Disable Internet Sharing on macOS endpoints to block rogue Wi-Fi hotspots and unauthorized NAT gateways
This Automox Worklet™ disables the macOS Internet Sharing service on workstation and server endpoints. Internet Sharing lets a Mac act as a NAT gateway, bridging its primary network connection to a Wi-Fi, Bluetooth, Thunderbolt Bridge, or secondary Ethernet interface so that other endpoints can route through it. The Worklet inspects the NAT preference file the SystemConfiguration framework reads at boot and forces the gateway off when it is active.
Internally, macOS keeps Internet Sharing state in /Library/Preferences/SystemConfiguration/com.apple.nat. The Enabled key inside the NAT dictionary is what com.apple.InternetSharing reads at launch. The remediation script writes that key back to 0 using defaults, which is the same path the Sharing pane takes when an admin unticks Internet Sharing in System Settings → General → Sharing.
The Worklet does not touch the bootpd or natd binaries, the firewall rules under pf, or the user-facing Wi-Fi service. It only flips the Enabled flag and exits, which keeps the change reversible and low-risk on managed Mac fleets.
A Mac running Internet Sharing is a rogue access point on your network. When a user enables Wi-Fi hotspot mode from the Sharing pane, the endpoint advertises an SSID, hands out DHCP leases on 192.168.2.0/24 via bootpd, and NATs traffic from any joined device out to the corporate LAN. That traffic bypasses the web filter, the EDR network sensor, and the firewall egress policy you applied to the Mac itself, because the joined devices appear to originate from the Mac’s IP. Endpoint logging sees one host where there are now five, and the joined devices are invisible to MDM and Automox.
CIS Benchmark control 2.4.4 (Disable Internet Sharing) maps directly to this remediation, which makes the Automox activity log useful as audit evidence for SOC 2, HIPAA, and PCI-DSS environments that inherit the CIS macOS baseline. The state check is idempotent, so repeat runs are cheap on hardened endpoints, and any Mac where a user re-enables Internet Sharing reverts at the next evaluation.
Evaluation phase: The Worklet runs defaults read /Library/Preferences/SystemConfiguration/com.apple.nat and greps for the Enabled key. If the returned value contains 1, the NAT gateway is active and the endpoint is flagged non-compliant. The check is read-only and safe to schedule at a high cadence, so a recurring policy can detect a user re-enabling the hotspot within one evaluation interval.
Remediation phase: When the evaluation reports Enabled = 1, the Worklet runs defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0 to overwrite the NAT dictionary with Enabled set to 0. The change applies on the next launch of com.apple.InternetSharing. If the NAT dictionary already reports Enabled = 0, the remediation script exits without writing, keeping the run idempotent and quiet in the activity log.
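As an added example (not the Worklet's own script), the evaluation and remediation steps above written out in Bash; the plist path and the NAT.Enabled key come from the page, while the sample defaults read output and the AirPort sub-dictionary in it are constructed:

```shell
#!/bin/bash
# Added example, not the Automox Worklet's own script: an evaluation and
# remediation pair built around the defaults commands described above.
# Assumes the plist path and NAT.Enabled key from the page; the sample
# `defaults read` output below is constructed for offline testing.

NAT_PLIST="/Library/Preferences/SystemConfiguration/com.apple.nat"

# Print the Enabled value that sits directly inside the NAT dictionary of
# `defaults read` output (old-style plist text). Brace depth is tracked so an
# Enabled key in a nested dictionary is not mistaken for the gateway flag.
nat_enabled_from_text() {
    printf '%s\n' "$1" | awk '
        /\{[[:space:]]*$/ { depth++ }
        depth == 2 && /^[[:space:]]*Enabled[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); sub(/;.*/, ""); found = $0; exit
        }
        /^[[:space:]]*\}/ { depth-- }
        END { if (found == "1") print 1; else print 0 }'
}

# Evaluation: return 0 when the endpoint is compliant (gateway off) and 1 when
# NAT.Enabled = 1, the same exit codes the audit guidance on this page uses.
evaluate_nat_text() {
    if [ "$(nat_enabled_from_text "$1")" -eq 1 ]; then
        echo "Non-compliant: Internet Sharing NAT gateway is enabled"
        return 1
    fi
    echo "Compliant: Internet Sharing is disabled"
    return 0
}

# Live wrappers: these need macOS and root and are not exercised offline.
evaluate() {
    local text
    text=$(defaults read "$NAT_PLIST" 2>/dev/null) || text=""
    evaluate_nat_text "$text"
}

remediate() {
    if evaluate; then return 0; fi   # already off: write nothing, stay quiet
    defaults write "$NAT_PLIST" NAT -dict Enabled -int 0
    echo "NAT.Enabled set to 0; applies on the next com.apple.InternetSharing launch"
}

# Constructed sample of `defaults read` output; $1 sets the NAT-level flag. The
# nested AirPort dictionary carries its own Enabled = 1 to show why the parser
# must stay at NAT depth instead of matching the first Enabled it sees.
sample_plist() {
    printf '{\n    NAT =     {\n        AirPort =         {\n            Enabled = 1;\n            NetworkName = "Example Hotspot";\n        };\n        Enabled = %s;\n        PrimaryInterface = en0;\n    };\n}\n' "$1"
}
```

Because defaults write with -dict replaces the value of the NAT key wholesale, any other keys stored under NAT are dropped along with the flag, which is the overwrite the remediation description above refers to.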
macOS endpoint running Big Sur, Monterey, Ventura, Sonoma, or Sequoia on Intel or Apple Silicon hardware
Root or admin privileges for the Automox agent so defaults can write to /Library/Preferences/SystemConfiguration/
No additional policy parameters; the Worklet is parameterless and idempotent
System Integrity Protection enabled on the endpoint (the default; the Worklet does not require SIP to be disabled)
Compatible with FixNow for immediate one-shot remediation when an incident response team needs to drop a rogue hotspot mid-shift
After the remediation runs, com.apple.nat reports Enabled = 0 and the System Settings → General → Sharing pane shows the Internet Sharing toggle in the off position. Devices currently joined to the Mac’s shared Wi-Fi network lose their DHCP lease the next time com.apple.InternetSharing restarts, and the rogue SSID stops broadcasting. The Mac’s own primary network connection is untouched, so the user keeps full internet access on their laptop without any reconfiguration.
Validate the change by running sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.nat and confirming the NAT dictionary shows Enabled = 0. For fleet-wide audit evidence, capture the evaluation exit code across the policy run (0 indicates the endpoint was already compliant, 1 indicates the evaluation flagged Internet Sharing as enabled and remediation was triggered) and archive it with the CIS Benchmark 2.4.4 control reference. Subsequent policy runs report the endpoint as compliant without applying remediation again, and any user who re-enables Internet Sharing through the Sharing pane is caught by the next evaluation cycle without manual intervention.