Apple tracking - ok-john
On MacOS
Your Mac holds tons of uniquely identifying information, most of which is used to track you for "targeted advertising."
A solid amount of the UII used to target your device's lives under the plist defaults, this article will show you how to find, scrub and block the surveillance.
Honorable mentions
Before we move on, there are a few honorable mentions that aren't in the defaults, but are worth bringing up for their absurdity.
Each one of these warrants an entire article, but I'm just going
to quickly drop them here for you to do your own digging‚ perhaps
I will follow up on some of these in the future.
1. networkextension.tracker-info
$ strings /private/var/db/com.apple.networkextension.tracker-info
2. Knowledge
$ sqlite3 ~/Library/Application\ Support/Knowledge/knowledgeC.db
sqlite> .show
sqlite> .dump
3. Biome
$ ls /private/var/db/biome/
You can find out a bit about the running process by:
- Find the daemon process id:
$ launchctl list | grep biome
> 14115 -9 com.apple.biomesyncd
or
$ pgrep biome
> 12643
> 14115
- Then show their usage of file descriptors:
$ lsof -p 14115
biomesync 14115 cwd DIR 1,17 640 2 /
biomesync 14115 txt REG 1,17 1199728 1152921500312425134 /usr/libexec/biomesyncd
biomesync 14115 txt REG 1,17 51388 2605432 /Library/Preferences/Logging/.plist-cache.OpZUTkew
biomesync 14115 txt REG 1,17 32768 288642 /Users/cat/Library/Biome/sync/sync.db-shm
biomesync 14115 0r CHR 3,2 0t0 340 /dev/null
biomesync 14115 1u CHR 3,2 0t0 340 /dev/null
biomesync 14115 2u CHR 3,2 0t0 340 /dev/null
biomesync 14115 3u REG 1,17 131072 288639 /Users/cat/Library/Biome/sync/sync.db
biomesync 14115 4u REG 1,17 700432 288641 /Users/cat/Library/Biome/sync/sync.db-wal
biomesync 14115 5u REG 1,17 32768 288642 /Users/cat/Library/Biome/sync/sync.db-shm
Okay, now onto defaults.
Defaults
What are they
Seemingly harmless and hidden from most users view, defaults are plist formatted stores of arbitrary data that are pervasive and persistent. Defaults are organized by domains, which is a domain string identifier for a given store of data.
Defaults are specific to your user's namespace, so root will have an entirely different set of defaults in comparison to your user. Look at these values from both user perspectives.
User defaults belong to domains, which typically correspond to individual applications and follow the syntax of.
[tld].[company].[application]
For example, the app store lives under the domain:
com.apple.AppStore
Each domain has a dictionary of keys and values representing its defaults; for example, the App Store domain looks like:
$ defaults read com.apple.AppStore
{
ASAcknowledgedOnboardingVersion = 5;
ASKIncomingDeepLinks = (
{
refApp = "com.apple.finder";
refKind = unspecified;
}
);
AutoPlayVideoSetting = on;
UserSetAutoPlayVideoSetting = 0;
lastBootstrapTimeZone = "UTC";
}
Viewing all defaults and domains
If you want to view ALL your defaults, you can run:
$ defaults read
And if you want to view all of your domains run:
$ defaults domains
Quality of life defaults
On a side note, this is a list of Quality of Life defaults that I set on any mac.
sudo defaults write com.apple.desktopservices DSDontWriteNetworkStores true
defaults write com.apple.screencapture "disable-shadow" -bool "true"
defaults write com.apple.screencapture "include-date" -bool "false"
defaults write com.apple.screencapture "location" -string "$(MACOS_MEDIA_PATHDIR)" && killall SystemUIServer
defaults write com.apple.finder "AppleShowAllFiles" -bool "true" && killall Finder
defaults write com.apple.finder "ShowPathbar" -bool "true" && killall Finder
defaults write com.apple.finder "FXPreferredViewStyle" -string "Nlsv" && killall Finder
defaults write com.apple.finder "FXDefaultSearchScope" -string "SCcf" && killall Finder
defaults write NSGlobalDomain "NSDocumentSaveNewDocumentsToCloud" -bool "false"
defaults write com.apple.dock "mru-spaces" -bool "false" && killall Dock
defaults write com.apple.appleseed.FeedbackAssistant "Autogather" -bool "false"
defaults write com.apple.dock "orientation" -string "right" && killall Dock
defaults write com.apple.dock "autohide" -bool "true" && killall Dock
defaults write com.apple.dock "autohide-time-modifier" -float "0.1" && killall Dock
Apple servers
Before we look at the more concerning aspects of defaults, and how
you can scrub this data (automatically, regularly) to keep yourself
from being aggresively tracked by apple (and others), let's talk about
where this data is going - for the most part.
init.push.apple.com
mesu.apple.com
gateway.icloud.com
mask-api.icloud.com
api.apple-cloudkit.com
configuration.ls.apple.com
init.itunes.apple.com
bag.itunes.apple.com
weather-data.apple.com
fbs.smoot.apple.com
gdmf.apple.com
guzzoni.apple.com
xp.apple.com
swscan.apple.com
appleid.apple.com
swallow.apple.com
gspe35-ssl.ls.apple.com
init-p01md.apple.com
init.ess.apple.com
iadsdk.apple.com
gsa.apple.com
captive.apple.com
weather-edge.apple.com
pds-init.ess.apple.com
caldav.icloud.com
humb.apple.com
valid.apple.com
Blocking network traffic
There are more domains, but these are some of the top consumers of your private and
identifiable information stored in the defaults, I highly suggested you run some
form of a firewall, and block these domains. If you don't have that option, I will
show you an easy way to block traffic to those domains, it's a classic solution
that's been around for ages: /etc/hosts. If you're rolling your eyes right now just skip
this section.
