EUD Security Guidance: OS X 10.11 Provisioning Script

For use with our guidance on the secure configuration of OS X 10.11 devices

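#######################################
# Prompt for the new account's password twice until both entries match.
# The listing is truncated right after the comparison; the tail (storing
# the accepted value) is reconstructed from the later use of $PASS by dscl.
# Globals:   PASS (written with the accepted password)
# Arguments: none
# Outputs:   prompts and status messages on stderr; nothing on stdout
# Returns:   0 once a non-empty, matching password is stored;
#            1 if stdin is exhausted before that happens
#######################################
function get_user_pass {
  # Keep both entries local so the cleartext does not linger in shell state
  # after the function returns (the original left PASS_1/PASS_2 global).
  local pass_1 pass_2
  while true; do
    # -s keeps the typed value off the terminal; -r keeps backslashes literal.
    # A failed read (EOF) returns instead of spinning forever on empty input.
    IFS= read -r -s -p "Password: " pass_1 || return 1
    printf '\n' >&2
    IFS= read -r -s -p "Repeat Password: " pass_2 || return 1
    printf '\n' >&2
    if [ -z "$pass_1" ]; then
      printf '%s\n' "[!] Password must not be empty" >&2
    elif [ "$pass_1" = "$pass_2" ]; then
      PASS=$pass_1
      return 0
    else
      printf '%s\n' "[!] Passwords do not match, try again" >&2
    fi
  done
}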
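#######################################
# Prompt for the disk encryption passphrase twice until both entries match.
# The listing is truncated right after the comparison; the tail (storing
# the accepted value) is reconstructed from the later use of $DISKPASS.
# Globals:   DISKPASS (written with the accepted passphrase)
# Arguments: none
# Outputs:   prompts and status messages on stderr; nothing on stdout
# Returns:   0 once a non-empty, matching passphrase is stored;
#            1 if stdin is exhausted before that happens
#######################################
function get_encryption_pass {
  # Local scratch variables so the cleartext does not outlive the call.
  local first second
  while true; do
    # -s suppresses echo; -r keeps backslashes literal; EOF ends the loop.
    IFS= read -r -s -p "Passphrase: " first || return 1
    printf '\n' >&2
    IFS= read -r -s -p "Repeat: " second || return 1
    printf '\n' >&2
    if [ -z "$first" ]; then
      printf '%s\n' "[!] Passphrase must not be empty" >&2
    elif [ "$first" = "$second" ]; then
      DISKPASS=$first
      return 0
    else
      printf '%s\n' "[!] Passphrases do not match, try again" >&2
    fi
  done
}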
# Main provisioning sequence: hostname, a restricted standard user, FileVault
# via a dedicated hidden account, radio/IPv6 lockdown, updates, screen lock,
# firewall, and a manual firmware-password step.
#
# NOTE(review): this listing is an extraction of the original script and is
# not runnable as shown. Visible damage: ASCII quotes have become curly
# quotes, "--" has become "–" (scutil, softwareupdate, socketfilterfw), the
# closing "fi"/"done" keywords are gone, the root-check condition on the first
# line is empty, and the preference domain after every "defaults write" path
# has been stripped. Comments below mark each of these where they occur.
# NOTE(review): the condition was lost in extraction; the message that
# follows shows it was a "running as root" check. The matching "fi" after
# "exit 1" is also missing.
if ; then
echo “This script needs to be run as root (with sudo)”
exit 1
echo “[I] Beginning local provisioning now”
# Computer name and HostName are set from one operator-supplied value.
read -p “[!] Enter a name for this device: ” DEVNAME
systemsetup -setcomputername “$DEVNAME”
scutil –set HostName “$DEVNAME”
echo “[I] Creating a standard user account”
# Gather account details until the operator confirms them. $CONFIRM is unset
# on the first pass, which is fine here but would trip "set -u". The closing
# "done" (presumably after the "[y/n]" read) is missing from the listing.
while [ “$CONFIRM” != “y” ] ; do
echo “[!] Enter username to create (e.g. jsmith):”
read -p “Username: ” USERNAME
echo “[!] Enter user’s full name (e.g. John Smith):”
read -p “Real Name: ” REALNAME
# NOTE(review): the calls to get_user_pass and get_encryption_pass (which
# set $PASS and $DISKPASS, consumed further down) presumably followed these
# two prompts; they are not present in the listing.
echo “[!] Please provide a password for this account”
echo “[!] Please provide a disk encryption passphrase”
echo “[ ] This could include a second-factor password entry token component”
echo ” ”
echo “[?] Are the following details correct?”
echo ” Username: $USERNAME”
echo ” Real Name: $REALNAME”
read -p “[y/n]: ” CONFIRM
# Seed the user template so every new account starts with the iCloud setup
# prompt already dismissed. The path contains a space and is unquoted as
# shown; the preference domain that followed "Preferences/" was stripped.
echo “[I] Turning off iCloud login prompt”
defaults write /System/Library/User Template/English.lproj/Library/Preferences/ DidSeeCloudSetup -bool TRUE
defaults write /System/Library/User Template/English.lproj/Library/Preferences/ GestureMovieSeen none
defaults write /System/Library/User Template/English.lproj/Library/Preferences/ LastSeenCloudProductVersion “10.11”
echo “[I] Creating user $USERNAME”
# Highest existing UniqueID. $USERID and $DISKID used below are not assigned
# anywhere in the listing; presumably they were derived from $MAXID.
MAXID=$(dscl . -list /Users UniqueID | awk ‘{print $2}’ | sort -ug | tail -1)
# Create the account record. $USERNAME is unquoted throughout this section.
dscl . -create /Users/$USERNAME
dscl . -create /Users/$USERNAME RealName “$REALNAME”
# NOTE(review): the password is passed as a command-line argument, so it is
# visible in the process list while dscl runs (and in shell trace output if
# "set -x" is ever enabled). Omitting the value makes dscl prompt for it
# instead; the same applies to the filevault account below.
dscl . -passwd /Users/$USERNAME $PASS
# Restricted bash as the login shell; PrimaryGroupID 20 is "staff".
dscl . -create /Users/$USERNAME UserShell “/bin/bash -r”
dscl . -create /Users/$USERNAME NFSHomeDirectory /Users/$USERNAME
dscl . -create /Users/$USERNAME PrimaryGroupID 20
dscl . -create /Users/$USERNAME UniqueID “$USERID”
# Home directory from the (just-seeded) template; unquoted space in the path
# as shown. Permissions deny other users any access to the home directory.
cp -R /System/Library/User Template/English.lproj /Users/$USERNAME
chown -R $USERNAME:staff /Users/$USERNAME
chmod go-rx /Users/$USERNAME
# Belt-and-braces restricted shell: "set -r" in .bash_profile plus a PATH
# limited to a directory of hand-picked symlinks.
# NOTE(review): "set -r" runs before the PATH lines; confirm on 10.11 that
# the PATH assignment still takes effect once restricted mode is active.
echo “[I] Locking down Terminal/Shell access”
mkdir /Users/”$USERNAME”/Bash
echo “set -r” > /Users/”$USERNAME”/.bash_profile
echo “unset PATH” >> /Users/”$USERNAME”/.bash_profile
echo “export PATH=/Users/”$USERNAME”/Bash” >> /Users/”$USERNAME”/.bash_profile
ln -s /usr/bin/clear /Users/”$USERNAME”/Bash
ln -s /bin/df /Users/”$USERNAME”/Bash
ln -s /usr/bin/egrep /Users/”$USERNAME”/Bash
ln -s /usr/bin/env /Users/”$USERNAME”/Bash
ln -s /usr/bin/fgrep /Users/”$USERNAME”/Bash
# rview/rvim are the restricted editor variants (no shell escapes).
ln -s /usr/bin/rview /Users/”$USERNAME”/Bash
ln -s /usr/bin/rvim /Users/”$USERNAME”/Bash
# NOTE(review): sudo is exposed inside the restricted PATH. For a standard
# (non-admin) account it will refuse, but if this account were ever added to
# the admin group the link would undo the shell restriction; keep the account
# out of admin or drop this link.
ln -s /usr/bin/sudo /Users/”$USERNAME”/Bash
ln -s /usr/bin/tail /Users/”$USERNAME”/Bash
# NOTE(review): this target is "Library/Bash", not the "Bash" directory
# created above — looks like a typo, so wc would not land in the PATH dir.
ln -s /usr/bin/wc /Users/”$USERNAME”/Library/Bash
# FileVault is unlocked by a dedicated, hidden "filevault" account with no
# usable shell, so the pre-boot passphrase is separate from the user's login
# password. Both "defaults write" lines lost their domain in extraction.
echo “[I] Enabling FileVault2 full disk encryption”
dscl . -create /Users/filevault
dscl . -create /Users/filevault RealName “Disk Encryption Password”
# Same argv exposure as the user password above.
dscl . -passwd /Users/filevault $DISKPASS
dscl . -create /Users/filevault UserShell /usr/bin/false
dscl . -create /Users/filevault UniqueID “$DISKID”
defaults write HiddenUsersList -array-add filevault
defaults write /Library/Preferences/ SHOWFULLNAME -int 1
# The passphrase reaches expect through its environment rather than argv.
# NOTE(review): the send string reads "...)n" — the backslash of "\n" was
# lost in extraction. fdesetup prints the recovery key to the terminal and
# nothing here captures it; record it according to your key-escrow process.
DISKPASS=$DISKPASS expect -c ‘spawn /usr/bin/fdesetup enable -user filevault; expect “:”; send “$env(DISKPASS)n”; expect eof’
# Drop the FileVault key from memory on standby and use a hibernate mode that
# writes memory to disk before powering off (presumably the intent here).
pmset destroyfvkeyonstandby 1 hibernatemode 25
# Service names are hardware-dependent; failures are hidden by >/dev/null.
echo “[I] Disabling IPv6”
networksetup -setv6off Wi-Fi >/dev/null
networksetup -setv6off Ethernet >/dev/null
# Domain stripped from the next "defaults write" lines as well.
echo “[I] Disabling infrared receiver”
defaults write DeviceEnabled -bool FALSE
echo “[I] Disabling Bluetooth”
defaults write /Library/Preferences/ ControllerPowerState -int 0
# NOTE(review): "airport" is used as the device name; on 10.11 the argument
# is normally the interface (e.g. en0) — verify on the target hardware.
echo “[I] Turning off WiFi”
networksetup -setairportpower airport off > /dev/null
# Automatic check/download/install of updates ("–" should be "--").
echo “[I] Enabling scheduled updates”
softwareupdate –schedule on
defaults write /Library/Preferences/ AutomaticCheckEnabled -bool true
defaults write /Library/Preferences/ AutomaticDownload -bool true
defaults write /Library/Preferences/ AutoUpdateRestartRequired -bool true
defaults write /Library/Preferences/ AutoUpdate -bool true
echo “[I] Disabling password hints on lock screen”
defaults write RetriesUntilHint -int 0
# Display sleeps after 5 minutes and a password is required immediately.
echo “[I] Enabling password-protected screen lock after 5 minutes”
systemsetup -setdisplaysleep 5
defaults write askForPassword -int 1
defaults write askForPasswordDelay -int 0
# Application firewall: logging on, signed apps allowed, firewall enabled.
echo “[I] Enabling firewall”
/usr/libexec/ApplicationFirewall/socketfilterfw –setloggingmode on
/usr/libexec/ApplicationFirewall/socketfilterfw –setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw –setglobalstate on
# Firmware password cannot be set non-interactively here, so the utility is
# launched from the recovery volume and the operator completes it by hand.
# "Recovery HD" is unquoted as shown, the hdiutil image path and the
# utility's bundle name appear truncated by extraction.
echo “[I] Launching firmware password utility (this may take a moment)”
diskutil mount Recovery HD
RECOVERY=$(hdiutil attach /Volumes/Recovery HD/ | grep -i Base | cut -f 3)
open “$RECOVERY/Applications/Utilities/Firmware Password”
echo “[!] Follow the prompts on the utility to set a strong unique firmware password”
echo “[!] Press enter when done”
# Block until the operator signals completion; the value read is unused.
read DONE

Read more here: NCSC Guidance