Disable Apple Content Caching on macOS endpoints to stop them from serving updates and iCloud data fleet-wide
This Automox Worklet™ disables Apple Content Caching on macOS endpoints. Content Caching is the built-in macOS service that lets a Mac cache and re-serve Apple software updates, App Store and iOS app downloads, and iCloud data to other Apple devices on the same local network. When the service is active, the endpoint behaves as a local update server and advertises itself over Bonjour to nearby clients.
The Worklet reads the Activated key from /Library/Preferences/com.apple.AssetCache.plist using the defaults command. If the value is 0, the endpoint is already compliant and the evaluation exits cleanly. If the value is 1, the remediation script calls AssetCacheManagerUtil deactivate, which is the Apple-supported path for stopping the service. The utility unloads the com.apple.AssetCache LaunchDaemon and writes the deactivated state back to the preferences file, so the cache stays off across reboots.
When a user with administrative rights re-enables Content Caching from System Settings under Sharing, the next Automox evaluation reads Activated=1 and the remediation script calls AssetCacheManagerUtil deactivate again at the next policy interval, so the baseline self-heals without manual triage.
An active Content Caching service turns the Mac into an unmanaged distribution point. The endpoint allocates disk space to a cache that grows over time, opens a listener on a dynamic TCP port chosen at activation, and answers requests from any Apple device that discovers the cache through Bonjour. On a coffee-shop network, a hotel Wi-Fi, or a shared workspace VLAN, that surface is reachable by clients you do not control. The cached data can include iCloud assets, App Store packages, and macOS update payloads tied to other Apple IDs, which raises both confidentiality and integrity concerns that the CIS Benchmark for macOS recommends mitigating by leaving the service off.
Content Caching can be flipped back on through a single System Settings toggle, so the drift surface is wide: a curious user toggles Sharing, a third-party MDM profile re-applies after a sync, or a major macOS upgrade resets the preference pane. This Worklet shuts down the AssetCache service with AssetCacheManagerUtil deactivate and rewrites the Activated key in /Library/Preferences/com.apple.AssetCache.plist to 0, so the listener closes and the cache stops accepting new requests. Subsequent evaluations report compliant in seconds, and divergent Macs surface in the activity log with the specific plist value that was reset.
Evaluation phase: The Worklet runs defaults read /Library/Preferences/com.apple.AssetCache.plist Activated to fetch the current state. A return value of 0 means Content Caching is off and the endpoint is compliant, so the script exits 0 with the message "Content Caching is already disabled." Any other value, including 1, means the AssetCache service is active and the endpoint is flagged for remediation with exit code 1.
Remediation phase: The Worklet re-reads the Activated key, and when the value is non-zero it runs AssetCacheManagerUtil deactivate. The utility stops the com.apple.AssetCache LaunchDaemon at /System/Library/LaunchDaemons/com.apple.AssetCache.plist, drops the Bonjour advertisement, and updates the AssetCache preferences so Activated reads 0 on the next evaluation. The remediation exits 0 once the deactivate call returns, and the next scheduled run confirms the new state without applying any change.
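The two phases above, sketched as an added example; this is not Automox's shipped Worklet code. The function names and the --evaluate/--remediate switches are assumptions made for illustration, and treating an unreadable Activated key as non-compliant follows the "any other value" rule stated above.

```bash
#!/bin/bash
# Added example: evaluation and remediation logic as described on this page.
# Function names and the command-line switches are hypothetical.

PLIST="/Library/Preferences/com.apple.AssetCache.plist"

# Print the Activated value; prints nothing if the key or file cannot be read.
read_activated() {
    defaults read "$PLIST" Activated 2>/dev/null || true
}

# Evaluation: return 0 when compliant, 1 when remediation is needed.
evaluate() {
    local state
    state="$(read_activated)"
    if [ "$state" = "0" ]; then
        echo "Content Caching is already disabled."
        return 0
    fi
    # Any other value (1, or an unreadable key) is flagged for remediation.
    echo "Content Caching needs remediation (Activated='${state}')."
    return 1
}

# Remediation: re-read the key and deactivate only when it is non-zero.
remediate() {
    local state
    state="$(read_activated)"
    if [ "$state" = "0" ]; then
        echo "Nothing to do; Activated=0."
        return 0
    fi
    echo "Activated='${state}'; running AssetCacheManagerUtil deactivate."
    if ! AssetCacheManagerUtil deactivate; then
        # Assumption: surface a failed deactivate instead of reporting success.
        echo "AssetCacheManagerUtil deactivate failed." >&2
        return 1
    fi
    return 0
}

# The platform runs the two phases as separate scripts; a single file with
# a switch is used here only to keep the example in one place.
case "${1:-}" in
    --evaluate)  evaluate;  exit $? ;;
    --remediate) remediate; exit $? ;;
esac
```

Run as root on the endpoint, the exit code of the --evaluate path is what marks the device compliant (0) or flagged (1).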
macOS endpoint running macOS High Sierra 10.13 or later, which is when Apple shipped Content Caching as a built-in service on client macOS
Administrative privileges to invoke AssetCacheManagerUtil and read /Library/Preferences/com.apple.AssetCache.plist (the default Automox agent context meets this requirement)
No additional script parameters; the Worklet ships with the AssetCache preferences path and deactivate command hard-coded for the Apple-supported toggle
Schedule on a recurring policy so the baseline survives user toggles in System Settings under General, Sharing, Content Caching
After remediation runs, defaults read /Library/Preferences/com.apple.AssetCache.plist Activated returns 0, and AssetCacheManagerUtil status reports the service as inactive. The com.apple.AssetCache LaunchDaemon is no longer loaded, launchctl list does not show the asset cache job, and the endpoint stops advertising itself over Bonjour. Disk space previously held by /Library/Application Support/Apple/AssetCache/Data is released over time as macOS prunes the unused cache directory.
Verify the change from the command line with AssetCacheManagerUtil status, which prints a payload whose Activated and Active values read false. The Sharing pane in System Settings reflects the same state, with the Content Caching toggle off and grayed out for non-admin users when a configuration profile is also present. For audit evidence, capture the AssetCacheManagerUtil status output alongside the Automox policy run identifier and store both with the endpoint record. Subsequent policy runs report the endpoint as compliant without applying remediation again, and any user attempt to flip Content Caching back on is reversed at the next evaluation interval.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