/etc/hosts, by no means is a correct/proffesional solution to this problem, is a
far better than nothing and immediately actionable way to mitigate network traffic
to a particular host.
How does it work? Simple, it lets you define the IP address that is associated
with any domain name, overriding (in some/most cases) the IP addresss that is
stored in the global domain name system. Confused? take a look
$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost
Here is my etc hosts file, it's mapping the private domain localhost to my loop
back interface on addres 127.0.0.1, that means this:
$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.039 ms
Is the exact same thing as this:
$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.039 ms
Well not the exact same thing, but close enough for this discussion, now
why is this relevant? Well, we can take a domain like mesu.apple.com which
has the following DNS records:
$ dig +noall +answer +multiline +all mesu.apple.com
mesu.apple.com. 1272 IN CNAME mesu-cdn.apple.com.akadns.net.
mesu-cdn.apple.com.akadns.net. 180 IN CNAME mesu-cdn.origin-apple.com.akadns.net.
mesu-cdn.origin-apple.com.akadns.net. 60 IN CNAME mesu.g.aaplimg.com.
mesu.g.aaplimg.com. 30 IN A 17.253.21.202
mesu.g.aaplimg.com. 30 IN A 17.253.21.204
And we can kinda just use /etc/hosts to go haha, yeah no." Pick an IP in the private subnet ranges (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/16)
I'll pick 10.10.0.0.
$ vim /etc/hosts
10.10.0.0 mesu.apple.com
10.10.0.0 mesu-cdn.apple.com.akadns.net
10.10.0.0 mesu-cdn.origin-apple.com.akadns.net
10.10.0.0 mesu-cdn.origin-apple.com.akadns.net
10.10.0.0 mesu.g.aaplimg.com
Now, let's try to talk to mesu.apple.com now
$ ping mesu.apple.com
PING mesu.apple.com (10.10.0.0) 56(84) bytes of data.
--- mesu.apple.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4085ms
So we know where the data is going (for the most part) and how to block it, but
you can't always restrict access to everything that might potentially leak this
identifying information, perfectly, forever. Thinking you can do so is silly,
a more realistic solution is to both block access to the domains collecting this
info and to scrub the info regularly from your device to prevent and accidental
leaks from exposing sensitive identifying information.
Here are a handful of domains that contain information you may want to wipe.
Spoofing UUIDs
Okay, there are tons of domains which hold sensitive information. I'm going to
use one example here and then provide you a few more domains to check out,
but to do a complete job here, you need to look through all defaults.
Let's find some UUIDs, this will get all UUID strings
$ defaults read | grep -E '[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'
"__BaseURL" = "https://updates.cdn-apple.com/2022/mobileassets/012-35363/00000000-0000-0000-0000-000000000000/";
"00000000-0000-0000-0000-000000000000" = (
"00000000-0000-0000-0000-000000000000",
currentNote = "00000000-0000-0000-0000-000000000000";
"00000000-0000-0000-0000-000000000000.1373801" = {
"00000000-0000-0000-0000-000000000000.1393948" = {
"00000000-0000-0000-0000-000000000000.1712177" = {
"00000000-0000-0000-0000-000000000000.1712185" = {
"00000000-0000-0000-0000-000000000000.1718035" = {
"00000000-0000-0000-0000-000000000000.1731090" = {
"00000000-0000-0000-0000-000000000000.1844564" = {
"00000000-0000-0000-0000-000000000000.2573495" = {
"00000000-0000-0000-0000-000000000000.2718273" = {
"00000000-0000-0000-0000-000000000000.2718320" = {
"00000000-0000-0000-0000-000000000000.2718324" = {
"00000000-0000-0000-0000-000000000000.2718345" = {
"00000000-0000-0000-0000-000000000000.2718437" = {
"00000000-0000-0000-0000-000000000000.2718495" = {
"00000000-0000-0000-0000-000000000000.2718536" = {
"00000000-0000-0000-0000-000000000000.2718543" = {
"00000000-0000-0000-0000-000000000000.2718571" = {
"00000000-0000-0000-0000-000000000000.2718598" = {
"00000000-0000-0000-0000-000000000000.2722475" = {
"00000000-0000-0000-0000-000000000000.2722595" = {
"00000000-0000-0000-0000-000000000000.2722770" = {
"00000000-0000-0000-0000-000000000000.2730343" = {
"00000000-0000-0000-0000-000000000000.2730664" = {
"00000000-0000-0000-0000-000000000000.2734486" = {
"00000000-0000-0000-0000-000000000000.2734492" = {
"00000000-0000-0000-0000-000000000000.2734493" = {
"00000000-0000-0000-0000-000000000000.2734515" = {
"00000000-0000-0000-0000-000000000000.2734516" = {
"00000000-0000-0000-0000-000000000000.2734599" = {
"00000000-0000-0000-0000-000000000000.2734600" = {
"00000000-0000-0000-0000-000000000000.2734604" = {
"00000000-0000-0000-0000-000000000000.2734607" = {
"00000000-0000-0000-0000-000000000000.2734608" = {
