A shell script that applies security hardening settings to macOS. No dependencies — just bash and sudo.
| Step | What it applies | Why |
|---|---|---|
| 1 | Firewall | Enables the application firewall, stealth mode (no ICMP ping response), and firewall logging |
| 2 | Automatic updates | Enables update checks, automatic downloads, critical update installs, and XProtect/MRT definition updates |
| 3 | Login & screen lock | Requires password immediately on wake, disables guest login and auto-login, shows username/password prompt instead of a user list at the login window |
| 4 | Remote access | Disables Remote Login (SSH) and Remote Apple Events if they are on |
| 5 | Gatekeeper & FileVault | Ensures Gatekeeper is enforcing code signing; reports FileVault status (see below) |
| 6 | Network | Disables AirDrop and the captive portal assistant |
| 7 | System Integrity Protection | Reports SIP status (see below) |
| 8 | Privacy & telemetry | Opts out of crash report auto-submission and third-party diagnostics; enables "show all file extensions" in Finder |
| 9 | Software updates | Runs `softwareupdate -ia` to install any pending updates |
All changes are logged with timestamps to /var/log/macos-lockdown.log.
Things the script does not do:
- Enable FileVault — requires interactive recovery key setup; the script reports the current state and directs you to System Settings to enable it yourself.
- Enable SIP — can only be toggled from Recovery Mode (`csrutil enable`); the script reports the current state.
- Disable Bluetooth — too invasive for most workflows.
- Configure DNS-over-HTTPS — requires a third-party resolver or system extension; out of scope.
- Harden SSH config — the script disables SSH entirely. If you need SSH, configure `/etc/ssh/sshd_config` separately (key-only auth, `PermitRootLogin no`, etc.).
Requirements:
- macOS 12 Monterey or later (tested on Monterey, Ventura, Sonoma, Sequoia)
- Must be run as root
Usage:

```bash
# Apply all hardening steps
sudo ./macos_lockdown.sh

# Audit current settings without making any changes
sudo ./macos_lockdown.sh --check

# Show help
sudo ./macos_lockdown.sh --help
```

The `--check` flag runs a read-only audit and prints PASS/FAIL for each key setting. It is useful for verifying that the script was applied, or for checking a machine you didn't configure.
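As an added example (this is not code from `macos_lockdown.sh` itself), the following bash script shows how a read-only audit of the kind the step table and the `--check` flag describe can be built. Each `check_*` function takes the raw output of one macOS command as its argument and prints `PASS` or `FAIL`, so the parsing logic is separated from the privileged command and can be exercised with constructed output on any system. The macOS commands named (`csrutil`, `fdesetup`, `spctl`, `systemsetup`, `socketfilterfw`, `defaults`) are real; the exact output strings matched against, and the sample values used when not running on macOS, are assumptions.

```bash
#!/bin/bash
# Added example, not the macos_lockdown.sh script. Read-only audit in the
# style of the --check flag: each check_* function parses the output of one
# macOS command and prints PASS or FAIL. The matched strings are assumptions
# based on the usual wording of those commands.

# csrutil status -> "System Integrity Protection status: enabled."
check_sip() {
    case "$1" in
        *"status: enabled"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# fdesetup status -> "FileVault is On." / "FileVault is Off."
# (fdesetup may print extra lines, so match anywhere in the output)
check_filevault() {
    case "$1" in
        *"FileVault is On"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# spctl --status -> "assessments enabled" / "assessments disabled"
check_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# systemsetup -getremotelogin -> "Remote Login: Off" is the hardened state
check_remote_login() {
    case "$1" in
        *"Remote Login: Off"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
#   -> "Firewall is enabled. (State = 1)" / "Firewall is disabled. (State = 0)"
check_firewall() {
    case "$1" in
        *"Firewall is enabled"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# defaults read <domain> <key> prints one value. A missing key prints only an
# error on stderr, so empty stdout must be FAIL, never treated as "0".
# $1 = expected value, $2 = actual command output.
check_defaults_value() {
    if [ -n "$2" ] && [ "$2" = "$1" ]; then echo PASS; else echo FAIL; fi
}

# One audit line in the PASS/FAIL style of --check.
report() { printf '%-30s %s\n' "$1" "$2"; }

# On macOS the real commands are queried (root is needed for some of them);
# elsewhere constructed sample output for a partly hardened machine is used.
run_audit() {
    if [ "$(uname)" = "Darwin" ]; then
        sip=$(csrutil status 2>/dev/null)
        fv=$(fdesetup status 2>/dev/null)
        gk=$(spctl --status 2>/dev/null)
        rl=$(systemsetup -getremotelogin 2>/dev/null)
        fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
        guest=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)
        upd=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)
    else
        # Constructed sample output (hypothetical machine, for illustration).
        sip="System Integrity Protection status: enabled."
        fv="FileVault is Off."
        gk="assessments enabled"
        rl="Remote Login: On"
        fw="Firewall is enabled. (State = 1)"
        guest="0"
        upd=""   # key never set: defaults read printed nothing on stdout
    fi
    report "System Integrity Protection" "$(check_sip "$sip")"
    report "FileVault"                   "$(check_filevault "$fv")"
    report "Gatekeeper"                  "$(check_gatekeeper "$gk")"
    report "Remote Login (SSH) off"      "$(check_remote_login "$rl")"
    report "Application firewall"        "$(check_firewall "$fw")"
    report "Guest login disabled"        "$(check_defaults_value 0 "$guest")"
    report "Automatic update checks"     "$(check_defaults_value 1 "$upd")"
}

run_audit
```

On macOS run it with `sudo` so that `systemsetup` and the `/Library/Preferences` domains are readable; on any other system it prints the audit for the constructed sample, which deliberately includes a missing preference key to show why an empty `defaults read` result must be reported as a failure rather than as a default value.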
Every run appends timestamped output to `/var/log/macos-lockdown.log`:

```text
[macos_lockdown.sh][2025-01-15 09:32:11] Starting macOS hardening...
[macos_lockdown.sh][2025-01-15 09:32:11] [########----------------] (1/9) Configuring firewall
[macos_lockdown.sh][2025-01-15 09:32:11] Firewall enabled via socketfilterfw.
...
```
MIT — see LICENSE.