Disable Bonjour

What the Bonjour Disabler does

This Automox Worklet™ disables Bonjour multicast advertisements by setting the NoMulticastAdvertisements flag in the mDNSResponder preferences. Bonjour is Apple's zero-configuration networking protocol that automatically advertises available services (file sharing, screen sharing, AirDrop, etc.) to other endpoints on the local network.

When disabled, the endpoint stops broadcasting its services via multicast DNS but can still discover and connect to other Bonjour-advertised services. This provides a security benefit while maintaining network functionality.

When disabled, the endpoint stops broadcasting its services via multicast DNS but can still discover and connect to other Bonjour-advertised services.

Why disable Bonjour advertisements

On untrusted networks such as public Wi-Fi, coffee shops, or conferences, Bonjour broadcasts detailed information about available services on the endpoint, including computer name, available shares, and running services. This information aids attackers in reconnaissance and target selection.

Attackers can use Bonjour service discovery to identify endpoints running specific services, locate file shares, or find systems with remote management enabled. Disabling advertisements reduces the information exposed to potential adversaries.

For endpoints used primarily outside the corporate network, disabling Bonjour reduces exposure without significant functionality loss. Users on trusted internal networks may want to keep Bonjour enabled for convenient service discovery.

How Bonjour configuration works

1. Evaluation phase: The Worklet reads the NoMulticastAdvertisements value from /Library/Preferences/com.apple.mDNSResponder.plist. If the value is not set to 1 (advertisements are still enabled), the endpoint is flagged for remediation.

2. Remediation phase: The Worklet uses defaults write to set NoMulticastAdvertisements to true in the mDNSResponder preferences. The change takes effect on the next mDNSResponder restart or system reboot.

Bonjour configuration requirements

• macOS endpoint (workstation or server)

• Administrative privileges for modifying system preferences

• System restart or mDNSResponder restart for changes to take full effect

Expected network behavior after remediation

After running, the endpoint stops advertising its services via Bonjour. Other endpoints on the network cannot discover this endpoint through mDNS queries. You can verify this change by running "defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" which should return 1.

Services like file sharing and screen sharing continue to work when accessed directly by IP address or hostname. The endpoint can still discover and connect to other Bonjour-advertised services. AirDrop functionality may be affected as it relies on Bonjour for peer discovery. Users requiring AirDrop should have Bonjour enabled or use alternative file transfer methods.

How to validate disable bonjour changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable bonjour.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as defaults, else, exit, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable bonjour. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as defaults, else, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.