected.
children:
-
name: Disable automatic checks for updates
docs: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool true
-
name: Disable automatic downloads for updates
docs: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool true
-
name: Disable automatic installation of macOS updates
docs: |-
This script stops macOS from automatically installing updates.
This script improves privacy by reducing unwanted data collection and ensuring updates don't change
settings or data without your approval.
The Center for Internet Security (CIS) advises against automatic updates in scenarios where changes require
thorough testing and approval processes to avoid operational disruptions [1] [2] [3] [4].
This script configures following to stop macOS from installing updates automatically:
1. `/Library/Preferences/com.apple.commerce!AutoUpdateRestartRequired`:
This preference stops the system from automatically installing macOS updates [1] [2] [3] [4] [5] [6] [7] [8].
By doing this, updates will only be installed when you decide, giving you a chance to check them first [1] [2] [3] [4] [5] [6] [7] [8].
This setting applies to OS X Yosemite through macOS High Sierra [7] [9].
2. `/Library/Preferences/com.apple.commerce!AutomaticallyInstallMacOSUpdates`:
Changing this setting stops macOS from installing updates automatically [3] [5] [9] [10], giving you control over when to update.
If restricts the *Install macOS Updates* option and prevents the user from changing the option [10].
While this setting enhances privacy, it's generally not advised by NIST due to potential security risks [9].
This setting applies to macOS Mojave and newer versions [9].
> **Caution**: Disabling automatic updates requires you to manually check and apply updates to stay protected against security threats [1] [2] [3] [4].
[1]: https://web.archive.org/web/20240321165149/https://www.tenable.com/audits/items/CIS_Apple_macOS_10.12_v1.1.0_Level_1.audit:e02dfdd6bec9556a3ce537f60b91b549 "CIS Apple macOS 10.12 L1 v1.1.0 | 1.5 Enable OS X update installs | Tenable®"
[2]: https://web.archive.org/web/20240321165851/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_10_13_Benchmark_v1_1_0---PDF.pdf "CIS Apple macOS 10.13 Benchmark v1.1.0 | paper.bobylive.com"
[3]: https://web.archive.org/web/20240321170400/https://www.tenable.com/audits/items/CIS_Apple_macOS_13.0_Ventura_v1.0.0_L1.audit:fe03c59a39c7c949507ff20d07f89993 "1.4 Ensure Install of macOS Updates Is Enabled | Tenable® | www.tenable.com"
[4]: https://web.archive.org/web/20240321170036/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_10_14_Benchmark_v1_4_0_PDF.pdf "CIS Apple macOS 10.14 Benchmark v1.4.0 | paper.bobylive.com"
[5]: https://web.archive.org/web/20240321164917/https://www.ncsc.gov.uk/files/macos_provisioning_script.sh_.txt "macOS provisioning script | UK National Cyber Security Centre | www.ncsc.gov.uk"
[6]: https://web.archive.org/web/20240321165118/https://macadminsdoc.readthedocs.io/en/master/Profiles-and-Settings/OS-X-Updates.html "macOS Updates — MacAdmins Community Documentation documentation | macadminsdoc.readthedocs.io"
[7]: https://web.archive.org/web/20240321165304/https://derflounder.wordpress.com/2014/12/29/managing-automatic-app-store-and-os-x-update-installation-on-yosemite/ "Managing automatic App Store and OS X update installation on Yosemite | Der Flounder | derflounder.wordpress.com"
[8]: https://web.archive.org/web/20240321170034/https://krypted.com/mac-os-x/app-store-preferences-set-server-5-4-macos-high-sierra/ "App Store Preferences To Set In On Server 5.4 for macOS High Sierra krypted | krypted.com"
[9]: https://web.archive.org/web/20240321170251/https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ "Enabling automatic macOS software updates for OS X Yosemite through macOS Mojave | Der Flounder | derflounder.wordpress.com"
[10]: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate "SoftwareUpdate | Apple Developer Documentation | developer.apple.com"
[11]: https://web.archive.org/web/20240321165931/https://csrc.nist.gov/CSRC/media/Projects/national-vulnerability-database/documents/CCE/CCE-macos_monterey.xls "CCE-91129-7 | CCE-macos_monterey.xls | Sheet 1 - NIST Computer Security Resource Center | csrc.nist.gov"
code: |-
# For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool false
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool false
revertCode: |-
# For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool true
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool true
-
name: Disable automatic app updates from the App Store
docs: |-
This script disables automatic app updates [1] [2] [3] [4] from the App Store [5] [6] [7] [8] [9] [10] [11] [12] [13].
