Tutorial

Protect critical files and applications across your MacFleet devices using advanced file protection techniques, immutable flags, and enterprise security policies. This tutorial provides comprehensive tools for implementing organizational file security standards.

Understanding macOS File Protection Methods

macOS offers several file protection mechanisms:

• Immutable Flags - System-level protection preventing modification or deletion
• File Permissions - User and group-based access controls
• Extended Attributes - Additional metadata for security enforcement
• System Integrity Protection (SIP) - Built-in protection for system files

Basic File Protection Commands

Lock Single File

#!/bin/bash

# Lock a file using immutable flag
FILE_PATH="/Applications/WhatsApp.app"

chflags schg "$FILE_PATH"
echo "File locked: $FILE_PATH"

Unlock Single File

#!/bin/bash

# Unlock a file by removing immutable flag
FILE_PATH="/Applications/WhatsApp.app"

chflags noschg "$FILE_PATH"
echo "File unlocked: $FILE_PATH"

Check File Protection Status

#!/bin/bash

# Check if file is protected
FILE_PATH="/Applications/WhatsApp.app"

if ls -lO "$FILE_PATH" | grep -q "schg"; then
    echo "File is protected: $FILE_PATH"
else
    echo "File is not protected: $FILE_PATH"
fi

Enterprise File Protection System

#!/bin/bash

# MacFleet Enterprise File Protection System
# Comprehensive file security and protection management

# Configuration
MACFLEET_DIR="/etc/macfleet"
POLICIES_DIR="$MACFLEET_DIR/file_policies"
REPORTS_DIR="$MACFLEET_DIR/reports"
COMPLIANCE_DIR="$MACFLEET_DIR/compliance"
AUDIT_DIR="$MACFLEET_DIR/audit"
LOG_FILE="/var/log/macfleet_file_protection.log"
BACKUP_DIR="$MACFLEET_DIR/backups"

# Create directory structure
create_directories() {
    local dirs=("$MACFLEET_DIR" "$POLICIES_DIR" "$REPORTS_DIR" "$COMPLIANCE_DIR" "$AUDIT_DIR" "$BACKUP_DIR")
    for dir in "${dirs[@]}"; do
        [[ ! -d "$dir" ]] && mkdir -p "$dir"
    done
}

# Logging function
log_action() {
    local message="$1"
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    echo "[$timestamp] $message" | tee -a "$LOG_FILE"
}

# File Categories for Enterprise Protection
declare -A FILE_CATEGORIES=(
    ["critical_apps"]="/Applications/System Preferences.app,/Applications/Terminal.app,/Applications/Utilities"
    ["business_apps"]="/Applications/Microsoft Office,/Applications/Slack.app,/Applications/Zoom.app"
    ["system_configs"]="/etc/hosts,/etc/sudoers,/etc/ssh/sshd_config"
    ["security_tools"]="/Applications/1Password.app,/Applications/Keychain Access.app"
    ["development_tools"]="/Applications/Xcode.app,/Applications/Visual Studio Code.app"
    ["admin_utilities"]="/Applications/Activity Monitor.app,/Applications/Console.app"
)

# Protection Levels
declare -A PROTECTION_LEVELS=(
    ["maximum"]="schg,uappnd,uchg"        # System immutable, user append-only, user immutable
    ["high"]="schg,uchg"                  # System immutable, user immutable
    ["moderate"]="uchg"                   # User immutable only
    ["minimal"]="uappnd"                  # User append-only
    ["readonly"]="ro"                     # Read-only access
)

# Security Policies
declare -A SECURITY_POLICIES=(
    ["enterprise_lockdown"]="critical_apps:maximum,business_apps:high,system_configs:maximum,security_tools:high"
    ["standard_protection"]="critical_apps:high,system_configs:high,security_tools:moderate"
    ["development_safe"]="critical_apps:moderate,system_configs:high,development_tools:minimal"
    ["minimal_security"]="system_configs:moderate,security_tools:minimal"
    ["maintenance_mode"]="system_configs:readonly"
)

# Apply protection to file or directory
protect_file() {
    local file_path="$1"
    local protection_level="$2"
    local policy="$3"
    
    if [[ ! -e "$file_path" ]]; then
        log_action "ERROR: File not found: $file_path"
        return 1
    fi
    
    # Backup current flags
    local current_flags=$(ls -lO "$file_path" 2>/dev/null | awk '{print $5}' || echo "none")
    echo "$file_path:$current_flags:$(date)" >> "$BACKUP_DIR/file_flags_backup.log"
    
    # Apply protection based on level
    local flags="${PROTECTION_LEVELS[$protection_level]}"
    if [[ -z "$flags" ]]; then
        log_action "ERROR: Unknown protection level: $protection_level"
        return 1
    fi
    
    # Split flags and apply each one
    IFS=',' read -ra flag_array <<< "$flags"
    for flag in "${flag_array[@]}"; do
        if chflags "$flag" "$file_path" 2>/dev/null; then
            log_action "Applied protection flag '$flag' to: $file_path (Policy: $policy)"
        else
            log_action "ERROR: Failed to apply flag '$flag' to: $file_path"
        fi
    done
    
    # Set restrictive permissions if needed
    if [[ "$protection_level" == "maximum" || "$protection_level" == "high" ]]; then
        chmod 644 "$file_path" 2>/dev/null
        log_action "Set restrictive permissions for: $file_path"
    fi
    
    # Save protection metadata
    echo "file=$file_path,protection=$protection_level,policy=$policy,timestamp=$(date),user=$(whoami)" >> "$POLICIES_DIR/applied_protections.log"
}

# Remove protection from file
unprotect_file() {
    local file_path="$1"
    local reason="$2"
    
    if [[ ! -e "$file_path" ]]; then
        log_action "ERROR: File not found: $file_path"
        return 1
    fi
    
    # Remove all common protection flags
    local flags_to_remove=("schg" "uchg" "uappnd" "ro")
    
    for flag in "${flags_to_remove[@]}"; do
        if chflags "no$flag" "$file_path" 2>/dev/null; then
            log_action "Removed protection flag '$flag' from: $file_path (Reason: $reason)"
        fi
    done
    
    # Restore standard permissions
    if [[ -f "$file_path" ]]; then
        chmod 644 "$file_path" 2>/dev/null
    elif [[ -d "$file_path" ]]; then
        chmod 755 "$file_path" 2>/dev/null
    fi
    
    log_action "File unprotected: $file_path (Reason: $reason)"
}

# Apply protection to file category
protect_category() {
    local category="$1"
    local protection_level="$2"
    local policy="$3"
    
    if [[ -z "${FILE_CATEGORIES[$category]}" ]]; then
        log_action "ERROR: Unknown file category: $category"
        return 1
    fi
    
    log_action "Protecting category: $category with level: $protection_level (Policy: $policy)"
    
    # Split comma-separated file paths
    IFS=',' read -ra files <<< "${FILE_CATEGORIES[$category]}"
    
    for file_path in "${files[@]}"; do
        # Handle wildcard patterns
        if [[ "$file_path" == *"*"* ]]; then
            # Use find for pattern matching
            find "${file_path%/*}" -name "${file_path##*/}" 2>/dev/null | while read -r found_file; do
                protect_file "$found_file" "$protection_level" "$policy"
            done
        else
            protect_file "$file_path" "$protection_level" "$policy"
        fi
    done
}

# Apply comprehensive security policy
apply_security_policy() {
    local policy="$1"
    
    if [[ -z "${SECURITY_POLICIES[$policy]}" ]]; then
        log_action "ERROR: Unknown security policy: $policy"
        return 1
    fi
    
    log_action "Applying security policy: $policy"
    
    # Parse policy string: "category:level,category:level"
    IFS=',' read -ra policy_items <<< "${SECURITY_POLICIES[$policy]}"
    
    for item in "${policy_items[@]}"; do
        IFS=':' read -ra parts <<< "$item"
        local category="${parts[0]}"
        local protection_level="${parts[1]}"
        
        protect_category "$category" "$protection_level" "$policy"
    done
    
    log_action "Security policy '$policy' applied successfully"
    
