Disable File Sharing

What the file sharing disablement Worklet does

This Automox Worklet™ disables all macOS file sharing services including Apple File Protocol (AFP), Server Message Block (SMB), and File Transfer Protocol (FTP). The Worklet uses the sharing command to stop active file sharing services and modifies system launch daemons to prevent automatic service restart.

The Worklet removes file sharing configuration from System Preferences and blocks network access to local file systems. All active file sharing sessions are terminated immediately when the Worklet executes.

Why disable file sharing on macOS endpoints

Enabled file sharing services expose local file systems to network access, creating attack vectors for lateral movement and data exfiltration. Users frequently enable file sharing for temporary needs and forget to disable it, leaving endpoints vulnerable to unauthorized access from compromised network segments.

Security frameworks including CIS Benchmarks and NIST guidelines recommend disabling unnecessary network services. File sharing protocols like AFP and SMB have been exploited in attacks such as EternalBlue and similar network-based vulnerabilities that scan for exposed file shares.

Organizations with centralized file servers have no need for peer-to-peer file sharing on individual endpoints. Disabling these services reduces the attack surface while maintaining productivity through sanctioned file storage solutions. You maintain compliance with security policies while preventing shadow IT file sharing practices.

How file sharing disablement works

1. Evaluation phase: The Worklet checks the status of AFP, SMB, and FTP services using the sharing -l command. It queries whether any file sharing protocols are currently enabled and identifies which services need to be disabled.

2. Remediation phase: The Worklet executes sharing -r afp, sharing -r smb, and sharing -r ftp commands to disable each file sharing protocol. It then verifies that the services have been stopped and removes their startup configurations to prevent automatic re-enablement after system restarts.

File sharing disablement requirements

• macOS endpoint (any supported version)

• Administrative privileges to modify sharing settings

• No active file sharing dependencies required by approved applications

• User notification if file sharing is currently in use for legitimate business purposes

Expected file sharing state after disablement

After the Worklet completes, all file sharing services are disabled and the endpoint no longer responds to AFP, SMB, or FTP connection requests from the network. System Preferences shows File Sharing as turned off, and the sharing indicator in System Preferences is inactive.

Users attempting to connect to the endpoint via file sharing protocols will receive connection refused errors. The endpoint remains accessible through approved remote access methods such as SSH or approved remote desktop solutions. You can verify the disabled state by running sharing -l in the Terminal, which will show all file sharing protocols as inactive.

How to validate disable file sharing changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable file sharing.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as launchctl, else, exit, then rerun evaluation for compliance.