SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d5f9cc2463ac2ff1cfa10ddee05c943e97882d3
SilverMetal/macos/README.md
SysAdmin 7d5f9cc246 chore(scaffold): initial SilverMetal program scaffold 
Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00

1.7 KiB
Raw Blame History

SilverMetal macOS

Status: Phase 4 (planning, post-Windows v1)

Tier C-D — signed configuration profile + setup script + Stack ports. We cannot modify macOS; we configure everything Apple exposes.

Scope (v1)

  • Signed .mobileconfig profile that:
    • Enforces FileVault
    • Disables analytics, Siri uploads, advertising identifiers
    • Configures application firewall
    • Restricts iCloud to absolute minimum
    • Enables Lockdown Mode (per-user opt-in guidance)
  • Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.)
  • Stack ports for macOS (universal binaries, notarised, signed)
  • Setup guide for hardware-key 2FA, anti-forensics

Out of scope

  • Anything requiring kernel extension or system extension privileges beyond what Apple sanctions
  • Anything that disables SIP / Gatekeeper (we keep both ON)
  • Anything that requires bypassing Apple's signing chain

Directory layout

To be populated in Phase 4:

macos/
├── profile/         # .mobileconfig sources, signing
├── setup/           # idempotent setup script
├── stack-installer/ # native macOS Stack package builders (.pkg)
└── docs/            # setup guide, recommended apps

Verification gates

  • Profile signature verifies under Apple's signing chain
  • FileVault confirmed enabled post-install
  • Stack apps install via signed .pkg, run sandboxed where supported
  • Setup script idempotent (verified by re-run with no changes)

Upstream we depend on

  • Apple macOS — base, unmodified
  • macOS Privacy Guide / privacy.sexy — reference for hardening configs
  • Lockdown Mode — Apple-provided, documented and enabled
Reference in New Issue View Git Blame Copy Permalink