Disable DVD/CD Sharing

What the macOS DVD and CD sharing disabler does

This Automox Worklet™ turns off the macOS DVD and CD Sharing service on every endpoint it runs against. The service ships under the bundle identifier com.apple.ODSAgent (Optical Disk Sharing Agent) and is managed by launchd as a system-level launch daemon. When the daemon is loaded, any other Mac on the same network can browse to the endpoint in Finder and mount its DVD or CD drive without any user prompt on the host.

The Worklet reads the current daemon state with launchctl print-disabled system and looks for the literal string "com.apple.ODSAgent" => true. If that token is absent, the endpoint is flagged for remediation. The remediation step runs launchctl disable system/com.apple.ODSAgent, which writes the disabled flag into the per-system launchd overrides and stops the daemon from loading on the next boot.

Local users can still burn or read optical media on an attached drive. Only the network-facing sharing path is shut down. The System Settings checkbox under Sharing may continue to display as enabled in the GUI until the endpoint is rebooted, which is a known macOS cosmetic lag and not an indication that the daemon is still listening.

Why disable macOS DVD and CD sharing

DVD and CD Sharing is a legacy convenience feature built for the MacBook Air era, when many Macs shipped without an optical drive and needed to borrow one over the LAN. On a modern fleet the service is almost never used, but it stays enabled on older imaging baselines and on any endpoint that has ever had the Sharing pane toggled on. An attacker on the same broadcast domain can enumerate the ODSAgent listener, mount the optical drive without authentication, and read whatever physical media happens to be inserted – installers, signed disk images, backup discs, or vendor media that an admin left in the tray. CIS Apple macOS Benchmarks call this out under the Sharing services section and recommend disabling DVD or CD Sharing on every endpoint.

This Worklet runs launchctl disable system/com.apple.ODSAgent on every Mac in scope, stopping the LaunchDaemon and removing the listener from netstat. The change is idempotent: endpoints already in the hardened state finish in milliseconds, and any Mac where an end user re-enables sharing from System Settings reverts at the next evaluation. The activity log captures the hostname and the prior service state so the CIS macOS Benchmark Sharing-services control has fleet-wide evidence on demand.

How macOS optical drive sharing gets disabled

1. Evaluation phase: The script runs launchctl print-disabled system and pipes the output through grep -c '"com.apple.ODSAgent" => true'. A count of zero means the daemon is not in the disabled override list, so the endpoint is flagged with exit code 1 and the message "DVD/CD Sharing is enabled. Exiting for remediation." A count of one or more means the override is already in place and the script exits 0 with no further action.

2. Remediation phase: The remediation script repeats the same launchctl print-disabled check, then runs launchctl disable system/com.apple.ODSAgent on any endpoint where the daemon is still loadable. The disable subcommand writes the override into /var/db/com.apple.xpc.launchd/disabled.plist, which persists across reboots and is read by launchd before any system daemon loads. The next evaluation run returns exit 0 without modifying anything else.

macOS DVD and CD sharing requirements

• macOS workstation or server endpoint with the Automox agent installed (the Worklet is marked compatible with both device types)

• Root context for launchctl print-disabled system and launchctl disable system/com.apple.ODSAgent; the Automox agent runs as root by default and already meets this

• No additional Worklet parameters – the script targets the com.apple.ODSAgent service label directly and takes no inputs

• Reboot recommended after first remediation so the System Settings Sharing pane reflects the disabled state; the daemon itself stops loading immediately

• Optional: schedule on a recurring policy so any endpoint that re-enables DVD or CD Sharing through the GUI is rolled back on the next evaluation

Expected macOS ODSAgent state after remediation

After remediation, launchctl print-disabled system reports "com.apple.ODSAgent" => true and the daemon no longer answers on the network. Remote Macs that previously saw the endpoint under their Finder sidebar with a "Connect As" optical drive entry will no longer see it. Local optical drive use is unaffected; users can still mount media physically inserted into a connected drive and the Disk Utility tools continue to function.

For audit evidence, capture the launchctl print-disabled system output and store it with the Automox policy run identifier. The Worklet exits 0 on a clean evaluation, so the next scheduled run produces a compliant endpoint report without re-applying the override. If an administrator manually re-enables DVD or CD Sharing through System Settings, the next evaluation flags the endpoint and remediation re-applies the launchctl disable on the same agent cycle, holding the baseline in place across reboots, OS updates, and user changes.