It prevents automatic installation of application updates as soon as they become available from Apple [2] [3] [6] [9] [11] [12] [13].
Thus, applications are updated only when you choose to do so [5].
Disabling automatic updates prevents unexpected app behavior or settings changes.
It helps you to maintain your current app configurations and privacy settings.
It also protects against potential zero-day vulnerabilities in your apps.
This gives you the ability to choose which updates to install and when, enabling you to review the details of updates before deciding to proceed.
The script modifies the following settings:
1. `/Library/Preferences/com.apple.commerce!AutoUpdate`:
Disables automated app updates [1] [2] [3] [6] [9] [10] [13] from the App Store [7] [8].
This setting applies to OS X Yosemite and newer versions [1].
2. `/Library/Preferences/com.apple.SoftwareUpdate!AutomaticallyInstallAppUpdates`:
Stops the automatic installation of app updates [1] [4] from App Store [9] [10] [11] [12] [13].
It deselects the *Install app updates from the App Store* option and prevents the user from changing the option [10].
While this setting enhances privacy, it's generally not advised by NIST due to potential security risks [4].
This setting applies to macOS Mojave and newer versions [1].
> **Caution**:
> Disabling app updates means you should manually check for and install important security patches for every application
> to protect against vulnerabilities [2] [3] [5] [6] [9] [11] [12] [13].
[1]: https://web.archive.org/web/20240321170251/https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ "Enabling automatic macOS software updates for OS X Yosemite through macOS Mojave | Der Flounder | derflounder.wordpress.com"
[2]: https://web.archive.org/web/20240321190032/https://www.irs.gov/pub/irs-utl/safeguards-scsem-macosx-v6-1-093021.xlsx "SCSEM OSX 10.14 | Internal Revenue Service Office of Safeguards | www.irs.gov"
[3]: https://web.archive.org/web/20240321170036/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_10_14_Benchmark_v1_4_0_PDF.pdf "CIS Apple macOS 10.14 Benchmark v1.4.0 | paper.bobylive.com"
[5]: https://web.archive.org/web/20240321190244/https://github-wiki-see.page/m/edamametechnologies/threatmodels/wiki/threatmodel-macOS-EN "threatmodel macOS EN - edamametechnologies/threatmodels GitHub Wiki | github-wiki-see.page"
[6]: https://web.archive.org/web/20240321190315/https://www.tenable.com/audits/items/CIS_Apple_macOS_14.0_Sonoma_v1.0.0_L1.audit:66d3b86318384ba7947a3409e0c6e902 "1.5 Ensure Install Application Updates from the App Store Is E... | Tenable® | www.tenable.com"
[7]: https://web.archive.org/web/20240321165304/https://derflounder.wordpress.com/2014/12/29/managing-automatic-app-store-and-os-x-update-installation-on-yosemite/ "Managing automatic App Store and OS X update installation on Yosemite | Der Flounder | derflounder.wordpress.com"
[8]: https://web.archive.org/web/20240321190410/https://krypted.com/mac-security/app-store-preferences-set-server-5-2-macos-sierra/ "App Store Preferences To Set In On Server 5.2 for macOS Sierra krypted | krypted.com"
[4]: https://web.archive.org/web/20240321165931/https://csrc.nist.gov/CSRC/media/Projects/national-vulnerability-database/documents/CCE/CCE-macos_monterey.xls "CCE-91129-7 | CCE-macos_monterey.xls | Sheet 1 - NIST Computer Security Resource Center | csrc.nist.gov"
[9]: https://web.archive.org/web/20240321190114/https://www.irs.gov/pub/irs-utl/safeguards-scsem-macosx.xlsx "SCSEM OSX 13.0 | Internal Revenue Service Office of Safeguards | www.irs.gov"
[10]: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate "SoftwareUpdate | Apple Developer Documentation | developer.apple.com"
[11]: https://web.archive.org/web/20240321190122/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_12_0_Monterey_Benchmark_v1_0_0.pdf "CIS Apple macOS 12.0 Monterey | CIS Benchmarks | paper.bobylive.com"
[12]: https://web.archive.org/web/20240321190537/https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v2.0.0_L1.audit:55e8759872dce781b8dbc5a3f42e23b9 "1.4 Ensure Installation of App Update Is Enabled | Tenable® | www.tenable.com"
[13]: https://web.archive.org/web/20240321164917/https://www.ncsc.gov.uk/files/macos_provisioning_script.sh_.txt "macOS provisioning script | UK National Cyber Security Centre | www.ncsc.gov.uk"
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool false
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool false
revertCode: |-
# For OS X Yosemite and newer
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool true
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool true
-
name: Disable macOS beta release installation
docs: https://web.archive.org/web/20170106103856/https://support.apple.com/en-gb/HT203018
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool true
-
name: Disable automatic installation for configuration data (e.g. XProtect, Gatekeeper, MRT)
docs: https://web.archive.org/web/20240321170251/https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool true
-
name: Disable automatic installation for system data files and security updates
docs: |-
This script stops automatic installations of critical updates [1],
including security [1] [2] [3] [4] [5] [6] [7] and system data file [1] [8] updates.