    # Generate compliance report
    generate_compliance_report "$policy"
}

# Bulk file protection operations
bulk_protect_files() {
    local file_list="$1"
    local protection_level="$2"
    local policy="$3"
    
    if [[ ! -f "$file_list" ]]; then
        log_action "ERROR: File list not found: $file_list"
        return 1
    fi
    
    log_action "Starting bulk protection operation from list: $file_list"
    local protected_count=0
    local failed_count=0
    
    while IFS= read -r file_path; do
        [[ -z "$file_path" || "$file_path" =~ ^#.*$ ]] && continue
        
        if protect_file "$file_path" "$protection_level" "$policy"; then
            ((protected_count++))
        else
            ((failed_count++))
        fi
    done < "$file_list"
    
    log_action "Bulk protection completed: $protected_count protected, $failed_count failed"
}

# Critical system file protection
protect_system_files() {
    local protection_mode="$1"
    
    log_action "Applying system file protection: $protection_mode"
    
    # Define critical system files
    local critical_files=(
        "/etc/hosts"
        "/etc/sudoers"
        "/etc/ssh/sshd_config"
        "/etc/passwd"
        "/etc/group"
        "/System/Library/LaunchDaemons"
        "/Library/LaunchDaemons"
        "/usr/bin/sudo"
        "/bin/sh"
        "/bin/bash"
    )
    
    case "$protection_mode" in
        "lockdown")
            for file in "${critical_files[@]}"; do
                if [[ -e "$file" ]]; then
                    protect_file "$file" "maximum" "system_lockdown"
                fi
            done
            ;;
        "standard")
            for file in "${critical_files[@]}"; do
                if [[ -e "$file" ]]; then
                    protect_file "$file" "high" "system_standard"
                fi
            done
            ;;
        "minimal")
            for file in "${critical_files[@]}"; do
                if [[ -e "$file" ]]; then
                    protect_file "$file" "moderate" "system_minimal"
                fi
            done
            ;;
    esac
    
    log_action "System file protection applied: $protection_mode"
}

# File integrity monitoring
monitor_file_integrity() {
    local monitoring_mode="$1"
    local monitor_file="$POLICIES_DIR/integrity_monitor.log"
    
    log_action "Starting file integrity monitoring: $monitoring_mode"
    
    # Get list of protected files
    local protected_files=()
    if [[ -f "$POLICIES_DIR/applied_protections.log" ]]; then
        while IFS=',' read -r entry; do
            if [[ "$entry" =~ file=([^,]+) ]]; then
                protected_files+=("${BASH_REMATCH[1]}")
            fi
        done < "$POLICIES_DIR/applied_protections.log"
    fi
    
    # Monitor files for changes
    for file in "${protected_files[@]}"; do
        if [[ -e "$file" ]]; then
            local current_hash=$(shasum -a 256 "$file" 2>/dev/null | cut -d' ' -f1)
            local current_flags=$(ls -lO "$file" 2>/dev/null | awk '{print $5}' || echo "none")
            local timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
            
            echo "$timestamp:$file:$current_hash:$current_flags" >> "$monitor_file"
        fi
    done
    
    log_action "File integrity monitoring completed: $monitoring_mode"
}

# Emergency unlock procedures
emergency_unlock() {
    local reason="$1"
    local unlock_scope="$2"
    
    log_action "EMERGENCY UNLOCK INITIATED - Reason: $reason, Scope: $unlock_scope"
    
    case "$unlock_scope" in
        "all")
            # Unlock all protected files
            if [[ -f "$POLICIES_DIR/applied_protections.log" ]]; then
                while IFS=',' read -r entry; do
                    if [[ "$entry" =~ file=([^,]+) ]]; then
                        unprotect_file "${BASH_REMATCH[1]}" "emergency_unlock"
                    fi
                done < "$POLICIES_DIR/applied_protections.log"
            fi
            ;;
        "system")
            # Unlock only system files
            local system_files=("/etc/hosts" "/etc/sudoers" "/etc/ssh/sshd_config")
            for file in "${system_files[@]}"; do
                if [[ -e "$file" ]]; then
                    unprotect_file "$file" "emergency_system_unlock"
                fi
            done
            ;;
        "applications")
            # Unlock application files
            find /Applications -name "*.app" -exec chflags noschg {} \; 2>/dev/null
            log_action "Emergency unlock completed for applications"
            ;;
    esac
    
    # Create emergency unlock record
    echo "emergency_unlock:$reason:$unlock_scope:$(date):$(whoami)" >> "$AUDIT_DIR/emergency_operations.log"
    log_action "Emergency unlock completed: $unlock_scope"
}

# Generate comprehensive compliance report
generate_compliance_report() {
    local policy="$1"
    local report_file="$REPORTS_DIR/file_protection_compliance_$(date +%Y%m%d_%H%M%S).json"
    
    local protected_files_count=0
    local total_files_checked=0
    
    # Count protected files
    if [[ -f "$POLICIES_DIR/applied_protections.log" ]]; then
        protected_files_count=$(wc -l < "$POLICIES_DIR/applied_protections.log")
    fi
    
    # Count total files in categories
    for category in "${!FILE_CATEGORIES[@]}"; do
        IFS=',' read -ra files <<< "${FILE_CATEGORIES[$category]}"
        total_files_checked=$((total_files_checked + ${#files[@]}))
    done
    
    cat > "$report_file" << EOF
{
  "report_metadata": {
    "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
    "hostname": "$(hostname)",
    "policy_applied": "$policy",
    "report_version": "1.0"
  },
  "file_protection_status": {
    "protected_files_count": $protected_files_count,
    "total_files_checked": $total_files_checked,
    "protection_coverage": $(echo "scale=2; $protected_files_count * 100 / $total_files_checked" | bc -l 2>/dev/null || echo "0"),
    "emergency_unlocks_recorded": $([ -f "$AUDIT_DIR/emergency_operations.log" ] && wc -l < "$AUDIT_DIR/emergency_operations.log" || echo "0")
  },
  "security_policy": {
    "name": "$policy",
    "categories_protected": $(echo "${!FILE_CATEGORIES[@]}" | wc -w),
    "compliance_frameworks": ["SOX", "HIPAA", "NIST", "ISO27001", "PCI-DSS"]
  },
  "system_status": {
    "sip_enabled": $(csrutil status | grep -q "enabled" && echo "true" || echo "false"),
    "gatekeeper_enabled": $(spctl --status | grep -q "enabled" && echo "true" || echo "false"),
    "filevault_enabled": $(fdesetup status | grep -q "On" && echo "true" || echo "false"),
    "backup_available": $([ -f "$BACKUP_DIR/file_flags_backup.log" ] && echo "true" || echo "false")
  },
  "integrity_monitoring": {
    "active": $([ -f "$POLICIES_DIR/integrity_monitor.log" ] && echo "true" || echo "false"),
    "last_check": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
    "monitored_files": $([ -f "$POLICIES_DIR/integrity_monitor.log" ] && wc -l < "$POLICIES_DIR/integrity_monitor.log" || echo "0")
  }
}
EOF
    
    log_action "Compliance report generated: $report_file"
    echo "Report saved to: $report_file"
}

# Health check and validation
perform_health_check() {
    echo "=== MacFleet File Protection Health Check ==="
    
    # Check system integrity protection
    local sip_status=$(csrutil status 2>/dev/null || echo "Unknown")
    echo "✓ System Integrity Protection: $sip_status"
    
    # Check protected files
    local protected_count=0
    if [[ -f "$POLICIES_DIR/applied_protections.log" ]]; then
        protected_count=$(wc -l < "$POLICIES_DIR/applied_protections.log")
    fi
    echo "✓ Protected files: $protected_count"
    
    # Check critical system files
    local critical_protected=0
    local critical_files=("/etc/hosts" "/etc/sudoers" "/etc/ssh/sshd_config")
    for file in "${critical_files[@]}"; do
        if [[ -e "$file" ]] && ls -lO "$file" | grep -q "schg"; then
            ((critical_protected++))
        fi
    done
    echo "✓ Critical system files protected: $critical_protected/${#critical_files[@]}"
    
    # Check backup availability
    if [[ -f "$BACKUP_DIR/file_flags_backup.log" ]]; then
        local backup_entries=$(wc -l < "$BACKUP_DIR/file_flags_backup.log")
        echo "✓ Backup entries: $backup_entries"
    else
        echo "○ No backup records found"
    fi
    
    # Check integrity monitoring
    if [[ -f "$POLICIES_DIR/integrity_monitor.log" ]]; then
        local monitor_entries=$(wc -l < "$POLICIES_DIR/integrity_monitor.log")
        echo "✓ Integrity monitoring entries: $monitor_entries"
    else
        echo "○ No integrity monitoring active"
    fi
    
