Disable macOS .DS_Store file creation on network volumes to stop Finder metadata leakage on shared file systems
This Automox Worklet™ stops Finder from writing .DS_Store files to network-mounted volumes on macOS endpoints. The Worklet reads the DSDontWriteNetworkStores key from /Library/Preferences/com.apple.desktopservices, flags any endpoint where the key is missing, unset, or explicitly false, and writes the boolean true value during remediation. Finder reads this preference when it launches, so the change governs every Finder session started after the write, whether the user mounts SMB, AFP, or NFS volumes; sessions already running keep their old behavior until Finder is relaunched or the user logs out and back in.
A .DS_Store file is a per-folder binary that Finder uses to remember icon positions, view modes, custom backgrounds, sort order, and other UI state. macOS hides these files locally, but they appear as plain files on Windows and Linux clients that browse the same network share. Each one is a small disclosure of folder contents, naming conventions, and user browsing patterns that the share owner did not intend to expose.
The Worklet targets the system-wide preference domain at /Library/Preferences/com.apple.desktopservices, so the policy holds for every user account on the endpoint. Local volumes stay untouched – Finder continues to write .DS_Store on the local disk, preserving view preferences for the signed-in user. .DS_Store files already present on the network share remain in place; the Worklet only stops new ones from being created.
Network shares browsed by Mac users accumulate .DS_Store files in every directory Finder visits, and each file records the names of the entries Finder saw in that folder, its view settings, and in some cases the path of a custom background image. Security teams have documented cases of public-facing web roots and SMB shares serving .DS_Store files that revealed internal folder structures to anyone who could request the file, including names of files that were never linked or listed. The CIS Benchmark for Apple macOS recommends suppressing this behavior, and the same control supports SOC 2 confidentiality criteria for file shares that store customer or employee data.
DSDontWriteNetworkStores resets in three predictable ways: an engineer reinstalls macOS, a hardware swap puts a machine into service whose /Library/Preferences has never been hardened, or a provisioning script wipes the com.apple.desktopservices domain. This Worklet asserts the suppression on every evaluation, so the next policy run catches the drift before a network share starts accumulating Finder metadata again and before an auditor opens the share and sees a directory full of .DS_Store files.
Evaluation phase: The Worklet runs defaults read /Library/Preferences/com.apple.desktopservices DSDontWriteNetworkStores. If the key is missing, defaults read prints an error to stderr and returns a non-zero exit code; if the key is present but false, it prints 0. In either case the script exits 1 to flag the endpoint as non-compliant, so any endpoint that has not been hardened reports as needing remediation.
Remediation phase: The remediation script runs defaults write /Library/Preferences/com.apple.desktopservices DSDontWriteNetworkStores -bool true, which persists the preference to the system domain plist. Finder reads the preference at launch, so the suppression applies to Finder sessions started after the write; for users who are already logged in, restart Finder (killall Finder) or have them log out and back in. The script logs whether the setting was already in place or was rewritten, then exits cleanly.
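The two phases above as one Bash script, written for this page as an added example rather than Automox's published Worklet code. It separates the decision logic (is the value Finder will see truthy?) from the defaults calls so the logic can be exercised without a Mac, treats an explicit false the same as a missing key, and restarts Finder after the write so logged-in users pick up the preference; the Finder restart and the evaluate/remediate sub-command names are this example's choices, not something the page specifies.

```shell
#!/bin/bash
# Added example: evaluation and remediation for DSDontWriteNetworkStores.
# Run as root: `./ds_store.sh evaluate` exits 1 when non-compliant,
# `./ds_store.sh remediate` writes the preference and restarts Finder.

PLIST_DOMAIN="/Library/Preferences/com.apple.desktopservices"
PREF_KEY="DSDontWriteNetworkStores"

# Print the raw `defaults read` output (1, 0, true, false, YES, NO ...)
# or nothing when the key is absent. The error defaults prints for a
# missing key goes to stderr, so it never pollutes the value.
read_pref() {
    defaults read "$PLIST_DOMAIN" "$PREF_KEY" 2>/dev/null || true
}

# Return 0 only when the value is present and truthy. `defaults read`
# renders a value written with `-bool true` as 1, but an administrator
# may have written the string "true" or "YES" by hand, so accept those
# too. Empty (key missing) and 0/false/NO are all non-compliant.
is_suppressed() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|true|yes) return 0 ;;
        *)          return 1 ;;
    esac
}

# Evaluation phase: exit 0 when compliant, 1 when remediation is needed.
evaluate() {
    local current
    current="$(read_pref)"
    if is_suppressed "$current"; then
        echo "Compliant: $PREF_KEY=$current"
        return 0
    fi
    echo "Non-compliant: $PREF_KEY is '${current:-<unset>}'"
    return 1
}

# Remediation phase: write the boolean and log what happened.
remediate() {
    local current
    current="$(read_pref)"
    if is_suppressed "$current"; then
        echo "Already in place: $PREF_KEY=$current"
        return 0
    fi
    defaults write "$PLIST_DOMAIN" "$PREF_KEY" -bool true || return 1
    # Finder caches this preference at launch. Restarting it makes the
    # change effective for logged-in users now; it also closes their open
    # Finder windows, so some deployments prefer to wait for the next login.
    killall Finder 2>/dev/null || true
    echo "Rewritten: $PREF_KEY set to true (was '${current:-<unset>}')"
}

case "${1:-}" in
    evaluate)  evaluate ;;
    remediate) remediate ;;
esac
```

Because `read_pref` is the only place the script shells out to defaults, the same file works as the Worklet's evaluation script (call `evaluate`) and remediation script (call `remediate`), and the compliance decision can be unit-tested by replacing `read_pref` with a function that echoes a canned value.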
macOS endpoint (workstation or server) managed by the Automox agent
Root context for the agent, which is the Automox default and is required to write /Library/Preferences/com.apple.desktopservices.plist
Applies to SMB, AFP, and NFS network mounts; local disks stay unaffected
No parameters to configure; the policy can be deployed to a Mac group as-is
FixNow compatible, so the policy can be triggered immediately during an incident response window without waiting for the next scheduled evaluation
Once Finder is running with the preference in place, it writes no new .DS_Store files to network volumes it browses. Existing .DS_Store files remain in place; removing them is a separate cleanup step that can be scheduled as a follow-up Worklet or handled by the share owner. Local /Users folders and external USB drives keep their .DS_Store files because the DSDontWriteNetworkStores key only governs network-mounted volumes.
Validate the change on a pilot endpoint by running defaults read /Library/Preferences/com.apple.desktopservices DSDontWriteNetworkStores and confirming it prints 1, which is how defaults read renders a boolean true. For end-to-end validation, relaunch Finder or log the user out and back in, mount a test SMB share, browse a folder in Finder, then run find /Volumes/<share> -name .DS_Store and confirm no new entries appear. The Worklet only re-applies the preference if an administrator script, a fresh provisioning flow, or a macOS reinstall resets the desktopservices domain.