Disable Siri

What the Disable Siri Worklet does

This Automox Worklet™ disables Apple Siri and the related voice assistant features on macOS endpoints. The Worklet targets the primary Siri activation flag in the com.apple.assistant.support preference domain and then disables Hey Siri voice activation, lock-screen Siri access, and menu-bar visibility through the com.apple.Siri domain.

The Worklet iterates every account in /Users (skipping Shared and .localized) and rewrites each user's plist files under /Users/[username]/Library/Preferences/ so the disabled state applies per user rather than relying on a single global toggle.

When the change affects the currently logged-in console user, the Worklet sends killall -HUP cfprefsd and killall SystemUIServer so the new values take effect immediately and the menu-bar Siri icon disappears without a logout.

Why disable Apple Siri on managed Macs

Apple Siri is a voice service that transmits audio snippets, transcripts, and contextual signals to Apple servers for processing. On a managed workstation that handles regulated data, that transmission is an uncontrolled data path. Disabling Siri removes a continuous outbound channel that sits outside normal application allow-listing and proxy inspection.

CIS Benchmark for macOS section 2.4.x recommends turning Siri off on enterprise endpoints, and assessors operating under HIPAA, PCI-DSS, and SOC 2 commonly flag always-listening voice assistants as an unacceptable risk in workspaces where regulated data is discussed, displayed, or screen-shared. Lock-screen Siri also exposes calendar, contacts, and messaging surface area to anyone with physical access to the endpoint, even when the account is locked.

Disabling Siri also eliminates a class of accidental-disclosure incidents: Hey Siri triggers during conference calls, screen recordings that capture Siri overlays, and inadvertent dictation of customer data into Siri queries. Removing the menu-bar icon and the lock-screen entry point also stops nudging end users toward the service in the first place.

How Siri enforcement works on each endpoint

1. Evaluation phase: The Worklet lists every account under /Users, excludes Shared and .localized, then reads com.apple.assistant.support.plist 'Assistant Enabled' for each user. If any account returns 1, the script exits with code 1 and Automox queues remediation.

2. Remediation phase: For every account where 'Assistant Enabled' is 1, the Worklet runs defaults write /Users/<user>/Library/Preferences/com.apple.assistant.support.plist 'Assistant Enabled' -bool false and then inspects com.apple.Siri.plist for the LockscreenEnabled, StatusMenuVisible, and VoiceTriggerUserEnabled keys, writing each one to false when its current value is 1. When the affected account matches the value returned by stat -f %Su /dev/console, the Worklet calls killall -HUP cfprefsd and killall SystemUIServer so the change takes effect on the live session without a restart.

Siri policy requirements

• macOS endpoints with Siri support (macOS 10.12 Sierra or later, including Apple Silicon Macs)

• Automox agent installed and running with its default root execution context

• Ability to run sudo -u <username> defaults against each local user account

• Write access to /Users/[username]/Library/Preferences/com.apple.assistant.support.plist and com.apple.Siri.plist

• No conflicting MDM configuration profile that re-enables Siri (managed preferences override Worklet writes)

• FixNow compatible for immediate, on-demand enforcement against a target group

Expected Siri state after remediation

After remediation completes, Siri is disabled for every existing local user account on the endpoint. Hey Siri stops listening, the menu-bar Siri icon disappears, and the lock-screen Siri button no longer renders. Spotlight no longer surfaces Ask Siri as a result type.

You can validate the state with sudo -u <user> defaults read com.apple.assistant.support.plist 'Assistant Enabled' (expected value: 0) and sudo -u <user> defaults read com.apple.Siri.plist StatusMenuVisible (expected value: 0). The Worklet exits with code 0 on the next evaluation, and the endpoint reports compliant against CIS macOS 2.4.x Siri controls. The change persists across logouts and restarts until a user re-enables Siri in System Settings or an MDM profile overrides the preference.