
Important notice

The code examples and scripts provided in these tutorials are for educational purposes only. Macfleet is not responsible for any problems, damage or security vulnerabilities that may arise from the use, modification or implementation of these examples. Always review and test code in a secure environment before using it in production systems.

System Preferences Management on macOS

Manage and control System Preferences access on your MacFleet devices with comprehensive preference pane management, user restriction controls, and enterprise configuration solutions. This tutorial covers hiding, disabling, and controlling System Preferences for enhanced security and compliance.

Understanding System Preferences Management

System Preferences on macOS provides access to system configuration settings:

  • Preference Panes - Individual configuration modules (Network, Security, Users, etc.)
  • Bundle Identifiers - Unique identifiers for each preference pane
  • Hidden vs Disabled - Different levels of access restriction
  • Enterprise Control - Centralized management of user access to system settings

Enterprise Use Cases

System Preferences management benefits enterprise environments:

  • Security Hardening - Prevent unauthorized configuration changes
  • Compliance - Ensure devices meet regulatory requirements
  • User Experience - Simplify interfaces by hiding irrelevant options
  • Administrative Control - Centralize configuration management
  • Data Protection - Restrict access to sensitive system settings

Basic System Preferences Control

Hide Profiles Pane

#!/bin/bash

# Hide Profiles pane from System Preferences
hide_profiles_pane() {
    echo "=== Hiding Profiles Pane ==="
    
    # Check macOS version (hiding requires macOS 13.0+)
    local macos_version=$(sw_vers -productVersion | cut -d. -f1)
    if [[ $macos_version -lt 13 ]]; then
        echo "Warning: Hiding panes requires macOS 13.0 or later"
        echo "Current version: $(sw_vers -productVersion)"
        echo "Using disable instead of hide..."
        disable_profiles_pane
        return
    fi
    
    # Hide the Profiles pane
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        HiddenPreferencePanes -array "com.apple.preferences.configurationprofiles"
    
    if [[ $? -eq 0 ]]; then
        echo "✓ Profiles pane hidden successfully"
        echo "Users will no longer see the Profiles pane in System Preferences"
    else
        echo "✗ Failed to hide Profiles pane"
        return 1
    fi
}

# Disable Profiles pane (alternative for older macOS)
disable_profiles_pane() {
    echo "=== Disabling Profiles Pane ==="
    
    # Disable the Profiles pane (works on macOS 10.2+)
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "com.apple.preferences.configurationprofiles"
    
    if [[ $? -eq 0 ]]; then
        echo "✓ Profiles pane disabled successfully"
        echo "Profiles pane will appear greyed out in System Preferences"
    else
        echo "✗ Failed to disable Profiles pane"
        return 1
    fi
}

# Usage
hide_profiles_pane

Unhide/Re-enable Profiles Pane

#!/bin/bash

# Restore Profiles pane access
restore_profiles_pane() {
    echo "=== Restoring Profiles Pane Access ==="
    
    # Remove from hidden panes
    local hidden_panes=$(defaults read "/Library/Preferences/com.apple.systempreferences" HiddenPreferencePanes 2>/dev/null)
    if [[ -n "$hidden_panes" ]]; then
        echo "Removing from hidden panes..."
        defaults delete "/Library/Preferences/com.apple.systempreferences" HiddenPreferencePanes 2>/dev/null
    fi
    
    # Remove from disabled panes
    local disabled_panes=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null)
    if [[ -n "$disabled_panes" ]]; then
        echo "Removing from disabled panes..."
        defaults delete "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null
    fi
    
    echo "✓ Profiles pane access restored"
    echo "Users can now access the Profiles pane in System Preferences"
}

# Usage
restore_profiles_pane

Multiple Preference Panes Management

#!/bin/bash

# Manage multiple preference panes simultaneously
manage_multiple_panes() {
    local action="${1:-hide}"  # hide, disable, or restore
    local panes=("${@:2}")    # Array of pane identifiers
    
    # "restore" clears both keys and takes no pane arguments
    if [[ "$action" != "restore" && ${#panes[@]} -eq 0 ]]; then
        echo "Usage: manage_multiple_panes [hide|disable|restore] <pane1> [pane2] ..."
        echo "Example: manage_multiple_panes hide profiles bluetooth network"
        return 1
    fi
    
    echo "=== Managing Multiple Preference Panes ==="
    echo "Action: $action"
    echo "Panes: ${panes[*]}"
    echo ""
    
    # Convert friendly names to bundle identifiers
    local bundle_ids=()
    for pane in "${panes[@]}"; do
        local bundle_id=$(get_bundle_identifier "$pane")
        if [[ -n "$bundle_id" ]]; then
            bundle_ids+=("$bundle_id")
            echo "✓ $pane -> $bundle_id"
        else
            echo "✗ Unknown pane: $pane"
        fi
    done
    
    if [[ "$action" != "restore" && ${#bundle_ids[@]} -eq 0 ]]; then
        echo "No valid panes specified"
        return 1
    fi
    
    # Apply the action (-array replaces any list already stored under that key)
    case "$action" in
        "hide")
            defaults write "/Library/Preferences/com.apple.systempreferences" \
                HiddenPreferencePanes -array "${bundle_ids[@]}"
            echo "✓ Panes hidden successfully"
            ;;
        "disable")
            defaults write "/Library/Preferences/com.apple.systempreferences" \
                DisabledPreferencePanes -array "${bundle_ids[@]}"
            echo "✓ Panes disabled successfully"
            ;;
        "restore")
            defaults delete "/Library/Preferences/com.apple.systempreferences" HiddenPreferencePanes 2>/dev/null
            defaults delete "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null
            echo "✓ All panes restored"
            ;;
        *)
            echo "Invalid action: $action"
            return 1
            ;;
    esac
}

# Convert friendly names to bundle identifiers
get_bundle_identifier() {
    local pane_name="$1"
    
    case "$pane_name" in
        "profiles") echo "com.apple.preferences.configurationprofiles" ;;
        "bluetooth") echo "com.apple.preferences.Bluetooth" ;;
        "network") echo "com.apple.preference.network" ;;
        "security") echo "com.apple.preference.security" ;;
        "users") echo "com.apple.preferences.users" ;;
        "sharing") echo "com.apple.preferences.sharing" ;;
        "timemachine") echo "com.apple.prefs.backup" ;;
        "energy") echo "com.apple.preference.energysaver" ;;
        "displays") echo "com.apple.preference.displays" ;;
        "sound") echo "com.apple.preference.sound" ;;
        "keyboard") echo "com.apple.preference.keyboard" ;;
        "mouse") echo "com.apple.preference.mouse" ;;
        "trackpad") echo "com.apple.preference.trackpad" ;;
        "printers") echo "com.apple.preference.printfax" ;;
        "software_update") echo "com.apple.preferences.softwareupdate" ;;
        "date_time") echo "com.apple.preference.datetime" ;;
        "startup_disk") echo "com.apple.preference.startupdisk" ;;
        "accessibility") echo "com.apple.preference.universalaccess" ;;
        "screen_time") echo "com.apple.preference.screentime" ;;
        "extensions") echo "com.apple.preferences.extensions" ;;
        *) echo "" ;;
    esac
}

# Usage examples
# manage_multiple_panes hide profiles bluetooth network
# manage_multiple_panes disable security users sharing
# manage_multiple_panes restore

Advanced System Preferences Management

Policy-Based Preference Management

#!/bin/bash

# Policy-based system preferences management
apply_preference_policy() {
    local policy_name="${1:-standard_office}"
    local user_role="${2:-standard_user}"
    
    echo "=== Applying Preference Policy ==="
    echo "Policy: $policy_name"
    echo "User Role: $user_role"
    echo ""
    
    # Define policies
    case "$policy_name" in
        "kiosk_mode")
            apply_kiosk_policy "$user_role"
            ;;
        "locked_down")
            apply_locked_down_policy "$user_role"
            ;;
        "standard_office")
            apply_standard_office_policy "$user_role"
            ;;
        "developer_workstation")
            apply_developer_policy "$user_role"
            ;;
        "educational")
            apply_educational_policy "$user_role"
            ;;
        "healthcare")
            apply_healthcare_policy "$user_role"
            ;;
        "financial")
            apply_financial_policy "$user_role"
            ;;
        "public_terminal")
            apply_public_terminal_policy "$user_role"
            ;;
        "executive")
            apply_executive_policy "$user_role"
            ;;
        "contractor")
            apply_contractor_policy "$user_role"
            ;;
        *)
            echo "Unknown policy: $policy_name"
            return 1
            ;;
    esac
}

# Kiosk mode policy (maximum restrictions)
apply_kiosk_policy() {
    echo "Applying kiosk mode policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preferences.sharing"
        "com.apple.preference.network"
        "com.apple.prefs.backup"
        "com.apple.preferences.softwareupdate"
        "com.apple.preference.datetime"
        "com.apple.preference.startupdisk"
        "com.apple.preferences.extensions"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        HiddenPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Kiosk policy applied - most preferences hidden"
}

# Locked down policy (high security)
apply_locked_down_policy() {
    echo "Applying locked down policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preferences.sharing"
        "com.apple.prefs.backup"
        "com.apple.preferences.softwareupdate"
        "com.apple.preference.startupdisk"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Locked down policy applied - security-sensitive panes disabled"
}

# Standard office policy (moderate restrictions)
apply_standard_office_policy() {
    echo "Applying standard office policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preferences.sharing"
        "com.apple.preference.startupdisk"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Standard office policy applied - minimal restrictions"
}

# Developer workstation policy (minimal restrictions)
apply_developer_policy() {
    echo "Applying developer workstation policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Developer policy applied - profile management restricted only"
}

# Educational policy (student-appropriate restrictions)
apply_educational_policy() {
    echo "Applying educational policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preferences.sharing"
        "com.apple.preferences.softwareupdate"
        "com.apple.preference.startupdisk"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        HiddenPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Educational policy applied - student-safe configuration"
}

# Healthcare policy (HIPAA compliance focused)
apply_healthcare_policy() {
    echo "Applying healthcare policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.sharing"
        "com.apple.preference.network"
        "com.apple.prefs.backup"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Healthcare policy applied - HIPAA compliance focused"
}

# Financial policy (enhanced security)
apply_financial_policy() {
    echo "Applying financial policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preferences.sharing"
        "com.apple.preference.network"
        "com.apple.prefs.backup"
        "com.apple.preferences.extensions"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Financial policy applied - enhanced security restrictions"
}

# Public terminal policy (maximum protection)
apply_public_terminal_policy() {
    echo "Applying public terminal policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preferences.sharing"
        "com.apple.preference.network"
        "com.apple.prefs.backup"
        "com.apple.preferences.softwareupdate"
        "com.apple.preference.datetime"
        "com.apple.preference.startupdisk"
        "com.apple.preferences.extensions"
        "com.apple.preference.energysaver"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        HiddenPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Public terminal policy applied - maximum protection"
}

# Executive policy (minimal restrictions, full access)
apply_executive_policy() {
    echo "Applying executive policy..."
    # Remove all restrictions for executives
    defaults delete "/Library/Preferences/com.apple.systempreferences" HiddenPreferencePanes 2>/dev/null
    defaults delete "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null
    
    echo "✓ Executive policy applied - full access granted"
}

# Contractor policy (temporary access restrictions)
apply_contractor_policy() {
    echo "Applying contractor policy..."
    local restricted_panes=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preferences.sharing"
        "com.apple.prefs.backup"
        "com.apple.preferences.softwareupdate"
        "com.apple.preference.startupdisk"
        "com.apple.preferences.extensions"
    )
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${restricted_panes[@]}"
    
    echo "✓ Contractor policy applied - temporary access restrictions"
}
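
Each policy function above calls defaults write ... -array, which replaces the whole list under one key, so applying a second policy or a compliance overlay either drops earlier entries or, when the old list is simply prepended, accumulates duplicates. The following is an added example, not Macfleet's code: it merges lists idempotently and reports required panes that are missing from the current restrictions. The function names and the sample defaults output are constructed for illustration.

```bash
#!/bin/bash
# Added example (not Macfleet's code): merge and audit pane restriction lists
# without overwriting what an earlier policy already set.

PREF_DOMAIN="/Library/Preferences/com.apple.systempreferences"

# Constructed sample of what `defaults read "$PREF_DOMAIN" DisabledPreferencePanes`
# prints for a two-element array.
SAMPLE_DEFAULTS_OUTPUT='(
    "com.apple.preferences.sharing",
    "com.apple.preference.network"
)'

# Print one bundle identifier per line from `defaults read` array output.
parse_pane_array() {
    printf '%s\n' "$1" | awk '{ gsub(/[(),"]/, ""); for (i = 1; i <= NF; i++) print $i }'
}

# Union of the current list ($1, raw `defaults read` output) and the required
# identifiers ($2...). First occurrence wins, so repeated runs add nothing.
merge_pane_lists() {
    _current="$1"; shift
    { parse_pane_array "$_current"; printf '%s\n' "$@"; } | awk 'NF && !seen[$0]++'
}

# Required identifiers ($2...) absent from the current list ($1): policy drift.
missing_panes() {
    _have="$(parse_pane_array "$1")"; shift
    for _id in "$@"; do
        printf '%s\n' "$_have" | grep -Fxq -- "$_id" || printf '%s\n' "$_id"
    done
}

# macOS only, run as root: add identifiers to one key, keeping existing entries.
# $1 is HiddenPreferencePanes or DisabledPreferencePanes.
ensure_panes_restricted() {
    _key="$1"; shift
    _raw="$(defaults read "$PREF_DOMAIN" "$_key" 2>/dev/null)"
    # Bundle identifiers contain no whitespace, so word splitting is safe here.
    set -- $(merge_pane_lists "$_raw" "$@")
    defaults write "$PREF_DOMAIN" "$_key" -array "$@"
}

# macOS only: returns 1 and lists the gaps on stderr if a required pane is in
# neither key, i.e. it is still reachable by the user.
audit_required_panes() {
    _hidden="$(defaults read "$PREF_DOMAIN" HiddenPreferencePanes 2>/dev/null)"
    _disabled="$(defaults read "$PREF_DOMAIN" DisabledPreferencePanes 2>/dev/null)"
    _gaps="$(missing_panes "$_hidden $_disabled" "$@")"
    [ -z "$_gaps" ] && return 0
    printf 'unrestricted: %s\n' $_gaps >&2
    return 1
}
```

In a policy function, ensure_panes_restricted DisabledPreferencePanes "${restricted_panes[@]}" takes the place of the bare defaults write call, and audit_required_panes can run from a scheduled check to catch drift.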

Enterprise System Preferences Management Tool

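#!/bin/bash

# MacFleet System Preferences Management Tool
# Comprehensive preference pane control and enterprise policy management

# The associative arrays below (declare -A) need bash 4 or later; the /bin/bash
# shipped with macOS is 3.2, so stop early with a clear message on older shells.
if (( BASH_VERSINFO[0] < 4 )); then
    echo "This script requires bash 4+ (found $BASH_VERSION)" >&2
    exit 1
fi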

# Configuration
SCRIPT_VERSION="1.0.0"
LOG_FILE="/var/log/macfleet_preferences.log"
REPORT_DIR="/etc/macfleet/reports/preferences"
CONFIG_DIR="/etc/macfleet/preferences"
POLICY_DIR="/etc/macfleet/policies/preferences"
BACKUP_DIR="/etc/macfleet/backups/preferences"

# Create directories if they don't exist
mkdir -p "$REPORT_DIR" "$CONFIG_DIR" "$POLICY_DIR" "$BACKUP_DIR"

# Comprehensive preference pane mapping
declare -A PREFERENCE_PANES=(
    ["profiles"]="com.apple.preferences.configurationprofiles"
    ["bluetooth"]="com.apple.preferences.Bluetooth"
    ["network"]="com.apple.preference.network"
    ["security"]="com.apple.preference.security"
    ["users"]="com.apple.preferences.users"
    ["sharing"]="com.apple.preferences.sharing"
    ["timemachine"]="com.apple.prefs.backup"
    ["energy"]="com.apple.preference.energysaver"
    ["displays"]="com.apple.preference.displays"
    ["sound"]="com.apple.preference.sound"
    ["keyboard"]="com.apple.preference.keyboard"
    ["mouse"]="com.apple.preference.mouse"
    ["trackpad"]="com.apple.preference.trackpad"
    ["printers"]="com.apple.preference.printfax"
    ["software_update"]="com.apple.preferences.softwareupdate"
    ["date_time"]="com.apple.preference.datetime"
    ["startup_disk"]="com.apple.preference.startupdisk"
    ["accessibility"]="com.apple.preference.universalaccess"
    ["screen_time"]="com.apple.preference.screentime"
    ["extensions"]="com.apple.preferences.extensions"
    ["spotlight"]="com.apple.preference.spotlight"
    ["language_region"]="com.apple.Localization"
    ["desktop_screensaver"]="com.apple.preference.desktopscreeneffect"
    ["dock"]="com.apple.preference.dock"
    ["mission_control"]="com.apple.preference.expose"
    ["notifications"]="com.apple.preference.notifications"
    ["internet_accounts"]="com.apple.preferences.internetaccounts"
    ["wallet_apple_pay"]="com.apple.preferences.wallet"
    ["siri"]="com.apple.preference.speech"
    ["touch_id"]="com.apple.preferences.password"
)

# Enterprise policy templates
declare -A POLICY_TEMPLATES=(
    ["kiosk_mode"]="Maximum restrictions for public kiosks and displays"
    ["locked_down"]="High security restrictions for sensitive environments"
    ["standard_office"]="Moderate restrictions for typical office environments"
    ["developer_workstation"]="Minimal restrictions for development environments"
    ["educational"]="Student-appropriate restrictions for educational institutions"
    ["healthcare"]="HIPAA-compliant restrictions for healthcare environments"
    ["financial"]="Enhanced security for financial services environments"
    ["public_terminal"]="Maximum protection for public access terminals"
    ["executive"]="Minimal to no restrictions for executive users"
    ["contractor"]="Temporary access restrictions for contract workers"
)

# Compliance frameworks
declare -A COMPLIANCE_FRAMEWORKS=(
    ["hipaa"]="Health Insurance Portability and Accountability Act"
    ["sox"]="Sarbanes-Oxley Act compliance"
    ["pci_dss"]="Payment Card Industry Data Security Standard"
    ["ferpa"]="Family Educational Rights and Privacy Act"
    ["gdpr"]="General Data Protection Regulation"
    ["nist"]="National Institute of Standards and Technology"
    ["iso27001"]="International Organization for Standardization 27001"
    ["cis"]="Center for Internet Security controls"
    ["fisma"]="Federal Information Security Management Act"
    ["common_criteria"]="Common Criteria security evaluation standard"
)

# Logging function
log_action() {
    local message="$1"
    local severity="${2:-INFO}"
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    echo "[$timestamp] [$severity] $message" | tee -a "$LOG_FILE"
}

# Enterprise system preferences management
enterprise_preferences_management() {
    local operation="${1:-status}"
    local policy_name="${2:-standard_office}"
    local target_panes="${3:-}"
    local compliance_framework="${4:-}"
    
    log_action "Starting enterprise preferences management" "INFO"
    log_action "Operation: $operation, Policy: $policy_name" "INFO"
    
    echo "=== Enterprise System Preferences Management ==="
    echo "Operation: $operation"
    echo "Policy: $policy_name"
    echo "Target Panes: ${target_panes:-all_policy_defined}"
    echo "Compliance Framework: ${compliance_framework:-none}"
    echo "Management ID: $(uuidgen)"
    echo ""
    
    # Backup current configuration
    backup_current_configuration
    
    case "$operation" in
        "apply_policy")
            apply_enterprise_policy "$policy_name" "$compliance_framework"
            ;;
        "hide_panes")
            if [[ -n "$target_panes" ]]; then
                hide_specific_panes "$target_panes"
            else
                echo "Error: No target panes specified for hide operation"
                return 1
            fi
            ;;
        "disable_panes")
            if [[ -n "$target_panes" ]]; then
                disable_specific_panes "$target_panes"
            else
                echo "Error: No target panes specified for disable operation"
                return 1
            fi
            ;;
        "restore_all")
            restore_all_preferences
            ;;
        "status")
            show_preferences_status
            ;;
        "audit")
            perform_preferences_audit "$compliance_framework"
            ;;
        "list_policies")
            list_available_policies
            ;;
        "list_panes")
            list_available_panes
            ;;
        *)
            echo "Unknown operation: $operation"
            return 1
            ;;
    esac
    
    # Generate management report
    generate_preferences_report "$operation" "$policy_name" "$target_panes" "$compliance_framework"
    
    log_action "preferences management completed" "INFO"
}

# Backup current configuration
backup_current_configuration() {
    local backup_file="$BACKUP_DIR/preferences_backup_$(date +%Y%m%d_%H%M%S).plist"
    
    echo "--- Creating Configuration Backup ---"
    
    # Copy current system preferences configuration
    if [[ -f "/Library/Preferences/com.apple.systempreferences.plist" ]]; then
        cp "/Library/Preferences/com.apple.systempreferences.plist" "$backup_file"
        echo "✓ Configuration backed up to: $backup_file"
        log_action "Configuration backed up: $backup_file" "INFO"
    else
        echo "⚠️ No existing configuration file found"
        log_action "No existing configuration file to backup" "WARNING"
    fi
}

# Apply enterprise policy with compliance considerations
apply_enterprise_policy() {
    local policy_name="$1"
    local compliance_framework="$2"
    
    echo "--- Applying Enterprise Policy ---"
    echo "Policy: $policy_name"
    echo "Compliance: ${compliance_framework:-none}"
    
    # Apply base policy (the apply_*_policy functions are the ones defined in the
    # policy-based script above and must be included in or sourced by this tool)
    case "$policy_name" in
        "kiosk_mode")
            apply_kiosk_policy
            ;;
        "locked_down")
            apply_locked_down_policy
            ;;
        "standard_office")
            apply_standard_office_policy
            ;;
        "developer_workstation")
            apply_developer_policy
            ;;
        "educational")
            apply_educational_policy
            ;;
        "healthcare")
            apply_healthcare_policy
            ;;
        "financial")
            apply_financial_policy
            ;;
        "public_terminal")
            apply_public_terminal_policy
            ;;
        "executive")
            apply_executive_policy
            ;;
        "contractor")
            apply_contractor_policy
            ;;
        *)
            echo "Unknown policy: $policy_name"
            return 1
            ;;
    esac
    
    # Apply compliance-specific modifications
    if [[ -n "$compliance_framework" ]]; then
        apply_compliance_modifications "$compliance_framework"
    fi
    
    echo "✓ Enterprise policy applied successfully"
}

# Apply compliance-specific modifications
apply_compliance_modifications() {
    local framework="$1"
    
    echo "--- Applying Compliance Modifications ---"
    echo "Framework: $framework"
    
    case "$framework" in
        "hipaa")
            apply_hipaa_compliance
            ;;
        "sox")
            apply_sox_compliance
            ;;
        "pci_dss")
            apply_pci_dss_compliance
            ;;
        "ferpa")
            apply_ferpa_compliance
            ;;
        "gdpr")
            apply_gdpr_compliance
            ;;
        *)
            echo "Unknown compliance framework: $framework"
            ;;
    esac
}

# HIPAA compliance modifications
apply_hipaa_compliance() {
    echo "Applying HIPAA compliance modifications..."
    
    # Additional restrictions for healthcare data protection
    local hipaa_restricted=(
        "com.apple.preferences.sharing"
        "com.apple.preference.network"
        "com.apple.prefs.backup"
        "com.apple.preferences.internetaccounts"
    )
    
    # Get current disabled panes
    local current_disabled=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    
    # Combine with HIPAA requirements
    local combined_disabled=($current_disabled "${hipaa_restricted[@]}")
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${combined_disabled[@]}"
    
    echo "✓ HIPAA compliance modifications applied"
}

# SOX compliance modifications
apply_sox_compliance() {
    echo "Applying SOX compliance modifications..."
    
    # Financial audit and control requirements
    local sox_restricted=(
        "com.apple.preferences.configurationprofiles"
        "com.apple.preference.security"
        "com.apple.preferences.users"
        "com.apple.preference.datetime"
    )
    
    # Similar pattern for SOX
    local current_disabled=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    local combined_disabled=($current_disabled "${sox_restricted[@]}")
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${combined_disabled[@]}"
    
    echo "✓ SOX compliance modifications applied"
}

# PCI DSS compliance modifications
apply_pci_dss_compliance() {
    echo "Applying PCI DSS compliance modifications..."
    
    # Payment card industry requirements
    local pci_restricted=(
        "com.apple.preferences.sharing"
        "com.apple.preference.network"
        "com.apple.preference.security"
        "com.apple.preferences.extensions"
    )
    
    local current_disabled=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    local combined_disabled=($current_disabled "${pci_restricted[@]}")
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${combined_disabled[@]}"
    
    echo "✓ PCI DSS compliance modifications applied"
}

# FERPA compliance modifications
apply_ferpa_compliance() {
    echo "Applying FERPA compliance modifications..."
    
    # Educational privacy requirements
    local ferpa_restricted=(
        "com.apple.preferences.sharing"
        "com.apple.preferences.internetaccounts"
        "com.apple.prefs.backup"
    )
    
    local current_disabled=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    local combined_disabled=($current_disabled "${ferpa_restricted[@]}")
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${combined_disabled[@]}"
    
    echo "✓ FERPA compliance modifications applied"
}

# GDPR compliance modifications
apply_gdpr_compliance() {
    echo "Applying GDPR compliance modifications..."
    
    # European data protection requirements
    local gdpr_restricted=(
        "com.apple.preferences.sharing"
        "com.apple.prefs.backup"
        "com.apple.preferences.internetaccounts"
        "com.apple.preference.notifications"
    )
    
    local current_disabled=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    local combined_disabled=($current_disabled "${gdpr_restricted[@]}")
    
    defaults write "/Library/Preferences/com.apple.systempreferences" \
        DisabledPreferencePanes -array "${combined_disabled[@]}"
    
    echo "✓ GDPR compliance modifications applied"
}

# Show current preferences status
show_preferences_status() {
    echo "--- System Preferences Status ---"
    
    # Check hidden panes
    local hidden_panes=$(defaults read "/Library/Preferences/com.apple.systempreferences" HiddenPreferencePanes 2>/dev/null)
    if [[ -n "$hidden_panes" ]]; then
        echo "Hidden Panes:"
        echo "$hidden_panes" | tr -d '(),"' | tr '\n' ' ' | xargs -n1 | while read pane; do
            if [[ -n "$pane" ]]; then
                local friendly_name=$(get_friendly_name "$pane")
                echo "  - $friendly_name ($pane)"
            fi
        done
    else
        echo "Hidden Panes: None"
    fi
    
    echo ""
    
    # Check disabled panes
    local disabled_panes=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null)
    if [[ -n "$disabled_panes" ]]; then
        echo "Disabled Panes:"
        echo "$disabled_panes" | tr -d '(),"' | tr '\n' ' ' | xargs -n1 | while read pane; do
            if [[ -n "$pane" ]]; then
                local friendly_name=$(get_friendly_name "$pane")
                echo "  - $friendly_name ($pane)"
            fi
        done
    else
        echo "Disabled Panes: None"
    fi
}

# Get friendly name from bundle identifier
get_friendly_name() {
    local bundle_id="$1"
    
    for friendly_name in "${!PREFERENCE_PANES[@]}"; do
        if [[ "${PREFERENCE_PANES[$friendly_name]}" == "$bundle_id" ]]; then
            echo "$friendly_name"
            return
        fi
    done
    
    echo "unknown"
}

# Generate comprehensive preferences report
generate_preferences_report() {
    local operation="$1"
    local policy_name="$2"
    local target_panes="$3"
    local compliance_framework="$4"
    
    local report_file="$REPORT_DIR/preferences_report_$(date +%Y%m%d_%H%M%S).json"
    
    # Get current configuration
    local hidden_panes=$(defaults read "/Library/Preferences/com.apple.systempreferences" HiddenPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    local disabled_panes=$(defaults read "/Library/Preferences/com.apple.systempreferences" DisabledPreferencePanes 2>/dev/null | tr -d '(),"' | tr '\n' ' ')
    
    cat > "$report_file" << EOF
{
    "preferences_report": {
        "report_metadata": {
            "report_id": "$(uuidgen)",
            "generated_date": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "hostname": "$(hostname)",
            "script_version": "$SCRIPT_VERSION",
            "macos_version": "$(sw_vers -productVersion)"
        },
        "operation_details": {
            "operation": "$operation",
            "policy_name": "$policy_name",
            "target_panes": "$target_panes",
            "compliance_framework": "$compliance_framework"
        },
        "current_configuration": {
            "hidden_panes": "$hidden_panes",
            "disabled_panes": "$disabled_panes",
            "total_restrictions": $(echo "$hidden_panes $disabled_panes" | wc -w)
        },
        "system_information": {
            "total_preference_panes": ${#PREFERENCE_PANES[@]},
            "available_policies": ${#POLICY_TEMPLATES[@]},
            "compliance_frameworks": ${#COMPLIANCE_FRAMEWORKS[@]}
        }
    }
}
EOF
    
    echo "Preferences report generated: $report_file"
    log_action "Preferences report generated: $report_file" "INFO"
}

# List available policies
list_available_policies() {
    echo "--- Available Enterprise Policies ---"
    for policy in "${!POLICY_TEMPLATES[@]}"; do
        echo "  $policy: ${POLICY_TEMPLATES[$policy]}"
    done
}

# List available preference panes
list_available_panes() {
    echo "--- Available Preference Panes ---"
    for pane in "${!PREFERENCE_PANES[@]}"; do
        echo "  $pane: ${PREFERENCE_PANES[$pane]}"
    done
}

# Main execution function
main() {
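    local operation="${1:-help}"
    # Positional arguments follow the usage strings below:
    #   apply <policy> [compliance], hide|disable <panes>, audit [compliance]
    local policy="${2:-}"
    local panes="${2:-}"
    local compliance="${3:-}"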
    
    log_action "=== MacFleet System Preferences Management Started ===" "INFO"
    log_action "Operation: $operation" "INFO"
    
    case "$operation" in
        "apply")
            if [[ -z "$policy" ]]; then
                echo "Usage: $0 apply <policy_name> [compliance_framework]"
                echo "Available policies: ${!POLICY_TEMPLATES[*]}"
                exit 1
            fi
            enterprise_preferences_management "apply_policy" "$policy" "" "$compliance"
            ;;
        "hide")
            if [[ -z "$panes" ]]; then
                echo "Usage: $0 hide <pane1,pane2,...>"
                echo "Available panes: ${!PREFERENCE_PANES[*]}"
                exit 1
            fi
            enterprise_preferences_management "hide_panes" "" "$panes"
            ;;
        "disable")
            if [[ -z "$panes" ]]; then
                echo "Usage: $0 disable <pane1,pane2,...>"
                echo "Available panes: ${!PREFERENCE_PANES[*]}"
                exit 1
            fi
            enterprise_preferences_management "disable_panes" "" "$panes"
            ;;
        "restore")
            enterprise_preferences_management "restore_all"
            ;;
        "status")
            enterprise_preferences_management "status"
            ;;
        "audit")
            enterprise_preferences_management "audit" "" "" "$policy"
            ;;
        "list-policies")
            enterprise_preferences_management "list_policies"
            ;;
        "list-panes")
            enterprise_preferences_management "list_panes"
            ;;
        "help")
            echo "Usage: $0 [operation] [options...]"
            echo "Operations:"
            echo "  apply <policy> [compliance] - Apply enterprise policy"
            echo "  hide <panes> - Hide specific preference panes"
            echo "  disable <panes> - Disable specific preference panes"
            echo "  restore - Restore all preference panes"
            echo "  status - Show current preferences status"
            echo "  audit [compliance] - Perform compliance audit"
            echo "  list-policies - List available policies"
            echo "  list-panes - List available preference panes"
            echo "  help - Show this help"
            echo ""
            echo "Available Policies: ${!POLICY_TEMPLATES[*]}"
            echo "Compliance Frameworks: ${!COMPLIANCE_FRAMEWORKS[*]}"
            ;;
        *)
            log_action "ERROR: Unknown operation: $operation" "ERROR"
            echo "Use '$0 help' for usage information"
            exit 1
            ;;
    esac
    
    log_action "=== System preferences management completed ===" "INFO"
}

# Execute main function
main "$@"

Important Considerations

macOS Version Compatibility

  • Hiding Panes: Requires macOS 13.0 or later (HiddenPreferencePanes)
  • Disabling Panes: Works on macOS 10.2 and later (DisabledPreferencePanes)
  • Bundle Identifiers: May change between macOS versions
  • System Integrity Protection: Some restrictions may not apply with SIP enabled

Enterprise Deployment Notes

  • User Impact: Hidden/disabled panes affect all users on the device
  • Administrative Access: Changes require administrator privileges
  • Policy Testing: Always test policies on non-production devices first
  • Backup and Recovery: Maintain configuration backups for policy rollback

Security and Compliance Considerations

  • Principle of Least Privilege: Only restrict access to necessary preference panes
  • Audit Logging: All preference changes should be logged for compliance
  • Compliance Frameworks: Different industries require specific restrictions
  • User Training: Inform users about restricted functionality and alternatives


Configuring a GitHub Actions Runner on a Mac Mini (Apple Silicon)

GitHub Actions is a powerful CI/CD platform that lets you automate your software development workflows. While GitHub offers hosted runners, self-hosted runners give you more control and customization for your CI/CD setup. This tutorial walks you through setting up, configuring, and connecting a self-hosted runner on a Mac mini to run macOS pipelines.

Prerequisites

Before you begin, make sure you have:

  • A Mac mini (sign up with Macfleet)
  • A GitHub repository with administrator rights
  • A package manager installed (preferably Homebrew)
  • Git installed on your system

Step 1: Create a dedicated user account

First, create a dedicated user account for the GitHub Actions runner:

# Create the 'gh-runner' user account
sudo dscl . -create /Users/gh-runner
sudo dscl . -create /Users/gh-runner UserShell /bin/bash
sudo dscl . -create /Users/gh-runner RealName "GitHub runner"
sudo dscl . -create /Users/gh-runner UniqueID "1001"
sudo dscl . -create /Users/gh-runner PrimaryGroupID 20
sudo dscl . -create /Users/gh-runner NFSHomeDirectory /Users/gh-runner

# Set the password for the user (ihr_passwort is a placeholder;
# a password typed on the command line ends up in the shell history)
sudo dscl . -passwd /Users/gh-runner ihr_passwort

# Add 'gh-runner' to the 'admin' group
sudo dscl . -append /Groups/admin GroupMembership gh-runner

Switch to the new user account:

su gh-runner

Step 2: Install the required software

Install Git and Rosetta 2 (if you are using Apple Silicon):

# Install Git if it is not already installed
brew install git

# Install Rosetta 2 for Apple Silicon Macs
softwareupdate --install-rosetta

Step 3: Configure the GitHub Actions runner

  1. Go to your GitHub repository
  2. Navigate to Settings > Actions > Runners
  3. Click "New self-hosted runner" (https://github.com/<username>/<repository>/settings/actions/runners/new)
  4. Select macOS as the runner image and ARM64 as the architecture
  5. Follow the provided commands to download and configure the runner

Create a .env file in the runner's _work directory:

# _work/.env file
ImageOS=macos15
XCODE_15_DEVELOPER_DIR=/Applications/Xcode.app/Contents/Developer

  6. Run the run.sh script in your runner directory to complete the setup.
  7. Verify in the terminal that the runner is active and listening for jobs, and check the GitHub repository settings for the runner association and Idle status.

Step 4: Configure sudoers (optional)

If your Actions need root privileges, configure the sudoers file:

sudo visudo

Add the following line:

gh-runner ALL=(ALL) NOPASSWD: ALL
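
The rule above lets every workflow job on this runner execute any command as root without a password. The following added example (not part of the original tutorial) checks sudoers text for that kind of blanket grant, including grants inherited through a group such as admin from Step 1. The sample sudoers content and the two scoped command paths are constructed assumptions.

```shell
#!/bin/bash
# Added example: find sudoers rules that give a CI account passwordless root
# for every command. It reads plain text and never touches /etc/sudoers.
# Limits: backslash-continued lines and sudoers aliases are not expanded.

# Constructed sample: the tutorial's blanket rule next to a scoped rule
# (the two command paths are illustrative assumptions).
SAMPLE_SUDOERS='# constructed sample, not from a real host
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
gh-runner ALL=(ALL) NOPASSWD: ALL
gh-runner ALL=(root) NOPASSWD: /usr/sbin/softwareupdate, /usr/bin/xcode-select'

# audit_sudoers USER [GROUP...]   (sudoers text on stdin)
# Prints each rule for USER or %GROUP whose NOPASSWD command list contains
# ALL. Returns 1 when at least one such rule exists, otherwise 0.
audit_sudoers() {
    local principals="$1"
    local group
    shift
    for group in "$@"; do principals="$principals %$group"; done
    awk -v principals="$principals" '
        BEGIN { n = split(principals, p, " "); for (i = 1; i <= n; i++) who[p[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        !($1 in who) { next }               # rule belongs to another principal
        {
            at = index($0, "NOPASSWD:")
            if (at == 0) next               # a password is still required
            count = split(substr($0, at + 9), cmd, ",")
            for (i = 1; i <= count; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])
                if (cmd[i] ~ /^PASSWD:/) break          # later commands need a password
                while (sub(/^[A-Z_]+:[ \t]*/, "", cmd[i])) { }  # drop tags such as SETENV:
                if (cmd[i] == "ALL") { print "UNRESTRICTED: " $0; bad = 1; break }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample; gh-runner is also checked as a member of admin.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers gh-runner admin ||
    echo "gh-runner can run any command as root without a password"
```

To check a real host, feed the function the output of `sudo cat /etc/sudoers` and of any files under /etc/sudoers.d.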

Step 5: Use the runner in workflows

Configure your GitHub Actions workflow to use the self-hosted runner:

name: Beispiel-Workflow

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: [self-hosted, macOS, ARM64]
    steps:
      - name: NodeJS installieren
        run: brew install node

The runner is authenticated to your repository and labeled with self-hosted, macOS, and ARM64. Use it in your workflows by specifying these labels in the runs-on field:

runs-on: [self-hosted, macOS, ARM64]

Best Practices

  • Keep your runner software up to date
  • Monitor runner logs regularly for problems
  • Use specific labels for different runner types
  • Implement appropriate security measures
  • Consider using multiple runners for load distribution

Troubleshooting

Common problems and solutions:

  1. Runner does not connect:
    • Check the network connection
    • Verify the validity of the GitHub token
    • Ensure appropriate permissions
  2. Build errors:
    • Check the Xcode installation
    • Check required dependencies
    • Review the workflow logs
  3. Permission problems:
    • Check user permissions
    • Check the sudoers configuration
    • Check file system permissions

Conclusion

You have now configured a self-hosted GitHub Actions runner on your Mac mini. This setup gives you more control over your CI/CD environment and lets you run macOS-specific workflows efficiently.

Remember to maintain your runner regularly and keep it up to date with the latest security patches and software versions.

Native App

Macfleet native App

Macfleet Installation Guide

Macfleet is a powerful fleet management solution built specifically for cloud-hosted Mac Mini environments. As a Mac Mini cloud hosting provider, you can use Macfleet to monitor, manage, and optimize your entire fleet of virtualized Mac instances.

This installation guide walks you through setting up Macfleet monitoring on macOS, Windows, and Linux systems to give you a comprehensive overview of your cloud infrastructure.

🍎 macOS

  • Download the .dmg file for Mac here
  • Double-click the downloaded .dmg file
  • Drag the Macfleet app into the Applications folder
  • Eject the .dmg file
  • Open System Preferences > Security & Privacy
    • Privacy tab > Accessibility
    • Enable Macfleet to allow monitoring
  • Launch Macfleet from Applications
  • Tracking starts automatically

🪟 Windows

  • Download the .exe file for Windows here
  • Right-click the .exe file > "Run as administrator"
  • Follow the installation wizard
  • Accept the terms and conditions
  • Allow in Windows Defender if prompted
  • Grant application monitoring permissions
  • Launch Macfleet from the Start menu
  • The application starts tracking automatically

🐧 Linux

  • Download the .deb package (Ubuntu/Debian) or .rpm (CentOS/RHEL) here
  • Install it with your package manager
    • Ubuntu/Debian: sudo dpkg -i Macfleet-linux.deb
    • CentOS/RHEL: sudo rpm -ivh Macfleet-linux.rpm
  • Allow X11 access permissions if prompted
  • Add the user to the appropriate groups if required
  • Launch Macfleet from the application menu
  • The application starts tracking automatically

Note: After installation on all systems, sign in with your Macfleet credentials to sync data with your dashboard.