Turn on Filename Extensions

What the filename extension enabler does

This Automox Worklet™ enables the display of filename extensions in the Finder application across all user accounts on macOS endpoints. By default, macOS hides file extensions from users, which can allow attackers to disguise malicious executables with misleading filenames.

The Worklet modifies the AppleShowAllExtensions setting in each user's Finder preferences, writing to the.GlobalPreferences.plist file. This maintains that all file extensions are visible by default, allowing users to identify the actual file type before opening or executing any file.

For users currently logged in when the Worklet runs, the Worklet restarts Finder to apply the changes immediately without requiring a logout or restart.

Why show filename extensions on macOS

File extension visibility is a critical security control for endpoint protection. Hiding extensions allows attackers to disguise malicious files by giving them misleading names. For example, an attacker could name a malware executable "document.pdf.exe" but configure Finder to hide the.exe extension, making users believe they are opening a PDF document when they are actually executing malware.

By enabling filename extensions across your endpoints, you help your users quickly identify file types and make informed decisions about whether to open files. This defense-in-depth measure reduces the likelihood of users accidentally executing malicious code through social engineering attacks.

How filename extension enforcement works

1. Evaluation phase: The Worklet checks each user account on the endpoint by reading the AppleShowAllExtensions value from each user's.GlobalPreferences.plist file in the Library/Preferences directory. If any user account does not have this setting enabled, the Worklet proceeds to remediation.

2. Remediation phase: The Worklet uses the defaults command to write the AppleShowAllExtensions preference set to true for each user account that requires the change. For the currently logged-in user, the Worklet restarts the Finder process to apply the changes immediately without requiring the user to log out.

Filename extension requirement

• macOS 10.12 (Sierra) or later

• Administrative privileges to execute the Worklet and modify user preferences

• Access to each user's Library/Preferences directory structure

• Workstation or server endpoint type

Expected Finder behavior after remediation

After the Worklet completes, all users on the endpoint will see filename extensions displayed by default in Finder. This includes common extensions like .pdf, .exe, .doc, .dmg, and others. Verify by opening Finder and confirming files display their extensions (e.g., "document.pdf" instead of just "document"). Users can still manually hide extensions for specific files using File > Get Info, but the default behavior will now show extensions.

For the currently logged-in user, Finder will restart automatically, and the change takes effect immediately. For other user accounts, the setting is applied and will take effect the next time that user logs in. On subsequent Worklet runs, the evaluation phase will pass if all users have the setting enabled, and no remediation actions will be performed.

How to validate turn on filename extensions changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for turn on filename extensions.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as sudo, killall, else, then rerun evaluation for compliance.