MacOS X Sierra went GM....anyone kill Siri yet?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-08-2016 12:12 PM
So Sierra just went GM and was wondering if any others are having issues removing Siri from the OS. Our company is pretty security conscience and Siri didn't pass her tests. So I need to figure out how to disable her as much as possible. I can already disable the system panel, but I was hoping to get rid of the menu bar item, and any mention of her if possible. With SIP things have gotten harder to remove (even chess for some reason). So I can't imagine and easy answer to this.
Any thoughts?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-08-2016 12:26 PM
Is APNS working in your environment? Can you manage the Macs with Configuration Profiles? Siri will most likely be a restricted item soon. JAMF just released Casper Suite 9.96 and it includes new MDM restrictions plus compatibility with macOS 10.12 Sierra.
Failing that, I would look to disabling the item through System Preferences:
System Preferences > Siri > uncheck "Enable Siri."
And then restricting the Siri preference pane.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-08-2016 12:34 PM
There does not seem to be a restriction for Siri via the MDM spec. Here's what I've got so far for a profile with custom payloads:
com.apple.assistant.support:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Assistant Enabled</key>
<false/>
</dict>
</plist>
com.apple.Siri:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>StatusMenuVisible</key>
<false/>
<key>UserHasDeclinedEnable</key>
<true/>
</dict>
</plist>
This leaves the Dock icon; if users click that, it will prompt them to enable Siri, but clicking the Enable button has no effect (it doesn't even close the window). Presumably I could remove that icon with dockutil, but I've had no time to try that yet.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-08-2016 12:41 PM
@bradtchapman We can't use a APNS for security reasons (external bad, internal good). But we do use configuration profiles. I create them, download them, package them, and then deploy them like any other package. So I do have a way of disabling the system panel.
@bvrooman Great info. Will test it out. I can only imagine more companies are going to need to do this for security reasons. Would be nice to kill Siri completely to have no trace of her, but not sure we'll be able to fully get rid of her (at least without disabling SIP...which we aren't doing).
I love how my job is to take all the fun stuff out the OS due to security.
Sidenote: At home I love Siri and use her all the time. In fact, I can't remember the last time my wife actually typed a text since she uses Siri to send all of them.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-13-2016 03:31 PM
Just to add my own two cents regarding this:
Presumably I could remove that icon with dockutil, but I've had no time to try that yet.
If you're not a company that uses or isn't allowed to use dockutil, like me, then you could always capture the Siri icon using Casper Admin then add the dock payload to a policy and configure it to "Remove" instead of add the icon.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-13-2016 04:17 PM
As a second note, I've done some testing and I've found that even with Siri disabled the icon continues to stay in the menu bar which nets the same result as the dock icon when clicked; it simply asks if you'd like to enable it. If you'd like Siri to NOT appear in the menu bar any longer you can run the following command, either via script or JSS policy, probably the Files and Processes payload which allows one-liner commands to be run:
killall SystemUIServer
This kills the menu bar and it will refresh with Siri removed. It's important to note that you'll need to do that AFTER you've confirmed that the config profiles have landed on the machine (maybe via Ext Att?) otherwise you'll simply restart the menu bar and the Siri icon persists because it's still enabled.
Hope that helps too.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-13-2016 05:41 PM
Ok...I've been working my way through and I'm sure others will find a quicker, more streamlined way but here's what my company will probably be doing:
1) Use Casper Admin to capture the Siri dock icon (you'll use this later in step 5)
2) Create those plists as recommended and add them to a config profile payload then scope the deployment either in your Config Profiles module or in a JSS Policy to deploy the packaged profiles.
3) Create an extension attribute that runs a script to check to see if the Config Profile lives on the machine or not. I banged out the script real quick, but I'm sure there's a better way to do this:
#!/bin/bash
vers=`sw_vers | awk '/ProductVersion:/ {print $2}'`
if [ $vers = "10.12" ] || [ $vers = "10.12.0" ] [ $vers = "10.12.1" ] [ $vers = "10.12.2" ] [ $vers = "10.12.3" ] [ $vers = "10.12.4" ] [ $vers = "10.12.5" ] [ $vers = "10.12.6" ]; then
if [[ -e /Library/Managed Preferences/com.apple.Siri.plist ]]; then
echo "<result>Config Profile Disabled Siri</result>"
else
echo "<result>Siri still active</result>"
fi
else
echo "Not macOS Sierra"
fi
4) Create a SmartGroup that looks for your extension attribute value to be set to "Config Profile Disabled Siri"
5) Create policy that removes the dock icon that you captured in step 1 & use the "Files and Processes" payload in the policy under the "Execute Command" section to run the command: killall SystemUIServer
I've run through a quick test on my test machine and it seemed to have done the trick but obviously you'll want to check it out for yourself.
Hope that helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-14-2016 05:36 AM
@cgiordano Good stuff!
So I found that the Siri panel is called Speech. So with Casper I was able to create a configuration profile that disables the Dictation and Speech panel (which is just called Speech). So that disables it. But I went a step further and wrote a script that hides it:
defaults write com.apple.systempreferences HiddenPreferencePanes -array "com.apple.preference.speech"
Still testing it...but I think with that and removing the Dock item, I might be ok.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:01 AM
Is there a direct command line command to disable Siri and/or remove the System Preferences pane? If you suppress the setup assistant and remove the dock item that does one part. Then if you grey out the pane using a config profile that is another but I would have to imagine that there is a command to handle this so that we can "keep" Siri disabled, even with users that have admin privs. That is true management!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:11 AM
@bajankinch Not sure about command line, but there might be. But that gave me a good idea. In theory if Siri is launched we should be able to detect the process and kill it under restricted applications. Will have to do some testing and test it out.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:18 AM
Sidenote: Siri does not DELETE if you delete the application from the applications folder. It was still in the System Preference Pane and could be enabled (even without it being in the Applications folder). It does indeed have a process named "Siri" once enabled and launched (parent launchd).
