
secure-macos-scripts

This repository contains a collection of Z shell scripts for securing macOS.

Initial Setup

  1. Download the latest package. Note: Download the tar.gz source code.

  2. Use Finder to open your Downloads folder.

  3. Double-click on the downloaded tar archive to extract its contents.

  4. Hold down the control ⌃ key and click on the extracted folder.

  5. Select "New Terminal at Folder" from the menu.

    This will open Terminal at the location of the extracted folder and display a shell prompt %.

  6. Enter the following command to remove the quarantine attribute. This is an attribute that is added to all files downloaded from the Internet.

    xattr -r -d com.apple.quarantine .

  7. [Optional] Move the extracted folder to your Desktop folder for convenient access.

Security Scripts

1-ensure-secure-passwords-and-active-encryption.command

This script ensures that passwords for all active accounts meet our secure password requirements and that FileVault encryption is active. The script provides two security levels: HIGH and EXTREME.

The HIGH level of security ensures that each active account on the computer is using a 16-character password that contains a combination of upper- and lower-case characters, digits and special characters, and that each account has access to unlock the FileVault encryption.

The EXTREME level of security ensures that encryption is active and that only a special "Pre-Boot Authentication", aka preboot, account is able to unlock the FileVault encryption. It also ensures that the password for this special preboot account is at least 30 characters long and that the passwords for all other active accounts on the computer are at least 8 characters long.

If FileVault has been enabled during the execution of the script you will be prompted to backup your recovery key. Do not skip this step!
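The password rules for the two levels, expressed as a small /bin/sh policy checker. This is an added example, not code from secure-macos-scripts; it assumes the rules are exactly as stated above (HIGH: at least 16 characters with all four character classes; EXTREME: at least 30 characters for the preboot account and at least 8 for every other account) and that the real scripts may apply further rules. The level names `high`, `extreme-preboot` and `extreme-user` are this example's own.

```shell
#!/bin/sh
# Added example (not part of secure-macos-scripts): checks a candidate
# password against the HIGH and EXTREME rules described in the README.
# Level names are assumptions of this example:
#   high            -> 16+ characters, upper, lower, digit and special present
#   extreme-preboot -> 30+ characters (the Pre-Boot Authentication account)
#   extreme-user    -> 8+ characters (every other active account)

# check_password LEVEL PASSWORD
# Prints one reason per line for each rule the password fails.
# Returns 0 when the password meets the policy, 1 when it does not,
# 2 for an unknown level.
check_password() {
    level="$1"; pw="$2"; fail=0
    case "$level" in
        high)            min=16 ;;
        extreme-preboot) min=30 ;;
        extreme-user)    min=8 ;;
        *) echo "unknown level: $level" >&2; return 2 ;;
    esac

    # Length rule applies to every level.
    if [ "${#pw}" -lt "$min" ]; then
        echo "too short: ${#pw} < $min"; fail=1
    fi

    # Character-class rules are stated for the HIGH level only.
    if [ "$level" = high ]; then
        case "$pw" in *[[:upper:]]*) ;; *) echo "no upper-case letter"; fail=1 ;; esac
        case "$pw" in *[[:lower:]]*) ;; *) echo "no lower-case letter"; fail=1 ;; esac
        case "$pw" in *[[:digit:]]*) ;; *) echo "no digit"; fail=1 ;; esac
        # "special" is modelled here as any non-alphanumeric character.
        case "$pw" in *[![:alnum:]]*) ;; *) echo "no special character"; fail=1 ;; esac
    fi
    return "$fail"
}

# Usage: ./check_password.sh LEVEL PASSWORD  (exit status reports the result)
if [ "$#" -ge 2 ]; then
    check_password "$1" "$2"
fi
```

The checker is written for /bin/sh so it also runs unchanged under zsh in sh-emulation mode; when a password fails, each violated rule is reported so the user knows what to change rather than just seeing a rejection.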

Note for macOS 14 Sonoma Users

On the initial release of macOS 14 Sonoma, it appears that a bug has been introduced to the user login screen. This has caused "Pre-Boot Authentication" to be displayed for the user name instead of the actual account being signed into. Rest assured it really is requesting the password for your user account and not the pre-boot password. The user account icon that is displayed is at least correct. Our hope is that Apple will fix this in a subsequent update.

Running The Script

  1. Double-click the script 1-ensure-secure-passwords-and-active-encryption.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Select the security level, HIGH or EXTREME, that you want to use based on the security at your location.
  4. Follow the displayed instructions and respond to the questions and password requests.

    Important: Do not skip backing up the recovery key file if prompted!

  5. Once the script has finished, you will be asked if you want to reboot the computer. You are strongly encouraged to reboot the computer and go through the new sign-in process while these changes are fresh in your mind.

2-configure-system-wide-security-settings.command

This script ensures that system-wide settings are set to values appropriate for keeping the computer secure. Most of the changes can be automated but some require manual intervention.

Running The Script

  1. Double-click the script 2-configure-system-wide-security-settings.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Provide the requested passwords as prompted and follow the displayed instructions.
  4. Press any key after reviewing the script results to close "Terminal".

3-configure-user-specific-security-settings.command

This script ensures that user-specific settings are set to values appropriate for keeping the computer secure. Most of the changes can be automated but some require manual intervention. This script must be run for each account on the computer.

Running The Script

  1. Double-click the script 3-configure-user-specific-security-settings.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Provide the requested passwords as prompted and follow the displayed instructions.
  4. Press any key after reviewing the script results to close "Terminal".

Utility Scripts

u1-change-preboot-password.command (use only for EXTREME configurations)

This script allows a user to change the password of the "Pre-Boot Authentication", aka preboot, account.

Running The Script

  1. Double-click the script u1-change-preboot-password.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Provide the requested passwords as prompted.
  4. Once the script has finished, press Command + Q to close "Terminal".

u2a-pre-update-prep.command (use only for EXTREME configurations)

This script is used to grant the current user privileges to unlock FileVault. This is needed for performing system updates. After system updates are completed the u2b-post-update-cleanup.command script should then be run to restore the system to a secure state.

Other tasks, for example enabling or disabling Find My Mac, may also require this script to be run in order to work. In general, this script may need to be run if you are prompted for the current user password and, after entering it, the system fails to accept the authentication as if the password were incorrect.

This script may also need to be run if you are prompted for the preboot password when performing a task; after running it, the computer will instead prompt you for the current user password for authorization.

Running The Script

  1. Double-click the script u2a-pre-update-prep.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Provide the requested passwords as prompted.
  4. Once the script has opened System Settings to the Software Update pane, you may proceed to install available updates.
  5. If any of the updates require the system to restart, proceed with the restart and authenticate using your user account.
  6. After all updates and required system restarts have completed you need to run the u2b-post-update-cleanup.command script to restore the system to a secure state.

u2b-post-update-cleanup.command (use only for EXTREME configurations)

This script is used to remove privileges for unlocking FileVault from the current user. This is needed for restoring the system to a secure state after system updates have been performed.

  1. Double-click the script u2b-post-update-cleanup.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Provide the requested passwords as prompted.
  4. Once the script has finished, the system will have been restored to a secure state.
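A way to confirm the "secure state" that u2b-post-update-cleanup.command is meant to restore, i.e. the EXTREME configuration described under script 1: FileVault is on and only the Pre-Boot Authentication account can unlock it. This is an added example, not code from secure-macos-scripts. It assumes that `fdesetup status` prints a line containing "FileVault is On." or "FileVault is Off.", that `fdesetup list` prints one "username,UUID" line per FileVault-enabled user, and that the preboot account's short name is supplied by the caller (the README does not give it). The sample command outputs in the block are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of secure-macos-scripts): verifies the EXTREME
# FileVault state, which is what u2b-post-update-cleanup.command restores:
# FileVault on, and the preboot account the only FileVault-enabled user.
# Assumptions: "fdesetup status" output contains "FileVault is On." when
# enabled; "fdesetup list" prints one "username,UUID" line per enabled user.

# check_extreme_state PREBOOT_USER STATUS_OUTPUT LIST_OUTPUT
# Prints a reason for each deviation and returns 0 when the state is as
# expected, 1 otherwise. Takes command output as arguments so it can be
# exercised with captured text on any system.
check_extreme_state() {
    preboot="$1"; status_out="$2"; list_out="$3"; ok=0

    case "$status_out" in
        *"FileVault is On."*) ;;
        *) echo "FileVault is not on"; ok=1 ;;
    esac

    # Walk the "username,UUID" lines. Any account other than the preboot
    # account holding unlock privileges violates the EXTREME configuration.
    preboot_seen=0; others=""
    while IFS=, read -r user _uuid; do
        [ -z "$user" ] && continue
        if [ "$user" = "$preboot" ]; then
            preboot_seen=1
        else
            others="$others $user"
        fi
    done <<EOF
$list_out
EOF

    if [ "$preboot_seen" -eq 0 ]; then
        echo "preboot account '$preboot' cannot unlock FileVault"; ok=1
    fi
    if [ -n "$others" ]; then
        echo "extra accounts can unlock FileVault:$others"; ok=1
    fi
    return "$ok"
}

# check_live PREBOOT_USER: run against the real fdesetup on a Mac
# (fdesetup list may require root privileges; run with sudo if it refuses).
check_live() {
    command -v fdesetup >/dev/null 2>&1 || {
        echo "fdesetup not found (not macOS?)" >&2; return 2
    }
    check_extreme_state "$1" "$(fdesetup status)" "$(fdesetup list)"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_LIST_GOOD='preboot,11111111-2222-3333-4444-555555555555'
SAMPLE_LIST_BAD='preboot,11111111-2222-3333-4444-555555555555
alice,66666666-7777-8888-9999-000000000000'

# Usage on a Mac: ./check_extreme_state.sh PREBOOT_SHORTNAME
if [ "$#" -ge 1 ]; then
    check_live "$1"
fi
```

Running this after u2a-pre-update-prep.command should report the current user as an extra account with unlock privileges; running it after u2b-post-update-cleanup.command should report nothing and exit 0, which makes it a quick post-update check that the cleanup actually happened.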

u3-remove-preboot-from-system.command (use only for EXTREME configurations)

This script is used to remove the Pre-Boot Authentication account from the computer. If FileVault is enabled, it will remain enabled, and all accounts for which a password has been provided will be granted privileges to unlock FileVault. Accounts for which a password has not been provided will not be granted privileges to unlock FileVault and will be disabled from logging in.

  1. Double-click the script u3-remove-preboot-from-system.command.
  2. If you are prompted with a dialog asking for permission to allow "Terminal" access to the files in the folder containing the script, click OK.
  3. Provide the requested passwords as prompted.
  4. Once the script has finished, the Pre-Boot Authentication account will no longer exist.
