File and Folder Open Management on macOS
Efficiently manage file and folder opening operations across your MacFleet deployment with enterprise-grade security features, application control, and comprehensive audit capabilities. This tutorial transforms basic open commands into robust file access management solutions.
Understanding Enterprise File Open Operations
Enterprise file opening requires more than basic access, demanding:
- Security validation to prevent unauthorized file access
- Application control to enforce approved software usage
- Permission verification before file operations
- Audit logging for compliance tracking
- Malware scanning integration for file safety
- Business rules enforcement for data protection
Core Open Operations
Basic File Opening
#!/bin/bash
# Simple file open with validation
open_file() {
local file_path="$1"
# Validate file exists
if [[ ! -f "$file_path" ]]; then
echo "Error: File '$file_path' not found"
return 1
fi
# Open file with default application
if open "$file_path"; then
echo "Successfully opened '$file_path'"
return 0
else
echo "Failed to open '$file_path'"
return 1
fi
}
# Usage example
# open_file "/Users/admin/document.pdf"Application-Specific File Opening
#!/bin/bash
# Open file with specific application
open_with_app() {
local file_path="$1"
local bundle_id="$2"
# Validate file exists
if [[ ! -f "$file_path" ]]; then
echo "Error: File '$file_path' not found"
return 1
fi
# Open file with specified application
if open -b "$bundle_id" "$file_path"; then
echo "Successfully opened '$file_path' with $bundle_id"
return 0
else
echo "Failed to open '$file_path' with $bundle_id"
return 1
fi
}
# Usage examples
# open_with_app "/Users/admin/document.txt" "com.apple.TextEdit"
# open_with_app "/Users/admin/presentation.pptx" "com.microsoft.PowerPoint"Folder Opening
#!/bin/bash
# Open folder in Finder
open_folder() {
local folder_path="$1"
# Validate folder exists
if [[ ! -d "$folder_path" ]]; then
echo "Error: Folder '$folder_path' not found"
return 1
fi
# Open folder in Finder
if open "$folder_path"; then
echo "Successfully opened folder '$folder_path'"
return 0
else
echo "Failed to open folder '$folder_path'"
return 1
fi
}
# Usage example
# open_folder "/Users/admin/Documents"Enterprise Open Management System
#!/bin/bash
# MacFleet Enterprise File Open Management System
# Comprehensive file and folder opening with enterprise features
# Configuration
SCRIPT_NAME="MacFleet Open Manager"
VERSION="1.0.0"
LOG_FILE="/var/log/macfleet_open_operations.log"
QUARANTINE_DIR="/var/quarantine/macfleet"
TEMP_DIR="/tmp/macfleet_open"
ALLOWED_EXTENSIONS=(".pdf" ".docx" ".xlsx" ".pptx" ".txt" ".png" ".jpg" ".gif" ".mp4" ".mov" ".pages" ".numbers" ".keynote")
RESTRICTED_PATHS=("/System" "/usr/bin" "/usr/sbin" "/private/var" "/Library/LaunchDaemons" "/Library/LaunchAgents")
APPROVED_APPLICATIONS=(
"com.apple.TextEdit"
"com.apple.Preview"
"com.apple.QuickTimePlayerX"
"com.microsoft.Word"
"com.microsoft.Excel"
"com.microsoft.PowerPoint"
"com.adobe.Reader"
"com.apple.iWork.Pages"
"com.apple.iWork.Numbers"
"com.apple.iWork.Keynote"
)
BUSINESS_HOURS_START=9
BUSINESS_HOURS_END=17
MAX_FILE_SIZE="100M"
# Create necessary directories
mkdir -p "$TEMP_DIR"
mkdir -p "$QUARANTINE_DIR"
mkdir -p "$(dirname "$LOG_FILE")"
# Logging function
log_operation() {
local level="$1"
local message="$2"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
local username=$(whoami)
echo "[$timestamp] [$level] [$username] $message" | tee -a "$LOG_FILE"
}
# Check if current time is within business hours
is_business_hours() {
local current_hour=$(date +%H)
if [[ $current_hour -ge $BUSINESS_HOURS_START && $current_hour -lt $BUSINESS_HOURS_END ]]; then
return 0
else
return 1
fi
}
# Validate file extension
is_allowed_extension() {
local file="$1"
local extension="${file##*.}"
extension=".$extension"
for allowed in "${ALLOWED_EXTENSIONS[@]}"; do
if [[ "$extension" == "$allowed" ]]; then
return 0
fi
done
return 1
}
# Check if path is restricted
is_restricted_path() {
local path="$1"
for restricted in "${RESTRICTED_PATHS[@]}"; do
if [[ "$path" == "$restricted"* ]]; then
return 0
fi
done
return 1
}
# Check if application is approved
is_approved_application() {
local bundle_id="$1"
