Enable/Disable Location Services

What the location services configuration Worklet does

This Automox Worklet™ manages location services on macOS endpoints by reading your preferred configuration state and adjusting the system accordingly. The Worklet queries the current location services status through the locationd preference database and compares it against your defined preference setting.

The Worklet uses the locPref variable to control location services state, defaulting to enabled. It applies settings across both the system-level location services configuration and the hardware-UUID-specific configuration to maintain consistent behavior across all user sessions and system services that depend on location data.

Supported on both macOS workstations and servers, this Worklet respects existing endpoint configurations and only takes action when the current state differs from your preference.

Why control location service access

Applications with location service access can track where your macOS endpoints are physically located. For mobile endpoints and laptops used by remote workers, this location data reveals employee movements, home addresses, and travel patterns. Malicious applications or compromised software can exfiltrate this sensitive location information to attackers.

Organizations with privacy requirements need granular control over location services. Some environments require location services completely disabled for security reasons, while others need them enabled for specific applications like endpoint tracking or time zone management. This Worklet provides the flexibility to configure location services according to your organization's security policy.

Location data creates compliance risks under GDPR and other privacy regulations that require organizations to protect personal information. Disabling location services when not operationally necessary reduces your organization's exposure to privacy compliance violations and data breach risks.

How location services configuration works

1. Evaluation phase: The Worklet queries the current location services state from the locationd preference database at /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd by reading the LocationServicesEnabled value. If the current state matches your configured preference, the Worklet exits with no action needed.

2. Remediation phase: If the current state differs from the preference, the Worklet writes the new configuration using the defaults command. It updates both the system-level LocationServicesEnabled setting and the hardware-UUID-specific setting to maintain the location services state is consistently applied across all processes and user sessions.

Location services configuration requirements

• macOS 10.12 or later

• Root or administrator privileges to modify locationd preferences

• Access to defaults command and system preference database

• Optional: Configure locPref variable to 'enabled' or 'disabled' based on your preference (default is 'enabled')

Expected location service behavior

After remediation, location services are either fully enabled or disabled based on your configuration choice. When disabled, all applications lose access to location data and cannot determine the endpoint's physical location. When enabled, location services function according to macOS privacy settings and per-application permissions.

The Worklet confirms the configuration change through its evaluation check. You can verify location services status by checking System Preferences under Security and Privacy or reviewing Worklet execution results in the Automox console.

How to validate enable/disable location services changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for enable/disable location services.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as elif, function, eval, then rerun evaluation for compliance.