Jamf Nation Community

Our Security team was concerned that customer data could easily pop up on non-company-owned computers/devices. We don't prevent our users from enabling iCloud, so the thought was that an email or a document that was in the process of being composed on a work computer could inadvertently get copied to a user's personal Mac or iOS device. Rather than educate our users not to do this, we created a launchdaemon to turn Handoff off on OS X.

While your concerns are valid, there may not be a need to worry.

As handoff relies on both (or multiple) devices being signed in with the same iCloud account AND being in 30 ft proximity of each other with bluetooth enabled (also must support BT LE) AND need to be on the same network/subnet, pretty sure unless all this is met, handoff will not work.

Also documents/mail will not handoff to another device unless the end user interacts with the receiving device to tell it to pick up the document/mail via handoff.

- Sean

@bmarks - How is this working for you? Well? The launchdaemon you used, how often do you have it set to run for it to be effective? Any help would be appreciated.

Does this script work on Yosemite? Has anyone tried an Automator App?

This script seems to be working with some modifications in El Capitan. Our problem is that the first pass through produces a file not found error. Then if handoff is enabled it won't always reliably disable. Not sure what the reason for that is. We set the option to be && and not ||. How is it working in your environment?

(EDIT: Actually, the below info may have always been the case. With that said, I had no issues running it as-is on El Capitan.)

I wonder if you need to run it with elevated privileges since there's a command in the script that's now in a SIP-protected directory. I got the following output just now without sudo'ing first:

2016-02-08 10:12:52.901 defaults[9771:4745243] 
The domain/default pair of (/Users/bmarks/Library/Preferences/ByHost/com.apple.coreservices.lsuseractivityd.A66713F0-EF1E-5CFA-8E9C-60755DFCE01B.plist, ActivityAdvertisingAllowed) does not exist
2016-02-08 10:12:52.960 defaults[9772:4745267] 
The domain/default pair of (/Users/bmarks/Library/Preferences/ByHost/com.apple.coreservices.lsuseractivityd.A66713F0-EF1E-5CFA-8E9C-60755DFCE01B.plist, ActivityReceivingAllowed) does not exist

However, I get the expected results if I elevate to root privileges.

We experienced the exact same issues and elevating privileges helped as well. Thanks for the info, works in El Capitan for sure.

This script runs sucessfully for me with elevated privileges on El Capitan (10.11.3). However, when I go to System Preferences > General, Handoff is still enabled. Anyone else notice that?

Also, has anyone tried adapting this as an MDM profile and had success?

How are you running this as a policy? I tried to trigger at login, but absolutely nothing happens...

I modified the script a bit to hit up all users on the local machine and to change things only when they need it. A big thing was the script was set to turn off only if turned on (if missing, fail miserably).

#!/bin/bash

LocalHomes=$(/usr/bin/dscl . -list /Users NFSHomeDirectory | grep -v /var/ | grep -v /Library/ | awk '$2 ~ /^// {print $2;}')
uuid=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57)

for OneHome in $LocalHomes; do
    handoff1=$(defaults read $OneHome/Library/Preferences/ByHost/com.apple.coreservices.lsuseractivityd.$uuid.plist ActivityAdvertisingAllowed)
    handoff2=$(defaults read $OneHome/Library/Preferences/ByHost/com.apple.coreservices.lsuseractivityd.$uuid.plist ActivityReceivingAllowed)

    if [[ "$handoff1" != "0" ]]; then
        defaults write $OneHome/Library/Preferences/ByHost/com.apple.coreservices.lsuseractivityd.$uuid.plist ActivityAdvertisingAllowed -bool no
    fi

    if [ "$handoff2" != "0" ]; then
        defaults write $OneHome/Library/Preferences/ByHost/com.apple.coreservices.lsuseractivityd.$uuid.plist ActivityReceivingAllowed -bool no
    fi
done

this script doesn't work for me neither on 10.11 nor 10.12

any ideas?

i've got the same output of it doesn't exsit.

I modified the above script to allow for two policies; one to disable and another to enable handoff on macOS Sierra devices (to facilitate high stakes testing).

Disable Handoff for all users:

#!/bin/bash

LocalHomes=$(/usr/bin/dscl . -list /Users NFSHomeDirectory | grep -v /var/ | grep -v /Library/ | awk '$2 ~ /^// {print $2;}')

for OneHome in $LocalHomes; do
    userName=$(/bin/echo $OneHome | awk -F "/" '{print $NF;}')
    sudo -u $userName defaults write $OneHome/Library/Preferences/ByHost/com.apple.coreservices.useractivityd.plist ActivityAdvertisingAllowed -bool no
    sudo -u $userName defaults write $OneHome/Library/Preferences/ByHost/com.apple.coreservices.useractivityd.plist ActivityReceivingAllowed -bool no
done

Enable Handoff for all users:

#!/bin/bash

LocalHomes=$(/usr/bin/dscl . -list /Users NFSHomeDirectory | grep -v /var/ | grep -v /Library/ | awk '$2 ~ /^// {print $2;}')

for OneHome in $LocalHomes; do
    userName=$(/bin/echo $OneHome | awk -F "/" '{print $NF;}')
    sudo -u $userName defaults write $OneHome/Library/Preferences/ByHost/com.apple.coreservices.useractivityd.plist ActivityAdvertisingAllowed -bool yes
    sudo -u $userName defaults write $OneHome/Library/Preferences/ByHost/com.apple.coreservices.useractivityd.plist ActivityReceivingAllowed -bool yes
done

Just tried the 'Disable Handoff' script on Sierra 10.12.5 and it doesn't seem to do anything.
'System Preferences', 'General' - still showing the tick within 'Allow Handoff between this Mac and your iCloud devices'

Oops! the script does work, just needs user to logoff/restart to take effect.

Does anyone know of a way to actually disable this options via configuration profile, so the user can't switch it on again themselves?
Thanks in advance

jcarr's scripts work here. Thanks!

Hi Everyone I used the script and also did a restart this didn't work. Any ideas, please?  

I have a way of using the terminal to do this - 

sudo -u $(whoami) defaults write "$HOME/Library/Preferences/ByHost/com.apple.coreservices.useractivityd.plist" ActivityAdvertisingAllowed -bool no

this seems to work now I need to find a way to imbed this in JAMF so we do not need to do this manually.

@Habib-Rahman, sorry I over looked were your were using macOS Sierra 10.12.5,  Configuration profiles need macOS 10.15 or later.  

For this system  create a policy in jamf, choose options -> Files and Processes,  add your command in the field "Execute Command".  Choose options -> General,  -> Execution Frequency, set to run once per user per computer. In the scope add your device.   This should Disable Handoff.  

Hi @burdett thank you for the advice I did what you said and done many restarts however this still not working. 

It still shows as enabled however when I run this command manually i works:

sudo -u $(whoami) defaults write "$HOME/Library/Preferences/ByHost/com.apple.coreservices.useractivityd.plist" ActivityAdvertisingAllowed -bool no

I even have a Configuration Profiles >> Restrictions >> Functionality >>Allow Handoff (macOS 10.15 or later)

Even though I have turned it off, nothing seems like it's working? any ideas what else I can do please? 

Thank you so much.

Habib 

Habib-Rahman, When JAMF runs a command it runs it as an elevated account using the JAMF manager account.   I don't think

sudo -u $(whoami)

is returning the correct value.   For these older macOS < 10.15 I would create and test the script  thoule posted on ‎09-02-2016. This scrip is using a different method for setting the path for the users home folder.   For devices running current macOS > 10.52, Use a Configuration Profile with Restrictions Payload and uncheck uncheck Allow Handoff.