    # Check for emergency operations
    if [[ -f "$AUDIT_DIR/emergency_operations.log" ]]; then
        local emergency_count=$(wc -l < "$AUDIT_DIR/emergency_operations.log")
        echo "⚠️  Emergency operations recorded: $emergency_count"
    else
        echo "✓ No emergency operations recorded"
    fi
}

# Fleet deployment function
deploy_to_fleet() {
    local policy="$1"
    local fleet_file="$2"
    
    if [[ ! -f "$fleet_file" ]]; then
        log_action "ERROR: Fleet file not found: $fleet_file"
        return 1
    fi
    
    log_action "Starting fleet deployment of policy: $policy"
    
    while IFS= read -r host; do
        [[ -z "$host" || "$host" =~ ^#.*$ ]] && continue
        
        echo "Deploying to: $host"
        
        # Copy this script to remote host and execute
        ssh "$host" "bash -s" << EOF
#!/bin/bash
# Remote deployment of file protection policy: $policy

# Create directories
mkdir -p /etc/macfleet/{file_policies,reports,compliance,audit,backups}

# Apply the policy (simplified for remote execution)
$(declare -p FILE_CATEGORIES)
$(declare -p PROTECTION_LEVELS)
$(declare -p SECURITY_POLICIES)
$(type apply_security_policy | sed '1d')

apply_security_policy "$policy"
EOF
        
        if [[ $? -eq 0 ]]; then
            log_action "Successfully deployed to: $host"
        else
            log_action "Failed to deploy to: $host"
        fi
        
    done < "$fleet_file"
    
    log_action "Fleet deployment completed"
}

# Main execution function
main() {
    create_directories
    
    case "${1:-}" in
        "apply_policy")
            apply_security_policy "$2"
            ;;
        "protect_file")
            protect_file "$2" "${3:-moderate}" "manual"
            ;;
        "unprotect_file")
            unprotect_file "$2" "${3:-manual_unlock}"
            ;;
        "protect_category")
            protect_category "$2" "${3:-moderate}" "manual"
            ;;
        "bulk_protect")
            bulk_protect_files "$2" "${3:-moderate}" "bulk_operation"
            ;;
        "protect_system")
            protect_system_files "${2:-standard}"
            ;;
        "monitor_integrity")
            monitor_file_integrity "${2:-standard}"
            ;;
        "emergency_unlock")
            emergency_unlock "${2:-manual}" "${3:-all}"
            ;;
        "health_check")
            perform_health_check
            ;;
        "report")
            generate_compliance_report "${2:-manual}"
            ;;
        "deploy")
            deploy_to_fleet "$2" "$3"
            ;;
        "help"|*)
            echo "MacFleet Enterprise File Protection System"
            echo ""
            echo "Usage: $0 <command> [options]"
            echo ""
            echo "Commands:"
            echo "  apply_policy <policy>           - Apply security policy (enterprise_lockdown|standard_protection|development_safe|minimal_security|maintenance_mode)"
            echo "  protect_file <path> [level]     - Protect single file (maximum|high|moderate|minimal|readonly)"
            echo "  unprotect_file <path> [reason]  - Remove protection from file"
            echo "  protect_category <category> [level] - Protect file category (critical_apps|business_apps|system_configs|security_tools|development_tools|admin_utilities)"
            echo "  bulk_protect <file_list> [level] - Protect files from list"
            echo "  protect_system [mode]           - Protect system files (lockdown|standard|minimal)"
            echo "  monitor_integrity [mode]        - Monitor file integrity (standard|strict)"
            echo "  emergency_unlock <reason> [scope] - Emergency unlock (all|system|applications)"
            echo "  health_check                    - Perform system health check"
            echo "  report [policy]                 - Generate compliance report"
            echo "  deploy <policy> <fleet_file>    - Deploy policy to fleet"
            echo ""
            echo "Examples:"
            echo "  $0 apply_policy enterprise_lockdown"
            echo "  $0 protect_file /Applications/Terminal.app maximum"
            echo "  $0 protect_system lockdown"
            echo "  $0 emergency_unlock 'maintenance required' system"
            echo "  $0 health_check"
            ;;
    esac
}

# Execute main function
main "$@"

Protection Levels Explained

File Protection Use Cases

Protect Critical Applications

# Protect system utilities from modification
./file_protection.sh protect_category critical_apps maximum

# Protect business applications
./file_protection.sh protect_category business_apps high

System Configuration Protection

# Lock down system configuration files
./file_protection.sh protect_system lockdown

# Standard system protection
./file_protection.sh protect_system standard

Development Environment Safety

# Apply development-safe policy
./file_protection.sh apply_policy development_safe

# Protect development tools with minimal restrictions
./file_protection.sh protect_category development_tools minimal

Emergency Procedures

Complete System Unlock

# Emergency unlock all files
./file_protection.sh emergency_unlock "critical_maintenance" all

# Unlock only system files
./file_protection.sh emergency_unlock "system_update" system

File Recovery

# Check protection status
ls -lO /Applications/Terminal.app

# Remove specific protection
./file_protection.sh unprotect_file /Applications/Terminal.app "maintenance"

Important Security Considerations

• System Integrity Protection (SIP) provides additional layer beyond file flags
• Root privileges required for system immutable flags (schg)
• Backup protection state before making changes
• Emergency procedures should be tested and documented
• File integrity monitoring helps detect unauthorized changes

Compliance and Auditing

The enterprise system provides comprehensive audit trails for:

• SOX Compliance - Financial data protection requirements
• HIPAA Requirements - Healthcare information security
• PCI-DSS Standards - Payment card industry data security
• NIST Framework - Cybersecurity standards compliance
• ISO 27001 - Information security management

Testing and Validation

Before enterprise deployment:

1. Test protection levels on non-critical files first
2. Verify emergency unlock procedures work correctly
3. Confirm business applications remain functional
4. Test integrity monitoring accuracy
5. Validate compliance reporting completeness

This comprehensive system transforms basic file locking into an enterprise-grade protection platform with advanced security policies, compliance monitoring, and fleet management capabilities.

Master file and folder ownership operations on your MacFleet devices using powerful command-line tools. This tutorial covers ownership changes, permission management, group assignments, and advanced ownership policies for secure file system administration.

Understanding macOS File Ownership

macOS file ownership system consists of several key concepts:

• Owner (User) - The user who owns the file/folder and has primary control
• Group - A collection of users who share specific permissions
• Others - All other users on the system
• Permissions - Read (r), Write (w), Execute (x) permissions for each category

Basic File Ownership Operations

Change File Owner

#!/bin/bash

# Change ownership of a specific file
USERNAME="Daniel"
FILE_PATH="/Users/Alex/Desktop/Dustin"

chown "$USERNAME" "$FILE_PATH"

echo "File ownership changed to $USERNAME successfully"

Change Folder Owner

#!/bin/bash

# Change ownership of a folder
USERNAME="Daniel"
FOLDER_PATH="/Users/Alex/Desktop/ProjectFolder"

chown "$USERNAME" "$FOLDER_PATH"

echo "Folder ownership changed to $USERNAME successfully"

Recursive Ownership Change

#!/bin/bash

# Change ownership recursively for all files and subfolders
USERNAME="Daniel"
FOLDER_PATH="/Users/Alex/Desktop/ProjectFolder"

chown -R "$USERNAME" "$FOLDER_PATH"

echo "Recursive ownership change completed for $USERNAME"

Advanced Ownership Management

Change Owner and Group

#!/bin/bash

# Change both owner and group
USERNAME="Daniel"
GROUPNAME="developers"
FILE_PATH="/Users/Alex/Desktop/project.txt"

chown "$USERNAME:$GROUPNAME" "$FILE_PATH"

echo "Ownership changed to $USERNAME:$GROUPNAME"

Ownership with Permission Verification

#!/bin/bash

# Change ownership and verify permissions
change_ownership_safe() {
    local username="$1"
    local file_path="$2"
    
    # Verify file exists
    if [[ ! -e "$file_path" ]]; then
        echo "Error: File or folder not found: $file_path"
        return 1
    fi
    
    # Verify user exists
    if ! id "$username" &>/dev/null; then
        echo "Error: User '$username' does not exist"
        return 1
    fi
    
