# SilverMetal macOS

**Status**: Phase 4 (planning, post-Windows v1)

Tier C-D — signed configuration profile + setup script + Stack ports. We cannot modify macOS; we configure everything Apple exposes.

## Scope (v1)

- Signed `.mobileconfig` profile that:
  - Enforces FileVault
  - Disables analytics, Siri uploads, advertising identifiers
  - Configures the application firewall
  - Restricts iCloud to the absolute minimum
  - Enables Lockdown Mode (per-user opt-in guidance)
- Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.)
- Stack ports for macOS (universal binaries, notarised, signed)
- Setup guide for hardware-key 2FA, anti-forensics

## Out of scope

- Anything requiring kernel extension or system extension privileges beyond what Apple sanctions
- Anything that disables SIP / Gatekeeper (we keep both ON)
- Anything that requires bypassing Apple's signing chain

## Directory layout

To be populated in Phase 4:

```
macos/
├── profile/          # .mobileconfig sources, signing
├── setup/            # idempotent setup script
├── stack-installer/  # native macOS Stack package builders (.pkg)
└── docs/             # setup guide, recommended apps
```

## Verification gates

- Profile signature verifies under Apple's signing chain
- FileVault confirmed enabled post-install
- Stack apps install via signed `.pkg`, run sandboxed where supported
- Setup script idempotent (verified by re-run with no changes)

## Upstream we depend on

- **Apple macOS** — base, unmodified
- **macOS Privacy Guide / privacy.sexy** — reference for hardening configs
- **Lockdown Mode** — Apple-provided, documented and enabled
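As an added example (not the project's own setup script), the pattern below shows how the setup script can be made idempotent so the "re-run with no changes" gate is checkable, and how the FileVault gate can be asserted from `fdesetup status` output. It assumes a `defaults_cmd` wrapper around `defaults` (so a test can substitute a fake store) and uses constructed sample `defaults` entries, not the project's real hardening list.

```shell
#!/bin/sh
# Added example (not SilverMetal's script): idempotent "ensure" helper for the
# setup script plus gate checks parsed from tool output, so a re-run of the
# script reports zero changes and FileVault state can be asserted post-install.
# Assumption: defaults_cmd wraps `defaults`; tests may replace it with a fake.

defaults_cmd() { defaults "$@"; }

# Normalise a value for comparison; `defaults read` prints booleans as 1/0.
norm_value() {
    case "$1" in
        true|TRUE|yes|YES) printf '1\n' ;;
        false|FALSE|no|NO) printf '0\n' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# ensure_default DOMAIN KEY TYPE VALUE: write only when the stored value differs.
# Prints "changed" or "unchanged" so a re-run can be checked for zero changes.
ensure_default() {
    have=$(defaults_cmd read "$1" "$2" 2>/dev/null || true)
    if [ "$(norm_value "$have")" = "$(norm_value "$4")" ]; then
        printf 'unchanged %s %s\n' "$1" "$2"
        return 0
    fi
    defaults_cmd write "$1" "$2" "-$3" "$4"
    printf 'changed %s %s\n' "$1" "$2"
}

# Constructed sample entries (illustrative only, not the project's real list).
HARDENING_DEFAULTS='com.apple.Safari AutoFillPasswords bool false
com.apple.SubmitDiagInfo AutoSubmit bool false'

# apply_hardening: apply every entry and print how many keys actually changed.
# The idempotency gate is: first run > 0, second run == 0.
apply_hardening() {
    printf '%s\n' "$HARDENING_DEFAULTS" | while read -r d k t v; do
        ensure_default "$d" "$k" "$t" "$v"
    done | awk '/^changed/ { n++ } END { print n + 0 }'
}

# filevault_state OUTPUT: classify `fdesetup status` text as on/off/unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  printf 'on\n' ;;
        *"FileVault is Off"*) printf 'off\n' ;;
        *) printf 'unknown\n'; return 1 ;;
    esac
}

# FileVault gate for a real Mac: succeeds only when FileVault is on.
gate_filevault() { [ "$(filevault_state "$(fdesetup status)")" = on ]; }
```

Run `apply_hardening` twice from the setup script's self-check: the second count must be `0`, which is exactly the re-run gate listed above.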