Disable DVD/CD Sharing

What the DVD/CD Sharing Disabler does

This Automox Worklet™ disables the DVD and CD sharing service on macOS endpoints. DVD/CD sharing allows other computers on the network to access the optical drive remotely, which was designed for Macs without built-in optical drives to share drives with Macs that have them.

The Worklet disables the com.apple.ODSAgent service using launchctl, preventing remote access to the optical drive while leaving local DVD/CD use unaffected.

Why block optical media sharing

DVD and CD sharing services allow remote macOS systems to access optical drives over the network. Attackers who compromise one endpoint can use this feature to mount optical drives from other endpoints, potentially accessing sensitive data stored on physical media or exploiting the sharing service for lateral movement within your network.

Organizations that prohibit unauthorized network file sharing should disable DVD/CD sharing as part of their endpoint security configuration. Even though optical drives are less common in modern endpoints, legacy systems may still have this service enabled by default, creating an unnecessary attack vector for network-based exploitation.

Disabling unused network services reduces your attack surface and simplifies endpoint security management. Endpoints with DVD/CD sharing disabled present fewer targets for network reconnaissance and reduce the complexity of firewall rules needed to protect your macOS fleet.

How DVD/CD sharing management works

1. Evaluation phase: The Worklet runs launchctl print-disabled system and searches for the com.apple.ODSAgent service in the disabled state. If the service is not marked as disabled (true), the endpoint is flagged for remediation.

2. Remediation phase: The Worklet executes launchctl disable system/com.apple.ODSAgent to disable the DVD/CD sharing service. The GUI in System Preferences may still show the checkbox as selected until after a reboot, but the service is immediately disabled.

DVD/CD sharing requirements

• macOS endpoint (workstation or server)

• Administrative privileges for modifying launchd services

• Reboot may be required for GUI to reflect the change in System Preferences

Expected optical drive sharing state

After remediation, macOS endpoints no longer advertise DVD or CD sharing services on the network. Remote systems cannot access the endpoint's optical drive even if one is connected. The local user can still use optical drives normally for their own purposes.

The Worklet confirms successful remediation through its evaluation check. You can verify DVD/CD sharing is disabled by reviewing System Preferences or checking Worklet execution results in the Automox console.

How to validate disable dvd/cd sharing changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable dvd/cd sharing.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as launchctl, else, exit, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable dvd/cd sharing. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as launchctl, else, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.