Disable Bluetooth

Disable Bluetooth on macOS endpoints when no peripherals are paired to cut wireless attack surface

Worklet Details

What the macOS Bluetooth disabler does

This Automox Worklet™ disables the Bluetooth radio on macOS endpoints that have no active peripheral connections. The Worklet inspects the runtime state of Bluetooth before touching anything, so it never disconnects a paired keyboard, mouse, trackpad, or headset that a user is actually relying on.

Evaluation queries system_profiler SPBluetoothDataType for any peripheral reporting Connected: Yes, then reads ControllerPowerState from /Library/Preferences/com.apple.Bluetooth to confirm the radio is currently powered on. Remediation writes a new ControllerPowerState value of 0 with the defaults command and terminates bluetoothd so the change takes effect immediately, with no reboot or user session restart required.

Endpoints that already have Bluetooth disabled, or that have a peripheral paired and connected, exit with no change. The Worklet is safe to run against mixed populations where some Macs use Bluetooth peripherals and others do not.

Why disable Bluetooth on idle macOS endpoints

An enabled Bluetooth radio is reachable by anyone in physical proximity, even when nothing is paired. Public research has documented BlueBorne remote code execution, the KNOB key negotiation downgrade, and the BIAS impersonation flaw against Bluetooth stacks at the protocol layer. Each of these attacks targets the radio itself, not a specific paired peripheral, so a Mac sitting on a desk with Bluetooth on but unused still exposes the listener. Disabling the radio when peripherals are absent eliminates that exposure window.

The CIS Benchmark for macOS calls out Bluetooth disablement on endpoints that do not require it (control 2.4.1 in recent revisions), and NIST 800-53 control AC-18 covers wireless access restrictions more broadly. This Worklet automates the evidence side of that control without requiring a per-laptop check by an administrator.

Users frequently toggle Bluetooth on through Control Center to pair a borrowed peripheral and never disable it afterward. Schedule the Worklet against the macOS hardening policy so the next evaluation catches re-enabled radios before they become an audit finding or an unsupervised attack surface.

How idle Bluetooth shutdown works

  1. Evaluation phase: The script runs system_profiler SPBluetoothDataType and counts lines matching Connected: Yes to determine how many Bluetooth peripherals are currently paired and active. It then runs defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState to read the radio power state. If ControllerPowerState is 0, the radio is already off and the Worklet exits 0. If at least one peripheral reports Connected: Yes, the radio is in legitimate use and the Worklet also exits 0. Only when the radio is on (ControllerPowerState = 1) and the connected device count is 0 does evaluation exit 1 and hand off to remediation.

  2. Remediation phase: The script re-checks the radio and peripheral state to guard against a peripheral connecting between scans, then writes ControllerPowerState back to 0 with defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0. It calls killall -9 bluetoothd to terminate the Bluetooth daemon, which launchd respawns against the new preference value. The radio is off within seconds, no reboot or user logout is required, and the Bluetooth menu bar icon reflects the disabled state on next refresh.
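The two phases above, sketched as one script. This is an added example, not the Worklet's shipped code; the function names, the evaluate/remediate arguments, and the choice to make no change when the power state cannot be read are assumptions.

```bash
#!/bin/bash
# Added example: evaluation and remediation logic as described above.
PLIST=/Library/Preferences/com.apple.Bluetooth

# Count peripherals reporting "Connected: Yes" in system_profiler output (stdin).
# grep -c exits non-zero on zero matches, so the status is neutralised.
count_connected() { grep -c 'Connected: Yes' || true; }

# decide POWER COUNT: prints the reason and returns the evaluation exit code
# (0 = leave the endpoint alone, 1 = hand off to remediation).
decide() {
    local power="$1" connected="$2"
    case "$power" in
        0) echo "radio already off"; return 0 ;;
        1) ;;
        # Assumption: a missing or unexpected value means no change is made.
        *) echo "power state unreadable: '$power'"; return 0 ;;
    esac
    case "$connected" in
        ''|*[!0-9]*) echo "connected count unreadable"; return 0 ;;
    esac
    if [ "$connected" -gt 0 ]; then
        echo "in use by $connected peripheral(s)"; return 0
    fi
    echo "radio on, no peripherals"; return 1
}

# Live readers; these need macOS and root.
read_power()     { defaults read "$PLIST" ControllerPowerState 2>/dev/null; }
read_connected() { system_profiler SPBluetoothDataType 2>/dev/null | count_connected; }
evaluate()       { decide "$(read_power)" "$(read_connected)"; }

remediate() {
    # Re-check first: a peripheral may have connected since evaluation.
    if evaluate; then return 0; fi
    defaults write "$PLIST" ControllerPowerState -int 0
    killall -9 bluetoothd   # launchd respawns it against the new value
}

# Run only when asked, so sourcing the file has no side effects.
case "${1:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```
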

macOS Bluetooth disablement requirements

  • macOS endpoint enrolled in Automox (workstation or server device_type).

  • Root or administrator privileges so the agent can write to /Library/Preferences/com.apple.Bluetooth and signal bluetoothd. The Automox agent runs with the required privileges by default.

  • No active Bluetooth peripheral at evaluation time. Endpoints with a paired keyboard, mouse, trackpad, or audio device showing Connected: Yes will be left alone by design.

  • system_profiler and defaults available on the endpoint, which is standard on every supported macOS release.

Expected Bluetooth radio state after remediation

On any macOS endpoint that entered remediation, the Bluetooth radio is off and ControllerPowerState in com.apple.Bluetooth is 0. The bluetoothd process is restarted against the new preference value, so System Settings and Control Center reflect the disabled state without requiring a logout. Users can still re-enable Bluetooth manually through System Settings if they pair a new peripheral. Endpoints that had Bluetooth disabled or actively in use at evaluation time exit unchanged.

To verify the change after a policy run, you can read the preference value directly with defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState (expected output: 0) or inspect the Automox Activity Log for the Worklet's exit code on each endpoint. Scheduling the Worklet on a recurring policy keeps the radio off across Macs whose users have toggled Bluetooth back on through Control Center without pairing anything, which is the most common drift pattern on this control.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.