It improves privacy by providing:
- **Control Over Update Timing**:
Users can review updates before installation to ensure they meet privacy standards and do not introduce
unwanted telemetry or changes.
- **Reduced External Communications**:
Reduces how often it connects to update servers, potentially protection user information.
The script configures the `/Library/Preferences/com.apple.SoftwareUpdate!CriticalUpdateInstall` setting [1] [4] [5] [7] [8].
This action prevents automatic downloads and installations of updates [1].
It also prevents users from changing the Install system data files and security updates option manually [1].
This script is compatible with OS X Yosemite and later versions [6] [8].
The revert script triggers `softwareupdate --background-critical` to install any pending critical updates directly [2] [9].
> **Caution:**
> Only disable automatic updates if you're committed to manually installing them quickly to maintain your computer's security [4] [5] [8].
> It's important to install updates soon to protect your computer. [4] [5] [8].
>
> This script disables:
>
> - Definition updates for **XProtect** and **Gatekeeper** that keep your computer safe from new threats [5].
> - **Rapid Security Response** [10] [11].
> **Rapid Security Responses** are software releases providing important security improvements between standard updates [12].
[1]: https://archive.ph/2024.03.21-180353/https://developer.apple.com/documentation/devicemanagement/softwareupdate "SoftwareUpdate | Apple Developer Documentation | developer.apple.com"
[2]: https://web.archive.org/web/20240321201417/https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/ "Managing OS Xs automatic security updates | Der Flounder | derflounder.wordpress.com"
[3]: https://web.archive.org/web/20240321165118/https://macadminsdoc.readthedocs.io/en/master/Profiles-and-Settings/OS-X-Updates.html "macOS Updates — MacAdmins Community Documentation documentation | macadminsdoc.readthedocs.io"
[4]: https://web.archive.org/web/20240321165931/https://csrc.nist.gov/CSRC/media/Projects/national-vulnerability-database/documents/CCE/CCE-macos_monterey.xls "CCE-91129-7 | CCE-macos_monterey.xls | Sheet 1 - NIST Computer Security Resource Center | csrc.nist.gov"
[5]: https://web.archive.org/web/20240321201450/https://paper.bobylive.com/Security/CIS/CIS_Apple_OSX_10_9_Benchmark_v1_3_0.pdf "CIS Apple OSX 10.9 Benchmark | paper.bobylive.com"
[6]: https://web.archive.org/web/20240321201643/https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-security-software-updates-on-yosemite/ "Managing automatic installation of ConfigData and security software updates on Yosemite | Der Flounder | derflounder.wordpress.com"
[7]: https://web.archive.org/web/20240321201652/https://ss64.com/mac/syntax-defaults.html "System preference settings for macOS - macOS - SS64.com | ss64.com"
[8]: https://web.archive.org/web/20240321201436/https://www.tenable.com/audits/items/CIS_OSX_10.10_v1.2.0_L1.audit:97f36c2eaa06045e85a1beff1a76a088 "1.4 Enable system data files and security update installs - 'C... | Tenable® | www.tenable.com"
[9]: https://web.archive.org/web/20240321201406/https://managingosx.wordpress.com/2013/04/30/undocumented-options/ "Undocumented options Managing OS X | managingosx.wordpress.com"
[10]: https://web.archive.org/web/20240321201558/https://www.intuneirl.com/rapid-security-response/ "Managing Rapid Security Response on Apple Devices | www.intuneirl.com"
[11]: https://web.archive.org/web/20240321201614/https://onsitegroup.co.za/rapid-security-response/ "Rapid security response - Onsite | onsitegroup.co.za"
[12]: https://web.archive.org/web/20240321201623/https://support.apple.com/en-us/102657 "About Rapid Security Responses for iOS, iPadOS, and macOS - Apple Support | support.apple.com"
