Disable Allow Guests to Connect to Shared Folders

Disable guest access to shared folders on macOS to prevent unauthorized file access

Worklet Details

What the Guest Sharing Disabler does

This Automox Worklet™ disables guest access to network file shares on macOS endpoints by configuring both AFP and SMB sharing preferences. The Worklet modifies com.apple.AppleFileServer to disable AFP guest access and com.apple.smb.server to disable SMB guest access, blocking anonymous connections to shared folders.

Authenticated users can still access shared folders with valid credentials. The Worklet only blocks anonymous, unauthenticated access that could expose sensitive files to unauthorized parties on the network.

Why disable guest access to shared folders

Guest access to shared folders allows anyone on the network to connect without authentication. This creates security risks including unauthorized data access, reconnaissance of file structures, and potential data exfiltration. Attackers can use guest shares to gather information about your environment.

Compliance frameworks and security benchmarks such as CIS macOS Benchmarks recommend disabling guest access to shared folders. Implementing this control demonstrates adherence to security best practices and reduces your attack surface.

In enterprise environments, file access should be controlled through proper authentication. Guest access bypasses identity management controls and audit logging, making it impossible to track who accessed what files.

How guest access disabling works

  1. Evaluation phase: The Worklet reads the current guest access settings from /Library/Preferences/com.apple.AppleFileServer (AFP) and /Library/Preferences/SystemConfiguration/com.apple.smb.server (SMB). If either guestAccess or AllowGuestAccess is set to 1 (enabled), the endpoint is flagged for remediation.

  2. Remediation phase: The Worklet uses the defaults write command to set guestAccess to false in the AFP preferences and AllowGuestAccess to false in the SMB preferences. Both changes take effect immediately without requiring a service restart.
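The evaluation and remediation phases above as a Bash script; this is an added example, not the Worklet's own code. The function names are hypothetical, and treating a missing key as not enabled is an assumption.

```bash
#!/bin/bash
# Added example, not the Automox Worklet's own code.
# Function names are hypothetical; the paths and keys are those named above.

AFP_DOMAIN="/Library/Preferences/com.apple.AppleFileServer"
SMB_DOMAIN="/Library/Preferences/SystemConfiguration/com.apple.smb.server"

# Succeeds (0) only when the key reads back as enabled.
# Assumption: a missing key or unreadable plist counts as "not enabled",
# following the rule above that only a value of 1 flags the endpoint.
guest_key_enabled() {
    case "$(defaults read "$1" "$2" 2>/dev/null)" in
        1|true|TRUE|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluation phase: returns 0 when compliant, 1 when remediation is needed.
evaluate_guest_sharing() {
    flagged=0
    if guest_key_enabled "$AFP_DOMAIN" guestAccess; then
        echo "AFP guest access is enabled"
        flagged=1
    fi
    if guest_key_enabled "$SMB_DOMAIN" AllowGuestAccess; then
        echo "SMB guest access is enabled"
        flagged=1
    fi
    return "$flagged"
}

# Remediation phase: write false to both keys, then re-run the evaluation
# so the result reflects what was actually stored. Requires root.
remediate_guest_sharing() {
    defaults write "$AFP_DOMAIN" guestAccess -bool false || return 2
    defaults write "$SMB_DOMAIN" AllowGuestAccess -bool false || return 2
    evaluate_guest_sharing
}

# Only act when invoked with --run, e.g. sudo ./guest_sharing.sh --run
if [ "${1:-}" = "--run" ]; then
    evaluate_guest_sharing || remediate_guest_sharing
fi
```

The evaluation function's exit status (0 compliant, 1 flagged) is what a scheduler or a manual spot check would act on.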

Guest access configuration requirements

  • macOS endpoint (workstation or server)

  • Administrative privileges for modifying system preferences

  • File sharing may be enabled or disabled; the Worklet only affects guest access permissions

Expected file sharing state after remediation

After running, guests can no longer connect to shared folders on the endpoint. Users attempting to access shares without credentials receive an authentication prompt or connection refused error. Legitimate users with valid credentials continue to access shared folders normally. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

You can verify the configuration in System Preferences > Sharing > File Sharing > Options, where the checkboxes for allowing guest access to SMB and AFP should now be unchecked.

How to validate the Disable Allow Guests to Connect to Shared Folders changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Disable Allow Guests to Connect to Shared Folders.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as its exit and else statements.

  4. Validate remediation effects from script operations such as defaults, else, and exit, then rerun the evaluation to confirm compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Disable Allow Guests to Connect to Shared Folders. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and else, and remediation operations such as defaults, else, and exit. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
