Guidance

EUD Security Guidance: macOS 10.12 Provisioning Script

Created:  01 Sep 2016
Updated:  07 May 2018
Auto-provisioning script for OS X 10.12 and 10.13 devices
#!/bin/bash
function get_user_pass {
 local MATCH=false
 while [ $MATCH == false ] ; do
 read -s -p "Password: " PASS_1
 echo ""
 read -s -p "Repeat Password: " PASS_2
 echo ""
 if [ $PASS_1 == $PASS_2 ] ; then
 PASS="$PASS_1"
 MATCH=true
 fi
 done
 return
}
function get_encryption_pass {
 local MATCH=false
 while [ $MATCH == false ] ; do
 read -s -p "Passphrase: " PASS_1
 echo ""
 read -s -p "Repeat: " PASS_2
 echo ""
 if [ $PASS_1 == $PASS_2 ]; then
 DISKPASS="$PASS_1"
 MATCH=true
 fi
 done
 return
}
if [[ $UID -ne 0 ]]; then
 echo "This script needs to be run as root (with sudo)"
 exit 1
fi
echo "[I] Beginning local provisioning now"
read -p "[!] Enter a name for this device: " DEVNAME
systemsetup -setcomputername "$DEVNAME"
scutil --set HostName "$DEVNAME"
echo "[I] Creating a standard user account"
CONFIRM="n"
while [ "$CONFIRM" != "y" ] ; do
 echo "[!] Enter username to create (e.g. jsmith):"
 read -p "Username: " USERNAME
 echo "[!] Enter user's full name (e.g. John Smith):"
 read -p "Real Name: " REALNAME
 echo "[!] Please provide a password for this account"
 get_user_pass
 echo "[!] Please provide a disk encryption passphrase"
 echo "[ ] This could include a second-factor password entry token component"
 get_encryption_pass
 echo " "
 echo "[?] Are the following details correct?"
 echo " Username: $USERNAME"
 echo " Real Name: $REALNAME"
 read -p "[y/n]: " CONFIRM
done
echo "[I] Turning off iCloud login prompt"
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.12"
echo "[I] Creating user $USERNAME"
MAXID=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
USERID=$((MAXID+1))
DISKID=$((MAXID+2))
dscl . -create /Users/$USERNAME
dscl . -create /Users/$USERNAME RealName "$REALNAME"
dscl . -passwd /Users/$USERNAME $PASS
dscl . -create /Users/$USERNAME UserShell "/bin/bash -r"
dscl . -create /Users/$USERNAME NFSHomeDirectory /Users/$USERNAME
dscl . -create /Users/$USERNAME PrimaryGroupID 20
dscl . -create /Users/$USERNAME UniqueID "$USERID"
cp -R /System/Library/User\ Template/English.lproj /Users/$USERNAME
chown -R $USERNAME:staff /Users/$USERNAME
chmod go-rx /Users/$USERNAME
echo "[I] Locking down Terminal/Shell access"
mkdir /Users/"$USERNAME"/Bash
echo "set -r" > /Users/"$USERNAME"/.bash_profile
echo "unset PATH" >> /Users/"$USERNAME"/.bash_profile
echo "export PATH=/Users/"$USERNAME"/Bash" >> /Users/"$USERNAME"/.bash_profile
ln -s /usr/bin/clear /Users/"$USERNAME"/Bash
ln -s /bin/df /Users/"$USERNAME"/Bash
ln -s /usr/bin/egrep /Users/"$USERNAME"/Bash
ln -s /usr/bin/env /Users/"$USERNAME"/Bash
ln -s /usr/bin/fgrep /Users/"$USERNAME"/Bash
ln -s /usr/bin/rview /Users/"$USERNAME"/Bash
ln -s /usr/bin/rvim /Users/"$USERNAME"/Bash
ln -s /usr/bin/sudo /Users/"$USERNAME"/Bash
ln -s /usr/bin/tail /Users/"$USERNAME"/Bash
ln -s /usr/bin/wc /Users/"$USERNAME"/Library/Bash
echo "[I] Enabling FileVault2 full disk encryption"
dscl . -create /Users/filevault
dscl . -create /Users/filevault RealName "Disk Encryption Password"
dscl . -passwd /Users/filevault $DISKPASS
dscl . -create /Users/filevault UserShell /usr/bin/false
dscl . -create /Users/filevault UniqueID "$DISKID"
defaults write com.apple.loginwindow HiddenUsersList -array-add filevault
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -int 1
DISKPASS=$DISKPASS expect -c 'spawn /usr/bin/fdesetup enable -user filevault; expect ":"; send "$env(DISKPASS)\n"; expect eof'
pmset destroyfvkeyonstandby 1 hibernatemode 25
echo "[I] Disabling IPv6"
networksetup -setv6off Wi-Fi >/dev/null
networksetup -setv6off Ethernet >/dev/null
echo "[I] Disabling infrared receiver"
defaults write com.apple.driver.AppleIRController DeviceEnabled -bool FALSE
echo "[I] Disabling Bluetooth"
defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
echo "[I] Turning off WiFi"
networksetup -setairportpower airport off > /dev/null
echo "[I] Enabling scheduled updates"
softwareupdate --schedule on
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool true
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true
echo "[I] Disabling password hints on lock screen"
defaults write com.apple.loginwindow RetriesUntilHint -int 0
echo "[I] Enabling password-protected screen lock after 5 minutes"
systemsetup -setdisplaysleep 5
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0
echo "[I] Enabling firewall"
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
echo "[I] Launching firmware password utility (this may take a moment)"
diskutil mount Recovery\ HD
RECOVERY=$(hdiutil attach /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg | grep -i Base | cut -f 3)
open "$RECOVERY/Applications/Utilities/Firmware Password Utility.app"
echo "[!] Follow the prompts on the utility to set a strong unique firmware password"
echo "[!] Press enter when done"
read DONE

 

Was this guidance helpful?

We need your feedback to improve this content.

Yes No