feat(privacy): expand macOS Privacy Shield from 20 to 35 settings#56
feat(privacy): expand macOS Privacy Shield from 20 to 35 settings#56
Conversation
Add 15 new macOS privacy settings across 5 previously empty categories (ads, search, sync, ai, browser) and re-categorize 3 existing settings for better organization. This brings macOS much closer to parity with the 57 Windows settings. New categories: - Ads: personalized ads, App Store Siri suggestions - Search: Spotlight internet results, Safari preload top hit - Sync: Handoff/Universal Clipboard, iCloud analytics, Safari iCloud tabs - AI: Siri, dictation, Apple Intelligence (macOS 15+) - Browser: Safari DNT, Chrome/Firefox telemetry via managed preferences Also adds health data sharing (telemetry), AirDrop discoverability (services) to existing categories. Feature-disabling settings (Siri, Handoff, AirDrop, dictation, iCloud tabs) include clear descriptions of what stops working so users make informed choices, especially when using "Protect All". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: aefa28f42c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…detection
- Remove macos-spotlight-internet-results: was wired to Safari's
SuppressSearchSuggestions key, not an actual Spotlight setting,
which double-counted Safari search privacy and left Spotlight
web queries unaddressed. The existing macos-spotlight-suggestions
(com.apple.lookup.shared/LookupSuggestionsDisabled) already covers
Spotlight web suggestions.
- Replace path-based isAppInstalled('/Applications/...') with
isBrowserInstalled(bundleId) using mdfind to query the Spotlight
metadata database by bundle identifier. This detects Chrome/Firefox
installs in ~/Applications, other volumes, or renamed bundles,
preventing false "already protected" results that hid settings
and inflated the privacy score.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 92102ea03d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| }, | ||
| async apply() { | ||
| await elevatedExec('/bin/mkdir', ['-p', MANAGED_PREFS]) | ||
| await elevatedDefaultsWrite(`${MANAGED_PREFS}/org.mozilla.firefox`, 'DisableTelemetry', 'bool', 'true') |
There was a problem hiding this comment.
Write Firefox policies to the supported macOS plist
Firefox's macOS policy support does not consume ad-hoc keys written here: Mozilla's own macOS policy template says command-line policies must go under /Library/Preferences/org.mozilla.firefox and EnterprisePoliciesEnabled must be set first. In the current apply()/check() flow, Kudu can report success while Firefox ignores the policy, because check() reads back the same unsupported location and marks the machine protected anyway.
Useful? React with 👍 / 👎.
| const val = await defaultsRead('com.apple.finder', 'FXRecentFolders') | ||
| return val === '0' || val === '()' |
There was a problem hiding this comment.
Stop treating Finder's recent list as a disable switch
FXRecentFolders is Finder's current MRU data, not a persistent “recent files disabled” preference. This check() treats an empty or missing list as protected, and apply() only deletes the list, so Protect All can claim success even though Finder will start tracking recents again as soon as the user opens more items.
Useful? React with 👍 / 👎.
Summary
ad-tracking→ ads,safari-suggestions/spotlight-suggestions→ search) for better organizationisAppInstalledhelper for browser detection (Chrome/Firefox) using the same guard pattern as Windows/Library/Managed Preferences/) for Chrome/Firefox telemetry — the equivalent of Windows HKLM registry policiesdefaults -currentHostfor correct per-host preference domainNew settings by category:
No UI or type changes needed — the UI auto-hides empty categories, so these populate automatically.
Test plan
npm test— 767 tests pass, zero regressionsnpx tsc --noEmit— no type errors in modified filenpm run devon macOS, open Privacy Shield, verify new categories appeardefaults readfor individual settings🤖 Generated with Claude Code