"00000000-0000-0000-0000-000000000000.2734614" = {
"00000000-0000-0000-0000-000000000000.2734615" = {
"00000000-0000-0000-0000-000000000000.2734617" = {
"00000000-0000-0000-0000-000000000000.2734618" = {
"00000000-0000-0000-0000-000000000000.2734758" = {
"00000000-0000-0000-0000-000000000000.740205" = {
"00000000-0000-0000-0000-000000000000.137693" = {
"00000000-0000-0000-0000-000000000000.31690" = {
"00000000-0000-0000-0000-000000000000.31714" = {
"00000000-0000-0000-0000-000000000000.430752" = {
"00000000-0000-0000-0000-000000000000.431180" = {
"00000000-0000-0000-0000-000000000000.431214" = {
"00000000-0000-0000-0000-000000000000.431287" = {
"00000000-0000-0000-0000-000000000000.431390" = {
"00000000-0000-0000-0000-000000000000.431589" = {
"00000000-0000-0000-0000-000000000000.431624" = {
"00000000-0000-0000-0000-000000000000.431637" = {
"00000000-0000-0000-0000-000000000000.431737" = {
"00000000-0000-0000-0000-000000000000.62152" = {
ArcadeDeviceID = "00000000-0000-0000-0000-000000000000";
ArcadePayoutDeviceID = "00000000-0000-0000-0000-000000000000";
"00000000-0000-0000-0000-000000000000" = {
"Experiment Identifierinvocation_feedback_experiment" = "00000000-0000-0000-0000-000000000000";
"Experiment Identifiersiri_vox_sounds_experiment" = "00000000-0000-0000-0000-000000000000";
"Experiment Identifiersiri_vox_tap_to_siri_behavior_experiment" = "00000000-0000-0000-0000-000000000000";
lastLaunchBootSessionUUID = "00000000-0000-0000-0000-000000000000";
"allowClassroomLockDevice-00000000-0000-0000-0000-000000000000:0" = 1;
"allowClassroomLockDevice-00000000-0000-0000-0000-000000000000:0-ask" = 0;
"allowClassroomOpenApp-00000000-0000-0000-0000-000000000000:0" = 1;
"allowClassroomOpenApp-00000000-0000-0000-0000-000000000000:0-ask" = 0;
"allowClassroomOpenURL-00000000-0000-0000-0000-000000000000:0" = 1;
"allowClassroomOpenURL-00000000-0000-0000-0000-000000000000:0-ask" = 0;
"allowClassroomScreenObservation-00000000-0000-0000-0000-000000000000:0" = 1;
"allowClassroomScreenObservation-00000000-0000-0000-0000-000000000000:0-ask" = 0;
"forceUnpromptedRemoteScreenObservation-00000000-0000-0000-0000-000000000000:0" = 1;
"forceUnpromptedRemoteScreenObservation-00000000-0000-0000-0000-000000000000:0-ask" = 0;
UUID = "00000000-0000-0000-0000-000000000000";
UUID = "00000000-0000-0000-0000-000000000000";
UUID = "00000000-0000-0000-0000-000000000000";
UUID = "00000000-0000-0000-0000-000000000000";
UUID = "00000000-0000-0000-0000-000000000000";
UUID = "00000000-0000-0000-0000-000000000000";
UUID = "00000000-0000-0000-0000-000000000000";
lastLaunchBootSessionUUID = "00000000-0000-0000-0000-000000000000";
"local://00000000-0000-0000-0000-000000000000/"
"local://00000000-0000-0000-0000-000000000000/"
MTTimerID = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
"widget_assigned_user_id" = "00000000-0000-0000-0000-000000000000";
"00000000-0000-0000-0000-000000000000" = (
"00000000-0000-0000-0000-000000000000",
"search.coreSpotlight.lastKnownSPLDatabaseUUID" = "00000000-0000-0000-0000-000000000000";
preferredDefaultListID = "x-apple-reminderkit://REMCDList/00000000-0000-0000-0000-000000000000";
preferredDefaultListObjectIDUrl = "x-coredata://00000000-0000-0000-0000-000000000000/REMCDList/p2";
KeyAccountUUID = "00000000-0000-0000-0000-000000000000";
"com.apple.pivtoken" = "00000000-0000-0000-0000-000000000000";
AirDropRandomHashUUIDKey1 = "00000000-0000-0000-0000-000000000000";
AirDropRandomHashUUIDKey2 = "00000000-0000-0000-0000-000000000000";
AirDropRandomHashUUIDKey3 = "00000000-0000-0000-0000-000000000000";
AirDropRandomHashUUIDKey4 = "00000000-0000-0000-0000-000000000000";
VCLSDatabaseUUIDKey = "00000000-0000-0000-0000-000000000000";
fromSpace = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
fromSpace = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
fromSpace = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
uuid = "00000000-0000-0000-0000-000000000000";
"Display Identifier" = "00000000-0000-0000-0000-000000000000";
name = "00000000-0000-0000-0000-000000000000";
name = "00000000-0000-0000-0000-000000000000";
name = "00000000-0000-0000-0000-000000000000";
"user_id" = "00000000-0000-0000-0000-000000000000";
"user_id" = "00000000-0000-0000-0000-000000000000";
DeviceIdentifier = "00000000-0000-0000-0000-000000000000";
privateUserIdentifier = "00000000-0000-0000-0000-000000000000";
reportWeatherIdentifier = "00000000-0000-0000-0000-000000000000";
userIdentifier = "00000000-0000-0000-0000-000000000000";
BugsnagUserName = "00000000-0000-0000-0000-000000000000";
BugsnagUserUserId = "00000000-0000-0000-0000-000000000000";
You can see that all of my UUIDs are zero'd out here, but yours will show the actual uuid.