for approved in "${APPROVED_APPLICATIONS[@]}"; do
if [[ "$bundle_id" == "$approved" ]]; then
return 0
fi
done
return 1
}
# Get file size
get_file_size() {
local file="$1"
if [[ -f "$file" ]]; then
stat -f%z "$file" 2>/dev/null
else
echo "0"
fi
}
# Convert size string to bytes
size_to_bytes() {
local size="$1"
local number="${size%[A-Za-z]*}"
local unit="${size#$number}"
case "$unit" in
"K"|"KB") echo $((number * 1024)) ;;
"M"|"MB") echo $((number * 1024 * 1024)) ;;
"G"|"GB") echo $((number * 1024 * 1024 * 1024)) ;;
*) echo "$number" ;;
esac
}
# Check file signature/magic number
check_file_signature() {
local file="$1"
local expected_extension="${file##*.}"
if [[ ! -f "$file" ]]; then
return 1
fi
# Get file signature
local signature=$(file -b --mime-type "$file" 2>/dev/null)
# Basic signature validation
case "$expected_extension" in
"pdf")
if [[ "$signature" == "application/pdf" ]]; then
return 0
fi
;;
"txt")
if [[ "$signature" == "text/plain" ]]; then
return 0
fi
;;
"docx")
if [[ "$signature" == "application/vnd.openxmlformats-officedocument.wordprocessingml.document" ]]; then
return 0
fi
;;
"xlsx")
if [[ "$signature" == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" ]]; then
return 0
fi
;;
"pptx")
if [[ "$signature" == "application/vnd.openxmlformats-officedocument.presentationml.presentation" ]]; then
return 0
fi
;;
"png")
if [[ "$signature" == "image/png" ]]; then
return 0
fi
;;
"jpg"|"jpeg")
if [[ "$signature" == "image/jpeg" ]]; then
return 0
fi
;;
*)
# Allow other extensions without strict validation
return 0
;;
esac
log_operation "WARNING" "File signature mismatch: $file (expected: $expected_extension, detected: $signature)"
return 1
}
# Scan file for malware (placeholder for integration)
scan_file_malware() {
local file="$1"
# Placeholder for malware scanning integration
# This would integrate with enterprise antivirus solutions
# Basic checks
if [[ -f "$file" ]]; then
# Check for suspicious extensions
local extension="${file##*.}"
case "$extension" in
"exe"|"bat"|"cmd"|"scr"|"com"|"pif"|"vbs"|"js")
log_operation "SECURITY" "Blocked suspicious file type: $file"
return 1
;;
esac
# Check file size (extremely large files could be suspicious)
local file_size=$(get_file_size "$file")
if [[ $file_size -gt 1073741824 ]]; then # 1GB
log_operation "WARNING" "Large file detected: $file ($(format_size $file_size))"
fi
fi
return 0
}
# Format file size
format_size() {
local bytes="$1"
local sizes=("B" "KB" "MB" "GB" "TB")
local unit=0
while [[ $bytes -gt 1024 && $unit -lt 4 ]]; do
bytes=$((bytes / 1024))
((unit++))
done
echo "${bytes}${sizes[$unit]}"
}
# Get application info
get_app_info() {
local bundle_id="$1"
# Get application path
local app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2>/dev/null | head -1)
if [[ -n "$app_path" ]]; then
local app_name=$(basename "$app_path" .app)
local app_version=$(defaults read "$app_path/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null)
echo "$app_name v$app_version ($app_path)"
else
echo "Unknown application ($bundle_id)"
fi
}
# Enhanced file open with enterprise features
enterprise_open_file() {
local file_path="$1"
local bundle_id="${2:-}"
local force_open="${3:-false}"
local operation_id=$(date +%s)
log_operation "INFO" "Starting file open operation [$operation_id]: $file_path"
# Pre-flight validations
if [[ ! -f "$file_path" ]]; then
log_operation "ERROR" "File not found: $file_path"
return 1
fi
# Check if file path is restricted
if is_restricted_path "$file_path"; then
log_operation "SECURITY" "Blocked access to restricted path: $file_path"
return 1
fi
# Validate file extension
if ! is_allowed_extension "$file_path"; then
log_operation "SECURITY" "Blocked file with unauthorized extension: $file_path"
return 1
fi
# Check file size
local file_size=$(get_file_size "$file_path")
local max_size_bytes=$(size_to_bytes "$MAX_FILE_SIZE")
if [[ $file_size -gt $max_size_bytes ]]; then
log_operation "ERROR" "File too large: $(format_size $file_size) > $MAX_FILE_SIZE"
return 1
fi
# Check file signature
if ! check_file_signature "$file_path"; then
if [[ "$force_open" != "true" ]]; then
log_operation "SECURITY" "File signature validation failed: $file_path"
return 1
else
log_operation "WARNING" "File signature validation failed but force_open enabled: $file_path"