    # Get current ownership
    local current_owner=$(stat -f "%Su" "$file_path")
    echo "Current owner: $current_owner"
    
    # Change ownership
    if chown "$username" "$file_path"; then
        echo "Ownership successfully changed from $current_owner to $username"
        
        # Display new permissions
        echo "New permissions:"
        ls -la "$file_path"
        return 0
    else
        echo "Error: Failed to change ownership"
        return 1
    fi
}

# Usage example
change_ownership_safe "Daniel" "/Users/Alex/Desktop/document.txt"

Bulk Ownership Management

#!/bin/bash

# Change ownership for multiple files/folders
bulk_ownership_change() {
    local username="$1"
    shift
    local paths=("$@")
    
    echo "Starting bulk ownership change to user: $username"
    
    for path in "${paths[@]}"; do
        if [[ -e "$path" ]]; then
            if chown "$username" "$path"; then
                echo "✓ Changed ownership: $path"
            else
                echo "✗ Failed to change ownership: $path"
            fi
        else
            echo "✗ File not found: $path"
        fi
    done
    
    echo "Bulk ownership change completed"
}

# Usage example
bulk_ownership_change "Daniel" "/Users/Alex/Desktop/file1.txt" "/Users/Alex/Desktop/file2.txt" "/Users/Alex/Desktop/folder1"

Permission Management

Set Specific Permissions

#!/bin/bash

# Change ownership and set specific permissions
set_ownership_and_permissions() {
    local username="$1"
    local file_path="$2"
    local permissions="$3"
    
    echo "Setting ownership and permissions for: $file_path"
    
    # Change ownership
    chown "$username" "$file_path"
    
    # Set permissions
    chmod "$permissions" "$file_path"
    
    echo "Ownership: $username, Permissions: $permissions"
    ls -la "$file_path"
}

# Usage examples
set_ownership_and_permissions "Daniel" "/Users/Alex/Desktop/script.sh" "755"
set_ownership_and_permissions "Daniel" "/Users/Alex/Desktop/document.txt" "644"

Permission Analysis

#!/bin/bash

# Analyze current permissions and ownership
analyze_permissions() {
    local file_path="$1"
    
    if [[ ! -e "$file_path" ]]; then
        echo "File or folder not found: $file_path"
        return 1
    fi
    
    echo "=== Permission Analysis for: $file_path ==="
    
    # Get detailed information
    local owner=$(stat -f "%Su" "$file_path")
    local group=$(stat -f "%Sg" "$file_path")
    local permissions=$(stat -f "%Sp" "$file_path")
    local octal_permissions=$(stat -f "%A" "$file_path")
    local size=$(stat -f "%z" "$file_path")
    local modified=$(stat -f "%Sm" "$file_path")
    
    echo "Owner: $owner"
    echo "Group: $group"
    echo "Permissions: $permissions"
    echo "Octal: $octal_permissions"
    echo "Size: $size bytes"
    echo "Modified: $modified"
    
    # Check if writable by others
    if [[ "$permissions" =~ .*w.*w.*w.* ]]; then
        echo "⚠️  WARNING: File is world-writable"
    fi
    
    # Check if executable
    if [[ "$permissions" =~ .*x.* ]]; then
        echo "ℹ️  File is executable"
    fi
}

# Usage
analyze_permissions "/Users/Alex/Desktop/document.txt"

Enterprise Ownership Management System

#!/bin/bash

# MacFleet File Ownership Management Tool
# Comprehensive ownership and permission management for fleet devices

# Configuration
SCRIPT_VERSION="1.0.0"
LOG_FILE="/var/log/macfleet_ownership.log"
REPORT_DIR="/etc/macfleet/reports/ownership"
CONFIG_DIR="/etc/macfleet/ownership"
POLICY_DIR="$CONFIG_DIR/policies"

# Create directories if they don't exist
mkdir -p "$REPORT_DIR" "$CONFIG_DIR" "$POLICY_DIR"

# Ownership categories for different file types
declare -A OWNERSHIP_CATEGORIES=(
    ["system_files"]="root:wheel"
    ["application_data"]="root:admin"
    ["user_documents"]="user:staff"
    ["shared_resources"]="shared:staff"
    ["development_files"]="developer:developer"
    ["web_content"]="www:www"
    ["log_files"]="root:wheel"
    ["configuration_files"]="root:wheel"
    ["temporary_files"]="user:staff"
    ["backup_files"]="backup:backup"
)

# Ownership policies for different security levels
declare -A OWNERSHIP_POLICIES=(
    ["public_access"]="644,755,user:staff,world_readable"
    ["restricted_access"]="600,700,user:staff,owner_only"
    ["shared_collaboration"]="664,775,user:staff,group_writable"
    ["system_secure"]="644,755,root:wheel,admin_managed"
    ["development_team"]="664,775,developer:developer,team_access"
    ["confidential_data"]="600,700,secure:secure,encrypted_required"
)

# Logging function
log_action() {
    local message="$1"
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    echo "[$timestamp] $message" | tee -a "$LOG_FILE"
}

# User and group validation
validate_user_group() {
    local user="$1"
    local group="$2"
    
    # Check if user exists
    if ! id "$user" &>/dev/null; then
        log_action "ERROR: User '$user' does not exist"
        return 1
    fi
    
    # Check if group exists (if specified)
    if [[ -n "$group" ]] && ! dscl . -read /Groups/"$group" &>/dev/null; then
        log_action "ERROR: Group '$group' does not exist"
        return 1
    fi
    
    return 0
}

# Advanced ownership change with backup and rollback
change_ownership_advanced() {
    local target_path="$1"
    local new_owner="$2"
    local new_group="${3:-}"
    local recursive="${4:-false}"
    local backup_metadata="${5:-true}"
    
    log_action "Starting advanced ownership change: $target_path -> $new_owner:$new_group"
    
    if [[ ! -e "$target_path" ]]; then
        log_action "ERROR: Target path does not exist: $target_path"
        return 1
    fi
    
    # Validate user and group
    if ! validate_user_group "$new_owner" "$new_group"; then
        return 1
    fi
    
    # Create backup of current metadata
    local backup_file=""
    if [[ "$backup_metadata" == "true" ]]; then
        backup_file="$REPORT_DIR/ownership_backup_$(date +%Y%m%d_%H%M%S).json"
        create_ownership_backup "$target_path" "$backup_file" "$recursive"
    fi
    
    # Construct chown command
    local chown_target="$new_owner"
    if [[ -n "$new_group" ]]; then
        chown_target="$new_owner:$new_group"
    fi
    
    local chown_cmd="chown"
    if [[ "$recursive" == "true" ]]; then
        chown_cmd="chown -R"
    fi
    
    # Execute ownership change
    if $chown_cmd "$chown_target" "$target_path"; then
        log_action "SUCCESS: Ownership changed to $chown_target for $target_path"
        
        # Create post-change report
        local report_file="$REPORT_DIR/ownership_change_$(date +%Y%m%d_%H%M%S).json"
        create_ownership_report "$target_path" "$report_file" "$recursive"
        
        echo "$report_file"
        return 0
    else
        log_action "ERROR: Failed to change ownership for $target_path"
        return 1
    fi
}

# Create ownership backup
create_ownership_backup() {
    local target_path="$1"
    local backup_file="$2"
    local recursive="$3"
    
    cat > "$backup_file" << EOF
{
    "backup_info": {
        "target_path": "$target_path",
        "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
        "hostname": "$(hostname)",
        "recursive": $recursive
    },
    "original_ownership": []
}
EOF
    
    if [[ "$recursive" == "true" ]]; then
        # Recursive backup
        find "$target_path" -exec stat -f '{"path":"%N","owner":"%Su","group":"%Sg","permissions":"%Sp","octal":"%A"}' {} \; | \
        jq -s '.' | \
        jq --slurpfile backup "$backup_file" '.backup_info = $backup[0].backup_info | .original_ownership = .' > "${backup_file}.tmp" && \
        mv "${backup_file}.tmp" "$backup_file"
    else
        # Single file backup
        local owner=$(stat -f "%Su" "$target_path")
        local group=$(stat -f "%Sg" "$target_path")
        local permissions=$(stat -f "%Sp" "$target_path")
        local octal=$(stat -f "%A" "$target_path")
        
        jq --arg path "$target_path" \
           --arg owner "$owner" \
           --arg group "$group" \
           --arg permissions "$permissions" \
           --arg octal "$octal" \
           '.original_ownership = [{"path": $path, "owner": $owner, "group": $group, "permissions": $permissions, "octal": $octal}]' \
           "$backup_file" > "${backup_file}.tmp" && mv "${backup_file}.tmp" "$backup_file"
    fi
    
    log_action "Ownership backup created: $backup_file"
}

# Create ownership report
create_ownership_report() {
    local target_path="$1"
    local report_file="$2"
    local recursive="$3"
    
    cat > "$report_file" << EOF
{
    "report_info": {
        "target_path": "$target_path",
        "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
        "hostname": "$(hostname)",
        "recursive": $recursive,
        "script_version": "$SCRIPT_VERSION"
    },
    "current_ownership": [],
    "security_analysis": {},
    "recommendations": []
}
EOF
    