(note: if you want to zero out all yours)
defaults read | grep -E '[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}' | sed -E 's/[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/00000000-0000-0000-0000-000000000000/g'
You'll likely want to generate new, random uuids. Here's a bash script to do that:
Open a new file in vim
$ vim uuid-gen
Paste in this script (you might need to adjust the shebang at the top)
#!/opt/homebrew/bin/bash
function __rnd
{
cat /dev/urandom | head -n 10 | xxd -ps -c 200 | tr -d '\n' | cut -c -$1
}
r="$(echo "$( __rnd 8 )-$( __rnd 4 )-$( __rnd 4 )-$( __rnd 4 )-$( __rnd 12 )" | tr '[:lower:]' '[:upper:]')"
echo $r|pbcopy
echo $r
Test it out.
$ ./uuid-gen
D4EBE0AF-3A30-463B-EF27-9976EF5AAD16
Replacing UUIDs
Let's replace the UUIDs used for com.apple.weather.sensitive.
$ defaults read "com.apple.weather.sensitive"
{
privateUserIdentifier = "AAB15B43-1576-6BD9-D5B1-E88A143DD8A1";
privateUserIdentifierLastResetDate = "2023-03-01 00:00:00 +0000";
reportWeatherIdentifier = "4015FD57-D19C-F38F-8F7A-2684D784A55C";
reportWeatherIdentifierLastResetDate = "2023-03-01 00:00:00 +0000";
userIdentifier = "B97BE696-0432-19A1-57E1-FB80A3501427";
userIdentifierLastResetDate = "2023-03-01 00:00:00 +0000";
userStartDate = "2023-03-01 00:00:00 +0000";
}
By the way, the privateUserIdentifier is your devices SUID. This value persists a wipe, so if you reset a laptop the second you turn it on with a new operating system the same SUID will get sent off to Apple (and other companies) and you will be immediately re-identified.
Let's overwrite the privateUserIdentifier.
$ defaults write com.apprivateUserIdentifierple.weather.sensitive privateUserIdentifier -string "$(./uuid-gen)"
You can repeat this for each UUID field here, or run this bash snippet to update all the ones under weather at once.
$ echo -e "\ndefaults write com.apple.weather.sensitive "{privateUserIdentifier,reportWeatherIdentifier,userIdentifier}" -string $(./uuid-gen)"|bash
Nice, now you'll want to rinse and repeat for the rest of them :)
Root namespace
These should be run as root.
1. Router hardware MAC address:
$ defaults read com.apple.CrashReporterSupportHelper
2. Device serial number
$ defaults read com.apple.ASPCarryLog
3. UUID for partitioned boot disk
$ defaults read com.apple.duetactivityscheduler
$ defaults read com.apple.icloud.searchpartyd
$ defaults read com.apple.mediaremote
$ defaults read com.apple.smartcharging.topoffprotection
4. erial number of battery
$ defaults read com.apple.mediaremoted
5. Apple PIV token for payments
$ defaults read com.apple.security.ctkd-db
6. UUIDs seen/assigned by Disk Manager
$ defaults read memoryanalyticsd
Non-root namespace
These commands should be run as a non-root user.
1. Device UUID
$ defaults read com.apple.AMPLibraryAgent
2. Asset & numerous other UUIDs
$ defaults read com.apple.Accessibility.Assets
3. Option to disable targeted ads.
$ defaults read com.apple.AdLib
$ defaults read com.apple.AdPlatforms
5. Device Driver/Disk UUIDs
$ defaults read com.apple.CacheDelete
6. AppleID/iCloud IDs
$ defaults read com.apple.CallHistorySyncHelper
7. Service ID
$ defaults read com.apple.Music
8. Device UUID
$ defaults read com.apple.Notes
9. Numerous device IDs
$ defaults read com.apple.ReportCrash
10. NSUUIDs for all services
$ defaults read com.apple.ServicesMenu.Services
11. Unique IDs for all shared content
$ defaults read com.apple.amp.mediasharingd
13. Biometric UUID, Device GUID, Device ID, Payments Device ID,
$ defaults read com.apple.appstored
14. Experiment UUIDs, iCloud UUIDs
$ defaults read com.apple.assistant
Script for editing defaults
I wrote a script that lets you interactively update the defaults, listing them off one by one.
