I just pushed a new tool I call osxlockdown at https://github.com/SummitRoute/osxlockdown to audit and fix security settings on Apple OS X 10.11 (El Capitan). It’s just a single tool to do all the manual, clicky-clicky steps you’ve seen in security guides, in an automated way. Instead of reading a massive guide and following a bunch of steps, you can now just run

    sudo ./osxlockdown

and find out what settings you haven’t set. Then to set all [1] of them to the secure settings, just run

    sudo ./osxlockdown --remediate

[1] Currently, one of the settings cannot be remediated automatically, the FileVault setting, since this requires you to write down a recovery key.
This was created primarily for those of us with fleets of Apple laptops in our enterprises, but will also work for your personal laptops. If you don’t want to enable some of these rules, either remove them from the commands.json file or set enabled to false. It’s really just a bunch of bash commands I tracked down then wrapped in a Go app, for reasons that seemed smart at the time, so feel free to rip those out and put them in your Puppet/Ansible scripts.