    # Get current ownership information
    if [[ "$recursive" == "true" ]]; then
        find "$target_path" -exec stat -f '{"path":"%N","owner":"%Su","group":"%Sg","permissions":"%Sp","octal":"%A","size":%z,"modified":"%Sm"}' {} \; | \
        jq -s '.' | \
        jq --slurpfile report "$report_file" '.report_info = $report[0].report_info | .current_ownership = .' > "${report_file}.tmp" && \
        mv "${report_file}.tmp" "$report_file"
    else
        local owner=$(stat -f "%Su" "$target_path")
        local group=$(stat -f "%Sg" "$target_path")
        local permissions=$(stat -f "%Sp" "$target_path")
        local octal=$(stat -f "%A" "$target_path")
        local size=$(stat -f "%z" "$target_path")
        local modified=$(stat -f "%Sm" "$target_path")
        
        jq --arg path "$target_path" \
           --arg owner "$owner" \
           --arg group "$group" \
           --arg permissions "$permissions" \
           --arg octal "$octal" \
           --arg size "$size" \
           --arg modified "$modified" \
           '.current_ownership = [{"path": $path, "owner": $owner, "group": $group, "permissions": $permissions, "octal": $octal, "size": $size, "modified": $modified}]' \
           "$report_file" > "${report_file}.tmp" && mv "${report_file}.tmp" "$report_file"
    fi
    
    # Perform security analysis
    perform_security_analysis "$target_path" "$report_file" "$recursive"
    
    log_action "Ownership report created: $report_file"
}

# Security analysis
perform_security_analysis() {
    local target_path="$1"
    local report_file="$2"
    local recursive="$3"
    
    local world_writable_count=0
    local world_readable_count=0
    local executable_count=0
    local setuid_count=0
    local security_issues=()
    
    if [[ "$recursive" == "true" ]]; then
        world_writable_count=$(find "$target_path" -type f -perm -002 2>/dev/null | wc -l)
        world_readable_count=$(find "$target_path" -type f -perm -004 2>/dev/null | wc -l)
        executable_count=$(find "$target_path" -type f -perm -111 2>/dev/null | wc -l)
        setuid_count=$(find "$target_path" -type f -perm -4000 2>/dev/null | wc -l)
    else
        local perms=$(stat -f "%A" "$target_path")
        [[ $((perms & 002)) -ne 0 ]] && world_writable_count=1
        [[ $((perms & 004)) -ne 0 ]] && world_readable_count=1
        [[ $((perms & 111)) -ne 0 ]] && executable_count=1
        [[ $((perms & 4000)) -ne 0 ]] && setuid_count=1
    fi
    
    # Identify security issues
    [[ $world_writable_count -gt 0 ]] && security_issues+=("World-writable files detected")
    [[ $setuid_count -gt 0 ]] && security_issues+=("SETUID files detected")
    
    # Update report with security analysis
    jq --argjson world_writable "$world_writable_count" \
       --argjson world_readable "$world_readable_count" \
       --argjson executable "$executable_count" \
       --argjson setuid "$setuid_count" \
       --argjson issues "$(printf '%s\n' "${security_issues[@]}" | jq -R . | jq -s .)" \
       '.security_analysis = {
           "world_writable_files": $world_writable,
           "world_readable_files": $world_readable,
           "executable_files": $executable,
           "setuid_files": $setuid,
           "security_issues": $issues
       }' "$report_file" > "${report_file}.tmp" && mv "${report_file}.tmp" "$report_file"
}

# Apply ownership policy
apply_ownership_policy() {
    local target_path="$1"
    local policy_name="$2"
    local recursive="${3:-false}"
    
    log_action "Applying ownership policy '$policy_name' to $target_path"
    
    if [[ -z "${OWNERSHIP_POLICIES[$policy_name]}" ]]; then
        log_action "ERROR: Unknown ownership policy: $policy_name"
        return 1
    fi
    
    # Parse policy
    IFS=',' read -ra POLICY_PARTS <<< "${OWNERSHIP_POLICIES[$policy_name]}"
    local file_perms="${POLICY_PARTS[0]}"
    local dir_perms="${POLICY_PARTS[1]}"
    local ownership="${POLICY_PARTS[2]}"
    local access_level="${POLICY_PARTS[3]}"
    
    # Extract user and group
    IFS=':' read -ra OWNER_PARTS <<< "$ownership"
    local user="${OWNER_PARTS[0]}"
    local group="${OWNER_PARTS[1]:-}"
    
    # Apply ownership
    change_ownership_advanced "$target_path" "$user" "$group" "$recursive" "true"
    
    # Apply permissions
    if [[ -d "$target_path" ]]; then
        chmod "$dir_perms" "$target_path"
    else
        chmod "$file_perms" "$target_path"
    fi
    
    if [[ "$recursive" == "true" ]]; then
        find "$target_path" -type f -exec chmod "$file_perms" {} \;
        find "$target_path" -type d -exec chmod "$dir_perms" {} \;
    fi
    
    log_action "Policy '$policy_name' applied successfully"
}

# Fleet ownership management
manage_fleet_ownership() {
    local action="$1"
    local target_pattern="$2"
    local ownership_spec="$3"
    
    log_action "Fleet ownership management: $action on $target_pattern"
    
    case "$action" in
        "audit")
            audit_fleet_ownership "$target_pattern"
            ;;
        "standardize")
            standardize_fleet_ownership "$target_pattern" "$ownership_spec"
            ;;
        "policy-apply")
            apply_fleet_policy "$target_pattern" "$ownership_spec"
            ;;
        "report")
            generate_fleet_ownership_report
            ;;
    esac
}

# Audit fleet ownership
audit_fleet_ownership() {
    local target_pattern="$1"
    
    echo "Auditing fleet ownership for pattern: $target_pattern"
    
    # Find files matching pattern
    local files=($(find / -path "$target_pattern" 2>/dev/null | head -100))
    
    local audit_report="$REPORT_DIR/fleet_ownership_audit_$(date +%Y%m%d_%H%M%S).json"
    
    cat > "$audit_report" << EOF
{
    "audit_info": {
        "pattern": "$target_pattern",
        "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
        "hostname": "$(hostname)",
        "files_found": ${#files[@]}
    },
    "ownership_summary": {},
    "security_findings": [],
    "recommendations": []
}
EOF
    
    # Analyze ownership patterns
    local owners=()
    local groups=()
    local permissions=()
    
    for file in "${files[@]}"; do
        if [[ -e "$file" ]]; then
            owners+=($(stat -f "%Su" "$file"))
            groups+=($(stat -f "%Sg" "$file"))
            permissions+=($(stat -f "%A" "$file"))
        fi
    done
    
    # Generate summary
    local unique_owners=($(printf '%s\n' "${owners[@]}" | sort -u))
    local unique_groups=($(printf '%s\n' "${groups[@]}" | sort -u))
    
    jq --argjson owners "$(printf '%s\n' "${unique_owners[@]}" | jq -R . | jq -s .)" \
       --argjson groups "$(printf '%s\n' "${unique_groups[@]}" | jq -R . | jq -s .)" \
       '.ownership_summary = {
           "unique_owners": $owners,
           "unique_groups": $groups,
           "total_files": '${#files[@]}'
       }' "$audit_report" > "${audit_report}.tmp" && mv "${audit_report}.tmp" "$audit_report"
    
    log_action "Fleet ownership audit completed: $audit_report"
    echo "$audit_report"
}