fi
fi
# Malware scanning
if ! scan_file_malware "$file_path"; then
log_operation "SECURITY" "File blocked by security scan: $file_path"
return 1
fi
# Business hours check for sensitive files
if [[ "$file_path" =~ (confidential|secret|private) ]] && ! is_business_hours; then
log_operation "POLICY" "Sensitive file access outside business hours blocked: $file_path"
return 1
fi
# Application validation if specified
if [[ -n "$bundle_id" ]]; then
if ! is_approved_application "$bundle_id"; then
log_operation "SECURITY" "Blocked unauthorized application: $bundle_id"
return 1
fi
# Check if application is installed
local app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2>/dev/null | head -1)
if [[ -z "$app_path" ]]; then
log_operation "ERROR" "Application not found: $bundle_id"
return 1
fi
log_operation "INFO" "Opening with application: $(get_app_info "$bundle_id")"
fi
# Perform the open operation
local open_command="open"
if [[ -n "$bundle_id" ]]; then
open_command="open -b '$bundle_id'"
fi
if eval "$open_command '$file_path'"; then
log_operation "SUCCESS" "File opened successfully [$operation_id]: $file_path"
# Log file access for audit
log_operation "AUDIT" "File accessed: $file_path (size: $(format_size $file_size))"
return 0
else
log_operation "ERROR" "Failed to open file [$operation_id]: $file_path"
return 1
fi
}
# Enhanced folder open with enterprise features
enterprise_open_folder() {
local folder_path="$1"
local reveal_hidden="${2:-false}"
local operation_id=$(date +%s)
log_operation "INFO" "Starting folder open operation [$operation_id]: $folder_path"
# Pre-flight validations
if [[ ! -d "$folder_path" ]]; then
log_operation "ERROR" "Folder not found: $folder_path"
return 1
fi
# Check if folder path is restricted
if is_restricted_path "$folder_path"; then
log_operation "SECURITY" "Blocked access to restricted folder: $folder_path"
return 1
fi
# Business hours check for sensitive folders
if [[ "$folder_path" =~ (confidential|secret|private) ]] && ! is_business_hours; then
log_operation "POLICY" "Sensitive folder access outside business hours blocked: $folder_path"
return 1
fi
# Count files in folder for audit
local file_count=$(find "$folder_path" -type f 2>/dev/null | wc -l)
local folder_size=$(du -sh "$folder_path" 2>/dev/null | awk '{print $1}')
# Perform the open operation
local open_command="open"
if [[ "$reveal_hidden" == "true" ]]; then
open_command="open -R"
fi
if eval "$open_command '$folder_path'"; then
log_operation "SUCCESS" "Folder opened successfully [$operation_id]: $folder_path"
log_operation "AUDIT" "Folder accessed: $folder_path (files: $file_count, size: $folder_size)"
return 0
else
log_operation "ERROR" "Failed to open folder [$operation_id]: $folder_path"
return 1
fi
}
# Bulk file opening with progress monitoring
bulk_open_files() {
local files_list="$1"
local bundle_id="${2:-}"
if [[ ! -f "$files_list" ]]; then
log_operation "ERROR" "Files list not found: $files_list"
return 1
fi
local total_files=$(grep -v '^#\|^$' "$files_list" | wc -l)
local current_file=0
local success_count=0
local failure_count=0
log_operation "INFO" "Starting bulk file open operation - Total files: $total_files"
while IFS= read -r file_path; do
# Skip empty lines and comments
[[ -z "$file_path" || "$file_path" =~ ^#.* ]] && continue
((current_file++))
# Trim whitespace
file_path=$(echo "$file_path" | xargs)
echo "Processing [$current_file/$total_files]: $(basename "$file_path")"
if enterprise_open_file "$file_path" "$bundle_id"; then
((success_count++))
else
((failure_count++))
fi
# Progress update
local progress=$((current_file * 100 / total_files))
echo "Progress: $progress% ($success_count successful, $failure_count failed)"
# Small delay to prevent overwhelming the system
sleep 0.5
done < "$files_list"
log_operation "SUCCESS" "Bulk open completed - Success: $success_count, Failed: $failure_count"
return $failure_count
}
# Generate file access report
generate_access_report() {
local report_file="/tmp/macfleet_access_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "MacFleet File Access Report"
echo "Generated: $(date)"
echo "Hostname: $(hostname)"
echo "User: $(whoami)"
echo "=========================="
echo ""
