MacOS
View all Worklets
MacOSmacOS

Disable Media Sharing

Disable Apple Home Sharing on Mac endpoints to stop them from serving music and video on the local network

Worklet Details

What the Mac home sharing disabler does

This Automox Worklet™ disables Apple Home Sharing on every local user account on a Mac endpoint. Home Sharing is the macOS feature that lets other Apple devices on the same network stream music, movies, TV shows, and other content out of an endpoint's Music or iTunes library. When it is on, the endpoint advertises itself as a media server and accepts inbound connections from anyone authenticated to the same Apple ID.

The Worklet walks /Users, skipping Shared and .localized, and checks each user's ~/Library/Preferences/com.apple.amp.mediasharingd.plist for the home-sharing-enabled key. If any user has the key set to 1, the endpoint is flagged for remediation. The remediation script then runs defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0 as that user, wipes the home-sharing-user-id and home-sharing-user-name entries from home-sharing-settings, and calls killall mediasharingd so the daemon reloads with the new preference.

Because evaluation and remediation both iterate per user, the policy works correctly on shared workstations, kiosk Macs, and lab machines where multiple Apple IDs have signed in over time. Users who never opened Music or iTunes have no plist file and are skipped silently, so the same policy applies cleanly to mixed populations of user-facing and server Macs.

Why disable Home Sharing on managed Mac fleets

Home Sharing was designed for a household. It assumes the local network is trusted and that anyone signed into the same Apple ID should be able to read your library. Those assumptions do not hold on a corporate LAN, a coworking floor, or a coffee-shop Wi-Fi. A mediasharingd process running on a managed Mac advertises an inbound service on the local network and exposes the user's media library to anyone who can authenticate against the linked Apple ID.

home-sharing-enabled flips back on in two predictable ways: a user restores from a personal Time Machine backup and inherits the previous Home Sharing state, or a user signs into a personal Apple ID in Music and re-enables the toggle. This Worklet writes home-sharing-enabled to 0 in every user-scoped com.apple.amp.mediasharingd plist on each Mac in scope, blanks the linked Apple ID fields, and terminates the running mediasharingd process. Subsequent policy runs evaluate cleanly because the preference is already 0 for every user on the endpoint.

How Mac Home Sharing remediation works

  1. Evaluation phase: The Worklet lists /Users and filters out Shared and .localized entries. For each remaining account, it checks for /Users/<user>/Library/Preferences/com.apple.amp.mediasharingd.plist. If the file exists, it runs sudo -u <user> defaults read com.apple.amp.mediasharingd home-sharing-enabled. A return value of 1 prints "Media sharing appears to be enabled for user <user>. Moving to remediation." and exits 1, which Automox interprets as non-compliant. Missing plists and 0 values exit 0.

  2. Remediation phase: The remediation script repeats the user enumeration. For any account with home-sharing-enabled set to 1, it runs three defaults write commands as that user via sudo -u. First, home-sharing-enabled is written as -int 0. Then home-sharing-user-id and home-sharing-user-name inside the home-sharing-settings dictionary are blanked with -dict-add (-int "" and -string "" respectively). The script then calls killall mediasharingd to terminate the running daemon so the next launch reads the disabled preference from disk.

Mac Home Sharing remediation requirements

  • macOS endpoint with at least one local user account; the Automox agent runs as root and uses sudo -u to write each user's preferences

  • Full Disk Access for the Automox agent, so defaults read and defaults write succeed against per-user preference plists in ~/Library/Preferences/

  • Bash is available at /bin/bash (the default on every supported macOS release)

  • No parameters to configure on the policy; the Worklet targets the system-wide com.apple.amp.mediasharingd domain

  • Pair with a separate Worklet or MDM profile that blocks users from re-enabling Home Sharing in System Settings if your policy requires hard enforcement rather than periodic re-check

Expected state after Home Sharing is disabled

After remediation, each affected user's com.apple.amp.mediasharingd.plist contains home-sharing-enabled set to 0, with home-sharing-user-id and home-sharing-user-name inside home-sharing-settings blanked out. The mediasharingd process is terminated by killall. When the daemon is next launched, it reads the disabled preference and does not start the Home Sharing service. The Mac no longer appears as a shared library on other Apple devices signed into the same Apple ID on the local network.

Validate by opening System Settings > General > Sharing and confirming the Media Sharing toggle is off for the signed-in user. From a second device on the same network, open Music and check the sidebar; the remediated endpoint should not appear under Library. From the command line, run sudo -u <user> defaults read com.apple.amp.mediasharingd home-sharing-enabled and confirm the value is 0 for each user with the plist. Subsequent Automox policy runs report the endpoint as compliant without re-running remediation because the evaluation phase finds home-sharing-enabled set to 0 for every user with the preference file.

View in app
evalutation image
remediation image

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.

do more with worklets