# Main execution function
main() {
    local action="${1:-change}"
    local target="${2:-}"
    local owner="${3:-}"
    local group="${4:-}"
    local options="${5:-}"
    
    log_action "=== MacFleet Ownership Management Started ==="
    log_action "Action: $action, Target: $target, Owner: $owner, Group: $group"
    
    case "$action" in
        "change")
            if [[ -z "$target" || -z "$owner" ]]; then
                echo "Usage: $0 change <target_path> <owner> [group] [recursive]"
                exit 1
            fi
            change_ownership_advanced "$target" "$owner" "$group" "$options"
            ;;
        "policy")
            if [[ -z "$target" || -z "$owner" ]]; then
                echo "Usage: $0 policy <target_path> <policy_name> [recursive]"
                exit 1
            fi
            apply_ownership_policy "$target" "$owner" "$group"
            ;;
        "audit")
            audit_fleet_ownership "${target:-/Users/*}"
            ;;
        "fleet")
            manage_fleet_ownership "$owner" "$target" "$group"
            ;;
        "help")
            echo "Usage: $0 [action] [options...]"
            echo "Actions:"
            echo "  change <path> <owner> [group] [recursive] - Change ownership"
            echo "  policy <path> <policy> [recursive] - Apply ownership policy"
            echo "  audit [pattern] - Audit ownership across fleet"
            echo "  fleet <action> <pattern> <spec> - Fleet management"
            echo "  help - Show this help"
            echo ""
            echo "Available policies: ${!OWNERSHIP_POLICIES[*]}"
            ;;
        *)
            log_action "ERROR: Unknown action: $action"
            exit 1
            ;;
    esac
    
    log_action "=== Ownership management completed ==="
}

# Execute main function
main "$@"

Common Ownership Scenarios

Employee Role Change

#!/bin/bash

# Transfer ownership when employee changes roles
transfer_employee_files() {
    local old_user="$1"
    local new_user="$2"
    local base_path="$3"
    
    echo "Transferring files from $old_user to $new_user in $base_path"
    
    # Find all files owned by old user
    local files=($(find "$base_path" -user "$old_user" 2>/dev/null))
    
    echo "Found ${#files[@]} files owned by $old_user"
    
    for file in "${files[@]}"; do
        if chown "$new_user" "$file"; then
            echo "✓ Transferred: $file"
        else
            echo "✗ Failed: $file"
        fi
    done
    
    echo "Transfer completed"
}

# Usage
transfer_employee_files "john.doe" "jane.smith" "/Users/Shared/Projects"

Project Handover

#!/bin/bash

# Complete project handover with ownership and permissions
project_handover() {
    local project_path="$1"
    local new_owner="$2"
    local team_group="$3"
    
    echo "Starting project handover: $project_path"
    
    # Change ownership recursively
    chown -R "$new_owner:$team_group" "$project_path"
    
    # Set appropriate permissions
    find "$project_path" -type d -exec chmod 775 {} \;  # Directories
    find "$project_path" -type f -exec chmod 664 {} \;  # Files
    find "$project_path" -name "*.sh" -exec chmod 755 {} \;  # Scripts
    
    echo "Project handover completed"
    echo "New owner: $new_owner"
    echo "Team group: $team_group"
    ls -la "$project_path"
}

# Usage
project_handover "/Users/Shared/ProjectAlpha" "daniel" "developers"

Security Compliance Check

#!/bin/bash

# Check ownership compliance across critical directories
compliance_check() {
    local directories=("/etc" "/usr/local" "/Applications" "/Users/Shared")
    
    echo "=== Ownership Compliance Check ==="
    
    for dir in "${directories[@]}"; do
        if [[ -d "$dir" ]]; then
            echo -e "\nChecking: $dir"
            
            # Find world-writable files
            local world_writable=$(find "$dir" -type f -perm -002 2>/dev/null | head -5)
            if [[ -n "$world_writable" ]]; then
                echo "⚠️  World-writable files found:"
                echo "$world_writable"
            fi
            
            # Find files with unusual ownership
            local unusual_owners=$(find "$dir" -maxdepth 2 ! -user root ! -user "$(whoami)" 2>/dev/null | head -5)
            if [[ -n "$unusual_owners" ]]; then
                echo "ℹ️  Non-standard ownership:"
                echo "$unusual_owners" | xargs ls -la
            fi
        fi
    done
}

# Run compliance check
compliance_check

Important Notes

• Admin privileges required for changing ownership of files not owned by current user
• User validation - Always verify target user exists before changing ownership
• Backup metadata before making bulk ownership changes
• Test scripts on sample files before production deployment
• Monitor permissions after ownership changes to ensure proper access
• Use recursive options carefully to avoid unintended changes
• Group membership affects file access even with proper ownership

Efficiently manage file and folder opening operations across your MacFleet deployment with enterprise-grade security features, application control, and comprehensive audit capabilities. This tutorial transforms basic open commands into robust file access management solutions.

Understanding Enterprise File Open Operations

Enterprise file opening requires more than basic access, demanding:

• Security validation to prevent unauthorized file access
• Application control to enforce approved software usage
• Permission verification before file operations
• Audit logging for compliance tracking
• Malware scanning integration for file safety
• Business rules enforcement for data protection

Core Open Operations

Basic File Opening

#!/bin/bash

# Simple file open with validation
open_file() {
    local file_path="$1"
    
    # Validate file exists
    if [[ ! -f "$file_path" ]]; then
        echo "Error: File '$file_path' not found"
        return 1
    fi
    
    # Open file with default application
    if open "$file_path"; then
        echo "Successfully opened '$file_path'"
        return 0
    else
        echo "Failed to open '$file_path'"
        return 1
    fi
}

# Usage example
# open_file "/Users/admin/document.pdf"

Application-Specific File Opening

#!/bin/bash

# Open file with specific application
open_with_app() {
    local file_path="$1"
    local bundle_id="$2"
    
    # Validate file exists
    if [[ ! -f "$file_path" ]]; then
        echo "Error: File '$file_path' not found"
        return 1
    fi
    
    # Open file with specified application
    if open -b "$bundle_id" "$file_path"; then
        echo "Successfully opened '$file_path' with $bundle_id"
        return 0
    else
        echo "Failed to open '$file_path' with $bundle_id"
        return 1
    fi
}

# Usage examples
# open_with_app "/Users/admin/document.txt" "com.apple.TextEdit"
# open_with_app "/Users/admin/presentation.pptx" "com.microsoft.PowerPoint"

Folder Opening

#!/bin/bash

# Open folder in Finder
open_folder() {
    local folder_path="$1"
    
    # Validate folder exists
    if [[ ! -d "$folder_path" ]]; then
        echo "Error: Folder '$folder_path' not found"
        return 1
    fi
    
    # Open folder in Finder
    if open "$folder_path"; then
        echo "Successfully opened folder '$folder_path'"
        return 0
    else
        echo "Failed to open folder '$folder_path'"
        return 1
    fi
}

# Usage example
# open_folder "/Users/admin/Documents"

Enterprise Open Management System

#!/bin/bash

# MacFleet Enterprise File Open Management System
# Comprehensive file and folder opening with enterprise features

# Configuration
SCRIPT_NAME="MacFleet Open Manager"
VERSION="1.0.0"
LOG_FILE="/var/log/macfleet_open_operations.log"
QUARANTINE_DIR="/var/quarantine/macfleet"
TEMP_DIR="/tmp/macfleet_open"
ALLOWED_EXTENSIONS=(".pdf" ".docx" ".xlsx" ".pptx" ".txt" ".png" ".jpg" ".gif" ".mp4" ".mov" ".pages" ".numbers" ".keynote")
RESTRICTED_PATHS=("/System" "/usr/bin" "/usr/sbin" "/private/var" "/Library/LaunchDaemons" "/Library/LaunchAgents")
APPROVED_APPLICATIONS=(
    "com.apple.TextEdit"
    "com.apple.Preview"
    "com.apple.QuickTimePlayerX"
    "com.microsoft.Word"
    "com.microsoft.Excel"
    "com.microsoft.PowerPoint"
    "com.adobe.Reader"
    "com.apple.iWork.Pages"
    "com.apple.iWork.Numbers"
    "com.apple.iWork.Keynote"
)
BUSINESS_HOURS_START=9
BUSINESS_HOURS_END=17
MAX_FILE_SIZE="100M"

# Create necessary directories
mkdir -p "$TEMP_DIR"
mkdir -p "$QUARANTINE_DIR"
mkdir -p "$(dirname "$LOG_FILE")"

# Logging function
log_operation() {
    local level="$1"
    local message="$2"
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    local username=$(whoami)
    echo "[$timestamp] [$level] [$username] $message" | tee -a "$LOG_FILE"
}

