Skip to content

Commit ecc56f8

Browse files
Docs/pl 241 macos host hardening updates (#1248)
* remove unnecessary infos and rename the script * change curl command output * docs(release-notes): add macOS guest VM and host hardening notes to 3.31.0 Note that guest build VM images are hardened by default, and that a host hardening guide and harden-macos-host.sh script are available for self-hosted users.
1 parent 05014b6 commit ecc56f8

2 files changed

Lines changed: 12 additions & 23 deletions

File tree

docs/release-notes.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,8 @@ import RedisDomainCaution from '@site/docs/self-hosted-appcircle/install-server/
8383
- A UI improvement has been made on the Apple Profiles list regarding an incorrect name. <SigningIdentitiesBadge/> <CloudBadge/> <SelfHostedBadge/>
8484
- Character limitations and validation checks have been implemented for Publish and Build Variable Group key values on the UI. <EnvironmentVariablesBadge/> <CloudBadge/> <SelfHostedBadge/>
8585
- The [Appcircle Standard macOS Pool (arm64)](/infrastructure/ios-build-infrastructure) has the latest RC release of Xcode 26.6 installed on runners. We strongly recommend extensive testing of your workflows to ensure compatibility and stability with this release. <InfrastructureBadge/> <CloudBadge/>
86+
- Appcircle macOS build VM (guest) images are now hardened by default. The disposable runner VM images apply a SIP-safe security and debloat baseline that lowers idle CPU/RAM usage and outbound telemetry while keeping Xcode, code signing, and notarization fully functional. No action is required to benefit from this change. <InfrastructureBadge/> <CloudBadge/> <SelfHostedBadge/>
87+
- A [macOS host hardening](/self-hosted-appcircle/self-hosted-runner/configure-runner/macos-host-hardening) guide and `harden-macos-host.sh` script have been added for self-hosted users to apply a safe security baseline to the physical macOS machine that runs their build VMs. Based on a subset of the CIS macOS Level 1 benchmark, the script tightens the firewall, login window, sharing services, and telemetry without breaking runner connectivity or code signing. <InfrastructureBadge/> <SelfHostedBadge/>
8688

8789
### 🐞 Fixes
8890

docs/self-hosted-appcircle/self-hosted-runner/configure-runner/macos-host-hardening.md

Lines changed: 10 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: Hardening the macOS Host
3-
description: Use the harden-host.sh script to apply a safe security baseline to the physical macOS machine that runs your Appcircle self-hosted runner VMs.
3+
description: Use the harden-macos-host.sh script to apply a safe security baseline to the physical macOS machine that runs your Appcircle self-hosted runner VMs.
44
tags:
55
[
66
self-hosted runner,
@@ -15,7 +15,7 @@ sidebar_position: 6
1515

1616
When you run iOS builds on a self-hosted runner, the physical macOS machine (the host) runs your build VMs with Tart. The host is long-lived and reachable on your network, so it is the part of the setup worth securing first. The build VMs are disposable and re-created for each build.
1717

18-
The `harden-host.sh` script applies a safe security baseline to that host. It is based on a subset of the CIS macOS Level 1 benchmark and is designed not to break your runner's connectivity.
18+
The `harden-macos-host.sh` script applies a safe security baseline to that host. It is based on a subset of the CIS macOS Level 1 benchmark and is designed not to break your runner's connectivity.
1919

2020
This page explains what the script does, why it does it, and how to run it.
2121

@@ -62,11 +62,11 @@ Restrict it instead of turning it off: limit access to trusted users and reach t
6262

6363
## Download the Script
6464

65-
On the host, download `harden-host.sh` from the Appcircle CDN and make it executable:
65+
On the host, download `harden-macos-host.sh` from the Appcircle CDN and make it executable:
6666

6767
```bash
68-
curl -fsSL https://cdn.appcircle.io/self-hosted/harden-macos-host.sh -o harden-host.sh && \
69-
chmod +x harden-host.sh
68+
curl -fsSL -O https://cdn.appcircle.io/self-hosted/harden-macos-host.sh && \
69+
chmod +x harden-macos-host.sh
7070
```
7171

7272
## How to Use It
@@ -76,45 +76,38 @@ Run the script as an administrator on the host. It supports three modes.
7676
Review the current security posture without changing anything:
7777

7878
```bash
79-
sudo ./harden-host.sh --audit-only
79+
sudo ./harden-macos-host.sh --audit-only
8080
```
8181

8282
Preview the exact changes the script would make, without applying them:
8383

8484
```bash
85-
sudo ./harden-host.sh --dry-run
85+
sudo ./harden-macos-host.sh --dry-run
8686
```
8787

8888
Apply the baseline:
8989

9090
```bash
91-
sudo ./harden-host.sh
91+
sudo ./harden-macos-host.sh
9292
```
9393

9494
To apply the baseline and also disable Remote Login:
9595

9696
```bash
97-
sudo ./harden-host.sh --disable-ssh
97+
sudo ./harden-macos-host.sh --disable-ssh
9898
```
9999

100-
:::caution
101-
102-
Run `--audit-only` first and review the report. If SIP, FileVault, or Gatekeeper is reported as off, enable it before relying on the host for production builds.
103-
104-
:::
105-
106100
Some changes (limiting ad tracking and disabling the Siri, Apple Intelligence, and suggestion agents) apply to a specific user account. The script uses the account that invoked `sudo`, falling back to the current console user. To target a different account, set `ADMIN_USER`:
107101

108102
```bash
109-
sudo ADMIN_USER=ci-admin ./harden-host.sh
103+
sudo ADMIN_USER=ci-admin ./harden-macos-host.sh
110104
```
111105

112106
## What You Still Need to Do Manually
113107

114108
A few protections cannot be enabled from a script and require your action:
115109

116110
- **SIP:** If reported as disabled, re-enable it from recoveryOS with `csrutil enable`.
117-
- **FileVault:** If reported as off, enable full-disk encryption and store the recovery key safely (ideally through your MDM). For unattended reboots, use `fdesetup authrestart` so the host can come back online without someone entering the password at the screen.
118111

119112
## After Running the Script
120113

@@ -124,9 +117,3 @@ Confirm the host is still reachable and the runner still works:
124117
- Run a test build to confirm the runner connects and completes a job.
125118

126119
Re-run the script (or at least re-check the audit report) after every macOS update, because updates can reset some of these settings.
127-
128-
## Managing a Fleet with MDM
129-
130-
The script is a good fit for a single host or for preparing a host before it joins a managed fleet. For several hosts, the more durable approach is to enroll them in a Mobile Device Management (MDM) solution and push the security settings as a configuration profile. Profile-based settings are enforced and cannot be removed locally, which keeps every host consistent.
131-
132-
The recommended baseline for this is a CIS Level 1 profile generated with the macOS Security Compliance Project (mSCP), with SSH left enabled for runner access.

0 commit comments

Comments
 (0)