Releases: davidwhittington/mac-security

v0.10.0

25 Mar 05:45

Add tor-proxy: Tor-based SOCKS proxy anonymizer for macOS

v0.7.0

09 Mar 05:33

What's new

Audit enhancements (4 new checks)

  • Bluetooth state — flags Bluetooth on as Medium when detected via system_profiler
  • Developer mode — checks DevToolsSecurity -status; flags enabled as Medium on non-dev machines
  • World-readable sensitive files — scans ~/.ssh, ~/.aws, ~/.gnupg, ~/.config/op for files readable by others; flags as High
  • Sudoers NOPASSWD — greps /etc/sudoers and /etc/sudoers.d/ for NOPASSWD entries; flags as High

New scripts

brew-upgrade.sh (mac-deploy-upgrade) — Homebrew upgrade with logging

  • brew update → captures outdated list → brew upgrade → brew cleanup
  • Logs dated upgrade summary to private/machines/<hostname>/brew-upgrades.log
  • --dry-run shows what would be upgraded without installing
  • --no-casks skips cask upgrades

apply-defaults.sh (mac-deploy-defaults) — macOS system preferences hardening

  • Screen lock: require password immediately, 5-minute screensaver idle
  • Screenshots: redirect to ~/Documents/Screenshots
  • Finder: show extensions, hidden files, full path in title bar
  • AirDrop: contacts only
  • Mail: disable remote image loading (tracking pixel protection)
  • Safari: no auto-open downloads, fraud warnings, full URL in address bar
  • Software Update: auto-check and auto-download (requires sudo)
  • --dry-run prints every defaults write command without applying

v0.6.0

09 Mar 05:02

What's new

Application config templating

A new templating system for rendering and deploying application configs with per-machine variable substitution.

scripts/apply-configs.sh (mac-deploy-configs) — the core engine:

  • Renders ${VAR} placeholders in template files using values from settings files
  • Loads configs/settings/defaults.env as the base, then overlays private/machines/<hostname>/configs.env for machine-specific overrides
  • Diffs rendered output against the existing destination before writing
  • Backs up destination files before overwriting
  • SSH config safety guard: never silently overwrites ~/.ssh/config — writes to ~/.ssh/config.mac-deploy for manual merge
  • --dry-run: show diffs without writing anything
  • --list: show all templates, manifest entries, and current settings values

Templates included:

  • git/gitconfig.tmpl — git config with name, email, editor, default branch, aliases
  • ssh/config.tmpl — SSH client config with ControlMaster, keepalive settings, lab host blocks
  • zsh/zshrc-base.tmpl — zsh base: history, completion, prompt, common aliases, local override sourcing
  • starship/starship.toml.tmpl — Starship prompt with git status, command duration, hostname

Per-machine settings:
Create private/machines/<hostname>/configs.env with KEY=VALUE pairs to override defaults for a specific machine. Values are substituted into all templates at render time.
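The render-and-deploy flow described above, as an added POSIX sh example that is not the project's apply-configs.sh: it merges defaults.env with a per-machine configs.env (the later file wins per key), substitutes ${VAR} placeholders, diffs and backs up before writing, honours DRY_RUN, and redirects ~/.ssh/config to ~/.ssh/config.mac-deploy. The file names follow the release notes; the sample settings and template in demo() are constructed.

```shell
# Added example, not the project's own apply-configs.sh. Sample inputs below
# are constructed; the file layout mirrors the v0.6.0 release notes.
# settings DEFAULTS OVERRIDE: print merged KEY=VALUE lines, one per key.
settings() {
  cat "$1" "$2" 2>/dev/null | awk '
    /^[A-Za-z_][A-Za-z0-9_]*=/ {
      k=$0; sub(/=.*/, "", k); v=$0; sub(/^[^=]*=/, "", v)
      if (!(k in val)) order[++n]=k
      val[k]=v }
    END { for (i=1; i<=n; i++) print order[i] "=" val[order[i]] }'
}
# render TEMPLATE DEFAULTS OVERRIDE: substitute ${KEY}. Unknown keys are left
# verbatim so a template typo shows up in the diff instead of becoming "".
render() {
  settings "$2" "$3" | awk -v tmpl="$1" '
    { k=$0; sub(/=.*/, "", k); v=$0; sub(/^[^=]*=/, "", v); val[k]=v }
    END {
      while ((getline line < tmpl) > 0) {
        out=""
        while (match(line, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
          key=substr(line, RSTART+2, RLENGTH-3)
          rep=(key in val) ? val[key] : substr(line, RSTART, RLENGTH)
          out=out substr(line, 1, RSTART-1) rep
          line=substr(line, RSTART+RLENGTH)
        }
        print out line
      } }'
}
# deploy RENDERED DEST: show the diff, skip if unchanged, back up, then write.
# DRY_RUN=1 stops after the diff. ~/.ssh/config is redirected for manual merge.
deploy() {
  dest=$2
  case "$dest" in "$HOME/.ssh/config") dest="$dest.mac-deploy" ;; esac
  if [ -f "$dest" ] && diff -u "$dest" "$1"; then echo "unchanged: $dest"; return 0; fi
  [ "${DRY_RUN:-0}" = 1 ] && { echo "dry-run: would write $dest"; return 0; }
  [ -f "$dest" ] && cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
  cp "$1" "$dest" && echo "wrote: $dest"
}
# Constructed sample inputs (not from the repo) in a scratch directory.
demo() {
  d=$(mktemp -d)
  printf 'GIT_NAME=Default User\nGIT_EMAIL=default@example.com\nEDITOR=vim\n' > "$d/defaults.env"
  printf 'GIT_EMAIL=me@example.com\n' > "$d/configs.env"
  printf '[user]\n\tname = ${GIT_NAME}\n\temail = ${GIT_EMAIL}\n[core]\n\teditor = ${EDITOR}\n\tpager = ${PAGER}\n' > "$d/gitconfig.tmpl"
  render "$d/gitconfig.tmpl" "$d/defaults.env" "$d/configs.env" > "$d/gitconfig"
  deploy "$d/gitconfig" "$d/gitconfig.dest"
}
demo
```

Running it prints the rendered gitconfig being written; ${PAGER} stays unexpanded because no settings file defines it.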

v0.5.0

09 Mar 04:14

What's new

Hardening scripts

  • harden-sshd.sh — one command applies SSH hardening: disables password auth and root login, sets MaxAuthTries 3, validates the config, reloads sshd. Supports --dry-run.
  • enable-stealth-firewall.sh — enables Application Firewall with stealth mode. --with-pf configures pf for port-level blocking (allow SSH, block everything else inbound). Supports --dry-run.
  • first-run.sh — full interactive bootstrap for a new Mac: installs Homebrew, taps mac-deploy, runs audit, applies hardening, re-audits to confirm baseline. Supports --auto and --audit-only.

Install via Homebrew

```bash
brew tap davidwhittington/mac-deploy
brew install mac-deploy
```

v0.4.0

09 Mar 00:07

What's in this release

  • Full macOS security audit script — FileVault, SIP, Gatekeeper, Application Firewall, SSH config, sharing services, open ports, user accounts, update policy
  • SSH public key authentication guide
  • Firewall guide: Application Firewall vs pf
  • SSH fleet key management guide
  • Automated security drift detection with launchd
  • Guide: removing insecure sharing services
  • Scheduled audit LaunchAgent plist
  • pf LaunchDaemon plist
  • Homebrew package capture and deploy scripts