You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* remove unnecessary infos and rename the script
* change curl command output
* docs(release-notes): add macOS guest VM and host hardening notes to 3.31.0
Note that guest build VM images are hardened by default, and that a
host hardening guide and harden-macos-host.sh script are available for
self-hosted users.
Copy file name to clipboardExpand all lines: docs/release-notes.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -83,6 +83,8 @@ import RedisDomainCaution from '@site/docs/self-hosted-appcircle/install-server/
83
83
- A UI improvement has been made on the Apple Profiles list regarding an incorrect name. <SigningIdentitiesBadge/> <CloudBadge/> <SelfHostedBadge/>
84
84
- Character limitations and validation checks have been implemented for Publish and Build Variable Group key values on the UI. <EnvironmentVariablesBadge/> <CloudBadge/> <SelfHostedBadge/>
85
85
- The [Appcircle Standard macOS Pool (arm64)](/infrastructure/ios-build-infrastructure) has the latest RC release of Xcode 26.6 installed on runners. We strongly recommend extensive testing of your workflows to ensure compatibility and stability with this release. <InfrastructureBadge/> <CloudBadge/>
86
+
- Appcircle macOS build VM (guest) images are now hardened by default. The disposable runner VM images apply a SIP-safe security and debloat baseline that lowers idle CPU/RAM usage and outbound telemetry while keeping Xcode, code signing, and notarization fully functional. No action is required to benefit from this change. <InfrastructureBadge/> <CloudBadge/> <SelfHostedBadge/>
87
+
- A [macOS host hardening](/self-hosted-appcircle/self-hosted-runner/configure-runner/macos-host-hardening) guide and `harden-macos-host.sh` script have been added for self-hosted users to apply a safe security baseline to the physical macOS machine that runs their build VMs. Based on a subset of the CIS macOS Level 1 benchmark, the script tightens the firewall, login window, sharing services, and telemetry without breaking runner connectivity or code signing. <InfrastructureBadge/> <SelfHostedBadge/>
Copy file name to clipboardExpand all lines: docs/self-hosted-appcircle/self-hosted-runner/configure-runner/macos-host-hardening.md
+10-23Lines changed: 10 additions & 23 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Hardening the macOS Host
3
-
description: Use the harden-host.sh script to apply a safe security baseline to the physical macOS machine that runs your Appcircle self-hosted runner VMs.
3
+
description: Use the harden-macos-host.sh script to apply a safe security baseline to the physical macOS machine that runs your Appcircle self-hosted runner VMs.
4
4
tags:
5
5
[
6
6
self-hosted runner,
@@ -15,7 +15,7 @@ sidebar_position: 6
15
15
16
16
When you run iOS builds on a self-hosted runner, the physical macOS machine (the host) runs your build VMs with Tart. The host is long-lived and reachable on your network, so it is the part of the setup worth securing first. The build VMs are disposable and re-created for each build.
17
17
18
-
The `harden-host.sh` script applies a safe security baseline to that host. It is based on a subset of the CIS macOS Level 1 benchmark and is designed not to break your runner's connectivity.
18
+
The `harden-macos-host.sh` script applies a safe security baseline to that host. It is based on a subset of the CIS macOS Level 1 benchmark and is designed not to break your runner's connectivity.
19
19
20
20
This page explains what the script does, why it does it, and how to run it.
21
21
@@ -62,11 +62,11 @@ Restrict it instead of turning it off: limit access to trusted users and reach t
62
62
63
63
## Download the Script
64
64
65
-
On the host, download `harden-host.sh` from the Appcircle CDN and make it executable:
65
+
On the host, download `harden-macos-host.sh` from the Appcircle CDN and make it executable:
@@ -76,45 +76,38 @@ Run the script as an administrator on the host. It supports three modes.
76
76
Review the current security posture without changing anything:
77
77
78
78
```bash
79
-
sudo ./harden-host.sh --audit-only
79
+
sudo ./harden-macos-host.sh --audit-only
80
80
```
81
81
82
82
Preview the exact changes the script would make, without applying them:
83
83
84
84
```bash
85
-
sudo ./harden-host.sh --dry-run
85
+
sudo ./harden-macos-host.sh --dry-run
86
86
```
87
87
88
88
Apply the baseline:
89
89
90
90
```bash
91
-
sudo ./harden-host.sh
91
+
sudo ./harden-macos-host.sh
92
92
```
93
93
94
94
To apply the baseline and also disable Remote Login:
95
95
96
96
```bash
97
-
sudo ./harden-host.sh --disable-ssh
97
+
sudo ./harden-macos-host.sh --disable-ssh
98
98
```
99
99
100
-
:::caution
101
-
102
-
Run `--audit-only` first and review the report. If SIP, FileVault, or Gatekeeper is reported as off, enable it before relying on the host for production builds.
103
-
104
-
:::
105
-
106
100
Some changes (limiting ad tracking and disabling the Siri, Apple Intelligence, and suggestion agents) apply to a specific user account. The script uses the account that invoked `sudo`, falling back to the current console user. To target a different account, set `ADMIN_USER`:
107
101
108
102
```bash
109
-
sudo ADMIN_USER=ci-admin ./harden-host.sh
103
+
sudo ADMIN_USER=ci-admin ./harden-macos-host.sh
110
104
```
111
105
112
106
## What You Still Need to Do Manually
113
107
114
108
A few protections cannot be enabled from a script and require your action:
115
109
116
110
-**SIP:** If reported as disabled, re-enable it from recoveryOS with `csrutil enable`.
117
-
-**FileVault:** If reported as off, enable full-disk encryption and store the recovery key safely (ideally through your MDM). For unattended reboots, use `fdesetup authrestart` so the host can come back online without someone entering the password at the screen.
118
111
119
112
## After Running the Script
120
113
@@ -124,9 +117,3 @@ Confirm the host is still reachable and the runner still works:
124
117
- Run a test build to confirm the runner connects and completes a job.
125
118
126
119
Re-run the script (or at least re-check the audit report) after every macOS update, because updates can reset some of these settings.
127
-
128
-
## Managing a Fleet with MDM
129
-
130
-
The script is a good fit for a single host or for preparing a host before it joins a managed fleet. For several hosts, the more durable approach is to enroll them in a Mobile Device Management (MDM) solution and push the security settings as a configuration profile. Profile-based settings are enforced and cannot be removed locally, which keeps every host consistent.
131
-
132
-
The recommended baseline for this is a CIS Level 1 profile generated with the macOS Security Compliance Project (mSCP), with SSH left enabled for runner access.
0 commit comments