Change Hostname to Serial Number

What the macOS hostname enforcer does

This Automox Worklet™ enforces the three macOS naming properties so all three match the endpoint's hardware serial number. The properties are HostName (the BSD network hostname), LocalHostName (the Bonjour name visible on the local network), and ComputerName (the friendly name shown in Sharing preferences and Finder). The serial number is read directly from IOKit using ioreg, which makes it a stable, unique identifier that survives reimaging, OS upgrades, and reassignment between users.

The Worklet is idempotent. Each evaluation reads the current values with scutil --get and compares them against the serial number captured from the IOPlatformSerialNumber registry property. Endpoints that already match are reported compliant and skipped. Endpoints that have drifted are flagged for remediation on the next policy run. Drift cases include a laptop renamed by a user in System Settings, or a reset to a default like Johns-MacBook-Pro after a Migration Assistant restore.

Remediation iterates the three name properties, writes the serial number to each mismatched property with scutil --set, and flushes the DNS resolver cache with dscacheutil -flushcache. The change takes effect immediately, with no reboot or user session restart required. The script logs each name it touches and exits 0 once all three match, which lands a clean record in the Automox activity log.

Why enforce serial-number hostnames at fleet scale

User-assigned hostnames like Johns-MacBook-Pro or MacBook-Pro-12 break asset correlation across the systems IT actually relies on. Jamf, Kandji, Mosyle, CrowdStrike, SentinelOne, Splunk, and an internal CMDB all key off the hostname or ComputerName field, so two laptops with overlapping names produce duplicate or stale records. A network log that says MacBook-Pro accessed a sensitive share tells the SOC nothing on a fleet of 800 Macs. The serial number, exposed through IOPlatformSerialNumber, is unique per chassis and is already the identifier on the AppleCare invoice, the MDM enrollment record, and the Apple Business Manager assignment.

Hostname drift compounds in three predictable ways on macOS: users rename their machines in System Settings after a coffee-shop conversation, Migration Assistant restores a name from a five-year-old backup, and a poorly written onboarding script rewrites ComputerName without touching HostName or LocalHostName. This Worklet enforces the naming baseline against all three scutil keys on every evaluation, so the next policy run catches the drift before it lands in an audit finding, a stale MDM record, or a Splunk search that quietly misses half the population.

How macOS hostname enforcement works

1. Evaluation phase: The script reads the serial number with ioreg -l | awk '/IOPlatformSerialNumber/ { print $4 }' | sed 's/"//g'. It then walks the array (HostName LocalHostName ComputerName) and calls scutil --get on each property. If any one of the three values does not equal the serial number, the script echoes a diagnostic line naming the mismatched property and exits 1. The non-zero exit flags the endpoint for remediation in the Automox console.

2. Remediation phase: The remediation script repeats the comparison, then runs scutil --set HostName <serial>, scutil --set LocalHostName <serial>, and scutil --set ComputerName <serial> on each property still out of compliance. After the rename loop completes, it runs dscacheutil -flushcache so Bonjour and DNS clients pick up the new LocalHostName without waiting for a TTL. The script exits 0 with a confirmation line, and the next evaluation reports the endpoint compliant.

macOS hostname enforcement requirements

• macOS endpoint (workstation or server), Intel or Apple Silicon. Validated on Big Sur, Monterey, Ventura, Sonoma, and Sequoia.

• Root privileges, which the Automox Agent already provides. scutil --set requires elevation; running it as a standard user silently fails.

• A populated IOPlatformSerialNumber. Stock Macs always return one. Virtual machines on UTM, VMware Fusion, or Parallels may return an empty string, so test the Worklet against your VM templates before scheduling broadly.

• LocalHostName is limited to ASCII letters, digits, and hyphens by Bonjour. Apple serial numbers satisfy this constraint, so no transformation is needed inside the script.

• If you bind macOS endpoints to Active Directory or to a Jamf Cloud Identity Provider, confirm that the directory tolerates the serial-number hostname before fleet-wide rollout. Most directories do, but a few legacy NetBIOS environments truncate hostnames to 15 characters.

Expected state after macOS hostname enforcement

After remediation, scutil --get HostName, scutil --get LocalHostName, and scutil --get ComputerName all return the same value: the endpoint's hardware serial number. The hostname command returns the same string. System Settings → General → Sharing reflects the new ComputerName, and Bonjour-advertised services on the local network resolve to <serial>.local. The change persists across reboots, OS updates, user logouts, and FileVault unlock cycles. The serial number itself does not change for the life of the chassis, so the Worklet stays compliant on subsequent evaluations and adds no further state to the endpoint.

Validate a representative endpoint by running scutil --get ComputerName, scutil --get LocalHostName, and scutil --get HostName in Terminal and confirming each returns the serial number. Cross-reference the value against ioreg -l | awk '/IOPlatformSerialNumber/ { print $4 }' | sed 's/"//g' to confirm the source of truth. For fleet-wide audit evidence, capture the Automox activity log entry for the Worklet run, which records the policy run identifier, the endpoint identifier, the previous names, and exit code 0. Asset management, MDM, and SIEM queries that previously returned duplicate or generic names will resolve to a single serial-number record per endpoint on the next data refresh.