Turn on Filename Extensions

Reveal hidden file extensions in macOS Finder to block extension spoofing and disguised malware payloads

Worklet Details

What the Finder extension visibility Worklet does

This Automox Worklet™ reveals filename extensions in the macOS Finder application on every local user account on the endpoint. By default, Finder hides the trailing extension on most files, so a file named report.pdf.dmg renders to the user as report.pdf with a PDF-style icon. The Worklet flips the AppleShowAllExtensions preference to true so the real extension is always visible at the point of click.

The remediation writes AppleShowAllExtensions to true directly in each user's .GlobalPreferences.plist at /Users/<name>/Library/Preferences/ using sudo -u <user> defaults write /Users/<name>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true. Writing to each user's plist covers every existing account on the endpoint whose preferences have already been initialized.

Once the preferences are written, the Worklet executes killall Finder against the active console session so the running Finder process restarts and picks up the new setting immediately. Users do not need to log out, reboot, or close any windows. On subsequent policy runs, the evaluation phase reads the plist values back, finds them already set to true, and reports the endpoint as compliant without re-running remediation.

Why reveal file extensions on macOS endpoints

Hidden file extensions are one of the oldest deception primitives on macOS, and they still work. An attacker drops a file named invoice.pdf.dmg, contract.docx.app, or update.mp3.command into a phishing email or a watering-hole download. Finder strips the trailing .dmg, .app, or .command and shows the user invoice.pdf with the PDF icon. The user double-clicks expecting a document, and the disk image, app bundle, or shell payload runs instead. The same trick lands signed dropper bundles, Mach-O binaries renamed to look like media files, and AppleScript .scpt droppers that masquerade as text. Gatekeeper and XProtect catch some of these, but extension spoofing closes the human-decision loop before any signature check fires.
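A defender-side check for the naming pattern described above, added here as an example and not part of the Worklet. The launchable extensions are the ones this page names; pdf, docx and mp3 come from the page's examples, and the remaining decoy extensions are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Worklet: flag names whose final extension is a
# launchable type while the extension before it imitates a document or media file.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 when the name matches the spoofing pattern, 1 otherwise.
is_spoofed_name() {
    path=${1%/}                               # .app bundles are directories
    name=${path##*/}
    stem=${name%.*}
    [ "$stem" != "$name" ] || return 1        # no extension at all
    inner=${stem##*.}
    [ "$inner" != "$stem" ] || return 1       # single extension: nothing hidden
    # Final extensions named on this page as the real payload type.
    case "$(lower "${name##*.}")" in
        dmg|app|command|scpt|pkg) ;;
        *) return 1 ;;
    esac
    # Decoys: pdf, docx and mp3 come from the page; the rest are assumptions.
    case "$(lower "$inner")" in
        pdf|docx|mp3|doc|xlsx|txt|jpg|png) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every entry directly inside a directory that matches the pattern.
scan_dir() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        if is_spoofed_name "$entry"; then printf '%s\n' "$entry"; fi
    done
    return 0
}

# Usage on a Mac: scan_dir "$HOME/Downloads"
```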

Enabling AppleShowAllExtensions on one Mac is a five-second defaults command. Enforcing it on a thousand machines, including the contractor laptop that joined last week, the lab Mac that gets re-imaged every Friday, and the marketing iMac that nobody has remoted into in months, is what this Worklet automates. The remediation walks every user home directory, writes the preference to each .GlobalPreferences.plist, and bumps NSGlobalDomain so new accounts inherit the safe default. The next phishing email that lands a report.pdf.dmg payload on any of those endpoints reveals the trailing .dmg before the user double-clicks.

How the Finder extension Worklet works

  1. Evaluation phase: The Worklet enumerates the /Users/ directory for valid local user home folders, then reads the AppleShowAllExtensions key from each user's Library/Preferences/.GlobalPreferences.plist using the defaults read command. It also checks the NSGlobalDomain value for the root context. If any user account or the global domain returns 0, false, or an unset value, the endpoint is flagged non-compliant and remediation is scheduled. Output for each user is captured so the policy log shows which accounts were drift sources.

  2. Remediation phase: The Worklet runs sudo defaults write NSGlobalDomain AppleShowAllExtensions -bool true to set the global default for any new accounts. It then loops through every user home directory and runs sudo -u <user> defaults write NSGlobalDomain AppleShowAllExtensions -bool true so each existing account writes its own .GlobalPreferences.plist. After the writes complete, the Worklet identifies the active console user with stat -f "%Su" /dev/console and executes killall Finder under that user's session so Finder relaunches with the new setting. The script exits 0 on success or non-zero with a stderr message if a write fails.
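The evaluation and remediation phases above, written out as an added example (not Automox's Worklet source), using the plist-path form of the defaults command shown earlier on this page. USERS_ROOT, the function names, skipping the Shared and Guest folders, and running killall Finder through sudo -u are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Automox's Worklet source. USERS_ROOT is an assumption so
# the logic can be pointed at a test tree; on a real Mac it stays /Users.
USERS_ROOT="${USERS_ROOT:-/Users}"
KEY=AppleShowAllExtensions

# Only 1/true/YES count as enabled; 0, false and an unset key (empty) are drift.
ext_value_ok() {
    case "$1" in 1|true|TRUE|YES) return 0 ;; *) return 1 ;; esac
}

# Read KEY from a plist path or from NSGlobalDomain; empty output means unset.
read_pref() { defaults read "$1" "$KEY" 2>/dev/null || true; }

# Print accounts whose preferences folder exists (initialized accounts).
# Skipping Shared and Guest is an assumption of this example.
list_users() {
    for home in "$USERS_ROOT"/*; do
        [ -d "$home/Library/Preferences" ] || continue
        case "${home##*/}" in Shared|Guest) continue ;; esac
        printf '%s\n' "${home##*/}"
    done
}

# Evaluation: one line per drift source, exit status 1 if anything drifted.
evaluate() {
    rc=0
    ext_value_ok "$(read_pref NSGlobalDomain)" || { echo "DRIFT NSGlobalDomain"; rc=1; }
    for user in $(list_users); do
        plist="$USERS_ROOT/$user/Library/Preferences/.GlobalPreferences.plist"
        ext_value_ok "$(read_pref "$plist")" || { echo "DRIFT $user"; rc=1; }
    done
    return "$rc"
}

# Remediation: skipped when compliant; otherwise write the global default and
# every account's plist, then restart Finder for the console user.
remediate() {
    evaluate >/dev/null && return 0
    defaults write NSGlobalDomain "$KEY" -bool true || return 1
    for user in $(list_users); do
        plist="$USERS_ROOT/$user/Library/Preferences/.GlobalPreferences.plist"
        sudo -u "$user" defaults write "$plist" "$KEY" -bool true \
            || { echo "write failed for $user" >&2; return 1; }
    done
    console_user=$(stat -f "%Su" /dev/console)
    [ "$console_user" = root ] || sudo -u "$console_user" killall Finder || true
}
```

Run as root, `evaluate` alone gives a read-only drift report; `remediate` is the step that changes state.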

Finder extension policy requirements

  • macOS 10.12 Sierra or later, including macOS 14 Sonoma and macOS 15 Sequoia (Intel and Apple Silicon)

  • Automox agent running with root privileges, which is the default agent context

  • Read and write access to each user's Library/Preferences/.GlobalPreferences.plist; FileVault-encrypted home directories must be unlocked, which is true once the user has logged in at least once

  • Endpoint type set to Workstation or Server in the Automox console policy

  • No MDM configuration profile pinning AppleShowAllExtensions to false; an MDM-enforced false value will override the defaults write and the endpoint will re-flag on the next evaluation

Expected Finder behavior after remediation

After the Worklet completes, every Finder window on the endpoint displays the full filename for every file regardless of file type. A file named installer.dmg shows as installer.dmg, an AppleScript file named cleanup.scpt shows the .scpt suffix, and a renamed Mach-O binary like report.pdf.app shows the trailing .app that betrays the deception. Validate by opening any folder containing mixed file types in Finder and confirming extensions like .pdf, .dmg, .app, .pkg, .command, .scpt, and .zip are all visible. Users can still hide an extension on a single file through File > Get Info > Hide extension, but the global default no longer hides them.

To validate at the shell, run defaults read NSGlobalDomain AppleShowAllExtensions and confirm the value returns 1. Repeat the read for each user with sudo -u <user> defaults read NSGlobalDomain AppleShowAllExtensions; every user should return 1. The Automox activity log records exit code 0 and the names of any user accounts that required a write during this run. Subsequent policy runs hit the evaluation phase only, log the endpoint as compliant, and skip remediation. If a user reverts the setting through System Settings or by editing their plist, the next evaluation will catch the drift and the Worklet will re-enforce visibility on the following policy run.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
