-
Notifications
You must be signed in to change notification settings - Fork 1
/
run_once_before_2-configure-system-darwin.sh.tmpl
133 lines (119 loc) · 8.42 KB
/
run_once_before_2-configure-system-darwin.sh.tmpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/bin/bash
{{ if (eq .chezmoi.os "darwin") -}}
osascript -e 'tell application "System Preferences" to quit'
# ---------------------------------------------------------------------------------------------------------------------
# Global settings
# ---------------------------------------------------------------------------------------------------------------------
# Set default screenshot location
defaults write com.apple.screencapture "location" -string "~/Documents/Screenshots" && killall SystemUIServer
# Do not autogather large files when submitting a feedback report
defaults write com.apple.appleseed.FeedbackAssistant "Autogather" -bool "false"
# Disable automatic capitalization
defaults write -g NSAutomaticCapitalizationEnabled -bool false
# Enable smart dashes
defaults write -g NSAutomaticDashSubstitutionEnabled -bool true
# Prevent Photos from opening automatically when devices are plugged in
defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool true && killall Photos
# Save/Print modals are auto-expanded by default
defaults write NSGlobalDomain PMPrintingExpandedStateForPrint -bool true
defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode -bool true
# Trackpad: enable tap to click for this user and for the login screen
defaults write com.apple.driver.AppleBluetoothMultitouch.trackpad Clicking -bool true
defaults -currentHost write NSGlobalDomain com.apple.mouse.tapBehavior -int 1
defaults write NSGlobalDomain com.apple.mouse.tapBehavior -int 1
# ---------------------------------------------------------------------------------------------------------------------
# Security settings
# ---------------------------------------------------------------------------------------------------------------------
# Enable TouchID for sudo
! grep -q pam_tid.so /etc/pam.d/sudo && sudo gsed -i '2iauth sufficient pam_tid.so' /etc/pam.d/sudo
# Disable Gatekeeper
sudo spctl --master-disable
# Disable Airplay receiver
# https://www.tenable.com/audits/items/CIS_Apple_macOS_13.0_Ventura_v1.0.0_L1.audit:7ec4f921542292406e0217a0e1a6cad6
defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
# Ensure Secure Keyboard Entry in Terminal is enabled
defaults write -app Terminal SecureKeyboardEntry -bool true
# ---------------------------------------------------------------------------------------------------------------------
# AuthorizationDB settings
# The authorizationdb settings cannot be written to directly, so the plist must be exported out to temporary file
# ---------------------------------------------------------------------------------------------------------------------
# Export AuthorizationDB settings to temporary file
sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist
# Require an administrator password to access system-wide preferences
# https://www.tenable.com/audits/CIS_Apple_macOS_11_v2.0.0_L1
sudo defaults write /tmp/system.preferences.plist shared -bool false
# Import AuthorizationDB settings from temporary file
sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist
# ---------------------------------------------------------------------------------------------------------------------
# Dock settings
# ---------------------------------------------------------------------------------------------------------------------
# Set dock position
defaults write com.apple.dock orientation -string "right"
# Set the icon size of Dock items in pixels
defaults write com.apple.dock "tilesize" -int 43
# Minimize windows into their application’s icon
defaults write com.apple.dock minimize-to-application -bool false
# Enable launch animation
defaults write com.apple.dock launchanim -bool true
# Show indicator lights for open applications in the Dock
defaults write com.apple.dock show-process-indicators -bool true
# Don’t show recent applications in Dock
defaults write com.apple.dock show-recents -bool false
# Clear Dock of all default icons and set my own
defaults write com.apple.dock persistent-others -array
defaults write com.apple.dock persistent-apps -array\
'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Applications/Firefox.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'\
'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/System/Applications/Mail.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'\
'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Applications/Visual Studio Code.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'\
'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/System/Applications/Utilities/Terminal.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'\
'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Applications/XMind.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
killall Dock
# ---------------------------------------------------------------------------------------------------------------------
# Finder settings
# ---------------------------------------------------------------------------------------------------------------------
# Show hidden files in the Finder
defaults write com.apple.Finder "AppleShowAllFiles" -bool "true"
# Allowing text selection in Quick Look/Preview in Finder by default
defaults write com.apple.finder QLEnableTextSelection -bool true
# When performing a search, search the current folder by default
defaults write com.apple.finder FXDefaultSearchScope -string "SCcf"
# Use list view in all Finder windows by default
defaults write com.apple.finder FXPreferredViewStyle -string "Nlsv"
defaults write com.apple.finder SearchRecentsSavedViewStyle -string "Nlsv"
# Disable creation of metadata files on external volumes
defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
defaults write com.apple.desktopservices DSDontWriteUSBStores -bool true
# Empty Trash securely by default
defaults write com.apple.finder EmptyTrashSecurely -bool true
# Remove CMD+Space shortcut for Spotlight (So Alfred can use it)
/usr/libexec/PlistBuddy ~/Library/Preferences/com.apple.symbolichotkeys.plist -c "Delete :AppleSymbolicHotKeys:64"
/usr/libexec/PlistBuddy ~/Library/Preferences/com.apple.symbolichotkeys.plist -c "Add :AppleSymbolicHotKeys:64:enabled bool false"
killall Finder
# ---------------------------------------------------------------------------------------------------------------------
# Firewall settings
# ---------------------------------------------------------------------------------------------------------------------
# Enable firewall
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
#launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
#sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
#sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
#launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
# ---------------------------------------------------------------------------------------------------------------------
# Software Update settings
# ---------------------------------------------------------------------------------------------------------------------
# Automatically check for updates
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
# Download updates automatically in the background
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
# Install macos updates automatically
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true
# Install system data file updates automatically
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
# Install critical security updates automatically
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
# Check for software updates daily, not just once per week
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ScheduleFrequency -int 1
# Install app updates automatically
defaults write com.apple.commerce AutoUpdate -bool true
{{ end -}}