Jamf Nation Community

@cshepp It looks like that thread has two recommendations. One is to restart pf and the other is to create a pf rule to block the traffic. I'd prefer a way of disabling Bonjour which would cause the traffic to not be created in the first place rather than blocking the traffic with pf. Obviously, if that's the only way to do it in 10.10 then it is what it is, but i'm hoping there is a way to disable it instead of block it.

This might work for you

http://apple.stackexchange.com/questions/151485/how-do-i-disable-bonjour-visibility-after-yosemite-install

Hi @alexmcclements , I've already checked that link unfortunately. The solution Jon Schwenn proposes is the same as the information in my original post (using --no-multicast in the discoveryd plist), but that breaks WiFi.

There is some discussion that the upcoming 10.10.4 release will get rid of discoveryd due to all of the issues it's caused and bring back mDNSResponder:
http://www.macrumors.com/2015/05/26/apple-discoveryd-replaced-with-mdnsresponder/

Hopefully if that is true then this won't be an issue any longer and the old process for mDNSResponder will work again.

I think mDNSResponder may be back in 10.10.4.

Hey Jason,
Did you ever find a solution for this? Thanks!

Is there a solution for this? we want to disable Bonjour in 10.11.3.

I haven't looked recently but I suspect SIP would prevent this change on 10.11.x and if it is possible, it will break wi-fi and the Macs ability to perform any kind of DNS lookups.

I've been discussing this with CIS and Apple as well. The current stance is that it is possible to disable broadcasts, but SIP must be disabled first, which involves booting into recovery, disabling SIP, making the change to mDNSResponder, re-enabling SIP, then booting back into the OS. CIS isn't going to have this as a control in future versions since there isn't a easy way for enterprises to implement this today.

If anyone does come up with some magic to automate this then I think many would benefit.

Give Apple feedback so they can implement a control for this perhaps via a config profile.
http://www.apple.com/feedback/

"Any update on this?" he asked hopefully.

Firewall rule is about the best manageable approach i've seen.

Check my code, but would this work? edit: I see above that SIP is possibly blocking this. My script comes from the audit/remediation guide of CIS for Yosemite.

#!/bin/bash

checkBonjourAdvertising="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)"
    if [ "$checkBonjourAdvertising" = "1" ] || [ "$checkBonjourAdvertising" = "2" ]; then
        echo "  Bonjour Advertising is off."
    else
        echo "  Bonjour Advertising is on. Shut it down."
        defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguements -array-add '{-NoMulticastAdvertisements;}'
        echo "  Bonjour Advertising is off."
    fi

@krispayne anything under /System cannot be modified while SIP is enabled (https://support.apple.com/en-us/HT204899). In Yosemite this would have worked fine. For El Cap this would no longer work.

@Jason I see, thanks for clarifying

Looks like Rich just mentioned this on his blog Disabling Bonjour advertisement on OS X El Capitan and later

After 3 years of working on Mac I finally beat rich to posting a solution! haha

Hello, all! I was hoping to disable Bonjour Advertising in 10.12 but I can't seem to locate com.apple.mDNSResponder.plist. It is not present in /Library/Preferences. Does anyone have any further information on whether it has moved or whether the process of manipulating the file has changed? Thanks!

@annamentzer I did not test good, but that file does not exist by default, and by creating the file (with the proper settings) the Bonjour behaviour should be changed. Read Rich troutons blog post that is mentioned above to see examples.

@mjsanders Ah, that's it. I read Rich's article did not understand that it had to be created. Many thanks for the clarification!