Generate a macOS security baseline script in a few clicks.

Pick the protections you want in your script.

Profiles blend severity and compatibility. Relaxed focuses on safer changes that rarely break modern Macs. Strict adds opinionated crypto tightening and remote access restrictions that can affect legacy workflows. Custom lets you hand-pick every item. There are no low-severity items in this set.

Relaxed applies critical items plus medium controls that are unlikely to clash with everyday apps. Strict layers on stronger SSH and file sharing changes that can impact older workflows. Use Custom when you want full control over each STIG item.

• Enforce FileVault full disk encryption Critical Profile / policy

  Adds a check to confirm FileVault is enabled and notes that enforcement is normally managed through the com.apple.MCX configuration profile or MDM. The script does not attempt to turn FileVault on automatically for safety.
• Verify System Integrity Protection (SIP) is enabled Critical Recovery mode change

  Checks SIP status and logs a warning if it is disabled. Enabling or disabling SIP requires booting to Recovery and is documented as a manual step inside the script.
• Limit SSHD to FIPS-compliant connections Critical Crypto hardening

  Adds a commented STIG snippet and helper commands for tightening /etc/ssh/sshd_config.d to FIPS-aligned ciphers and algorithms. You are prompted to review settings and test connectivity before applying.
• Limit SSH client to FIPS-compliant connections Critical Remote access behavior

  Documents checks for macOS SSH client configuration and shows how to align per-user or system SSH configs to FIPS-validated algorithms, while warning about breakage with older appliances.
• Disable password-based SSH authentication Critical Requires key-based auth

  Configures SSHD to require key-based or MFA-backed authentication by setting PasswordAuthentication no and KbdInteractiveAuthentication no via the SSHD include directory, matching the STIG pattern. This can lock users out if keys are not in place.
• Disable Trivial File Transfer Protocol (TFTP) service Critical

  Uses launchctl to stop and permanently disable the legacy TFTP daemon, matching the STIG guidance for systems that do not require TFTP support.
• Ensure Gatekeeper is enabled Critical Profile / policy

  Runs a JavaScript-for-Automation (JXA) check to confirm that Gatekeeper assessment is enabled and documents that enforcement is normally handled by the com.apple.systempolicy.control configuration profile or MDM.
• Block apps from unidentified developers Critical Profile / policy

  Documents the STIG requirement to allow only App Store and identified developers using Gatekeeper settings, and notes that override behavior and enforcement should be driven by a configuration profile, not ad-hoc shell edits.
• Require admin password for systemwide preferences Critical Authorization DB

  Adds a helper block that inspects the authorization database entries for key System Settings panes and provides a STIG-aligned template using security authorizationdb and PlistBuddy, while reminding you to test in a lab first.
• Audit log files: remove ACLs Medium

  Uses chmod -RN on the audit log path so log files do not carry additional ACLs, aligning with STIG requirements that only administrators manage audit content.
• Audit log folder: remove ACLs Medium

  Clears ACLs on /var/audit itself so that only privileged users can manage audit log folders, as required by the STIG.
• Disable root login at the local login window Medium

  Checks whether the root account is effectively disabled and reminds you that direct root logins remove individual accountability. The script does not turn root on or off automatically, but shows how to verify the state.
• Configure sudo to log privileged command events Medium

  Reviews /etc/sudoers and any include files for a logging configuration, and provides a STIG-style snippet for adding a dedicated sudo logfile through visudo or config management, rather than editing in place.
• Disable root login for SSH Medium Remote access behavior

  Uses the SSH include directory to create or update a small configuration fragment that sets PermitRootLogin no, aligning with the STIG requirement to prevent remote root logins over SSH.
• Disable Server Message Block (SMB) file sharing Medium File sharing services

  Stops and disables the SMB daemon using launchctl, which can affect Finder file sharing and Windows clients. Only use this when you do not rely on SMB services.
• Disable the built-in web server Medium

  Stops and disables the built-in Apache HTTP daemon if present. This is safe for most users but can affect local development stacks that rely on the system web server.
• Disable sending diagnostic and usage data to Apple Medium

  Checks the diagnostic submission preferences and reminds you that fleets should enforce this via profiles or MDM. Telemetry changes can affect AppleCare-style support expectations.
• Disable sending Siri audio recordings and transcripts Medium

  Reviews Siri and dictation logging preferences and documents how to keep audio and transcript sharing turned off according to the STIG, with a reminder to enforce centrally in managed environments.
• Disable Spotlight search data sharing with Apple Medium

  Adds a JXA-based check and notes for configuring the Spotlight and Siri settings so that search queries are not shared with Apple, per STIG privacy guidance.
• Require minimum password length of 14 characters Medium Profile / policy

  Uses the STIG-supplied pwpolicy query as a verification step and documents that enforcement belongs in the com.apple.mobiledevice.passwordpolicy configuration profile or your identity provider.
• Enable macOS Application Firewall Medium

  Checks and optionally enables the built-in Application Firewall, while reminding you that detailed per-app rules and pop-up behavior should be managed via profile or MDM.
• Verify Secure Boot level is set to “full” Medium Recovery mode change

  Uses /usr/libexec/mdmclient QuerySecurityInfo to verify the Secure Boot level on T2 or Apple silicon Macs and logs a reminder that changes must be made from Recovery and often via MDM for fleets.
• Enforce XProtect Remediator and Gatekeeper auto updates Medium

  Adds a JXA-based check for the com.apple.SoftwareUpdate configuration that controls security data updates and describes how to pin this behavior with a profile in managed environments.

Caveats: Several controls above are designed to be enforced via configuration profiles or MDM. This script focuses on checks and safe local changes where possible and leaves profile deployment to your management stack. Some items, such as SMB, SSH, and web server changes, can break existing workflows. Always compare the output with the official DISA macOS STIG for your version before widespread rollout.