echo "Recent File Access Operations (Last 24 hours):"
if [[ -f "$LOG_FILE" ]]; then
local yesterday=$(date -v-1d '+%Y-%m-%d')
grep "$yesterday\|$(date '+%Y-%m-%d')" "$LOG_FILE" | grep -E "(AUDIT|SUCCESS)" | tail -50
else
echo "No log file found"
fi
echo ""
echo "Security Events (Last 24 hours):"
if [[ -f "$LOG_FILE" ]]; then
local yesterday=$(date -v-1d '+%Y-%m-%d')
grep "$yesterday\|$(date '+%Y-%m-%d')" "$LOG_FILE" | grep -E "(SECURITY|POLICY)" | tail -20
fi
echo ""
echo "File Access Statistics:"
if [[ -f "$LOG_FILE" ]]; then
echo "Total Operations: $(grep -c "file open operation\|folder open operation" "$LOG_FILE" 2>/dev/null || echo "0")"
echo "Successful: $(grep -c "SUCCESS.*opened successfully" "$LOG_FILE" 2>/dev/null || echo "0")"
echo "Failed: $(grep -c "ERROR.*Failed to open" "$LOG_FILE" 2>/dev/null || echo "0")"
echo "Security Blocks: $(grep -c "SECURITY.*Blocked" "$LOG_FILE" 2>/dev/null || echo "0")"
fi
echo ""
echo "Most Accessed File Types:"
if [[ -f "$LOG_FILE" ]]; then
grep "File accessed:" "$LOG_FILE" | sed 's/.*File accessed: //' | sed 's/ (size:.*//' |
awk -F. '{print $NF}' | sort | uniq -c | sort -nr | head -10
fi
} > "$report_file"
echo "File access report saved to: $report_file"
log_operation "INFO" "Access report generated: $report_file"
}
# Check application permissions
check_app_permissions() {
local bundle_id="$1"
# Check if application has necessary permissions
local app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2>/dev/null | head -1)
if [[ -z "$app_path" ]]; then
echo "Application not found: $bundle_id"
return 1
fi
echo "Application: $(get_app_info "$bundle_id")"
echo "Path: $app_path"
# Check code signature
local signature_status=$(codesign -dv "$app_path" 2>&1 | grep -E "(Signature|Authority)")
echo "Code Signature: $signature_status"
# Check if application is notarized
local notarization=$(spctl -a -vv "$app_path" 2>&1 | grep -E "(accepted|source=)")
echo "Notarization: $notarization"
return 0
}
# Main open management function
main() {
local action="${1:-help}"
case "$action" in
"open-file")
local file_path="$2"
local bundle_id="$3"
local force_open="${4:-false}"
if [[ -z "$file_path" ]]; then
echo "Usage: $0 open-file <file_path> [bundle_id] [force_open]"
exit 1
fi
enterprise_open_file "$file_path" "$bundle_id" "$force_open"
;;
"open-folder")
local folder_path="$2"
local reveal_hidden="${3:-false}"
if [[ -z "$folder_path" ]]; then
echo "Usage: $0 open-folder <folder_path> [reveal_hidden]"
exit 1
fi
enterprise_open_folder "$folder_path" "$reveal_hidden"
;;
"bulk-open")
local files_list="$2"
local bundle_id="$3"
if [[ -z "$files_list" ]]; then
echo "Usage: $0 bulk-open <files_list> [bundle_id]"
exit 1
fi
bulk_open_files "$files_list" "$bundle_id"
;;
"check-app")
local bundle_id="$2"
if [[ -z "$bundle_id" ]]; then
echo "Usage: $0 check-app <bundle_id>"
exit 1
fi
check_app_permissions "$bundle_id"
;;
"report")
generate_access_report
;;
"help"|*)
echo "$SCRIPT_NAME v$VERSION"
echo "Enterprise File and Folder Open Management"
echo ""
echo "Usage: $0 <action> [options]"
echo ""
echo "Actions:"
echo " open-file <file_path> [bundle_id] [force_open] - Open single file"
echo " open-folder <folder_path> [reveal_hidden] - Open folder in Finder"
echo " bulk-open <files_list> [bundle_id] - Open multiple files"
echo " check-app <bundle_id> - Check application permissions"
echo " report - Generate access report"
echo " help - Show this help message"
echo ""
echo "Common Bundle IDs:"
echo " com.apple.TextEdit - TextEdit"
echo " com.apple.Preview - Preview"
echo " com.microsoft.Word - Microsoft Word"
echo " com.microsoft.Excel - Microsoft Excel"
echo " com.microsoft.PowerPoint - Microsoft PowerPoint"
echo " com.adobe.Reader - Adobe Reader"
echo " com.apple.iWork.Pages - Pages"
echo " com.apple.iWork.Numbers - Numbers"
echo " com.apple.iWork.Keynote - Keynote"
echo ""
echo "Features:"
echo " • Security validation and malware scanning"
echo " • Application control and approval management"
echo " • File signature verification"
echo " • Business hours compliance checking"
echo " • Comprehensive audit logging"
echo " • Bulk operations with progress monitoring"
echo " • Detailed access reporting"
;;
esac
}
# Execute main function with all arguments
main "$@" 