OUT_FILE=${1:-"auto-change.sh"}
i=0
total="$(defaults domains -g | sed 's/,/\n/g'|wc -l|tr -d ' ')"
echo "TOTAL DOMAINS: $(defaults domains -g | sed 's/,/\n/g'|wc -l)"
echo "OUTPUT WRITING TO: $OUT_FILE"
for domain in $(defaults domains -g | sed 's/,//g'); do
i=$(( i + 1 ))
read -p "$i/$total $domain [y/n]: " inp
if [ "$inp" == "n" ]; then continue; fi
defaults read $domain
read -p "edit any keys for $domain? [d/w/n] " _inp
if [ "$_inp" == "n" ]; then continue; fi
if [ "$_inp" == "d" ]; then
echo "defaults delete $domain" >> $OUT_FILE
fi
if [ "$_inp" == "w" ]; then
for key in $(defaults read $domain | sed 's/=.*/,/g' | tr -d '{} \n' | sed 's/,/\n/g'); do
read -p "edit $key? [y/n]" _inp
if [ "$_inp" == "n" ]; then continue; fi
echo "curr: $key -> $(defaults read $domain $key)"
read -p "type? " _type
read -p "new value? " _new_value
echo "defaults write $domain $key -$_type $_new_value" >> $OUT_FILE
echo "defaults write $domain $key -$_type $_new_value"
done
fi
done
Apple tracking - ok-john
On MacOS
Your Mac holds tons of uniquely identifying information, most of which is used to track you for "targeted advertising."
A solid amount of the UII used to target your device's lives under the plist defaults, this article will show you how to find, scrub and block the surveillance.
Honorable mentions
Before we move on, there are a few honorable mentions that aren't in the defaults, but are worth bringing up for their absurdity.
Each one of these warrants an entire article, but I'm just going
to quickly drop them here for you to do your own digging‚ perhaps
I will follow up on some of these in the future.
1. networkextension.tracker-info
2. Knowledge
3. Biome
$ ls /private/var/db/biome/You can find out a bit about the running process by:
Okay, now onto defaults.
Defaults
What are they
Seemingly harmless and hidden from most users view, defaults are plist formatted stores of arbitrary data that are pervasive and persistent. Defaults are organized by domains, which is a domain string identifier for a given store of data.
Defaults are specific to your user's namespace, so root will have an entirely different set of defaults in comparison to your user. Look at these values from both user perspectives.
User defaults belong to domains, which typically correspond to individual applications and follow the syntax of.
For example, the app store lives under the domain:
Each domain has a dictionary of keys and values representing its defaults; for example, the App Store domain looks like:
Viewing all defaults and domains
If you want to view ALL your defaults, you can run:
And if you want to view all of your domains run:
Quality of life defaults
On a side note, this is a list of Quality of Life defaults that I set on any mac.
# Disables .DS_STORE metadata sudo defaults write com.apple.desktopservices DSDontWriteNetworkStores true # Disables shadow metaadata from screencapture defaults write com.apple.screencapture "disable-shadow" -bool "true" # Disables date/time from screencapture. defaults write com.apple.screencapture "include-date" -bool "false" # Changes the default screencapture folder. defaults write com.apple.screencapture "location" -string "$(MACOS_MEDIA_PATHDIR)" && killall SystemUIServer # Show hidden files in finder defaults write com.apple.finder "AppleShowAllFiles" -bool "true" && killall Finder # Show path bar in finder defaults write com.apple.finder "ShowPathbar" -bool "true" && killall Finder # Set default view in finder to be list mode. defaults write com.apple.finder "FXPreferredViewStyle" -string "Nlsv" && killall Finder # Set the default search scope to the current folder. defaults write com.apple.finder "FXDefaultSearchScope" -string "SCcf" && killall Finder # Disables saving files by default to iCloud defaults write NSGlobalDomain "NSDocumentSaveNewDocumentsToCloud" -bool "false" # Disables reordering spaces by most recent use. defaults write com.apple.dock "mru-spaces" -bool "false" && killall Dock # Disables automatically sending feedback for large files. defaults write com.apple.appleseed.FeedbackAssistant "Autogather" -bool "false" # Places the dock on the right defaults write com.apple.dock "orientation" -string "right" && killall Dock # Autohide the dock defaults write com.apple.dock "autohide" -bool "true" && killall Dock # Make it quick defaults write com.apple.dock "autohide-time-modifier" -float "0.1" && killall DockApple servers
Before we look at the more concerning aspects of defaults, and how
you can scrub this data (automatically, regularly) to keep yourself
from being aggresively tracked by apple (and others), let's talk about
where this data is going - for the most part.
init.push.apple.com mesu.apple.com gateway.icloud.com mask-api.icloud.com api.apple-cloudkit.com configuration.ls.apple.com init.itunes.apple.com bag.itunes.apple.com weather-data.apple.com fbs.smoot.apple.com gdmf.apple.com guzzoni.apple.com xp.apple.com swscan.apple.com appleid.apple.com swallow.apple.com gspe35-ssl.ls.apple.com init-p01md.apple.com init.ess.apple.com iadsdk.apple.com gsa.apple.com captive.apple.com weather-edge.apple.com pds-init.ess.apple.com caldav.icloud.com humb.apple.com valid.apple.comBlocking network traffic
There are more domains, but these are some of the top consumers of your private and
identifiable information stored in the defaults, I highly suggested you run some
form of a firewall, and block these domains. If you don't have that option, I will
show you an easy way to block traffic to those domains, it's a classic solution
that's been around for ages: /etc/hosts. If you're rolling your eyes right now just skip
this section.
