SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d5f9cc2463ac2ff1cfa10ddee05c943e97882d3
SilverMetal/macos/README.md
SysAdmin 7d5f9cc246 chore(scaffold): initial SilverMetal program scaffold 
Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00

49 lines
1.7 KiB
Markdown
Raw Blame History

# SilverMetal macOS
**Status**: Phase 4 (planning, post-Windows v1)
Tier C-D — signed configuration profile + setup script + Stack ports. We cannot modify macOS; we configure everything Apple exposes.
## Scope (v1)
- Signed `.mobileconfig` profile that:
- Enforces FileVault
- Disables analytics, Siri uploads, advertising identifiers
- Configures application firewall
- Restricts iCloud to absolute minimum
- Enables Lockdown Mode (per-user opt-in guidance)
- Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.)
- Stack ports for macOS (universal binaries, notarised, signed)
- Setup guide for hardware-key 2FA, anti-forensics
## Out of scope
- Anything requiring kernel extension or system extension privileges beyond what Apple sanctions
- Anything that disables SIP / Gatekeeper (we keep both ON)
- Anything that requires bypassing Apple's signing chain
## Directory layout
To be populated in Phase 4:
```
macos/
├── profile/ # .mobileconfig sources, signing
├── setup/ # idempotent setup script
├── stack-installer/ # native macOS Stack package builders (.pkg)
└── docs/ # setup guide, recommended apps
```
## Verification gates
- Profile signature verifies under Apple's signing chain
- FileVault confirmed enabled post-install
- Stack apps install via signed `.pkg`, run sandboxed where supported
- Setup script idempotent (verified by re-run with no changes)
## Upstream we depend on
- **Apple macOS** — base, unmodified
- **macOS Privacy Guide / privacy.sexy** — reference for hardening configs
- **Lockdown Mode** — Apple-provided, documented and enabled
Reference in New Issue View Git Blame Copy Permalink