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool true
# Trigger background check with normal scan (critical updates only)
sudo softwareupdate --background-critical
functions:
-
name: PersistUserEnvironmentConfiguration
parameters:
- name: configuration
code: |-
command='{{ $configuration }}'
declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
for profile_file in "${profile_files[@]}"
do
touch "$profile_file"
if ! grep -q "$command" "${profile_file}"; then
echo "$command" >> "$profile_file"
echo "[$profile_file] Configured"
else
echo "[$profile_file] No need for any action, already configured"
fi
done
revertCode: |-
command='{{ $configuration }}'
declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
for profile_file in "${profile_files[@]}"
do
if grep -q "$command" "${profile_file}" 2>/dev/null; then
sed -i '' "/$command/d" "$profile_file"
echo "[$profile_file] Reverted configuration"
else
echo "[$profile_file] No need for any action, configuration does not exist"
fi
done
-
name: RunIfCommandExists # Skips if command does not exist
# Marked: refactor-with-partials
# Same function as Linux
parameters:
- name: command
- name: code
- name: revertCode
optional: true
code: |-
if ! command -v '{{ $command }}' &> /dev/null; then
echo 'Skipping because "{{ $command }}" is not found.'
else
{{ $code }}
fi
revertCode: |-
{{ with $revertCode }}
if ! command -v '{{ $command }}' &> /dev/null; then
>&2 echo 'Cannot revert because "{{ $command }}" is not found.'
else
{{ . }}
fi
{{ end }}
-
name: ResetServicePermissions
parameters:
- name: serviceId # Specifies the service ID for which to reset permissions
docs: |-
This function resets the specified service ID permissions.
The `serviceId` parameter allows you to define the specific service ID (e.g., Camera, Microphone,
Accessibility) for which you want to reset all user-granted permissions.
call:
function: RunIfCommandExists
parameters:
command: tccutil
code: |-
declare serviceId='{{ $serviceId }}'
declare reset_output reset_exit_code
{
reset_output=$(tccutil reset "$serviceId" 2>&1)
reset_exit_code=$?
}
if [ $reset_exit_code -eq 0 ]; then
echo "Successfully reset permissions for \"${serviceId}\"."
elif [ $reset_exit_code -eq 70 ]; then
echo "Skipping, service ID \"${serviceId}\" is not supported on your operating system version."
elif [ $reset_exit_code -ne 0 ]; then
>&2 echo "Failed to reset permissions for \"${serviceId}\". Exit code: $reset_exit_code."
if [ -n "$reset_output" ]; then
echo "Output from \`tccutil\`: $reset_output."
fi
fi
-
name: RunInlineCode
# Marked: refactor-with-partials
# Same function in macOS, Linux, Windows
parameters:
- name: code
- name: revertCode
optional: true
code: '{{ $code }}'
revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
-
name: Comment
# 💡 Purpose:
# Adds a comment in the executed code for better readability and debugging.
# This function does not affect the execution flow but helps in understanding the purpose of subsequent code.
# Marked: refactor-with-partials
# Same function as Linux
parameters:
- name: codeComment
optional: true
- name: revertCodeComment
optional: true
call:
function: RunInlineCode
parameters:
code: '{{ with $codeComment }}# {{ . }}{{ end }}'
revertCode: '{{ with $revertCodeComment }}# {{ . }}{{ end }}'
-
name: ClearDirectoryContents
parameters:
- name: directoryGlob
- name: grantPermissions
optional: true
call:
-
function: Comment
parameters:
codeComment: 'Clear directory contents: "{{ $directoryGlob }}"'
-
function: RunInlineCode
parameters:
code: |-
glob_pattern="{{ $directoryGlob }}/*"
{{ with $grantPermissions }}sudo {{ end }}rm -rfv $glob_pattern
Reference in New Issue View Git Blame Copy Permalink