#!/bin/bash function get_user_pass { local MATCH=false while [ $MATCH == false ] ; do read -s -p "Password: " PASS_1 echo "" read -s -p "Repeat Password: " PASS_2 echo "" if [ $PASS_1 == $PASS_2 ] ; then PASS="$PASS_1" MATCH=true fi done return } function get_encryption_pass { local MATCH=false while [ $MATCH == false ] ; do read -s -p "Passphrase: " PASS_1 echo "" read -s -p "Repeat: " PASS_2 echo "" if [ $PASS_1 == $PASS_2 ]; then DISKPASS="$PASS_1" MATCH=true fi done return } if [[ $UID -ne 0 ]]; then echo "This script needs to be run as root (with sudo)" exit 1 fi echo "[I] Beginning local provisioning now" read -p "[!] Enter a name for this device: " DEVNAME systemsetup -setcomputername "$DEVNAME" scutil --set HostName "$DEVNAME" echo "[I] Creating a standard user account" CONFIRM="n" while [ "$CONFIRM" != "y" ] ; do echo "[!] Enter username to create (e.g. jsmith):" read -p "Username: " USERNAME echo "[!] Enter user's full name (e.g. John Smith):" read -p "Real Name: " REALNAME echo "[!] Please provide a password for this account" get_user_pass echo "[!] Please provide a disk encryption passphrase" echo "[ ] This could include a second-factor password entry token component" get_encryption_pass echo " " echo "[?] Are the following details correct?" echo " Username: $USERNAME" echo " Real Name: $REALNAME" read -p "[y/n]: " CONFIRM done echo "[I] Turning off iCloud login prompt" defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.11" echo "[I] Creating user $USERNAME" MAXID=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1) USERID=$((MAXID+1)) DISKID=$((MAXID+2)) dscl . -create /Users/$USERNAME dscl . -create /Users/$USERNAME RealName "$REALNAME" dscl . -passwd /Users/$USERNAME $PASS dscl . -create /Users/$USERNAME UserShell "/bin/bash -r" dscl . -create /Users/$USERNAME NFSHomeDirectory /Users/$USERNAME dscl . -create /Users/$USERNAME PrimaryGroupID 20 dscl . -create /Users/$USERNAME UniqueID "$USERID" cp -R /System/Library/User\ Template/English.lproj /Users/$USERNAME chown -R $USERNAME:staff /Users/$USERNAME chmod go-rx /Users/$USERNAME echo "[I] Locking down Terminal/Shell access" mkdir /Users/"$USERNAME"/Bash echo "set -r" > /Users/"$USERNAME"/.bash_profile echo "unset PATH" >> /Users/"$USERNAME"/.bash_profile echo "export PATH=/Users/"$USERNAME"/Bash" >> /Users/"$USERNAME"/.bash_profile ln -s /usr/bin/clear /Users/"$USERNAME"/Bash ln -s /bin/df /Users/"$USERNAME"/Bash ln -s /usr/bin/egrep /Users/"$USERNAME"/Bash ln -s /usr/bin/env /Users/"$USERNAME"/Bash ln -s /usr/bin/fgrep /Users/"$USERNAME"/Bash ln -s /usr/bin/rview /Users/"$USERNAME"/Bash ln -s /usr/bin/rvim /Users/"$USERNAME"/Bash ln -s /usr/bin/sudo /Users/"$USERNAME"/Bash ln -s /usr/bin/tail /Users/"$USERNAME"/Bash ln -s /usr/bin/wc /Users/"$USERNAME"/Library/Bash echo "[I] Enabling FileVault2 full disk encryption" dscl . -create /Users/filevault dscl . -create /Users/filevault RealName "Disk Encryption Password" dscl . -passwd /Users/filevault $DISKPASS dscl . -create /Users/filevault UserShell /usr/bin/false dscl . -create /Users/filevault UniqueID "$DISKID" defaults write com.apple.loginwindow HiddenUsersList -array-add filevault defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -int 1 DISKPASS=$DISKPASS expect -c 'spawn /usr/bin/fdesetup enable -user filevault; expect ":"; send "$env(DISKPASS)\n"; expect eof' pmset destroyfvkeyonstandby 1 hibernatemode 25 echo "[I] Disabling IPv6" networksetup -setv6off Wi-Fi >/dev/null networksetup -setv6off Ethernet >/dev/null echo "[I] Disabling infrared receiver" defaults write com.apple.driver.AppleIRController DeviceEnabled -bool FALSE echo "[I] Disabling Bluetooth" defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 echo "[I] Turning off WiFi" networksetup -setairportpower airport off > /dev/null echo "[I] Enabling scheduled updates" softwareupdate --schedule on defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool true defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true echo "[I] Disabling password hints on lock screen" defaults write com.apple.loginwindow RetriesUntilHint -int 0 echo "[I] Enabling password-protected screen lock after 5 minutes" systemsetup -setdisplaysleep 5 defaults write com.apple.screensaver askForPassword -int 1 defaults write com.apple.screensaver askForPasswordDelay -int 0 echo "[I] Enabling firewall" /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on echo "[I] Launching firmware password utility (this may take a moment)" diskutil mount Recovery\ HD RECOVERY=$(hdiutil attach /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg | grep -i Base | cut -f 3) open "$RECOVERY/Applications/Utilities/Firmware Password Utility.app" echo "[!] Follow the prompts on the utility to set a strong unique firmware password" echo "[!] Press enter when done" read DONE