privacy.sexy/src/application/collections/macos.yaml
undergroundwires 67c3677621 win, linux, mac: fix typos and improve naming
- Use instruction format such as "do this, do that" to provide clear,
  direct instructions. This format minimizes confusion and is easy to
  follow. Such instructions are specific and leave no room for
  interpretation, stating precisely what needs to be done without ambiguity.
- Fix typos and grammar issues.
- Improve consistency in script and category names.
- Revise sentences for more natural English language flow.
- Change brand name casing to match official branding.
- Change title case (all words start capitalized) to sentence case.
- Prioritize consistency over variations.
- Add minor documentation to explain scripts where the names are not
  clear.
- Add naming guidelines.
2023-10-13 20:14:33 +02:00


# Structure is documented in "docs/collection-files.md"
os: macos
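scripting:
  language: shellscript
  # startCode re-runs the script through sudo when EUID is not 0.
  # The failure branch uses `{ ...; }` rather than `( ... )`: an `exit 1`
  # inside a subshell only leaves the subshell, so the following `exit 0`
  # would report success even though elevation failed.
  startCode: |-
    #!/usr/bin/env bash
    # {{ $homepage }} — v{{ $version }} — {{ $date }}
    if [ "$EUID" -ne 0 ]; then
      script_path=$([[ "$0" = /* ]] && echo "$0" || echo "$PWD/${0#./}")
      sudo "$script_path" || {
        echo 'Administrator privileges are required.'
        exit 1
      }
      exit 0
    fi
  # endCode prints a completion message and waits for a single key press.
  endCode: |-
    echo 'Your privacy and security is now hardened 🎉💪'
    echo 'Press any key to exit.'
    read -n 1 -s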
actions:
-
category: Privacy cleanup
children:
-
category: Clear terminal history
children:
-
name: Clear bash history
recommend: standard
code: rm -f ~/.bash_history
-
name: Clear zsh history
recommend: standard
code: rm -f ~/.zsh_history
-
name: Clear CUPS printer job cache
recommend: strict
code: |-
sudo rm -rfv /var/spool/cups/c0*
sudo rm -rfv /var/spool/cups/tmp/*
sudo rm -rfv /var/spool/cups/cache/job.cache*
-
name: Empty trash on all volumes
recommend: strict
code: |-
# on all mounted volumes
sudo rm -rfv /Volumes/*/.Trashes/* &>/dev/null
# on main HDD
sudo rm -rfv ~/.Trash/* &>/dev/null
-
name: Clear system cache
recommend: strict
code: |-
sudo rm -rfv /Library/Caches/* &>/dev/null
sudo rm -rfv /System/Library/Caches/* &>/dev/null
sudo rm -rfv ~/Library/Caches/* &>/dev/null
-
category: Clear operating system logs
recommend: strict
children:
-
category: Clear unified diagnostic logs
docs: https://developer.apple.com/documentation/os/logging
children:
-
name: Clear diagnostics logs
docs: https://eclecticlight.co/2017/10/10/inside-the-macos-log-logd-and-the-files-that-it-manages/
code: |-
sudo rm -rfv /private/var/db/diagnostics/*
sudo rm -rfv /var/db/diagnostics/*
-
name: Clear shared cache strings data
docs:
- https://eclecticlight.co/2017/09/23/sierras-unified-log-evolves-more-persistent-and-a-valuable-log-log/
- https://github.com/privacysexy-forks/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc
code: |-
sudo rm -rfv /private/var/db/uuidtext/
sudo rm -rfv /var/db/uuidtext/
-
category: Clear system logs
children:
-
name: Clear Apple System Logs (ASL)
docs:
- https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
- https://apple.stackexchange.com/questions/98197/is-it-safe-to-delete-system-logs
code: |-
sudo rm -rfv /private/var/log/asl/*
sudo rm -rfv /var/log/asl/*
sudo rm -fv /var/log/asl.log # Legacy ASL (10.4)
sudo rm -fv /var/log/asl.db
-
name: Clear install logs
docs: https://discussions.apple.com/thread/1829842
code: sudo rm -fv /var/log/install.log
-
name: Clear all system logs in `/var/log/` directory
docs: https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/
code: sudo rm -rfv /var/log/* # Clears including /var/log/system.log
-
name: Clear system application logs
docs: https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
code: sudo rm -rfv /Library/Logs/*
-
name: Clear Mail logs
code: rm -rfv ~/Library/Containers/com.apple.mail/Data/Library/Logs/Mail/*
-
  # Deletes everything under /var/audit and /private/var/audit.
  # NOTE(review): the enclosing category sets `recommend: strict`; confirm
  # whether that level applies to this entry, because removing audit records
  # also removes the login/logout/authentication trail that an incident
  # investigation would rely on.
  name: Clear user activity audit logs (login, logout, authentication, etc.)
  docs:
    - https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
    - http://macadmins.psu.edu/wp-content/uploads/sites/24696/2016/06/psumac2016-19-osxlogs_macadmins_2016.pdf
  code: |-
    sudo rm -rfv /var/audit/*
    sudo rm -rfv /private/var/audit/*
-
name: Clear user report logs
docs:
- https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/
- https://apple.stackexchange.com/questions/272929/is-it-safe-to-delete-the-content-of-library-logs
code: sudo rm -rfv ~/Library/Logs/*
-
  # NOTE(review): the command removes the com.apple.periodic-*.plist files
  # under /System/Library/LaunchDaemons, which are not log files; confirm that
  # this is what the "Clear daily logs" title and the linked article intend.
  name: Clear daily logs
  docs: https://salt4n6.com/2018/12/11/mac-os-daily-logs/
  code: sudo rm -fv /System/Library/LaunchDaemons/com.apple.periodic-*.plist
-
name: Clear receipt logs for installed packages/apps
docs:
- https://apple.stackexchange.com/questions/327174/whats-the-purpose-of-directory-private-var-db-receipts
- https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf
code: |-
sudo rm -rfv /var/db/receipts/*
sudo rm -vf /Library/Receipts/InstallHistory.plist
-
category: Clear browser history
children:
-
category: Clear Chrome history
children:
-
name: Clear Chrome browsing history
code: |-
rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History &>/dev/null
rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History-journal &>/dev/null
-
name: Clear Chrome cache
code: sudo rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/Application\ Cache/* &>/dev/null
-
category: Clear Safari history
children:
-
name: Clear Safari browsing history
docs:
- https://discussions.apple.com/thread/7586106?answerId=30314600022#30314600022
- https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
code: |-
rm -f ~/Library/Safari/History.db
rm -f ~/Library/Safari/History.db-lock
rm -f ~/Library/Safari/History.db-shm
rm -f ~/Library/Safari/History.db-wal
# For older versions of Safari
rm -f ~/Library/Safari/History.plist # URL, visit count, webpage title, last visited timestamp, redirected URL, autocomplete
rm -f ~/Library/Safari/HistoryIndex.sk # History index
-
name: Clear Safari downloads history
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/Downloads.plist
-
name: Clear Safari frequently visited sites
docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
code: rm -f ~/Library/Safari/TopSites.plist
-
name: Clear Safari last session (open tabs) history
docs:
- https://apple.stackexchange.com/a/374116
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7127
code: rm -f ~/Library/Safari/LastSession.plist
-
category: Clear Safari caches
children:
-
name: Clear Safari cached blobs, URLs and timestamps
docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
code: rm -f ~/Library/Caches/com.apple.Safari/Cache.db
-
name: Clear Safari URL bar web page icons
docs:
- https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
- https://lifehacker.com/safaris-private-browsing-mode-saves-urls-in-an-easily-a-1691944343
code: rm -f ~/Library/Safari/WebpageIcons.db
-
name: Clear Safari webpage previews (thumbnails)
docs:
- https://davidkoepi.wordpress.com/2013/04/20/safariforensic/
- https://www.reddit.com/r/apple/comments/18lp92/your_apple_computer_keeps_a_screen_shot_of_nearly/
code: rm -rfv ~/Library/Caches/com.apple.Safari/Webpage\ Previews
-
name: Clear Safari history copy
docs: https://forensicsfromthesausagefactory.blogspot.com/2010/06/safari-history-spotlight-webhistory.html
code: rm -rfv ~/Library/Caches/Metadata/Safari/History
-
name: Clear search term history embedded in Safari preferences
docs: https://krypted.com/tag/recentsearchstrings/
code: defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )'
-
name: Clear Safari cookies
docs:
- https://www.toolbox.com/tech/operating-systems/blogs/understanding-the-safari-cookiesbinarycookies-file-format-010712/
- https://link.springer.com/content/pdf/10.1007/0-387-36891-4_13.pdf
code: |-
rm -f ~/Library/Cookies/Cookies.binarycookies
# Used before Safari 5.1
rm -f ~/Library/Cookies/Cookies.plist
-
name: Clear Safari zoom level preferences per site
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/PerSiteZoomPreferences.plist
-
name: Clear allowed URLs for Safari notifications
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/UserNotificationPreferences.plist
-
name: Clear Safari preferences for downloads, geolocation, pop-ups, and autoplay per site
docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html
code: rm -f ~/Library/Safari/PerSitePreferences.db
-
category: Clear Firefox history
children:
-
name: Clear Firefox cache
code: |-
sudo rm -rf ~/Library/Caches/Mozilla/
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/netpredictions.sqlite
-
name: Clear Firefox form history
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.dat
-
name: Clear Firefox site preferences
code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/content-prefs.sqlite
-
name: Clear Firefox session restore data (loads after the browser closes or crashes)
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionCheckpoints.json
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore*.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/upgrade.js*-20*
-
name: Clear Firefox passwords
docs: https://web.archive.org/web/20210425202923/http://kb.mozillazine.org/Password_Manager
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons2.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons3.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/logins.json
-
name: Clear Firefox HTML5 cookies
code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/webappsstore.sqlite
-
name: Clear Firefox crash reports
code: |-
rm -rfv ~/Library/Application\ Support/Firefox/Crash\ Reports/
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/minidumps/*.dmp
-
name: Clear Firefox backup files
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.json
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.jsonlz4
-
name: Clear Firefox cookies
code: |-
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-shm
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-wal
rm -rfv ~/Library/Application\ Support/Firefox/Profiles/*/storage/default/http*
-
category: Clear third-party application data
children:
-
name: Clear Adobe cache
recommend: standard
code: sudo rm -rfv ~/Library/Application\ Support/Adobe/Common/Media\ Cache\ Files/* &>/dev/null
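-
  name: Clear Gradle cache
  recommend: strict
  # Removes the Gradle cache directory when it exists.
  # The path is built from $HOME because a tilde inside double quotes is not
  # expanded, which made the original `-d` test always false.
  code: |-
    if [ -d "$HOME/.gradle/caches" ]; then
      rm -rfv "$HOME/.gradle/caches/" &> /dev/null
    fi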
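-
  name: Clear Dropbox cache
  recommend: standard
  # Empties the Dropbox cache directory when it exists.
  # The path is built from $HOME because a tilde inside double quotes is not
  # expanded, which made the original `-d` test always false.
  code: |-
    if [ -d "$HOME/Dropbox/.dropbox.cache" ]; then
      sudo rm -rfv "$HOME/Dropbox/.dropbox.cache/"* &>/dev/null
    fi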
-
name: Clear Google Drive File Stream cache
recommend: standard
code: |-
killall "Google Drive File Stream"
rm -rfv ~/Library/Application\ Support/Google/DriveFS/[0-9a-zA-Z]*/content_cache &>/dev/null
-
name: Clear Composer cache
recommend: strict
code: |-
if type "composer" &> /dev/null; then
composer clearcache &> /dev/null
fi
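-
  name: Clear Homebrew cache
  recommend: strict
  # Runs only when `brew` is available. The cache path reported by
  # `brew --cache` is quoted so that a path containing spaces or glob
  # characters is passed to rm as a single argument.
  code: |-
    if type "brew" &>/dev/null; then
      brew cleanup -s &>/dev/null
      rm -rfv "$(brew --cache)" &>/dev/null
      brew tap --repair &>/dev/null
    fi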
-
name: Clear old Ruby gem versions
recommend: strict
code: |-
if type "gem" &> /dev/null; then
gem cleanup &>/dev/null
fi
-
name: Clear unused Docker data
recommend: strict
docs: |-
This script frees up disk space, but also improves user privacy by:
1. **Removal of stopped containers**: Containers often run applications or services that might process sensitive
or personal data. Even if a container is stopped, its filesystem remains intact, and potentially sensitive data inside
it can be accessed. By removing stopped containers, we eliminate this potential privacy risk.
2. **Deletion of unused images**: Images can sometimes contain sensitive information, especially if they were built
from `Dockerfile`s that copied local files or were used in scenarios where sensitive data was processed. Deleting unused
images ensures that any inadvertent sensitive information embedded in those images is eradicated.
3. **Cleanup of network configurations**: Networks, especially custom ones, can contain configurations that reveal details
about system architecture, inter-container communication, or even hardcoded secrets. Removing unused networks mitigates
risks associated with lingering, outdated, or insecure configurations.
4. **Elimination of build cache**: The Docker build process uses a cache to speed up image creation. This cache can contain
remnants of previous builds, including potentially sensitive data or files. Pruning the build cache ensures that these remnants
are deleted, further safeguarding privacy.
5. **Footprint reduction**: By consistently pruning unused Docker objects, the overall footprint of Docker on the system is
reduced. This makes it harder for malicious actors to exploit any lingering or overlooked vulnerabilities in the system or Docker
itself.
This script runs `docker system prune -af` command to clean up unused Docker data [1].
Specifically, the command will [1]:
- Remove all stopped containers.
- Remove all networks not used by at least one container.
- Remove all images not used by any container.
- Remove all build cache.
[1]: https://web.archive.org/web/20230810171526/https://docs.docker.com/engine/reference/commandline/system_prune/ "docker system prune | Docker Documentation"
code: |-
if type "docker" &> /dev/null; then
docker system prune -af
fi
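-
  name: Clear Pyenv-Virtualenv cache
  recommend: strict
  # Deletes the directory named by PYENV_VIRTUALENV_CACHE_PATH when the
  # variable is set. The value comes from the environment, so it is quoted and
  # preceded by `--`: rm then receives it as exactly one path operand, with no
  # word splitting, globbing, or option parsing.
  code: |-
    if [ -n "$PYENV_VIRTUALENV_CACHE_PATH" ]; then
      rm -rfv -- "$PYENV_VIRTUALENV_CACHE_PATH" &>/dev/null
    fi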
-
name: Clear NPM cache
recommend: strict
code: |-
if type "npm" &> /dev/null; then
npm cache clean --force
fi
-
name: Clear Yarn cache
recommend: strict
code: |-
if type "yarn" &> /dev/null; then
echo 'Cleanup Yarn Cache...'
yarn cache clean --force
fi
-
category: Clear iOS usage data
children:
-
name: Clear iOS app copies from iTunes
recommend: strict
code: rm -rfv ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/* &>/dev/null
-
name: Clear iOS photo cache
recommend: standard
code: rm -rf ~/Pictures/iPhoto\ Library/iPod\ Photo\ Cache/*
-
name: Clear iOS Device Backups
recommend: strict
code: rm -rfv ~/Library/Application\ Support/MobileSync/Backup/* &>/dev/null
-
name: Clear iOS simulators
recommend: strict
code: |-
if type "xcrun" &>/dev/null; then
osascript -e 'tell application "com.apple.CoreSimulator.CoreSimulatorService" to quit'
osascript -e 'tell application "iOS Simulator" to quit'
osascript -e 'tell application "Simulator" to quit'
xcrun simctl shutdown all
xcrun simctl erase all
fi
-
  # Deletes the "conn:128:Last Connect" and Devices keys from the per-user and
  # system-wide com.apple.iPod preferences, then empties /var/db/lockdown.
  # NOTE(review): startCode re-executes the whole script through sudo; confirm
  # that $USER still names the invoking user at that point, otherwise the
  # /Users/$USER/... lines address a different account's preferences.
  name: Clear list of connected iOS devices
  recommend: strict
  code: |-
    sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
    sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices
    sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
    sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices
    sudo rm -rfv /var/db/lockdown/*
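-
  name: Clear Xcode's derived data and archives
  recommend: strict
  # Empties Xcode's DerivedData, Archives and "iOS Device Logs" directories.
  # The spaces in "iOS Device Logs" are escaped: unescaped, rm received three
  # separate arguments, two of them (`Device` and `Logs/*`) resolved relative
  # to the current working directory.
  code: |-
    rm -rfv ~/Library/Developer/Xcode/DerivedData/* &>/dev/null
    rm -rfv ~/Library/Developer/Xcode/Archives/* &>/dev/null
    rm -rfv ~/Library/Developer/Xcode/iOS\ Device\ Logs/* &>/dev/null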
-
name: Clear DNS cache
recommend: standard
code: |-
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
-
name: Clear inactive memory
recommend: standard
code: sudo purge
-
category: Clear all privacy permissions for applications
children:
-
name: Clear "camera" permissions
code: tccutil reset Camera
-
name: Clear "microphone" permissions
code: tccutil reset Microphone
-
name: Clear "accessibility" permissions
code: tccutil reset Accessibility
-
name: Clear "screen capture" permissions
code: tccutil reset ScreenCapture
-
name: Clear "reminders" permissions
code: tccutil reset Reminders
-
name: Clear "photos" permissions
code: tccutil reset Photos
-
name: Clear "calendar" permissions
code: tccutil reset Calendar
-
name: Clear "full disk access" permissions
code: tccutil reset SystemPolicyAllFiles
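-
  # Contacts access is the `AddressBook` TCC service. The original command
  # repeated `SystemPolicyAllFiles`, which belongs to the "full disk access"
  # entry and left contacts permissions untouched.
  name: Clear "contacts" permissions
  code: tccutil reset AddressBook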
-
name: Clear "desktop folder" permissions
code: tccutil reset SystemPolicyDesktopFolder
-
name: Clear "documents folder" permissions
code: tccutil reset SystemPolicyDocumentsFolder
-
name: Clear "downloads" permissions
code: tccutil reset SystemPolicyDownloadsFolder
-
name: Clear all app permissions
code: tccutil reset All
-
category: Configure programs
children:
-
name: Disable Firefox telemetry
recommend: standard
docs: https://github.com/privacysexy-forks/policy-templates/blob/master/README.md
code: |-
# Enable Firefox policies so the telemetry can be configured.
sudo defaults write /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled -bool TRUE
# Disable sending usage data
sudo defaults write /Library/Preferences/org.mozilla.firefox DisableTelemetry -bool TRUE
revertCode: |-
sudo defaults delete /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled
sudo defaults delete /Library/Preferences/org.mozilla.firefox DisableTelemetry
-
name: Disable Microsoft Office telemetry
recommend: standard
code: defaults write com.microsoft.office DiagnosticDataTypePreference -string ZeroDiagnosticData
revertCode: defaults delete com.microsoft.office DiagnosticDataTypePreference
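-
  name: Remove Google Software Update service
  recommend: strict
  # Runs the bundled `ksinstall --nuke` when the file exists in the user's
  # Library. The path is quoted at the call site so that a home directory
  # containing spaces cannot split it into a different command and arguments.
  code: |-
    googleUpdateFile=~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall
    if [ -f "$googleUpdateFile" ]; then
      "$googleUpdateFile" --nuke
      echo 'Uninstalled Google update'
    else
      echo 'Google update file does not exist'
    fi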
-
name: Disable Homebrew user behavior analytics
recommend: standard
docs: https://docs.brew.sh/Analytics
call:
-
function: PersistUserEnvironmentConfiguration
parameters:
configuration: export HOMEBREW_NO_ANALYTICS=1
-
name: Disable NET Core CLI telemetry
recommend: standard
call:
-
function: PersistUserEnvironmentConfiguration
parameters:
configuration: export DOTNET_CLI_TELEMETRY_OPTOUT=1
-
name: Disable PowerShell Core telemetry
recommend: standard
docs: https://github.com/privacysexy-forks/PowerShell/blob/v7.1.5/README.md#telemetry
call:
-
function: PersistUserEnvironmentConfiguration
parameters:
configuration: export POWERSHELL_TELEMETRY_OPTOUT=1
-
category: Configure Parallels Desktop
docs: |-
Parallels Desktop for Mac is software providing hardware virtualization for macOS [1].
When you use it, it collects and shares your personal data to third parties [2]. Personal
data include IP address of your device, your broad geographical location (country, state
(if applicable), and city) and used product [2].
It includes third-party advertisements [3] and automatic check for updates [4] by default.
Both of these behaviors communicate with online services that reveal personal data about you.
[1]: https://web.archive.org/web/20221012155943/https://en.wikipedia.org/wiki/Parallels_Desktop_for_Mac "Parallels Desktop for Mac - Wikipedia | en.wikipedia.org"
[2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com"
[3]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com"
[4]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com"
children:
-
name: Disable Parallels Desktop advertisements
recommend: standard
docs: |-
Parallels Desktop in-product notifications to show ads from Parallels or other third
party companies [1].
The main setting is `ProductPromo.ForcePromoOff` [1] that you can check using:
1. `defaults read 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff'`
2. `defaults read 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff'`
By default, on clean installations the value is `0` which is equivalent of `no`.
There is also `WelcomeScreenPromo.PromoOff` setting that's pre-configured to `1` (`no` as
default). It's undocumented but still kept disabled by this script.
[1]: https://web.archive.org/save/https://forum.parallels.com/threads/unable-to-process-the-upgrade-request.345603/ "Unable to process the upgrade request | Parallels Forums | forum.parallels.com"
[2]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com"
code: |-
defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool yes
defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes
revertCode: |-
defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool no
defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes
-
category: Disable Parallels Desktop automatic updates
docs: |-
Parallels Desktop by default checks for updates frequently and automatically downloads them [1].
This reveal personal data about you [2] without your control.
[1]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com"
[2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com"
children:
-
name: Disable automatic downloads for Parallels Desktop updates
docs: |-
Automatic downloads are enabled by default, and this script disables automatic downloads.
Automatic downloads are configured using the `Application preferences.Download updates automatically` property [1].
- Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically'`
- Values: 0 - Disabled, 1 - Enabled (default)
[1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com"
code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool no
revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool yes
-
name: Disable automatic checks for Parallels Desktop updates
docs: |-
Automatic checks are weekly by default, and this script disables the checks completely.
Frequency to check for updates can be configured using `Application preferences.Check for updates` property [1].
- Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates'`
- Values: 0 - Never, 1 - Once a day, 2 - Once a week (default), 3 - Once a month
[1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com"
code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 0
revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 2
-
category: Configure OS
children:
-
category: Configure Apple Remote Desktop
children:
-
name: Disable remote management service
recommend: strict
code: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
revertCode: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console
-
name: Remove Apple Remote Desktop Settings
recommend: strict
code: |-
sudo rm -rf /var/db/RemoteManagement
sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist
defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist
sudo rm -rf /Library/Application\ Support/Apple/Remote\ Desktop/
rm -r ~/Library/Application\ Support/Remote\ Desktop/
rm -r ~/Library/Containers/com.apple.RemoteDesktop
-
name: Disable online spell correction
code: defaults write NSGlobalDomain WebAutomaticSpellingCorrectionEnabled -bool false
revertCode: defaults delete NSGlobalDomain WebAutomaticSpellingCorrectionEnabled
-
name: Disable remote Apple events
recommend: strict
code: sudo systemsetup -setremoteappleevents off
revertCode: sudo systemsetup -setremoteappleevents on
-
name: Disable automatic storage of documents in iCloud Drive
docs: https://macos-defaults.com/finder/nsdocumentsavenewdocumentstocloud.html
recommend: standard
code: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
revertCode: defaults delete NSGlobalDomain NSDocumentSaveNewDocumentsToCloud
-
name: Disable display of recent applications on Dock
docs: https://developer.apple.com/documentation/devicemanagement/dock
code: defaults write com.apple.dock show-recents -bool false
revertCode: defaults delete com.apple.dock show-recents
-
name: Disable AirDrop file sharing
recommend: strict
code: defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
revertCode: defaults write com.apple.NetworkBrowser DisableAirDrop -bool false
-
category: Configure Siri
children:
-
name: Disable participation in Siri data collection
recommend: standard
code: defaults write com.apple.assistant.support 'Siri Data Sharing Opt-In Status' -int 2
revertCode: defaults delete com.apple.assistant.support 'Siri Data Sharing Opt-In Status'
-
category: Disable Siri
children:
-
name: Disable "Ask Siri"
recommend: strict
docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/
code: defaults write com.apple.assistant.support 'Assistant Enabled' -bool false
revertCode: defaults write com.apple.assistant.support 'Assistant Enabled' -bool true
-
name: Disable Siri voice feedback
recommend: strict
docs:
- https://github.com/privacysexy-forks/starter/blob/master/system/siri.sh
- https://machippie.github.io/system/
code: defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 3
revertCode: defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 2
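-
  name: Disable Siri services (Siri and assistantd)
  recommend: strict
  docs:
    - https://apple.stackexchange.com/questions/57514/what-is-assistantd
    - https://www.jamf.com/jamf-nation/discussions/22757/kill-siri#responseChild137563
    - https://apple.stackexchange.com/a/370426
  # To see status: • `launchctl print-disabled system` • `launchctl print-disabled user/$UID` • `launchctl print-disabled gui/$UID`
  # Disables (code) or re-enables (revertCode) the assistantd and Siri agent
  # services in the user, gui and system launchd domains, then warns on stderr
  # when csrutil reports SIP as enabled.
  # The csrutil result is quoted inside `[ ... ]` so that an empty or
  # multi-word result compares as a string instead of breaking the test.
  code: |-
    launchctl disable "user/$UID/com.apple.assistantd"
    launchctl disable "gui/$UID/com.apple.assistantd"
    sudo launchctl disable 'system/com.apple.assistantd'
    launchctl disable "user/$UID/com.apple.Siri.agent"
    launchctl disable "gui/$UID/com.apple.Siri.agent"
    sudo launchctl disable 'system/com.apple.Siri.agent'
    if [ "$(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//')" = "enabled" ]; then
      >&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'
    fi
  revertCode: |-
    launchctl enable "user/$UID/com.apple.assistantd"
    launchctl enable "gui/$UID/com.apple.assistantd"
    sudo launchctl enable 'system/com.apple.assistantd'
    launchctl enable "user/$UID/com.apple.Siri.agent"
    launchctl enable "gui/$UID/com.apple.Siri.agent"
    sudo launchctl enable 'system/com.apple.Siri.agent'
    if [ "$(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//')" = "enabled" ]; then
      >&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'
    fi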
-
name: Disable "Do you want to enable Siri?" pop-up
docs:
- https://discussions.apple.com/thread/7694127?answerId=30752577022#30752577022
- https://windowsreport.com/mac/siri-keeps-popping-up/
- https://www.jamf.com/jamf-nation/discussions/21783/disable-siri-setup-assistant-in-macos-sierra#responseChild131588
code: defaults write com.apple.SetupAssistant 'DidSeeSiriSetup' -bool True
revertCode: defaults delete com.apple.SetupAssistant 'DidSeeSiriSetup'
-
category: Remove Siri from user interface
children:
-
name: Remove Siri from menu bar
recommend: strict
code: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 0
revertCode: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 1
-
name: Remove Siri from status menu
recommend: strict
docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/
code: |-
defaults write com.apple.Siri 'StatusMenuVisible' -bool false
defaults write com.apple.Siri 'UserHasDeclinedEnable' -bool true
revertCode: |-
defaults delete com.apple.Siri 'StatusMenuVisible'
defaults delete com.apple.Siri 'UserHasDeclinedEnable'
-
name: Disable Spotlight indexing
code: sudo mdutil -i off -d /
revertCode: sudo mdutil -i on /
-
name: Disable personalized advertisements and identifier tracking
# Writes three keys in the `com.apple.AdLib` preference domain; the docs below explain each key.
# `forceLimitAdTracking` does not exist by default, so the revert deletes it instead of writing a value,
# while the other two keys are written back to their default of true.
recommend: standard
docs: |-
This script enhances your privacy by deactivating Personalized Ads and disabling the collection
of identifiers related to your device. The process involves modifying certain key configurations,
which prevents Apple's advertising platform from using your personal information to deliver targeted
ads [1].
When Personalized Ads is enabled, your information may be used to provide ads that closely align
with your interests [1]. You might occasionally encounter such targeted ads in Apple News, Stocks,
and the Mac App Store [2]. Disabling Personalized Ads will prevent Apple from using your data for
ad targeting [2]. Although this does not necessarily decrease the quantity of ads you receive,
it may result in the ads being less relevant to your interests [2].
The primary keys to deactivating personalized ads are:
- **`allowApplePersonalizedAdvertising`**: If set to false, this restricts Apple's personalized
advertising [3]. This is applicable on macOS 12 and subsequent versions [3].
- **`allowIdentifierForAdvertising`**: The `advertisingIdentifier` is a unique string assigned
to each device [5]. Apple uses this identifier and recommends its use in third-party
applications for tasks like frequency capping, attribution, conversion events, estimating the
number of unique users, detecting advertising fraud, and debugging [5]. Although there is no
official documentation on it, a discussion on JAMF.com corroborates its existence [6].
My tests show that disabling any of the keys mentioned above results in the
"System Preferences > Apple Advertising > Personalized ads" option being deactivated in the GUI,
starting from macOS Monterey.
Please note: The `forceLimitAdTracking` key limits ad tracking [3] [4] and is found in CIS
benchmarks for macOS [4]. However, the official macOS documentation specifies that it is
applicable only to iOS 7 and newer versions, not to macOS [3]. The key does not exist on the OS
by default.
[1]: https://web.archive.org/web/20230731152633/https://www.apple.com/legal/privacy/data/en/apple-advertising/ "Legal - Apple Advertising & Privacy - Apple"
[2]: https://web.archive.org/web/20220805052411/https://support.apple.com/en-sg/guide/mac-help/mh32356/mac: "Change Privacy preferences on Mac - Apple Support (SG)"
[3]: https://web.archive.org/web/20230731155827/https://developer.apple.com/documentation/devicemanagement/restrictions "Restrictions | Apple Developer Documentation"
[4]: https://web.archive.org/web/20230731155653/https://paper.bobylive.com/Security/CIS/CIS_Apple_macOS_11_0_Big_Sur_Benchmark_v2_0_0.pdf "CIS Apple macOS 11.0 Big Sur Benchmark"
[5]: https://web.archive.org/web/20230731155131/https://developer.apple.com/documentation/adsupport/asidentifiermanager/1614151-advertisingidentifier "advertisingIdentifier | Apple Developer Documentation"
[6]: https://web.archive.org/web/20230731154840/https://community.jamf.com/t5/jamf-pro/macos-quot-limit-ad-tracking-quot/td-p/217001 'Solved: macOS "Limit Ad Tracking" - Jamf Nation Community - 217001'
code: |-
defaults write com.apple.AdLib allowIdentifierForAdvertising -bool false
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool false
defaults write com.apple.AdLib forceLimitAdTracking -bool true
# Default: (`defaults read com.apple.AdLib`)
# - `defaults read com.apple.AdLib allowApplePersonalizedAdvertising`: true (1)
# - `defaults read com.apple.AdLib allowIdentifierForAdvertising`: true (1)
# - `defaults read com.apple.AdLib forceLimitAdTracking`: non-existing
revertCode: |-
defaults write com.apple.AdLib allowIdentifierForAdvertising -bool true
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool true
sudo defaults delete com.apple.AdLib forceLimitAdTracking
-
category: Security improvements
children:
-
category: Configure macOS Application Firewall
children:
-
name: Enable application firewall
# Turns the application firewall on through `socketfilterfw` and writes the matching `globalstate`
# and `EnableFirewall` preference keys; the revert switches all three back off.
# The resulting state can be checked with `socketfilterfw --getglobalstate`.
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81681
- https://daiderd.com/nix-darwin/manual/index.html
- https://developer.apple.com/documentation/devicemanagement/firewall
code: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true
defaults write com.apple.security.firewall EnableFirewall -bool true
revertCode: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool false
defaults write com.apple.security.firewall EnableFirewall -bool false
-
name: Enable firewall logging
# Turns firewall logging on with `--setloggingmode on` and writes the `loggingenabled` key in
# `com.apple.alf`; the revert turns both off again.
# Firewall logs give later review of connection attempts something to work from.
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671
- https://daiderd.com/nix-darwin/manual/index.html
code: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
revertCode: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool false
-
name: Enable stealth mode
# Turns stealth mode on with `--setstealthmode on` and writes the `stealthenabled` and
# `EnableStealthMode` preference keys; the revert switches all three back off.
# In stealth mode the host does not answer unsolicited probes such as ICMP echo requests.
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327
- https://daiderd.com/nix-darwin/manual/index.html
- https://developer.apple.com/documentation/devicemanagement/firewall
code: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
defaults write com.apple.security.firewall EnableStealthMode -bool true
revertCode: |-
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false
defaults write com.apple.security.firewall EnableStealthMode -bool false
-
category: Disable automatic permission for incoming traffic in applications
children:
-
name: Disable automatic incoming connections for signed apps
# Writes `allowsignedenabled` as false in the firewall preferences (`com.apple.alf`), so a valid
# signature alone no longer grants an app incoming connections; the revert writes true.
docs: https://daiderd.com/nix-darwin/manual/index.html
recommend: strict
code: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool true
-
name: Disable automatic incoming connections for downloaded signed apps
# Same change for the `allowdownloadsignedenabled` key, which covers downloaded signed apps.
docs: https://daiderd.com/nix-darwin/manual/index.html
recommend: strict
code: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false
revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool true
-
name: Disable Captive portal
# An attacker could trigger the captive portal utility and direct a Mac to a site hosting malware
# without user interaction, so the utility is disabled here; captive portals are then logged in to
# with a regular web browser instead.
# The script writes `Active` as false in `com.apple.captive.control.plist`; the revert deletes the key.
recommend: standard
docs:
# Risks with captive portals:
- https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
# More about the Apple captive portal:
- https://web.archive.org/web/20171008071031if_/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html#.WdnPa5OyL6Y
- https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html
- https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/
code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
revertCode: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active
-
category: Enable protective screen saver
children:
-
name: Enable password requirement for waking from sleep or screen saver
# The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
# Writes `askForPassword` as true in the system-wide screen saver preferences; the revert deletes the key.
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230744
code: sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true
revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword
-
name: Enable session lock five seconds after screen saver initiation
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230745
# An unattended system with an excessive grace period is vulnerable to a malicious user.
# Writes `askForPasswordDelay` as the integer 5; the revert deletes the key.
# This delay only matters when the password requirement (`askForPassword`) is also enabled.
code: sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5
revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay'
-
category: Disable guest accounts
docs:
- https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615
children:
-
name: Disable guest sign-in from login screen
# Writes `GuestEnabled` as NO in the login window preferences.
# The revert writes YES, which turns guest sign-in on even if it was off before the script ran.
code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
revertCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES
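-
  name: Disable guest access to file shares over SMB
  # `com.apple.smb.server` is the SMB file-sharing preference domain, so this entry carries the
  # SMB name. Writes `AllowGuestAccess` as NO; the revert writes YES.
  code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO
  revertCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES
-
  name: Disable guest access to file shares over AFP
  # `com.apple.AppleFileServer` is the AFP (Apple Filing Protocol) server preference domain, so
  # this entry carries the AFP name. Writes `guestAccess` as NO; the revert writes YES.
  code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO
  revertCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES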
-
category: Disable unauthorized connections
children:
-
name: Disable incoming SSH and SFTP remote logins
# Turns Remote Login off through `systemsetup`; `echo 'yes'` is piped in to answer the
# confirmation prompt so the script does not block waiting for input.
# The revert turns Remote Login on, which opens the host to incoming SSH again.
recommend: standard
docs: https://osxdaily.com/2016/08/16/enable-ssh-mac-command-line/
# Check if enabled: sudo systemsetup -getremotelogin, returns "Remote Login: On" or "Off"
code: echo 'yes' | sudo systemsetup -setremotelogin off
revertCode: sudo systemsetup -setremotelogin on
-
name: Disable the insecure TFTP service
recommend: standard
# If the system does not require Trivial File Transfer Protocol (TFTP), then support for
# it is non-essential and should be disabled. The information system should be configured to
# provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection
# of devices and the unauthorized transfer of information.
# NOTE(review): `launchctl disable` marks the service as disabled; it may not stop an instance
# that is already running — confirm whether the service also needs to be unloaded.
docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230813
code: sudo launchctl disable 'system/com.apple.tftpd'
revertCode: sudo launchctl enable 'system/com.apple.tftpd'
-
name: Disable Bonjour multicast advertising
# Writes `NoMulticastAdvertisements` as true in the mDNSResponder preferences, so the host stops
# announcing its services over multicast; the revert writes false.
recommend: standard
docs: https://www.stigviewer.com/stig/apple_os_x_10.11/2017-04-06/finding/V-67593
code: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
revertCode: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool false
-
name: Disable insecure telnet protocol
# Marks the `com.apple.telnetd` system service as disabled through `launchctl`; the revert enables it.
# NOTE(review): as with the TFTP entry, `launchctl disable` may not stop an instance that is
# already running — confirm.
recommend: standard
docs:
- https://www.stigviewer.com/stig/apple_os_x_10.13/2020-09-11/finding/V-214882
- https://www.stigviewer.com/stig/apple_os_x_10.10_yosemite_workstation/2017-04-06/finding/V-59671
code: sudo launchctl disable system/com.apple.telnetd
revertCode: sudo launchctl enable system/com.apple.telnetd
-
category: Disable printer sharing (IPP, LDP, SMB and Bonjour protocols)
# Used typically for servers
# By default, the CUPS only listens to requests from the machine that it's running on
# cupsctl is a tool to manage the configuration of the CUPS daemon
docs:
- https://www.cups.org/doc/sharing.html
- https://www.cups.org/doc/security.html # Security risks
children:
-
name: Disable local printer sharing with other computers
# Passes `--no-share-printers` to `cupsctl`; the revert passes `--share-printers`.
recommend: standard
docs: https://www.cups.org/doc/man-cupsctl.html
code: cupsctl --no-share-printers
revertCode: cupsctl --share-printers
-
name: Disable printing from external addresses, including the internet
# Passes `--no-remote-any` to `cupsctl`. The revert passes `--remote-any`, which accepts print
# jobs from any address even if that was not allowed before the script ran.
recommend: standard
docs: https://www.cups.org/doc/man-cupsctl.html
code: cupsctl --no-remote-any
revertCode: cupsctl --remote-any
-
name: Disable remote printer administration
# Passes `--no-remote-admin` to `cupsctl`. The revert passes `--remote-admin`, which exposes
# CUPS administration to remote hosts even if that was not allowed before the script ran.
recommend: standard
docs: https://www.cups.org/doc/man-cupsctl.html
code: cupsctl --no-remote-admin
revertCode: cupsctl --remote-admin
-
category: Privacy over security
children:
-
category: Disable File Quarantine (tracks downloaded files and warns)
# The OS tracks downloaded files with the help of quarantine-aware applications
# (such as Safari, Chrome), which add quarantine extended attributes to files.
# The OS then warns and asks if you really want to open the file.
docs: https://support.apple.com/en-gb/HT202491
children:
-
category: Clean File Quarantine from downloaded files
children:
-
name: Clear logs of all downloaded files from File Quarantine
# Empties the `LSQuarantineEvent` table of the per-user quarantine events database.
# If the file carries the `schg` or `uchg` immutable flag, the flag is cleared before the
# delete and set again afterwards, so a previously locked database stays locked.
# NOTE(review): `delete from` on its own may leave the removed rows recoverable in unused
# database pages; consider whether a `vacuum` should follow — confirm against the SQLite
# build shipped with macOS.
recommend: strict
docs:
- https://www.macobserver.com/tips/how-to/your-mac-remembers-everything-you-download-heres-how-to-clear-download-history/
- https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/
- https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/
- https://eclecticlight.co/2017/08/14/show-me-your-metadata-extended-attributes-in-macos-sierra/
# Query entries using:
# sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select DISTINCT LSQuarantineDataURLString from LSQuarantineEvent'
code: |-
db_file=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
db_query='delete from LSQuarantineEvent'
if [ -f "$db_file" ]; then
echo "Database exists at \"$db_file\""
if ls -lO "$db_file" | grep --silent 'schg'; then
sudo chflags noschg "$db_file"
echo "Found and removed system immutable flag"
has_system_immutable_flag=true
fi
if ls -lO "$db_file" | grep --silent 'uchg'; then
sudo chflags nouchg "$db_file"
echo "Found and removed user immutable flag"
has_user_immutable_flag=true
fi
sqlite3 "$db_file" "$db_query"
echo "Executed the query \"$db_query\""
if [ "$has_system_immutable_flag" = true ] ; then
sudo chflags schg "$db_file"
echo "Added system immutable flag back"
fi
if [ "$has_user_immutable_flag" = true ] ; then
sudo chflags uchg "$db_file"
echo "Added user immutable flag back"
fi
else
echo "No action needed, database does not exist at \"$db_file\""
fi
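-
  name: Clear File Quarantine attribute from downloaded files
  # Walks every regular file under ~/Downloads and removes its `com.apple.quarantine` extended
  # attribute when present, reporting the outcome per file.
  # File names under ~/Downloads are untrusted input. Each path is handed to the inner shell as
  # the positional parameter `$1` rather than spliced into the script text, so characters in a
  # file name are never parsed as shell syntax.
  # `bash` is named explicitly because the inner script relies on `[[ ]]`.
  # Removing the attribute also removes the first-open warning for those files.
  docs: https://superuser.com/questions/28384/what-should-i-do-about-com-apple-quarantine
  code: |-
    find ~/Downloads \
      -type f \
      -exec \
        bash -c \
          '
            attr="com.apple.quarantine"
            file="$1"
            if [[ $(xattr "$file") = *$attr* ]]; then
              if xattr -d "$attr" "$file" 2>/dev/null; then
                echo "🧹 Cleaned attribute from \"$file\""
              else
                >&2 echo "❌ Failed to clean attribute from \"$file\""
              fi
            else
              echo "No attribute in \"$file\""
            fi
          ' \
          bash {} \;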
-
category: Disable macOS File Quarantine tracking for downloaded files
children:
-
name: Disable downloaded file logging in quarantine
# Sets the system immutable flag (`schg`) on the per-user quarantine events database,
# presumably so that no new download events can be written to it; the revert clears the flag.
# Nothing happens when the database file does not exist yet, so the lock is not applied on a
# profile that has never recorded a download.
docs:
- https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/
- https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/
- https://eclecticlight.co/2017/08/14/show-me-your-metadata-extended-attributes-in-macos-sierra/
recommend: strict
code: |-
file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
if [ -f "$file_to_lock" ]; then
sudo chflags schg "$file_to_lock"
echo "Made file immutable at \"$file_to_lock\""
else
echo "No action is needed, file does not exist at \"$file_to_lock\""
fi
revertCode: |-
file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
if [ -f "$file_to_lock" ]; then
sudo chflags noschg "$file_to_lock"
echo "Successfully reverted immutability from \"$file_to_lock\""
else
>&2 echo "Cannot revert immutability, file does not exist at\"$file_to_lock\""
fi
-
name: Disable extended quarantine attribute for downloaded files (disables warning)
# Disables the dialogs shown when opening an application for the first time,
# i.e. the "Application Downloaded from Internet" quarantine warning.
# Writes `LSQuarantine` as NO in `com.apple.LaunchServices`; the revert deletes the key.
# Gatekeeper is described in this file as built on top of File Quarantine, so files downloaded
# while this is set presumably skip its first-open check as well — confirm.
docs:
- https://apple.stackexchange.com/questions/373176/disable-the-use-of-the-com-apple-quarantine-extended-attribute-on-mojave
- https://superuser.com/questions/266176/is-there-some-way-to-disable-the-dialogs-shown-when-opening-an-application-for-t
- https://macos-defaults.com/misc/lsquarantine.html
code: sudo defaults write com.apple.LaunchServices 'LSQuarantine' -bool NO
revertCode: sudo defaults delete com.apple.LaunchServices 'LSQuarantine'
-
category: Disable Gatekeeper (enforces code-signing)
# Built on top of File Quarantine, requires code-signing for apps.
# Warns the user if a file is not signed by its developer with a certificate issued by Apple.
# Can protect against unknown threats.
children:
-
name: Disable Gatekeeper's automatic reactivation
# NOTE(review): the script name says automatic reactivation is switched off, yet `code` writes
# `GKAutoRearm` as true and `revertCode` writes false. Going by the key name, true would keep
# re-arming on, so the two values look swapped; verify against the references below.
# If they are swapped, running the revert is what leaves Gatekeeper without automatic re-arming.
docs:
- https://osxdaily.com/2015/11/05/stop-gatekeeper-auto-rearm-mac-os-x/
- https://www.cnet.com/tech/computing/how-to-disable-gatekeeper-permanently-on-os-x/
code: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true
revertCode: sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false
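-
  name: Disable Gatekeeper
  # Gatekeeper requires code-signing for apps and warns about unsigned files, so this script
  # trades that protection away; the entry has no `recommend` level.
  # Both scripts read the OS version and the current `spctl --status` result, then act only
  # when the state actually has to change.
  # The version guard skips only releases older than 10.7. It previously used `-le 10`, which
  # also matched every 10.x release, so the revert could not re-enable Gatekeeper there.
  # The status value is quoted so an empty or multi-word result is compared cleanly and falls
  # through to the "Unknown" branch instead of raising a `[` syntax error.
  docs:
    # References for spctl --master-disable
    - https://www.manpagez.com/man/8/spctl/
    # References for /var/db/SystemPolicy-prefs.plist
    - https://krypted.com/mac-security/manage-gatekeeper-from-the-command-line-in-mountain-lion/
    - https://community.jamf.com/t5/jamf-pro/users-can-t-change-password-greyed-out/m-p/54228
  code: |-
    os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}')
    os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}')
    if [[ $os_major_ver -lt 10 \
        || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \
      ]]; then
      echo "No action needed, Gatekeeper is not available this OS version"
    else
      gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')"
      if [ "$gatekeeper_status" = "disabled" ]; then
        echo "No action needed, Gatekeeper is already disabled"
      elif [ "$gatekeeper_status" = "enabled" ]; then
        sudo spctl --master-disable
        sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'no'
        echo "Disabled Gatekeeper"
      else
        >&2 echo "Unknown gatekeeper status: $gatekeeper_status"
      fi
    fi
  revertCode: |-
    os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}')
    os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}')
    if [[ $os_major_ver -lt 10 \
        || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \
      ]]; then
      >&2 echo "Gatekeeper is not available in this OS version"
    else
      gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')"
      if [ "$gatekeeper_status" = "disabled" ]; then
        sudo spctl --master-enable
        sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'yes'
        echo "Enabled Gatekeeper"
      elif [ "$gatekeeper_status" = "enabled" ]; then
        echo "No action needed, Gatekeeper is already enabled"
      else
        >&2 echo "Unknown Gatekeeper status: $gatekeeper_status"
      fi
    fi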
-
name: Disable library validation entitlement (library signature validation)
# Writes `DisableLibraryValidation` as true in the system-wide library validation preferences;
# the revert writes false rather than deleting the key.
# NOTE(review): going by the entry name, this switches off the signature check on libraries a
# process loads, which would widen what code can be loaded into running apps — confirm scope
# against the Apple reference below. The entry has no `recommend` level.
docs:
- https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation
- https://www.macenhance.com/docs/general/sip-library-validation.html
- https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/
code: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool true
revertCode: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool false
-
category: Disable automatic updates
docs:
- https://developer.apple.com/documentation/devicemanagement/deviceinformationresponse/queryresponses/osupdatesettings
- https://macadminsdoc.readthedocs.io/en/master/Profiles-and-Settings/OS-X-Updates.html
children:
-
name: Disable automatic checks for updates
# Writes `AutomaticCheckEnabled` as false in the system-wide Software Update preferences;
# the revert writes true.
# With automatic checks off, new updates (security fixes included) have to be looked for manually.
docs: https://developer.apple.com/documentation/devicemanagement/softwareupdate
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool true
-
name: Disable automatic downloads for updates
# Writes `AutomaticDownload` as false in the same preferences file; the revert writes true.
docs: https://developer.apple.com/documentation/devicemanagement/softwareupdate
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool true
-
name: Disable automatic installation of macOS updates
# Two keys cover two OS version ranges (see the comments inside the scripts). Both are written
# unconditionally; the script does not check the running OS version.
docs:
# References for AutoUpdateRestartRequired
- https://kb.vmware.com/s/article/2960635
- https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/
# References for AutomaticallyInstallMacOSUpdates
- https://developer.apple.com/documentation/devicemanagement/softwareupdate
code: |-
# For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool false
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool false
revertCode: |-
# For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool true
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool true
-
name: Disable automatic app updates from the App Store
# Same pattern for App Store apps: `AutoUpdate` in `com.apple.commerce` and
# `AutomaticallyInstallAppUpdates` in `com.apple.SoftwareUpdate`, both written unconditionally.
docs:
- https://kb.vmware.com/s/article/2960635
- https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool false
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool false
revertCode: |-
# For OS X Yosemite and newer
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool true
# For Mojave and newer (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool true
-
name: Disable macOS beta release installation
# Writes `AllowPreReleaseInstallation` as false in the system-wide Software Update preferences.
# The revert writes true, which allows pre-release installation even if it was off before.
docs: https://support.apple.com/en-gb/HT203018
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool true
-
name: Disable automatic installation for configuration data (e.g. XProtect, Gatekeeper, MRT)
# Writes `ConfigDataInstall` as false in the system-wide Software Update preferences;
# the revert writes true.
# The data named in the title (XProtect, Gatekeeper, MRT) is protection data, so with this set
# it stays at its current version until installed by other means. The entry has no
# `recommend` level.
docs: https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool true
-
name: Disable automatic installation for system data files and security updates
# Writes `CriticalUpdateInstall` as false in the system-wide Software Update preferences.
# With this set, security updates are no longer installed automatically and have to be applied
# by hand. The entry has no `recommend` level.
# The revert writes true and then starts a background scan for critical updates, so updates
# missed while the setting was off are picked up.
docs:
# References for CriticalUpdateInstall
- https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/
- https://developer.apple.com/documentation/devicemanagement/softwareupdate
# References for softwareupdate --background-critical
- https://managingosx.wordpress.com/2013/04/30/undocumented-options/
code: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool false
revertCode: |-
# For OS X Yosemite and newer (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool true
# Trigger background check with normal scan (critical updates only)
sudo softwareupdate --background-critical
functions:
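-
  name: PersistUserEnvironmentConfiguration
  # Appends the line given in `configuration` to ~/.bash_profile and ~/.zprofile when it is not
  # already there; the revert removes every line containing it from both files.
  # The value is matched as a fixed string (`grep -F`), not as a regular expression, so characters
  # such as `.`, `*`, `[` or `/` in the configuration line cannot change what is matched or removed.
  # The revert rewrites the profile through `cat`, which keeps the original file and its permissions.
  # `configuration` is placed inside single quotes, so callers must not pass a value that
  # contains a single quote.
  parameters:
    - name: configuration
  code: |-
    command='{{ $configuration }}'
    declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
    for profile_file in "${profile_files[@]}"
    do
      touch "$profile_file"
      if ! grep -qF -- "$command" "${profile_file}"; then
        echo "$command" >> "$profile_file"
        echo "[$profile_file] Configured"
      else
        echo "[$profile_file] No need for any action, already configured"
      fi
    done
  revertCode: |-
    command='{{ $configuration }}'
    declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
    for profile_file in "${profile_files[@]}"
    do
      if grep -qF -- "$command" "${profile_file}" 2>/dev/null; then
        temp_file=$(mktemp)
        grep -vF -- "$command" "$profile_file" > "$temp_file"
        cat "$temp_file" > "$profile_file"
        rm -f "$temp_file"
        echo "[$profile_file] Reverted configuration"
      else
        echo "[$profile_file] No need for any action, configuration does not exist"
      fi
    done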