Script to disable Automatic Run Of Safe Files In Safari

New Contributor

I'm trying to script a way to disable the Automatic Run Of Safe Files In Safari for a CIS Benchmark across our deployment. While we have a few versions of the OS in the wild, I'm mostly focused on Catalina.

I tried the following, but it doesn't seem to change the preference.

defaults write AutoOpenSafeDownloads -boolean false

Contributor II

Have you considered using a profile and targeting the group of machines?

New Contributor

Is there an option in a Config Profile that allows me to do this? I looked but didn't see one, which is why I was going to go the script route.

New Contributor III

@spanaghi here you go.

As usual, please test this yourself to ensure compatibility in your environment.
I can only confirm this works for me.

Contributor III

Yeah, I thought this was a config profile too, but there isn't anything about it! Wonder if this should be a feature request.

Legendary Contributor II

You can also create the Config Profile by creating a new plist file in some local location, like your Desktop, with just that one setting in it.

defaults write ~/Desktop/ AutoOpenSafeDownloads -bool false

Converting that to xml format

plutil -convert xml1 ~/Desktop/

And then uploading that into a new Configuration Profile under the Application & Custom Settings payload (using the "Upload a File" option). Does basically the same thing as the gist posted above by @lucas.cantor.

Contributor III

So this is not working in Big Sur... anyone have any idea? I tried the config profile uploaded by @lucas.cantor

New Contributor II

Config Profile still works in my testing on Big Sur 11.2.3.

defaults write AutoOpenSafeDownloads -boolean false

not so much, it can fail silently...

...because it got sandboxed and e.g. Terminal does not have access by default. See
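An added example, not code posted by anyone in this thread: Python's standard `plistlib` can build the one-setting XML payload described above and audit a preference file so that an unreadable file (the silent-failure case just mentioned) is reported separately from a missing or wrong value. The function names and the caller-supplied plist path are assumptions for illustration; the thread does not give the full file path.

```python
import plistlib
from xml.parsers.expat import ExpatError

KEY = "AutoOpenSafeDownloads"  # preference key named in the thread


def write_payload(path):
    """Write a one-setting XML plist, the same result as the
    `defaults write ... -bool false` + `plutil -convert xml1` steps."""
    with open(path, "wb") as fh:
        plistlib.dump({KEY: False}, fh, fmt=plistlib.FMT_XML)


def audit(path):
    """Classify a preference file for the CIS check.

    Returns one of:
      'compliant'     - key present and boolean false
      'non-compliant' - key present with any other value
      'unset'         - file parsed, key absent
      'unreadable'    - file missing, access denied, or not a plist
    """
    try:
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)  # accepts XML and binary plists
    except (OSError, plistlib.InvalidFileException, ExpatError, ValueError):
        # Covers PermissionError: a denied read must not look like a pass.
        return "unreadable"
    if not isinstance(prefs, dict):
        return "unreadable"
    if KEY not in prefs:
        return "unset"
    # Only a real boolean false counts; the string "false" or 0 does not.
    return "compliant" if prefs[KEY] is False else "non-compliant"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(f"{p}: {audit(p)}")
```

Run it against the plist you plan to upload before creating the profile, and against the deployed preference file from a context that is allowed to read it.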

New Contributor

Has anyone had any luck doing this?


New Contributor III

I've been using a config profile for at least 5 years... hope it helps

New Contributor

Hi @cesar_pineda 

I am also using the same CIS hardening profile, but I face an issue when I push an update from the management tab or try to download/install an update from Self Service; in both cases it failed. So I had to remove those profiles, restart the machine and then re-push the update. After a few min/hrs the update completes, and then all those profiles are put back on the machine.