@ph33nx
Last active June 6, 2025 08:52
Automated macOS Sequoia Hardening & Cleanup Bash Script – Disable Telemetry, Turn Off Spotlight Indexing, Purge Caches & Logs for Privacy and Security (sysadmin, macOS harden, privacy, disable telemetry, cleanup script)
#!/usr/bin/env bash
###############################################################################
# Author: ph33nx
# URL: https://github.com/ph33nx
#
# Description:
# This bash script automates the process to harden macOS (tested on Sequoia 15.5) by disabling
# or minimizing telemetry, turning off Spotlight indexing, and performing
# routine cleanup of caches, logs, temporary files, and the Trash. It is ideal
# for sysadmins, power users, and privacy-focused developers who want to:
# • Harden macOS against data leakage
# • Remove telemetry and analytics submissions
# • Disable Spotlight indexing (if you don’t use Spotlight for file search)
# • Schedule periodic cleanup via launchd (daily or weekly)
#
# By running this “disable telemetry” script, you will:
# – Prevent macOS from sending diagnostic & usage data to Apple
# – Disable Crash Reporter dialogs and auto‐submissions
# – Turn off Siri and related voice/analytics services
# – Stop Spotlight indexing on all volumes
# – Purge user and system caches, logs, and temporary directories
# – Empty your Trash and remove old iOS firmware updates
#
# This is a sysadmin-friendly, automation-ready shell script that can be
# loaded as a LaunchDaemon or run manually via sudo. It’s optimized for:
# • macOS Sequoia 15.5 (but should work on other recent macOS versions)
# • Privacy & security-conscious environments
# • Automated “cleanup macOS” workflows
#
# Key Features:
# • Disable both user‐level and system‐level macOS telemetry (analytics, crash reporting)
# • Turn off Spotlight indexing completely (mdutil -i off && -E)
# • Purge ~/Library/Caches, /Library/Caches, /private/var/log, /private/var/folders, /tmp, and more
# • Remove old iOS Software Updates from ~/Library/iTunes
# • Empty the user’s Trash automatically
# • Write a detailed log file to verify each step (~/logs/cleanup_and_harden.log)
# • Designed for automation via launchd (LaunchDaemon or LaunchAgent)
#
# SEO Keywords:
# harden macos, remove telemetry, disable telemetry script, sysadmin, cleanup macos,
# macos sequoia, spot index disable, launchd automation, privacy script, disable siri,
# disable analytics, kill caches, clear logs, security hardening
#
# Requirements:
# • macOS (tested on Sequoia 15.5, should work on most recent versions)
# • Bash (Built-in on macOS)
# • sudo access (to modify system defaults and remove system caches/logs)
#
# Installation:
# 1. Copy this file to a convenient directory, e.g. /usr/local/bin/cleanup_and_harden.sh
# 2. Make it executable:
# sudo chmod +x /usr/local/bin/cleanup_and_harden.sh
#
# Usage (Manual):
# • To run immediately (with root privileges), execute:
# sudo /usr/local/bin/cleanup_and_harden.sh
#
# • To verify the log file after running:
# tail -n 20 ~/logs/cleanup_and_harden.log
#
# • If you plan to schedule this as a LaunchDaemon (unattended), place it in
# /usr/local/bin/, then create a matching plist under /Library/LaunchDaemons/
# that points to this script (see examples in the repository).
#
# Usage (Automatic via launchd):
# 1. Copy the script to /usr/local/bin/cleanup_and_harden.sh and chmod +x it.
# 2. Create a LaunchDaemon at /Library/LaunchDaemons/com.ph33nx.cleanup_and_harden.plist:
#
# <?xml version="1.0" encoding="UTF-8"?>
# <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
#   "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
# <plist version="1.0">
# <dict>
#     <key>Label</key>
#     <string>com.ph33nx.cleanup_and_harden</string>
#
#     <key>ProgramArguments</key>
#     <array>
#         <string>/usr/local/bin/cleanup_and_harden.sh</string>
#     </array>
#
#     <!-- Run daily at 3:00 AM local time. Change to weekly by specifying Weekday. -->
#     <key>StartCalendarInterval</key>
#     <array>
#         <dict>
#             <key>Hour</key>
#             <integer>3</integer>
#             <key>Minute</key>
#             <integer>0</integer>
#         </dict>
#     </array>
#
#     <key>RunAtLoad</key>
#     <false/>
#
#     <key>StandardOutPath</key>
#     <string>/var/log/cleanup_and_harden.out</string>
#     <key>StandardErrorPath</key>
#     <string>/var/log/cleanup_and_harden.err</string>
# </dict>
# </plist>
#
# 3. Set correct permissions on the plist:
# sudo chown root:wheel /Library/LaunchDaemons/com.ph33nx.cleanup_and_harden.plist
# sudo chmod 644 /Library/LaunchDaemons/com.ph33nx.cleanup_and_harden.plist
#
# 4. Load the LaunchDaemon to schedule the job:
# sudo launchctl load /Library/LaunchDaemons/com.ph33nx.cleanup_and_harden.plist
#
# 5. Verify it’s loaded:
# sudo launchctl list | grep com.ph33nx.cleanup_and_harden
#
# 6. At the scheduled time, the script will run automatically as root and log output
# to /var/log/cleanup_and_harden.out and cleanup_and_harden.err.
#
# Notes:
# • Always inspect the log at ~/logs/cleanup_and_harden.log to confirm each step.
# • If you want to keep automatic macOS updates enabled, comment out or remove the
# SoftwareUpdate defaults commands in the “Disable Analytics & Crash Reporter” section.
# • Customize any “rm -rf” lines as needed; they are destructive.
# • To disable only parts of this script, comment out the corresponding blocks.
#
###############################################################################
# -----------------------------------------------------------------------------
# Ensure script is running as root. If not, re‐invoke under sudo
# -----------------------------------------------------------------------------
LOGFILE="${HOME}/logs/cleanup_and_harden.log"
mkdir -p "$(dirname "$LOGFILE")"
echo "========================================" >> "$LOGFILE"
echo "$(date '+%Y-%m-%d %H:%M:%S') Starting cleanup_and_harden.sh (checking for sudo)" >> "$LOGFILE"
if [[ "$EUID" -ne 0 ]]; then
    echo "Not running as root. Attempting to re-launch under sudo..." >> "$LOGFILE"
    exec sudo bash "$0" "$@"
    # Only reached if exec itself fails (for example, sudo is unavailable).
    exit 1
fi
echo " • Running as root (EUID=$EUID)" >> "$LOGFILE"
# -----------------------------------------------------------------------------
# 1) MINIMIZE TELEMETRY & CRASH‐REPORTING
# -----------------------------------------------------------------------------
echo "-> Disabling Analytics & Crash Reporter..." >> "$LOGFILE"
# 1.1 Disable Diagnostic & Usage Data auto‐submission
defaults write /Library/Preferences/com.apple.SubmitDiagInfo AutoSubmit -bool false
echo " • /Library/Preferences/com.apple.SubmitDiagInfo AutoSubmit = false" >> "$LOGFILE"
# 1.2 Disable Crash Reporter dialogs
defaults write com.apple.CrashReporter DialogType none
echo " • com.apple.CrashReporter DialogType = none" >> "$LOGFILE"
# 1.3 Disable Automatic macOS update checks (comment out if you prefer auto‐updates)
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false
echo " • com.apple.SoftwareUpdate AutomaticCheckEnabled = false" >> "$LOGFILE"
echo " • com.apple.SoftwareUpdate AutomaticDownload = false" >> "$LOGFILE"
# 1.4 Disable Siri (user‐level defaults; must target original user's domain)
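ORIG_USER="${SUDO_USER:-$(whoami)}"
ORIG_HOME=$(eval echo "~$ORIG_USER")
# The rm -rf lines in section 3 are built from ORIG_HOME, so stop here if the
# home directory did not resolve to a real directory.
if [[ ! -d "$ORIG_HOME" ]]; then
    echo "ERROR: cannot resolve home directory for $ORIG_USER; aborting." >> "$LOGFILE"
    exit 1
fi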
/usr/bin/su - "$ORIG_USER" -c "defaults write com.apple.assistant.support Assistant\ Enabled -bool false"
/usr/bin/su - "$ORIG_USER" -c "defaults write com.apple.Siri StatusMenuVisible -bool false"
echo " • com.apple.assistant.support Assistant Enabled = false (for $ORIG_USER)" >> "$LOGFILE"
echo " • com.apple.Siri StatusMenuVisible = false (for $ORIG_USER)" >> "$LOGFILE"
# 1.5 Disable Spotlight Suggestions & Privacy Hints (user domain)
su - "$ORIG_USER" -c "defaults write com.apple.lookup.shared LookupSuggestionsDisabled -bool true"
echo " • com.apple.lookup.shared LookupSuggestionsDisabled = true (for $ORIG_USER)" >> "$LOGFILE"
# 1.6 Disable iCloud Analytics & UsageTracking (user domain)
su - "$ORIG_USER" -c "defaults write com.apple.UsageTracking CoreDonationsEnabled -bool false"
su - "$ORIG_USER" -c "defaults write com.apple.UsageTracking UDCAutomationEnabled -bool false"
echo " • com.apple.UsageTracking CoreDonationsEnabled = false (for $ORIG_USER)" >> "$LOGFILE"
echo " • com.apple.UsageTracking UDCAutomationEnabled = false (for $ORIG_USER)" >> "$LOGFILE"
# 1.7 Disable Location Services
defaults write /Library/Preferences/com.apple.locationd.plist LocationServicesEnabled -int 0
echo " • /Library/Preferences/com.apple.locationd.plist LocationServicesEnabled = 0" >> "$LOGFILE"
# -----------------------------------------------------------------------------
# 2) DISABLE SPOTLIGHT INDEXING FOR ALL VOLUMES
# -----------------------------------------------------------------------------
echo "-> Turning off Spotlight indexing for all volumes..." >> "$LOGFILE"
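# In df output the mount point starts at field 9; the awk program rejoins the
# remaining fields so volume names that contain spaces are not truncated.
while IFS= read -r VOLUME; do
    if [ -d "$VOLUME" ]; then
        mdutil -i off "$VOLUME" &>/dev/null
        mdutil -E "$VOLUME" &>/dev/null
        echo " • mdutil -i off -E ${VOLUME}" >> "$LOGFILE"
    fi
done < <(df -Hl | awk '/\/Volumes\// { m = $9; for (i = 10; i <= NF; i++) m = m " " $i; print m }')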
# Turn off indexing on the boot volume "/"
mdutil -i off / &>/dev/null
mdutil -E / &>/dev/null
echo " • mdutil -i off -E /" >> "$LOGFILE"
# -----------------------------------------------------------------------------
# 3) PURGE CACHES, LOGS, TEMP FILES, OLD UPDATES, AND TRASH
# -----------------------------------------------------------------------------
echo "-> Purging user and system caches, logs, temp files, and Trash..." >> "$LOGFILE"
# 3.1 Remove user-level caches
echo " • Removing ${ORIG_HOME}/Library/Caches/*" >> "$LOGFILE"
rm -rf "${ORIG_HOME}/Library/Caches/"* 2>/dev/null
# 3.2 Remove old iOS device firmware updates
echo " • Removing ${ORIG_HOME}/Library/iTunes/iPhone Software Updates" >> "$LOGFILE"
rm -rf "${ORIG_HOME}/Library/iTunes/iPhone Software Updates/"* 2>/dev/null
# 3.3 Remove system caches
echo " • Removing /Library/Caches/*" >> "$LOGFILE"
rm -rf /Library/Caches/* 2>/dev/null
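# 3.4 Remove system logs
#     /var/log is a symlink to /private/var/log, so this also deletes the
#     launchd StandardOutPath/StandardErrorPath files named in the header and
#     any local logs that a later troubleshooting or incident review would need.
echo " • Removing /private/var/log/*" >> "$LOGFILE"
rm -rf /private/var/log/* 2>/dev/null
# 3.5 Purge /private/var/folders/ (temporary files stored by apps)
#     Per-user temp and cache directories of running processes live here, so
#     apps that are open during the purge may misbehave until restarted.
echo " • Purging /private/var/folders/*" >> "$LOGFILE"
rm -rf /private/var/folders/* 2>/dev/null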
# 3.6 Empty user Trash
echo " • Emptying ${ORIG_HOME}/.Trash/*" >> "$LOGFILE"
rm -rf "${ORIG_HOME}/.Trash/"* 2>/dev/null
# 3.7 Purge system temporary files in /tmp
echo " • Removing /tmp/*" >> "$LOGFILE"
rm -rf /tmp/* 2>/dev/null
# Uncomment the following lines to remove DMG/ZIP older than 30 days from ~/Downloads
# echo " • Removing old .dmg and .zip from ${ORIG_HOME}/Downloads (older than 30 days)" >> "$LOGFILE"
# find "${ORIG_HOME}/Downloads" -type f \( -iname "*.dmg" -o -iname "*.zip" \) -mtime +30 -delete
# -----------------------------------------------------------------------------
# 4) OPTIONAL: ADDITIONAL HARDENING STEPS
# -----------------------------------------------------------------------------
echo "-> (Optional) Additional hardening steps..." >> "$LOGFILE"
# Example: Enable built-in Application Firewall
# /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
# echo " • Application Firewall enabled" >> "$LOGFILE"
# Example: Disable Bluetooth if you never use it
# defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
# killall -HUP blued
# echo " • Bluetooth turned off" >> "$LOGFILE"
# -----------------------------------------------------------------------------
# 5) FINISH
# -----------------------------------------------------------------------------
echo "$(date '+%Y-%m-%d %H:%M:%S') Completed cleanup_and_harden.sh" >> "$LOGFILE"
echo "" >> "$LOGFILE"
exit 0
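
A guarded replacement for the bare `rm -rf <dir>/*` lines in section 3, added here as an example and not part of ph33nx's script: it refuses empty, relative, root and symlinked targets before a root-run recursive delete, and supports a preview mode. The names `safe_purge` and `DRY_RUN` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the original script.
# safe_purge and DRY_RUN are hypothetical names introduced for illustration.
#
# Usage:   safe_purge "${ORIG_HOME}/Library/Caches"
# Preview: DRY_RUN=1 safe_purge /private/var/log

# Delete the contents of a directory (never the directory itself) after
# checking that the path is what the caller meant. Returns 1 on refusal.
safe_purge() {
    local dir="$1"

    # An empty argument (for example an unset variable passed on its own)
    # is never a valid target.
    [ -n "$dir" ] || { echo "refuse: empty path" >&2; return 1; }

    # Absolute paths only, so the result never depends on the working directory.
    case "$dir" in
        /*) ;;
        *) echo "refuse: not an absolute path: $dir" >&2; return 1 ;;
    esac

    # Strip trailing slashes; a path made only of slashes collapses to "/".
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do
        dir="${dir%/}"
    done
    [ "$dir" != "/" ] || { echo "refuse: filesystem root" >&2; return 1; }

    # A symlink in a user-writable location would redirect a purge that runs
    # as root, so the target must be a real directory.
    [ ! -L "$dir" ] || { echo "refuse: symlink: $dir" >&2; return 1; }
    [ -d "$dir" ] || { echo "refuse: not a directory: $dir" >&2; return 1; }

    if [ "${DRY_RUN:-0}" = "1" ]; then
        # List the top-level entries that a real run would remove.
        find "$dir" -mindepth 1 -maxdepth 1 -print
        return 0
    fi

    # Unlike "$dir"/*, this also removes dotfiles and succeeds on an empty
    # directory; find does not follow symlinks it meets inside $dir.
    find "$dir" -mindepth 1 -delete
}
```

On macOS `/tmp` and `/var` are themselves symlinks into `/private`, so pass `/private/tmp` rather than `/tmp`; the symlink check refuses the short form.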