
Disable Bluetooth

Disable Bluetooth on macOS endpoints when no peripherals are connected to reduce attack surface

Worklet Details

What the Bluetooth Disabler does

This Automox Worklet™ checks whether any Bluetooth peripherals are actively connected to the macOS endpoint and disables the Bluetooth radio if none are in use. The Worklet uses system_profiler to count connected Bluetooth peripherals and reads the ControllerPowerState from Bluetooth preferences to determine the current radio status.

When Bluetooth is enabled but no peripherals are connected, the Worklet writes a new power state to disable the radio and terminates the bluetoothd process to apply the change immediately.


Why disable Bluetooth when not actively used

Bluetooth is susceptible to various attacks, including the BlueBorne, KNOB, and BIAS vulnerabilities, which allow remote code execution, man-in-the-middle attacks, and unauthorized device pairing. An enabled Bluetooth radio presents an attack surface even when no devices are paired.

Endpoints that do not actively use Bluetooth peripherals have no legitimate need for an enabled radio. Disabling Bluetooth on these systems eliminates the wireless attack vector without impacting user productivity.

Security frameworks including CIS Benchmarks recommend disabling Bluetooth when not required. This Worklet provides automated compliance with this control while accommodating users who rely on Bluetooth keyboards, mice, or headsets.

How Bluetooth management works

  1. Evaluation phase: The Worklet queries system_profiler SPBluetoothDataType to count peripherals with "Connected: Yes" status. It also reads ControllerPowerState from /Library/Preferences/com.apple.Bluetooth to check if the radio is powered on. If Bluetooth is disabled or peripherals are connected, the endpoint is compliant. If Bluetooth is enabled with no connected peripherals, remediation is triggered.

  2. Remediation phase: The Worklet uses defaults write to set ControllerPowerState to 0 (disabled) in the Bluetooth preferences. It then executes killall -9 bluetoothd to terminate the Bluetooth daemon and apply the new power state immediately without requiring a restart.
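
The evaluation and remediation flow from the two steps above, as an added shell example that is not Automox's Worklet code. The function names, the --live flag and the sample system_profiler text are constructed for illustration, and the -int value type passed to defaults write is an assumption. It also reports an unreadable ControllerPowerState as unknown rather than as compliant.

```bash
#!/bin/bash
# Added example, not Automox's Worklet code. Function names, the --live flag and
# the sample text are constructed for illustration.
PLIST=/Library/Preferences/com.apple.Bluetooth

# Count "Connected: Yes" lines in system_profiler SPBluetoothDataType output (stdin).
count_connected() { grep -c 'Connected: Yes' || true; }

# $1 = ControllerPowerState, $2 = connected peripheral count.
evaluate() {
    case "$1" in
        0) echo "compliant: radio off" ;;
        1) if [ "$2" -gt 0 ]; then echo "compliant: in use"; else echo "remediate"; fi ;;
        *) echo "unknown: power state unreadable" ;;   # do not report a blind pass
    esac
}

# Constructed sample in the "Connected: Yes" form the page describes.
sample_profiler_output() { cat <<'EOF'
Bluetooth:
    Devices (Paired, Configured, etc.):
        Example Keyboard:
            Connected: Yes
        Example Headset:
            Connected: No
EOF
}

live_check() {   # macOS only: reads the real preference and profiler output
    state=$(defaults read "$PLIST" ControllerPowerState 2>/dev/null || true)
    count=$(system_profiler SPBluetoothDataType 2>/dev/null | count_connected)
    evaluate "$state" "$count"
}

remediate() {    # needs root; -int is an assumed value type for the key
    defaults write "$PLIST" ControllerPowerState -int 0
    killall -9 bluetoothd
}

if [ "${1:-}" = "--live" ]; then
    result=$(live_check); echo "$result"
    if [ "$result" = "remediate" ]; then remediate; fi
else
    n=$(sample_profiler_output | count_connected)
    echo "sample: $n connected, radio on -> $(evaluate 1 "$n")"
    echo "sample: 0 connected, radio on -> $(evaluate 1 0)"
fi
```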

Bluetooth management requirements

  • macOS endpoint (workstation or server)

  • Administrative privileges for modifying Bluetooth preferences and terminating system processes

  • No active Bluetooth peripheral connections at the time of remediation

Expected Bluetooth radio state after configuration

After the Worklet runs on endpoints with no connected Bluetooth peripherals, the Bluetooth radio is disabled. The Bluetooth menu bar icon (if visible) shows the disabled state. Users can manually re-enable Bluetooth through System Preferences if they connect a Bluetooth peripheral. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

Endpoints with connected Bluetooth peripherals remain unchanged. Users relying on Bluetooth peripherals experience no disruption. Schedule this Worklet to run periodically to catch endpoints where users have re-enabled Bluetooth after it was disabled without connecting any peripherals.

How to validate Disable Bluetooth changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Disable Bluetooth.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, elif, else.

  4. Validate remediation effects from script operations such as set, elif, else, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Disable Bluetooth. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, elif, else and remediation operations such as set, elif, else. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
