MacOS X Sierra went GM....anyone kill Siri yet?

roiegat
Contributor III

So Sierra just went GM and was wondering if any others are having issues removing Siri from the OS. Our company is pretty security conscious and Siri didn't pass her tests. So I need to figure out how to disable her as much as possible. I can already disable the system panel, but I was hoping to get rid of the menu bar item, and any mention of her if possible. With SIP things have gotten harder to remove (even chess for some reason). So I can't imagine an easy answer to this.

Any thoughts?

29 REPLIES

bradtchapman
Valued Contributor II

Is APNS working in your environment? Can you manage the Macs with Configuration Profiles? Siri will most likely be a restricted item soon. JAMF just released Casper Suite 9.96 and it includes new MDM restrictions plus compatibility with macOS 10.12 Sierra.

Failing that, I would look to disabling the item through System Preferences:

System Preferences > Siri > uncheck "Enable Siri."

And then restricting the Siri preference pane.

bvrooman
Valued Contributor

There does not seem to be a restriction for Siri via the MDM spec. Here's what I've got so far for a profile with custom payloads:

com.apple.assistant.support:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Assistant Enabled</key>
    <false/>
</dict>
</plist>

com.apple.Siri:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StatusMenuVisible</key>
    <false/>
    <key>UserHasDeclinedEnable</key>
    <true/>
</dict>
</plist>

This leaves the Dock icon; if users click that, it will prompt them to enable Siri, but clicking the Enable button has no effect (it doesn't even close the window). Presumably I could remove that icon with dockutil, but I've had no time to try that yet.

roiegat
Contributor III

@bradtchapman We can't use APNS for security reasons (external bad, internal good). But we do use configuration profiles. I create them, download them, package them, and then deploy them like any other package. So I do have a way of disabling the system panel.

@bvrooman Great info. Will test it out. I can only imagine more companies are going to need to do this for security reasons. Would be nice to kill Siri completely to have no trace of her, but not sure we'll be able to fully get rid of her (at least without disabling SIP...which we aren't doing).

I love how my job is to take all the fun stuff out of the OS due to security.

Sidenote: At home I love Siri and use her all the time. In fact, I can't remember the last time my wife actually typed a text since she uses Siri to send all of them.

cgiordano
Contributor

Just to add my own two cents regarding this:

Presumably I could remove that icon with dockutil, but I've had no time to try that yet.

If you're not a company that uses or isn't allowed to use dockutil, like me, then you could always capture the Siri icon using Casper Admin then add the dock payload to a policy and configure it to "Remove" instead of add the icon.

cgiordano
Contributor

As a second note, I've done some testing and I've found that even with Siri disabled the icon continues to stay in the menu bar which nets the same result as the dock icon when clicked; it simply asks if you'd like to enable it. If you'd like Siri to NOT appear in the menu bar any longer you can run the following command, either via script or JSS policy, probably the Files and Processes payload which allows one-liner commands to be run:

killall SystemUIServer

This kills the menu bar and it will refresh with Siri removed. It's important to note that you'll need to do that AFTER you've confirmed that the config profiles have landed on the machine (maybe via Ext Att?) otherwise you'll simply restart the menu bar and the Siri icon persists because it's still enabled.

Hope that helps too.

cgiordano
Contributor

Ok...I've been working my way through and I'm sure others will find a quicker, more streamlined way but here's what my company will probably be doing:

1) Use Casper Admin to capture the Siri dock icon (you'll use this later in step 5)
2) Create those plists as recommended and add them to a config profile payload then scope the deployment either in your Config Profiles module or in a JSS Policy to deploy the packaged profiles.
3) Create an extension attribute that runs a script to check to see if the Config Profile lives on the machine or not. I banged out the script real quick, but I'm sure there's a better way to do this:

#!/bin/bash

# Extension attribute: report whether the Siri config profile has landed.
vers=$(sw_vers -productVersion)

# Match 10.12 and every 10.12.x point release.
if [[ "$vers" == "10.12" || "$vers" == 10.12.* ]]; then
        # The path contains a space, so it must be quoted.
        if [[ -e "/Library/Managed Preferences/com.apple.Siri.plist" ]]; then
                echo "<result>Config Profile Disabled Siri</result>"
        else
                echo "<result>Siri still active</result>"
        fi
else
        echo "<result>Not macOS Sierra</result>"
fi

4) Create a SmartGroup that looks for your extension attribute value to be set to "Config Profile Disabled Siri"
5) Create policy that removes the dock icon that you captured in step 1 & use the "Files and Processes" payload in the policy under the "Execute Command" section to run the command: killall SystemUIServer

I've run through a quick test on my test machine and it seemed to have done the trick but obviously you'll want to check it out for yourself.

Hope that helps.
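
Added example, not part of any post in this thread and not the posters' or JAMF's own code: the extension attribute in step 3 only tests that a managed plist file exists, so this Python version reads both managed preference files and confirms that the keys from the custom payloads earlier in the thread carry the enforced values. The function names and the directory argument are assumptions made for the example; on a Mac the directory would be /Library/Managed Preferences.

```python
import plistlib
import tempfile
from pathlib import Path

# Domain -> {key: required value}, taken from the custom payloads in this thread.
EXPECTED = {
    "com.apple.assistant.support": {"Assistant Enabled": False},
    "com.apple.Siri": {"StatusMenuVisible": False, "UserHasDeclinedEnable": True},
}

def audit_siri_prefs(managed_dir):
    """Return a list of findings; an empty list means every key is enforced."""
    findings = []
    for domain, keys in EXPECTED.items():
        path = Path(managed_dir) / f"{domain}.plist"
        if not path.is_file():
            findings.append(f"{domain}: managed plist missing")
            continue
        try:
            with path.open("rb") as fh:
                prefs = plistlib.load(fh)  # accepts XML and binary plists
        except Exception as exc:  # truncated or corrupt file
            findings.append(f"{domain}: unreadable ({type(exc).__name__})")
            continue
        for key, want in keys.items():
            if key not in prefs:
                findings.append(f"{domain}: {key} not set")
            elif prefs[key] is not want:
                findings.append(f"{domain}: {key} is {prefs[key]!r}, want {want!r}")
    return findings

def ea_result(managed_dir):
    """Format the outcome the way the extension attribute in step 3 reports it."""
    findings = audit_siri_prefs(managed_dir)
    status = "Config Profile Disabled Siri" if not findings else "Siri still active"
    return f"<result>{status}</result>"

def write_sample(managed_dir, siri_prefs):
    """Constructed sample data: write binary plists into a scratch directory."""
    samples = {"com.apple.assistant.support": {"Assistant Enabled": False},
               "com.apple.Siri": siri_prefs}
    for domain, prefs in samples.items():
        with (Path(managed_dir) / f"{domain}.plist").open("wb") as fh:
            plistlib.dump(prefs, fh, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp, {"StatusMenuVisible": False})  # one key left out
        print(audit_siri_prefs(tmp), ea_result(tmp))
```

Gating the killall SystemUIServer step on an empty findings list covers the case where a profile is installed but one of its keys is absent or carries the wrong value.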

roiegat
Contributor III

@cgiordano Good stuff!

So I found that the Siri panel is called Speech. So with Casper I was able to create a configuration profile that disables the Dictation and Speech panel (which is just called Speech). So that disables it. But I went a step further and wrote a script that hides it:

defaults write com.apple.systempreferences HiddenPreferencePanes -array "com.apple.preference.speech"

Still testing it...but I think with that and removing the Dock item, I might be ok.

antoinekinch
New Contributor III

Is there a direct command line command to disable Siri and/or remove the System Preferences pane? If you suppress the setup assistant and remove the dock item that does one part. Then if you grey out the pane using a config profile that is another but I would have to imagine that there is a command to handle this so that we can "keep" Siri disabled, even with users that have admin privs. That is true management!

roiegat
Contributor III

@bajankinch Not sure about command line, but there might be. But that gave me a good idea. In theory if Siri is launched we should be able to detect the process and kill it under restricted applications. Will have to do some testing and test it out.

antoinekinch
New Contributor III

Sidenote: Siri does not DELETE if you delete the application from the applications folder. It was still in the System Preference Pane and could be enabled (even without it being in the Applications folder). It does indeed have a process named "Siri" once enabled and launched (parent launchd).

The app resides in /System/Library/CoreServices/Siri.app.

roiegat
Contributor III

That would be another way to do it, but disabling SIP in theory leaves your machines more vulnerable. But not sure you could script that since you have to do it from the recovery partition, but then again I haven't tried.

Plus if I did disable SIP the first thing I would be deleting is chess....why is that protected?

antoinekinch
New Contributor III

Yes, I would then have to reboot again and enable it again. Annoying! Does anyone know if JAMF is adding a Siri restriction in Config Profile MDM to the next revision?

Chess? LOL.

cgiordano
Contributor

@bajankinch I had asked my TAM about this and he said that they are at the mercy of Apple on this one, which is how I discovered this thread initially. As of right now, the suggestions on this thread are one of your best bets to disable Siri.

As with most new features, Apple hasn't included them in Config Profiles (outside of Unlock with Apple Watch) so I'm thinking, maybe a future release will include this.

roiegat
Contributor III

Well, in theory it would be nice if Apple released OS's with an "Enterprise" mode. Basically all the security measures we normally take already turned on by default. That would make our lives easier.

As for Chess, it's come up in discussions many times. For our PC machines they take out all the games since they don't want to distract employees. So we have to follow suit on the Mac. On older OS's I just moved it so it was hidden. These days, I can't do anything about it (short of disabling SIP) and had to explain to info sec that Chess is protected under System Integrity.

cgiordano
Contributor

@roiegat Why don't you make Chess.app a restricted application? This way, if you can't remove it you can at least kill the process so that it doesn't launch any more. Plus you can add reporting to it so that you get emailed every time someone tries to launch it. If you see a consistent offender then you can take the appropriate actions.

roiegat
Contributor III

@cgiordano Already done with the introduction of El Capitan. But we have these scans Info Sec do to see what's on our machines and it always shows up on some report. It's more entertaining at this point than anything else.

Plus in theory chess is supposed to make you smarter, right? So much better than the solitaire that comes on the PC.

rtrouton
Release Candidate Programs Tester

I have profiles to block Siri (built from the keys provided by @bvrooman ). They're available via the link below:

https://github.com/rtrouton/profiles/tree/master/DisableSiri

Jerome
New Contributor

Hi, I have tried your skip Siri setup profile and I can't get it to work.

The profile says that it has been done in Casper,
but when AD users log in they still get prompted for Siri setup.
Can you please advise?

RobertHammen
Valued Contributor II

@Jerome Check @rtrouton's blog post on disabling the Siri prompt here

Jerome
New Contributor

Hi Robert I did try his
Mobile config
https://github.com/rtrouton/profiles/tree/master/SkipSiriSetup

But it did not work. Any thoughts?

Jerome
New Contributor

Hi Robert

I have just tried the latest script file and that worked

As I said, I tried the MobileConfig and that didn't work. I did notice that it was 3 months old, so maybe he needs to update it now.

RobertHammen
Valued Contributor II

@jerome I think you need both: config profile to disable it, and the script to prevent being prompted to turn it on at the first login after the upgrade.

cgiordano
Contributor

Anyone have any tips to disable the Siri System Preference Pane? Everything that's been on this thread has worked for me from disabling the prompt upon first log in to disabling the menu bar item and everything else. For me and my organization, I think the final missing piece is to lock down the System Preference menu.

I know that we could lock it down using the Restrictions payload in a Config Profile but the rub with that is that we're currently checking the boxes for the System Preferences that we want locked. We were doing it the other way but then folks complained that we locked them out of some third-party System Preferences.

Any suggestions or ideas would be great!
Thanks!
Chris

cgiordano
Contributor

Wow, I'm an idiot. It was mentioned already in this thread that enabling the Restriction for Dictation & Speech would lock Siri down. I've confirmed that this works as well. Sorry for the facepalm moment, everyone.

Kyuubi
Contributor

All,

I have the 2 Config profiles and they pretty much work. However, the Siri.app still lives in /Applications. When I click on that it asks me if I want to enable SIRI. I chose yes and then Siri showed up in the menu bar. I tried to rm -r /Applications/Siri.app and was told that the operation was not permitted. Anything I can do other than chmod siri.app so that users don't have the rights to open?

thanks,

jayazicate
New Contributor

Can anyone here please give me a full explanation on how I can kill Siri off macOS Sierra? I am trying to do so for a school build but I am currently struggling. Thanks.

Not applicable

Same here! I have read everything twice but I can not see if the topics discussed even worked or any guideline. Could anyone involved in these discussions tell us what the final outcome was? I tried to remove Siri.app today and I can not find a workout as well.

RobertBasil
Contributor

I'm surprised that JAMF has not addressed this yet in some type of post. At least state what can and can't be done regarding Siri with the current version.

its-rgu
New Contributor

@bvrooman that solution is working for us. I misread the post originally and thought that it was the com.apple.assistant.plist file which wasn't disabling Siri so I did some more work and discovered it was the com.apple.assistant.support.plist instead. A few hours of extra work lost for a typo error haha. Glad it's working now though. thanks