macOS-Setup-Script/primary.sh

#!/bin/zsh
# shellcheck disable=SC1071

# Comment this line out if you don't have Touch ID
awk 'NR==2 {print "auth       sufficient     pam_tid.so"} 1' /etc/pam.d/sudo | sudo tee /etc/pam.d/sudo

# Protect Home
for user in $(ls /Users | grep -v 'Shared'); do
sudo chmod 700 /Users/"$user"
done

# Verify SSH Fingerprints
echo "VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf

umask 022

# Disable cups
sudo launchctl unload /System/Library/LaunchDaemons/org.cups.cupsd.plist
sudo launchctl remove /System/Library/LaunchDaemons/org.cups.cupsd.plist

# Firewall rules
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/bin/python3
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/bin/ruby
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/remoted
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/sharingd
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/sshd-keygen-wrapper
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/sbin/cupsd
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/sbin/smbd

# Setup Edge Enterprise Policies
sudo mkdir -p '/Library/Tomster Corporation/scripts/' '/Library/Tomster Corporation/prefs/' '/Library/Managed Preferences'
curl https://raw.githubusercontent.com/TommyTran732/macOS-Setup-Script/etc/Library/Tomster%20Corporation/apply_prefs.sh | sudo tee '/etc/Library/Tomster Corporation/apply_prefs.sh'
sudo chmod 744 '/Library/Tomster Corporation/scripts/apply_prefs.sh'
curl https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/macOS/Managed%20Preferences/com.microsoft.Edge.plist | sudo tee '/Library/Tomster Corporation/prefs/com.microsoft.Edge.plist'
curl https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/macOS/Preferences/com.microsoft.Edge.plist | sudo tee /Library/Preferences/com.microsoft.Edge.plist
curl https://raw.githubusercontent.com/TommyTran732/macOS-Setup-Script/main/etc/Library/LaunchDaemons/io.tommytran.prefs.plist | sudo tee /etc/Library/LaunchDaemons/io.tommytran.prefs.list
sudo launchctl load -w /Library/LaunchDaemons/io.tommytran.prefs.plist
Update and rename install.sh to administrator.sh Signed-off-by: Tommy <contact@tommytran.io> 2023-06-02 16:37:07 -04:00			`#!/bin/zsh`
Disable shellcheck Signed-off-by: Tommy <contact@tommytran.io> 2024-04-09 04:06:43 -04:00			`# shellcheck disable=SC1071`
Update and rename install.sh to administrator.sh Signed-off-by: Tommy <contact@tommytran.io> 2023-06-02 16:37:07 -04:00
Consistency fix Signed-off-by: Tommy <contact@tommytran.io> 2023-11-07 03:42:21 -05:00			`# Comment this line out if you don't have Touch ID`
Update and rename install.sh to administrator.sh Signed-off-by: Tommy <contact@tommytran.io> 2023-06-02 16:37:07 -04:00			`awk 'NR==2 {print "auth sufficient pam_tid.so"} 1' /etc/pam.d/sudo \| sudo tee /etc/pam.d/sudo`

Protect home Signed-off-by: Tommy <contact@tommytran.io> 2023-11-11 16:51:43 -05:00			`# Protect Home`
Update Home protection command Signed-off-by: Tommy <contact@tommytran.io> 2023-11-13 15:22:32 -05:00			`for user in $(ls /Users \| grep -v 'Shared'); do`
Quoting Signed-off-by: Tommy <contact@tommytran.io> 2024-06-26 02:35:51 -04:00			`sudo chmod 700 /Users/"$user"`
Update Home protection command Signed-off-by: Tommy <contact@tommytran.io> 2023-11-13 15:22:32 -05:00			`done`
Protect home Signed-off-by: Tommy <contact@tommytran.io> 2023-11-11 16:51:43 -05:00
Update and rename install.sh to administrator.sh Signed-off-by: Tommy <contact@tommytran.io> 2023-06-02 16:37:07 -04:00			`# Verify SSH Fingerprints`
			`echo "VerifyHostKeyDNS yes" \| sudo tee /etc/ssh/ssh_config.d/10-custom.conf`
			`sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf`
Hide administrator user Signed-off-by: Tommy <contact@tommytran.io> 2023-06-02 22:41:21 -04:00
Add Edge Enterprise Policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-20 02:36:00 -05:00			`umask 022`

Disable cups & partially configure firewall 2024-09-29 02:37:27 -04:00			`# Disable cups`
			`sudo launchctl unload /System/Library/LaunchDaemons/org.cups.cupsd.plist`
			`sudo launchctl remove /System/Library/LaunchDaemons/org.cups.cupsd.plist`

			`# Firewall rules`
Add missing sudo 2024-09-29 02:37:51 -04:00			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on`
Disable cups & partially configure firewall 2024-09-29 02:37:27 -04:00			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/bin/python3`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/bin/ruby`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/remoted`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/sharingd`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/sshd-keygen-wrapper`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/sbin/cupsd`
			`sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/sbin/smbd`

Add Edge Enterprise Policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-20 02:36:00 -05:00			`# Setup Edge Enterprise Policies`
			`sudo mkdir -p '/Library/Tomster Corporation/scripts/' '/Library/Tomster Corporation/prefs/' '/Library/Managed Preferences'`
			`curl https://raw.githubusercontent.com/TommyTran732/macOS-Setup-Script/etc/Library/Tomster%20Corporation/apply_prefs.sh \| sudo tee '/etc/Library/Tomster Corporation/apply_prefs.sh'`
			`sudo chmod 744 '/Library/Tomster Corporation/scripts/apply_prefs.sh'`
			`curl https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/macOS/Managed%20Preferences/com.microsoft.Edge.plist \| sudo tee '/Library/Tomster Corporation/prefs/com.microsoft.Edge.plist'`
			`curl https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/macOS/Preferences/com.microsoft.Edge.plist \| sudo tee /Library/Preferences/com.microsoft.Edge.plist`
Typo fix Signed-off-by: Tommy <contact@tommytran.io> 2024-01-20 02:38:18 -05:00			`curl https://raw.githubusercontent.com/TommyTran732/macOS-Setup-Script/main/etc/Library/LaunchDaemons/io.tommytran.prefs.plist \| sudo tee /etc/Library/LaunchDaemons/io.tommytran.prefs.list`
Use load -w instead of load Signed-off-by: Tommy <contact@tommytran.io> 2024-04-09 04:12:58 -04:00			`sudo launchctl load -w /Library/LaunchDaemons/io.tommytran.prefs.plist`