/etc/hosts, by no means is a correct/proffesional solution to this problem, is a
far better than nothing and immediately actionable way to mitigate network traffic
to a particular host.
How does it work? Simple, it lets you define the IP address that is associated
with any domain name, overriding (in some/most cases) the IP addresss that is
stored in the global domain name system. Confused? take a look
$ cat /etc/hosts 127.0.0.1 localhost ::1 localhostHere is my etc hosts file, it's mapping the private domain localhost to my loop
back interface on addres 127.0.0.1, that means this:
Is the exact same thing as this:
Well not the exact same thing, but close enough for this discussion, now
why is this relevant? Well, we can take a domain like mesu.apple.com which
has the following DNS records:
And we can kinda just use /etc/hosts to go haha, yeah no." Pick an IP in the private subnet ranges (
192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/16)I'll pick
10.10.0.0.Now, let's try to talk to mesu.apple.com now
So we know where the data is going (for the most part) and how to block it, but
you can't always restrict access to everything that might potentially leak this
identifying information, perfectly, forever. Thinking you can do so is silly,
a more realistic solution is to both block access to the domains collecting this
info and to scrub the info regularly from your device to prevent and accidental
leaks from exposing sensitive identifying information.
Here are a handful of domains that contain information you may want to wipe.
Spoofing UUIDs
Okay, there are tons of domains which hold sensitive information. I'm going to
use one example here and then provide you a few more domains to check out,
but to do a complete job here, you need to look through all defaults.
Let's find some UUIDs, this will get all UUID strings
$ defaults read | grep -E '[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'"__BaseURL" = "https://updates.cdn-apple.com/2022/mobileassets/012-35363/00000000-0000-0000-0000-000000000000/"; "00000000-0000-0000-0000-000000000000" = ( "00000000-0000-0000-0000-000000000000", currentNote = "00000000-0000-0000-0000-000000000000"; "00000000-0000-0000-0000-000000000000.1373801" = { "00000000-0000-0000-0000-000000000000.1393948" = { "00000000-0000-0000-0000-000000000000.1712177" = { "00000000-0000-0000-0000-000000000000.1712185" = { "00000000-0000-0000-0000-000000000000.1718035" = { "00000000-0000-0000-0000-000000000000.1731090" = { "00000000-0000-0000-0000-000000000000.1844564" = { "00000000-0000-0000-0000-000000000000.2573495" = { "00000000-0000-0000-0000-000000000000.2718273" = { "00000000-0000-0000-0000-000000000000.2718320" = { "00000000-0000-0000-0000-000000000000.2718324" = { "00000000-0000-0000-0000-000000000000.2718345" = { "00000000-0000-0000-0000-000000000000.2718437" = { "00000000-0000-0000-0000-000000000000.2718495" = { "00000000-0000-0000-0000-000000000000.2718536" = { "00000000-0000-0000-0000-000000000000.2718543" = { "00000000-0000-0000-0000-000000000000.2718571" = { "00000000-0000-0000-0000-000000000000.2718598" = { "00000000-0000-0000-0000-000000000000.2722475" = { "00000000-0000-0000-0000-000000000000.2722595" = { "00000000-0000-0000-0000-000000000000.2722770" = { "00000000-0000-0000-0000-000000000000.2730343" = { "00000000-0000-0000-0000-000000000000.2730664" = { "00000000-0000-0000-0000-000000000000.2734486" = { "00000000-0000-0000-0000-000000000000.2734492" = { "00000000-0000-0000-0000-000000000000.2734493" = { "00000000-0000-0000-0000-000000000000.2734515" = { "00000000-0000-0000-0000-000000000000.2734516" = { "00000000-0000-0000-0000-000000000000.2734599" = { "00000000-0000-0000-0000-000000000000.2734600" = { "00000000-0000-0000-0000-000000000000.2734604" = { "00000000-0000-0000-0000-000000000000.2734607" = { "00000000-0000-0000-0000-000000000000.2734608" = { "00000000-0000-0000-0000-000000000000.2734614" = { "00000000-0000-0000-0000-000000000000.2734615" = { "00000000-0000-0000-0000-000000000000.2734617" = { "00000000-0000-0000-0000-000000000000.2734618" = { "00000000-0000-0000-0000-000000000000.2734758" = { "00000000-0000-0000-0000-000000000000.740205" = { "00000000-0000-0000-0000-000000000000.137693" = { "00000000-0000-0000-0000-000000000000.31690" = { "00000000-0000-0000-0000-000000000000.31714" = { "00000000-0000-0000-0000-000000000000.430752" = { "00000000-0000-0000-0000-000000000000.431180" = { "00000000-0000-0000-0000-000000000000.431214" = { "00000000-0000-0000-0000-000000000000.431287" = { "00000000-0000-0000-0000-000000000000.431390" = { "00000000-0000-0000-0000-000000000000.431589" = { "00000000-0000-0000-0000-000000000000.431624" = { "00000000-0000-0000-0000-000000000000.431637" = { "00000000-0000-0000-0000-000000000000.431737" = { "00000000-0000-0000-0000-000000000000.62152" = { ArcadeDeviceID = "00000000-0000-0000-0000-000000000000"; ArcadePayoutDeviceID = "00000000-0000-0000-0000-000000000000"; "00000000-0000-0000-0000-000000000000" = { "Experiment Identifierinvocation_feedback_experiment" = "00000000-0000-0000-0000-000000000000"; "Experiment Identifiersiri_vox_sounds_experiment" = "00000000-0000-0000-0000-000000000000"; "Experiment Identifiersiri_vox_tap_to_siri_behavior_experiment" = "00000000-0000-0000-0000-000000000000"; lastLaunchBootSessionUUID = "00000000-0000-0000-0000-000000000000"; "allowClassroomLockDevice-00000000-0000-0000-0000-000000000000:0" = 1; "allowClassroomLockDevice-00000000-0000-0000-0000-000000000000:0-ask" = 0; "allowClassroomOpenApp-00000000-0000-0000-0000-000000000000:0" = 1; "allowClassroomOpenApp-00000000-0000-0000-0000-000000000000:0-ask" = 0; "allowClassroomOpenURL-00000000-0000-0000-0000-000000000000:0" = 1; "allowClassroomOpenURL-00000000-0000-0000-0000-000000000000:0-ask" = 0; "allowClassroomScreenObservation-00000000-0000-0000-0000-000000000000:0" = 1; "allowClassroomScreenObservation-00000000-0000-0000-0000-000000000000:0-ask" = 0; "forceUnpromptedRemoteScreenObservation-00000000-0000-0000-0000-000000000000:0" = 1; "forceUnpromptedRemoteScreenObservation-00000000-0000-0000-0000-000000000000:0-ask" = 0; UUID = "00000000-0000-0000-0000-000000000000"; UUID = "00000000-0000-0000-0000-000000000000"; UUID = "00000000-0000-0000-0000-000000000000"; UUID = "00000000-0000-0000-0000-000000000000"; UUID = "00000000-0000-0000-0000-000000000000"; UUID = "00000000-0000-0000-0000-000000000000"; UUID = "00000000-0000-0000-0000-000000000000"; lastLaunchBootSessionUUID = "00000000-0000-0000-0000-000000000000"; "local://00000000-0000-0000-0000-000000000000/" "local://00000000-0000-0000-0000-000000000000/" MTTimerID = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; "widget_assigned_user_id" = "00000000-0000-0000-0000-000000000000"; "00000000-0000-0000-0000-000000000000" = ( "00000000-0000-0000-0000-000000000000", "search.coreSpotlight.lastKnownSPLDatabaseUUID" = "00000000-0000-0000-0000-000000000000"; preferredDefaultListID = "x-apple-reminderkit://REMCDList/00000000-0000-0000-0000-000000000000"; preferredDefaultListObjectIDUrl = "x-coredata://00000000-0000-0000-0000-000000000000/REMCDList/p2"; KeyAccountUUID = "00000000-0000-0000-0000-000000000000"; "com.apple.pivtoken" = "00000000-0000-0000-0000-000000000000"; AirDropRandomHashUUIDKey1 = "00000000-0000-0000-0000-000000000000"; AirDropRandomHashUUIDKey2 = "00000000-0000-0000-0000-000000000000"; AirDropRandomHashUUIDKey3 = "00000000-0000-0000-0000-000000000000"; AirDropRandomHashUUIDKey4 = "00000000-0000-0000-0000-000000000000"; VCLSDatabaseUUIDKey = "00000000-0000-0000-0000-000000000000"; fromSpace = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; fromSpace = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; fromSpace = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; uuid = "00000000-0000-0000-0000-000000000000"; "Display Identifier" = "00000000-0000-0000-0000-000000000000"; name = "00000000-0000-0000-0000-000000000000"; name = "00000000-0000-0000-0000-000000000000"; name = "00000000-0000-0000-0000-000000000000"; "user_id" = "00000000-0000-0000-0000-000000000000"; "user_id" = "00000000-0000-0000-0000-000000000000"; DeviceIdentifier = "00000000-0000-0000-0000-000000000000"; privateUserIdentifier = "00000000-0000-0000-0000-000000000000"; reportWeatherIdentifier = "00000000-0000-0000-0000-000000000000"; userIdentifier = "00000000-0000-0000-0000-000000000000"; BugsnagUserName = "00000000-0000-0000-0000-000000000000"; BugsnagUserUserId = "00000000-0000-0000-0000-000000000000";You can see that all of my UUIDs are zero'd out here, but yours will show the actual uuid.