# Check if current time is within business hours
is_business_hours() {
    local current_hour=$(date +%H)
    if [[ $current_hour -ge $BUSINESS_HOURS_START && $current_hour -lt $BUSINESS_HOURS_END ]]; then
        return 0
    else
        return 1
    fi
}

# Validate file extension
is_allowed_extension() {
    local file="$1"
    local extension="${file##*.}"
    extension=".$extension"
    
    for allowed in "${ALLOWED_EXTENSIONS[@]}"; do
        if [[ "$extension" == "$allowed" ]]; then
            return 0
        fi
    done
    return 1
}

# Check if path is restricted
is_restricted_path() {
    local path="$1"
    for restricted in "${RESTRICTED_PATHS[@]}"; do
        if [[ "$path" == "$restricted"* ]]; then
            return 0
        fi
    done
    return 1
}

# Check if application is approved
is_approved_application() {
    local bundle_id="$1"
    
    for approved in "${APPROVED_APPLICATIONS[@]}"; do
        if [[ "$bundle_id" == "$approved" ]]; then
            return 0
        fi
    done
    return 1
}

# Get file size
get_file_size() {
    local file="$1"
    if [[ -f "$file" ]]; then
        stat -f%z "$file" 2>/dev/null
    else
        echo "0"
    fi
}

# Convert size string to bytes
size_to_bytes() {
    local size="$1"
    local number="${size%[A-Za-z]*}"
    local unit="${size#$number}"
    
    case "$unit" in
        "K"|"KB") echo $((number * 1024)) ;;
        "M"|"MB") echo $((number * 1024 * 1024)) ;;
        "G"|"GB") echo $((number * 1024 * 1024 * 1024)) ;;
        *) echo "$number" ;;
    esac
}

# Check file signature/magic number
check_file_signature() {
    local file="$1"
    local expected_extension="${file##*.}"
    
    if [[ ! -f "$file" ]]; then
        return 1
    fi
    
    # Get file signature
    local signature=$(file -b --mime-type "$file" 2>/dev/null)
    
    # Basic signature validation
    case "$expected_extension" in
        "pdf")
            if [[ "$signature" == "application/pdf" ]]; then
                return 0
            fi
            ;;
        "txt")
            if [[ "$signature" == "text/plain" ]]; then
                return 0
            fi
            ;;
        "docx")
            if [[ "$signature" == "application/vnd.openxmlformats-officedocument.wordprocessingml.document" ]]; then
                return 0
            fi
            ;;
        "xlsx")
            if [[ "$signature" == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" ]]; then
                return 0
            fi
            ;;
        "pptx")
            if [[ "$signature" == "application/vnd.openxmlformats-officedocument.presentationml.presentation" ]]; then
                return 0
            fi
            ;;
        "png")
            if [[ "$signature" == "image/png" ]]; then
                return 0
            fi
            ;;
        "jpg"|"jpeg")
            if [[ "$signature" == "image/jpeg" ]]; then
                return 0
            fi
            ;;
        *)
            # Allow other extensions without strict validation
            return 0
            ;;
    esac
    
    log_operation "WARNING" "File signature mismatch: $file (expected: $expected_extension, detected: $signature)"
    return 1
}

# Scan file for malware (placeholder for integration)
scan_file_malware() {
    local file="$1"
    
    # Placeholder for malware scanning integration
    # This would integrate with enterprise antivirus solutions
    
    # Basic checks
    if [[ -f "$file" ]]; then
        # Check for suspicious extensions
        local extension="${file##*.}"
        case "$extension" in
            "exe"|"bat"|"cmd"|"scr"|"com"|"pif"|"vbs"|"js")
                log_operation "SECURITY" "Blocked suspicious file type: $file"
                return 1
                ;;
        esac
        
        # Check file size (extremely large files could be suspicious)
        local file_size=$(get_file_size "$file")
        if [[ $file_size -gt 1073741824 ]]; then  # 1GB
            log_operation "WARNING" "Large file detected: $file ($(format_size $file_size))"
        fi
    fi
    
    return 0
}

# Format file size
format_size() {
    local bytes="$1"
    local sizes=("B" "KB" "MB" "GB" "TB")
    local unit=0
    
    while [[ $bytes -gt 1024 && $unit -lt 4 ]]; do
        bytes=$((bytes / 1024))
        ((unit++))
    done
    
    echo "${bytes}${sizes[$unit]}"
}

# Get application info
get_app_info() {
    local bundle_id="$1"
    
    # Get application path
    local app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2>/dev/null | head -1)
    
    if [[ -n "$app_path" ]]; then
        local app_name=$(basename "$app_path" .app)
        local app_version=$(defaults read "$app_path/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null)
        echo "$app_name v$app_version ($app_path)"
    else
        echo "Unknown application ($bundle_id)"
    fi
}

# Enhanced file open with enterprise features
enterprise_open_file() {
    local file_path="$1"
    local bundle_id="${2:-}"
    local force_open="${3:-false}"
    
    local operation_id=$(date +%s)
    log_operation "INFO" "Starting file open operation [$operation_id]: $file_path"
    
    # Pre-flight validations
    if [[ ! -f "$file_path" ]]; then
        log_operation "ERROR" "File not found: $file_path"
        return 1
    fi
    
    # Check if file path is restricted
    if is_restricted_path "$file_path"; then
        log_operation "SECURITY" "Blocked access to restricted path: $file_path"
        return 1
    fi
    
    # Validate file extension
    if ! is_allowed_extension "$file_path"; then
        log_operation "SECURITY" "Blocked file with unauthorized extension: $file_path"
        return 1
    fi
    
    # Check file size
    local file_size=$(get_file_size "$file_path")
    local max_size_bytes=$(size_to_bytes "$MAX_FILE_SIZE")
    
    if [[ $file_size -gt $max_size_bytes ]]; then
        log_operation "ERROR" "File too large: $(format_size $file_size) > $MAX_FILE_SIZE"
        return 1
    fi
    
    # Check file signature
    if ! check_file_signature "$file_path"; then
        if [[ "$force_open" != "true" ]]; then
            log_operation "SECURITY" "File signature validation failed: $file_path"
            return 1
        else
            log_operation "WARNING" "File signature validation failed but force_open enabled: $file_path"
        fi
    fi
    
    # Malware scanning
    if ! scan_file_malware "$file_path"; then
        log_operation "SECURITY" "File blocked by security scan: $file_path"
        return 1
    fi
    
    # Business hours check for sensitive files
    if [[ "$file_path" =~ (confidential|secret|private) ]] && ! is_business_hours; then
        log_operation "POLICY" "Sensitive file access outside business hours blocked: $file_path"
        return 1
    fi
    
    # Application validation if specified
    if [[ -n "$bundle_id" ]]; then
        if ! is_approved_application "$bundle_id"; then
            log_operation "SECURITY" "Blocked unauthorized application: $bundle_id"
            return 1
        fi
        
        # Check if application is installed
        local app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2>/dev/null | head -1)
        if [[ -z "$app_path" ]]; then
            log_operation "ERROR" "Application not found: $bundle_id"
            return 1
        fi
        
        log_operation "INFO" "Opening with application: $(get_app_info "$bundle_id")"
    fi
    
    # Perform the open operation
    local open_command="open"
    if [[ -n "$bundle_id" ]]; then
        open_command="open -b '$bundle_id'"
    fi
    
    if eval "$open_command '$file_path'"; then
        log_operation "SUCCESS" "File opened successfully [$operation_id]: $file_path"
        
        # Log file access for audit
        log_operation "AUDIT" "File accessed: $file_path (size: $(format_size $file_size))"
        
        return 0
    else
        log_operation "ERROR" "Failed to open file [$operation_id]: $file_path"
        return 1
    fi
}

# Enhanced folder open with enterprise features
enterprise_open_folder() {
    local folder_path="$1"
    local reveal_hidden="${2:-false}"
    
    local operation_id=$(date +%s)
    log_operation "INFO" "Starting folder open operation [$operation_id]: $folder_path"
    
    # Pre-flight validations
    if [[ ! -d "$folder_path" ]]; then
        log_operation "ERROR" "Folder not found: $folder_path"
        return 1
    fi
    
    # Check if folder path is restricted
    if is_restricted_path "$folder_path"; then
        log_operation "SECURITY" "Blocked access to restricted folder: $folder_path"
        return 1
    fi
    