The app resides in /System/Library/CoreServices/Siri.app.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:25 AM
That would be another way to do it, but disabling SIP in theory leaves your machines more vulnerable. But not sure you could script that since you have to do it from the recovery partition, but then again I haven't tried.
Plus if I did disable SIP the first thing I would be deleting is chess....why is that protected?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:28 AM
Yes, I would then have to reboot again and enable it again. Annoying! Does anyone know if JAMF is adding a Siri restriction in Config Profile MDM to the next revision?
Chess? LOL.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:31 AM
@bajankinch I had asked my TAM about this and he said that they are at the mercy of Apple on this one, which is how I discovered this thread initially. As of right now, the suggestions on this thread are one of your best bets to disable Siri.
As with most new features, Apple hasn't included them in Config Profiles (outside of Unlock with Apple Watch) so I'm thinking, maybe a future release will include this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 08:52 AM
well in theory it would be nice if Apple released OS's with a "Enterprise" mode. Basically all the security measures we normally take already turned on by default. That would make our lives easier.
As for Chess, its come up in discussions many of times. For our PC machines they take out all the games since they don't want to distract employees. So we have to follow suit on the Mac. On older OS's I just moved it so it was hidden. These days, I can't do anything about it (short of disabling SIP) and had to explain to info sec that Chess is protected under System Integrity.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 09:07 AM
@roiegat Why don't you make Chess.app a restricted application? This way, if you can't remove it you can at least kill the process so that it doesn't launch any more. Plus you can add reporting to it so that you get emailed every time someone tries to launch it. If you see a consistent offender then you can take the appropriate actions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 09:13 AM
@cgiordano Already done with the introduction of El Capitan. But we have these scans Info Sec do to see whats on our machines and it always shows up on some report. Its more entertaining at this point then anything else.
Plus in theory chess is suppose to make your smarter right? So much better then solitary that comes on the PC.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-28-2016 10:40 AM
I have profiles to block Siri (built from the keys provided by @bvrooman ). They're available via the link below:
https://github.com/rtrouton/profiles/tree/master/DisableSiri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-29-2016 01:35 PM
Hi I have tried your skip siri setup profile and I cant get it to work
The Profile says that it has been done in Casper
but when AD uesrs login they still get prompted for siri setup
can you please advise
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-29-2016 08:41 PM
@Jerome Check @rtrouton's blog post on disabling the Siri prompt here
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-29-2016 08:59 PM
Hi Robert I did try his
Mobile config
https://github.com/rtrouton/profiles/tree/master/SkipSiriSetup
But it did not work any thoughts
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-29-2016 09:45 PM
Hi Robert
I have just tried the latest script file and that worked
As I said I tried the MobileConfig and that didn't work I did notice that it was 3 months old so maybe he needs to update it now
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-30-2016 11:21 AM
@jerome I think you need both: config profile to disable it, and the script to prevent being prompted to turn it on at the first login after the upgrade.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-04-2016 05:21 PM
Anyone have any tips to disable the Siri System Preference Pane? Everything that's been on this thread has worked for me from disabling the prompt upon first log in to disabling the menu bar item and everything else. For me and my organization, I think the final missing piece is to lock down the System Preference menu.
I know that we could lock it down using the Restrictions payload in a Config Profile but the rub with that is that we're currently checking the boxes for the System Preferences that want locked. We were doing it the other way but then folks complained that we locked them out of some third-party System Preferences.
Any suggestions or ideas would be great!
Thanks!
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-05-2016 11:53 AM
Wow, I'm an idiot. It was mentioned already in this thread that enabling the Restriction for Dictation & Speech would lock Siri down. I've confirmed that this works as well. Sorry for the facepalm moment, everyone.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2017 12:20 PM
All,
I have to 2 Config profiles and they pretty much work. However, the Siri.app still lives in /Applications. When i click on that it asks me if i want to enable SIRI. I chose yes and then Siri showed up in the menu bar. I tried to rm -r /Applications/Siri.app and was told that the operation was not permitted. Anything i can do other than chmod siri.app so that users don't have the rights to open?
thanks,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2017 05:43 AM
can anyone here please give me a full explanation on how I can kill siri off mac os sierra? i am trying to do so for a school build but i am currently struggling. thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2017 05:31 AM
Same here! I have read everything twice but I can not see if the topics discussed even worked or any guideline. Could anyone involved in these discussions tell us what the final outcome was? I tried to remove Siri.app today and I can not find a workout as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-20-2017 08:47 AM
I'm surprised that JAMF has not addressed this yet in some type of post. At least state what can and can't be done regarding Siri with the current version.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-08-2017 02:12 AM
@bvrooman that solution is working for us. I misread the post originally and thought that it was the com.apple.assistant.plist file which wasn't disabling Siri so I did some more work and discovered it was the com.apple.assistant.support.plist instead. A few hours of extra work lost for a typo error haha. Glad it's working now though. thanks