(note: if you want to zero out all yours)
defaults read | grep -E '[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}' | sed -E 's/[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/00000000-0000-0000-0000-000000000000/g'You'll likely want to generate new, random uuids. Here's a bash script to do that:
Open a new file in vim
Paste in this script (you might need to adjust the shebang at the top)
#!/opt/homebrew/bin/bash function __rnd { cat /dev/urandom | head -n 10 | xxd -ps -c 200 | tr -d '\n' | cut -c -$1 } r="$(echo "$( __rnd 8 )-$( __rnd 4 )-$( __rnd 4 )-$( __rnd 4 )-$( __rnd 12 )" | tr '[:lower:]' '[:upper:]')" echo $r|pbcopy echo $rTest it out.
Replacing UUIDs
Let's replace the UUIDs used for
com.apple.weather.sensitive.$ defaults read "com.apple.weather.sensitive" { privateUserIdentifier = "AAB15B43-1576-6BD9-D5B1-E88A143DD8A1"; privateUserIdentifierLastResetDate = "2023-03-01 00:00:00 +0000"; reportWeatherIdentifier = "4015FD57-D19C-F38F-8F7A-2684D784A55C"; reportWeatherIdentifierLastResetDate = "2023-03-01 00:00:00 +0000"; userIdentifier = "B97BE696-0432-19A1-57E1-FB80A3501427"; userIdentifierLastResetDate = "2023-03-01 00:00:00 +0000"; userStartDate = "2023-03-01 00:00:00 +0000"; }Let's overwrite the
privateUserIdentifier.$ defaults write com.apprivateUserIdentifierple.weather.sensitive privateUserIdentifier -string "$(./uuid-gen)"You can repeat this for each UUID field here, or run this bash snippet to update all the ones under weather at once.
$ echo -e "\ndefaults write com.apple.weather.sensitive "{privateUserIdentifier,reportWeatherIdentifier,userIdentifier}" -string $(./uuid-gen)"|bashNice, now you'll want to rinse and repeat for the rest of them :)
Root namespace
These should be run as root.
1. Router hardware MAC address:
$ defaults read com.apple.CrashReporterSupportHelper2. Device serial number
$ defaults read com.apple.ASPCarryLog3. UUID for partitioned boot disk
$ defaults read com.apple.duetactivityscheduler $ defaults read com.apple.icloud.searchpartyd $ defaults read com.apple.mediaremote $ defaults read com.apple.smartcharging.topoffprotection4. erial number of battery
$ defaults read com.apple.mediaremoted5. Apple PIV token for payments
$ defaults read com.apple.security.ctkd-db6. UUIDs seen/assigned by Disk Manager
$ defaults read memoryanalyticsdNon-root namespace
These commands should be run as a non-root user.
1. Device UUID
$ defaults read com.apple.AMPLibraryAgent2. Asset & numerous other UUIDs
$ defaults read com.apple.Accessibility.Assets3. Option to disable targeted ads.
$ defaults read com.apple.AdLib4. Options for ad platforms
$ defaults read com.apple.AdPlatforms5. Device Driver/Disk UUIDs
$ defaults read com.apple.CacheDelete6. AppleID/iCloud IDs
$ defaults read com.apple.CallHistorySyncHelper7. Service ID
$ defaults read com.apple.Music8. Device UUID
$ defaults read com.apple.Notes9. Numerous device IDs
$ defaults read com.apple.ReportCrash10. NSUUIDs for all services
$ defaults read com.apple.ServicesMenu.Services11. Unique IDs for all shared content
$ defaults read com.apple.amp.mediasharingd13. Biometric UUID, Device GUID, Device ID, Payments Device ID,
$ defaults read com.apple.appstored14. Experiment UUIDs, iCloud UUIDs
$ defaults read com.apple.assistantScript for editing defaults
I wrote a script that lets you interactively update the defaults, listing them off one by one.
OUT_FILE=${1:-"auto-change.sh"} i=0 total="$(defaults domains -g | sed 's/,/\n/g'|wc -l|tr -d ' ')" echo "TOTAL DOMAINS: $(defaults domains -g | sed 's/,/\n/g'|wc -l)" echo "OUTPUT WRITING TO: $OUT_FILE" for domain in $(defaults domains -g | sed 's/,//g'); do i=$(( i + 1 )) read -p "$i/$total $domain [y/n]: " inp if [ "$inp" == "n" ]; then continue; fi defaults read $domain read -p "edit any keys for $domain? [d/w/n] " _inp if [ "$_inp" == "n" ]; then continue; fi if [ "$_inp" == "d" ]; then echo "defaults delete $domain" >> $OUT_FILE fi if [ "$_inp" == "w" ]; then for key in $(defaults read $domain | sed 's/=.*/,/g' | tr -d '{} \n' | sed 's/,/\n/g'); do read -p "edit $key? [y/n]" _inp if [ "$_inp" == "n" ]; then continue; fi echo "curr: $key -> $(defaults read $domain $key)" read -p "type? " _type read -p "new value? " _new_value echo "defaults write $domain $key -$_type $_new_value" >> $OUT_FILE echo "defaults write $domain $key -$_type $_new_value" done fi done