SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a0075ce66ed83893d8542424fb074ff213b2b68
SilverMetal/macos/README.md
SysAdmin 0a0075ce66 docs(naming): adopt OS / Enhanced product-line framing + align with existing repos 
Two product lines, named to make scope obvious to buyers:
- 🔒 SilverMetal OS — we ship the operating system or ROM
  (Linux, Pixel, Samsung-unlocked, Motorola-unlocked)
- 🛡️ SilverMetal Enhanced — we harden the OS the device already runs
  (Windows, macOS, iOS, generic Android)

Repo alignment:
- SilverVPN already exists as a SilverLABS product (server + MAUI client +
  Linux client + tunnel service). stack/vpn/ is now an integration pointer
  rather than a re-scaffold; per-platform READMEs reference it.
- SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it.
  Migration step added as roadmap milestone 3I.1.
- SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL
  AppStore Android client, not an Android ROM).
- SilverChat may overlap with SilverVPN.Client.Chat; alignment decision
  added as roadmap milestone 1.1.1.

Roadmap restructured: phases now track the OS/Enhanced split.
Platform matrix re-sectioned and decision flowchart updated.
README rewritten around the two-product-line framing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:30:45 +01:00

53 lines
1.9 KiB
Markdown
Raw Blame History

# SilverMetal Enhanced — macOS
**Status**: Phase 3M (planning, post-Linux v1)
🛡️ **SilverMetal Enhanced product line** — we harden macOS in place. Apple's signed boot chain prevents an OS replacement.
Tier C-D — signed configuration profile + setup script + Stack ports. We configure everything Apple exposes.
## Scope (v1)
- Signed `.mobileconfig` profile that:
- Enforces FileVault
- Disables analytics, Siri uploads, advertising identifiers
- Configures application firewall
- Restricts iCloud to absolute minimum
- Enables Lockdown Mode (per-user opt-in guidance)
- Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.)
- Stack ports for macOS (universal binaries, notarised, signed)
- SilverVPN MAUI macOS client from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
- Setup guide for hardware-key 2FA, anti-forensics
## Out of scope
- Anything requiring kernel extension or system extension privileges beyond what Apple sanctions
- Anything that disables SIP / Gatekeeper (we keep both ON)
- Anything that requires bypassing Apple's signing chain
## Directory layout
To be populated in Phase 3M:
```
macos/
├── profile/ # .mobileconfig sources, signing
├── setup/ # idempotent setup script
├── stack-installer/ # native macOS Stack package builders (.pkg)
└── docs/ # setup guide, recommended apps
```
## Verification gates
- Profile signature verifies under Apple's signing chain
- FileVault confirmed enabled post-install
- Stack apps install via signed `.pkg`, run sandboxed where supported
- Setup script idempotent (verified by re-run with no changes)
## Upstream we depend on
- **Apple macOS** — base, unmodified
- **macOS Privacy Guide / privacy.sexy** — reference for hardening configs
- **Lockdown Mode** — Apple-provided, documented and enabled
- **`SilverLABS/SilverVPN`** — MAUI macOS client (existing)
Reference in New Issue View Git Blame Copy Permalink