# SilverMetal Enhanced — macOS

**Status**: Phase 3M (planning, post-Linux v1)

🛑 **SilverMetal Enhanced product line** — we harden macOS in place. Apple's signed boot chain prevents an OS replacement.

Tier C-D — signed configuration profile + setup script + Stack ports. We configure everything Apple exposes.

## Scope (v1)

- Signed `.mobileconfig` profile that:
  - Enforces FileVault
  - Disables analytics, Siri uploads, advertising identifiers
  - Configures application firewall
  - Restricts iCloud to absolute minimum
  - Enables Lockdown Mode (per-user opt-in guidance)
- Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.)
- Stack ports for macOS (universal binaries, notarised, signed)
- SilverVPN MAUI macOS client from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
- Setup guide for hardware-key 2FA, anti-forensics

## Out of scope

- Anything requiring kernel extension or system extension privileges beyond what Apple sanctions
- Anything that disables SIP / Gatekeeper (we keep both ON)
- Anything that requires bypassing Apple's signing chain

## Directory layout

To be populated in Phase 3M:

```
macos/
├── profile/          # .mobileconfig sources, signing
├── setup/            # idempotent setup script
├── stack-installer/  # native macOS Stack package builders (.pkg)
└── docs/             # setup guide, recommended apps
```

## Verification gates

- Profile signature verifies under Apple's signing chain
- FileVault confirmed enabled post-install
- Stack apps install via signed `.pkg`, run sandboxed where supported
- Setup script idempotent (verified by re-run with no changes)

## Upstream we depend on

- **Apple macOS** — base, unmodified
- **macOS Privacy Guide / privacy.sexy** — reference for hardening configs
- **Lockdown Mode** — Apple-provided, documented and enabled
- **`SilverLABS/SilverVPN`** — MAUI macOS client (existing)
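
The FileVault and idempotency gates under "Verification gates", together with the "SIP / Gatekeeper stay ON" rule, can be checked mechanically after install. The script below is an added example, not SilverMetal project code: the function names and the two commands passed to `gate_idempotent` are hypothetical, and the matched strings are the status lines that `fdesetup`, `csrutil` and `spctl` print on current macOS.

```shell
#!/bin/sh
# Added example (not SilverMetal code). Each parser reads a tool's output on
# stdin, so it can be exercised with constructed samples on any host.

# `fdesetup status` prints "FileVault is On." when enabled. Treating any
# "in progress" line as not yet passing is this example's conservative choice.
gate_filevault() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^FileVault is On\.' &&
        ! printf '%s\n' "$out" | grep -q 'in progress'
}

# `csrutil status` prints "System Integrity Protection status: enabled."
gate_sip() { grep -q 'System Integrity Protection status: enabled'; }

# `spctl --status` prints "assessments enabled" while Gatekeeper is on.
gate_gatekeeper() { grep -q '^assessments enabled'; }

# Idempotency gate. $1 = setup command, $2 = command that dumps the state the
# script manages (both hypothetical). Converge once, snapshot, re-run, compare.
gate_idempotent() {
    sh -c "$1" >/dev/null 2>&1 || return 2
    before=$(sh -c "$2") || return 2
    sh -c "$1" >/dev/null 2>&1 || return 2
    after=$(sh -c "$2") || return 2
    [ "$before" = "$after" ]
}

# Run every gate on a real Mac; returns non-zero if any gate fails.
run_gates() {
    rc=0
    fdesetup status 2>/dev/null | gate_filevault || { echo "FAIL: FileVault"; rc=1; }
    csrutil status 2>/dev/null | gate_sip || { echo "FAIL: SIP"; rc=1; }
    spctl --status 2>&1 | gate_gatekeeper || { echo "FAIL: Gatekeeper"; rc=1; }
    gate_idempotent "$1" "$2" || { echo "FAIL: setup not idempotent"; rc=1; }
    return "$rc"
}

# Usage: sh gates.sh --run '<setup command>' '<state dump command>'
if [ "${1:-}" = "--run" ]; then run_gates "$2" "$3"; fi
```

The state dump command should cover everything the setup script writes; a re-run that only touches state outside the dump will pass this gate unnoticed.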