    # Business hours check for sensitive folders
    if [[ "$folder_path" =~ (confidential|secret|private) ]] && ! is_business_hours; then
        log_operation "POLICY" "Sensitive folder access outside business hours blocked: $folder_path"
        return 1
    fi
    
    # Count files in folder for audit
    local file_count=$(find "$folder_path" -type f 2>/dev/null | wc -l)
    local folder_size=$(du -sh "$folder_path" 2>/dev/null | awk '{print $1}')
    
    # Perform the open operation
    local open_command="open"
    if [[ "$reveal_hidden" == "true" ]]; then
        open_command="open -R"
    fi
    
    if eval "$open_command '$folder_path'"; then
        log_operation "SUCCESS" "Folder opened successfully [$operation_id]: $folder_path"
        log_operation "AUDIT" "Folder accessed: $folder_path (files: $file_count, size: $folder_size)"
        return 0
    else
        log_operation "ERROR" "Failed to open folder [$operation_id]: $folder_path"
        return 1
    fi
}

# Bulk file opening with progress monitoring
bulk_open_files() {
    local files_list="$1"
    local bundle_id="${2:-}"
    
    if [[ ! -f "$files_list" ]]; then
        log_operation "ERROR" "Files list not found: $files_list"
        return 1
    fi
    
    local total_files=$(grep -v '^#\|^$' "$files_list" | wc -l)
    local current_file=0
    local success_count=0
    local failure_count=0
    
    log_operation "INFO" "Starting bulk file open operation - Total files: $total_files"
    
    while IFS= read -r file_path; do
        # Skip empty lines and comments
        [[ -z "$file_path" || "$file_path" =~ ^#.* ]] && continue
        
        ((current_file++))
        
        # Trim whitespace
        file_path=$(echo "$file_path" | xargs)
        
        echo "Processing [$current_file/$total_files]: $(basename "$file_path")"
        
        if enterprise_open_file "$file_path" "$bundle_id"; then
            ((success_count++))
        else
            ((failure_count++))
        fi
        
        # Progress update
        local progress=$((current_file * 100 / total_files))
        echo "Progress: $progress% ($success_count successful, $failure_count failed)"
        
        # Small delay to prevent overwhelming the system
        sleep 0.5
        
    done < "$files_list"
    
    log_operation "SUCCESS" "Bulk open completed - Success: $success_count, Failed: $failure_count"
    return $failure_count
}

# Generate file access report
generate_access_report() {
    local report_file="/tmp/macfleet_access_report_$(date +%Y%m%d_%H%M%S).txt"
    
    {
        echo "MacFleet File Access Report"
        echo "Generated: $(date)"
        echo "Hostname: $(hostname)"
        echo "User: $(whoami)"
        echo "=========================="
        echo ""
        
        echo "Recent File Access Operations (Last 24 hours):"
        if [[ -f "$LOG_FILE" ]]; then
            local yesterday=$(date -v-1d '+%Y-%m-%d')
            grep "$yesterday\|$(date '+%Y-%m-%d')" "$LOG_FILE" | grep -E "(AUDIT|SUCCESS)" | tail -50
        else
            echo "No log file found"
        fi
        
        echo ""
        echo "Security Events (Last 24 hours):"
        if [[ -f "$LOG_FILE" ]]; then
            local yesterday=$(date -v-1d '+%Y-%m-%d')
            grep "$yesterday\|$(date '+%Y-%m-%d')" "$LOG_FILE" | grep -E "(SECURITY|POLICY)" | tail -20
        fi
        
        echo ""
        echo "File Access Statistics:"
        if [[ -f "$LOG_FILE" ]]; then
            echo "Total Operations: $(grep -c "file open operation\|folder open operation" "$LOG_FILE" 2>/dev/null || echo "0")"
            echo "Successful: $(grep -c "SUCCESS.*opened successfully" "$LOG_FILE" 2>/dev/null || echo "0")"
            echo "Failed: $(grep -c "ERROR.*Failed to open" "$LOG_FILE" 2>/dev/null || echo "0")"
            echo "Security Blocks: $(grep -c "SECURITY.*Blocked" "$LOG_FILE" 2>/dev/null || echo "0")"
        fi
        
        echo ""
        echo "Most Accessed File Types:"
        if [[ -f "$LOG_FILE" ]]; then
            grep "File accessed:" "$LOG_FILE" | sed 's/.*File accessed: //' | sed 's/ (size:.*//' | 
            awk -F. '{print $NF}' | sort | uniq -c | sort -nr | head -10
        fi
        
    } > "$report_file"
    
    echo "File access report saved to: $report_file"
    log_operation "INFO" "Access report generated: $report_file"
}

# Check application permissions
check_app_permissions() {
    local bundle_id="$1"
    
    # Check if application has necessary permissions
    local app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2>/dev/null | head -1)
    
    if [[ -z "$app_path" ]]; then
        echo "Application not found: $bundle_id"
        return 1
    fi
    
    echo "Application: $(get_app_info "$bundle_id")"
    echo "Path: $app_path"
    
    # Check code signature
    local signature_status=$(codesign -dv "$app_path" 2>&1 | grep -E "(Signature|Authority)")
    echo "Code Signature: $signature_status"
    
    # Check if application is notarized
    local notarization=$(spctl -a -vv "$app_path" 2>&1 | grep -E "(accepted|source=)")
    echo "Notarization: $notarization"
    
    return 0
}

# Main open management function
main() {
    local action="${1:-help}"
    
    case "$action" in
        "open-file")
            local file_path="$2"
            local bundle_id="$3"
            local force_open="${4:-false}"
            
            if [[ -z "$file_path" ]]; then
                echo "Usage: $0 open-file <file_path> [bundle_id] [force_open]"
                exit 1
            fi
            
            enterprise_open_file "$file_path" "$bundle_id" "$force_open"
            ;;
        "open-folder")
            local folder_path="$2"
            local reveal_hidden="${3:-false}"
            
            if [[ -z "$folder_path" ]]; then
                echo "Usage: $0 open-folder <folder_path> [reveal_hidden]"
                exit 1
            fi
            
            enterprise_open_folder "$folder_path" "$reveal_hidden"
            ;;
        "bulk-open")
            local files_list="$2"
            local bundle_id="$3"
            
            if [[ -z "$files_list" ]]; then
                echo "Usage: $0 bulk-open <files_list> [bundle_id]"
                exit 1
            fi
            
            bulk_open_files "$files_list" "$bundle_id"
            ;;
        "check-app")
            local bundle_id="$2"
            
            if [[ -z "$bundle_id" ]]; then
                echo "Usage: $0 check-app <bundle_id>"
                exit 1
            fi
            
            check_app_permissions "$bundle_id"
            ;;
        "report")
            generate_access_report
            ;;
        "help"|*)
            echo "$SCRIPT_NAME v$VERSION"
            echo "Enterprise File and Folder Open Management"
            echo ""
            echo "Usage: $0 <action> [options]"
            echo ""
            echo "Actions:"
            echo "  open-file <file_path> [bundle_id] [force_open]  - Open single file"
            echo "  open-folder <folder_path> [reveal_hidden]       - Open folder in Finder"
            echo "  bulk-open <files_list> [bundle_id]             - Open multiple files"
            echo "  check-app <bundle_id>                           - Check application permissions"
            echo "  report                                          - Generate access report"
            echo "  help                                            - Show this help message"
            echo ""
            echo "Common Bundle IDs:"
            echo "  com.apple.TextEdit          - TextEdit"
            echo "  com.apple.Preview           - Preview"
            echo "  com.microsoft.Word          - Microsoft Word"
            echo "  com.microsoft.Excel         - Microsoft Excel"
            echo "  com.microsoft.PowerPoint    - Microsoft PowerPoint"
            echo "  com.adobe.Reader            - Adobe Reader"
            echo "  com.apple.iWork.Pages       - Pages"
            echo "  com.apple.iWork.Numbers     - Numbers"
            echo "  com.apple.iWork.Keynote     - Keynote"
            echo ""
            echo "Features:"
            echo "  • Security validation and malware scanning"
            echo "  • Application control and approval management"
            echo "  • File signature verification"
            echo "  • Business hours compliance checking"
            echo "  • Comprehensive audit logging"
            echo "  • Bulk operations with progress monitoring"
            echo "  • Detailed access reporting"
            ;;
    esac
}

# Execute main function with all arguments
main "$@"