MacOS X Sierra went GM....anyone kill Siri yet?

Posted: 9/8/16 at 2:12 PM by roiegat

So Sierra just went GM and was wondering if any others are having issues removing Siri from the OS. Our company is pretty security conscious and Siri didn't pass her tests. So I need to figure out how to disable her as much as possible. I can already disable the system panel, but I was hoping to get rid of the menu bar item, and any mention of her if possible. With SIP things have gotten harder to remove (even chess for some reason). So I can't imagine an easy answer to this.

Any thoughts?

Posted: 9/8/16 at 2:26 PM by bradtchapman

Is APNS working in your environment? Can you manage the Macs with Configuration Profiles? Siri will most likely be a restricted item soon. JAMF just released Casper Suite 9.96 and it includes new MDM restrictions plus compatibility with macOS 10.12 Sierra.

Failing that, I would look to disabling the item through System Preferences:

System Preferences > Siri > uncheck "Enable Siri."

And then restricting the Siri preference pane.

Posted: 9/8/16 at 2:34 PM by bvrooman

There does not seem to be a restriction for Siri via the MDM spec. Here's what I've got so far for a profile with custom payloads:

com.apple.assistant.support:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Assistant Enabled</key>
    <false/>
</dict>
</plist>

com.apple.Siri:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StatusMenuVisible</key>
    <false/>
    <key>UserHasDeclinedEnable</key>
    <true/>
</dict>
</plist>

This leaves the Dock icon; if users click that, it will prompt them to enable Siri, but clicking the Enable button has no effect (it doesn't even close the window). Presumably I could remove that icon with dockutil, but I've had no time to try that yet.

Posted: 9/8/16 at 2:41 PM by roiegat

@bradtchapman We can't use APNS for security reasons (external bad, internal good). But we do use configuration profiles. I create them, download them, package them, and then deploy them like any other package. So I do have a way of disabling the system panel.

@bvrooman Great info. Will test it out. I can only imagine more companies are going to need to do this for security reasons. Would be nice to kill Siri completely to have no trace of her, but not sure we'll be able to fully get rid of her (at least without disabling SIP...which we aren't doing).

I love how my job is to take all the fun stuff out of the OS due to security.

Sidenote: At home I love Siri and use her all the time. In fact, I can't remember the last time my wife actually typed a text since she uses Siri to send all of them.

Posted: 9/13/16 at 5:31 PM by cgiordano

Just to add my own two cents regarding this:

Presumably I could remove that icon with dockutil, but I've had no time to try that yet.

If you're not a company that uses or isn't allowed to use dockutil, like me, then you could always capture the Siri icon using Casper Admin then add the dock payload to a policy and configure it to "Remove" instead of add the icon.

Posted: 9/13/16 at 6:17 PM by cgiordano

As a second note, I've done some testing and I've found that even with Siri disabled the icon continues to stay in the menu bar which nets the same result as the dock icon when clicked; it simply asks if you'd like to enable it. If you'd like Siri to NOT appear in the menu bar any longer you can run the following command, either via script or JSS policy, probably the Files and Processes payload which allows one-liner commands to be run:

killall SystemUIServer

This kills the menu bar and it will refresh with Siri removed. It's important to note that you'll need to do that AFTER you've confirmed that the config profiles have landed on the machine (maybe via Ext Att?) otherwise you'll simply restart the menu bar and the Siri icon persists because it's still enabled.

Hope that helps too.

Posted: 9/13/16 at 7:41 PM by cgiordano

Ok...I've been working my way through and I'm sure others will find a quicker, more streamlined way but here's what my company will probably be doing:

1) Use Casper Admin to capture the Siri dock icon (you'll use this later in step 5)
2) Create those plists as recommended and add them to a config profile payload then scope the deployment either in your Config Profiles module or in a JSS Policy to deploy the packaged profiles.
3) Create an extension attribute that runs a script to check to see if the Config Profile lives on the machine or not. I banged out the script real quick, but I'm sure there's a better way to do this:

#!/bin/bash

# Extension attribute: report whether the Siri managed preferences have landed.
vers=$(sw_vers -productVersion)

# Match any macOS Sierra release (10.12 or 10.12.x)
if [[ "$vers" == "10.12" || "$vers" == 10.12.* ]]; then
        # The managed plist exists once the config profile has been applied
        if [[ -e "/Library/Managed Preferences/com.apple.Siri.plist" ]]; then
                echo "<result>Config Profile Disabled Siri</result>"
        else
                echo "<result>Siri still active</result>"
        fi
else
        # The JSS only records text inside <result> tags
        echo "<result>Not macOS Sierra</result>"
fi

4) Create a SmartGroup that looks for your extension attribute value to be set to "Config Profile Disabled Siri"
5) Create policy that removes the dock icon that you captured in step 1 & use the "Files and Processes" payload in the policy under the "Execute Command" section to run the command: killall SystemUIServer

I've run through a quick test on my test machine and it seemed to have done the trick but obviously you'll want to check it out for yourself.

Hope that helps.
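
An added example, not part of any post in this thread: the extension attribute in step 3 only tests that com.apple.Siri.plist exists, so this version reads both managed plists and checks the key values from the custom payloads posted above before reporting success. A Python 3 interpreter on the client and the function names `siri_findings` and `ea_result` are assumptions.

```python
#!/usr/bin/env python3
"""Verify the Siri managed preferences by value, not just by file presence."""
import plistlib
from pathlib import Path

# Domain -> required keys/values, as posted in the custom payloads above.
EXPECTED = {
    "com.apple.assistant.support": {"Assistant Enabled": False},
    "com.apple.Siri": {"StatusMenuVisible": False,
                       "UserHasDeclinedEnable": True},
}


def siri_findings(prefs_dir="/Library/Managed Preferences"):
    """Return a list of problems; an empty list means every key is enforced."""
    findings = []
    for domain, wanted in EXPECTED.items():
        path = Path(prefs_dir) / f"{domain}.plist"
        try:
            with path.open("rb") as fh:
                prefs = plistlib.load(fh)  # reads XML and binary plists
        except FileNotFoundError:
            findings.append(f"{domain}: managed plist missing")
            continue
        except Exception as exc:  # unreadable or corrupt plist
            findings.append(f"{domain}: unreadable ({type(exc).__name__})")
            continue
        if not isinstance(prefs, dict):
            findings.append(f"{domain}: unexpected plist root")
            continue
        for key, value in wanted.items():
            if key not in prefs:
                findings.append(f"{domain}: {key} not set")
            elif prefs[key] is not value:  # strict: must be a real boolean
                findings.append(f"{domain}: {key} is {prefs[key]!r}")
    return findings


def ea_result(findings):
    """Format the outcome as a Jamf extension attribute value."""
    # Same success string the smart group in step 4 matches on.
    text = "; ".join(findings) if findings else "Config Profile Disabled Siri"
    return f"<result>{text}</result>"


if __name__ == "__main__":
    print(ea_result(siri_findings()))
```

Because the success string is unchanged, the smart group from step 4 keeps working, and any other value names the key that failed to apply.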

Posted: 9/14/16 at 7:36 AM by roiegat

@cgiordano Good stuff!

So I found that the Siri panel is called Speech. So with Casper I was able to create a configuration profile that disables the Dictation and Speech panel (which is just called Speech). So that disables it. But I went a step further and wrote a script that hides it:

defaults write com.apple.systempreferences HiddenPreferencePanes -array "com.apple.preference.speech"

Still testing it...but I think with that and removing the Dock item, I might be ok.

Posted: 9/28/16 at 10:01 AM by bajankinch

Is there a direct command line command to disable Siri and/or remove the System Preferences pane? If you suppress the setup assistant and remove the dock item that does one part. Then if you grey out the pane using a config profile that is another but I would have to imagine that there is a command to handle this so that we can "keep" Siri disabled, even with users that have admin privs. That is true management!

Posted: 9/28/16 at 10:11 AM by roiegat

@bajankinch Not sure about command line, but there might be. But that gave me a good idea. In theory if Siri is launched we should be able to detect the process and kill it under restricted applications. Will have to do some testing and test it out.

Posted: 9/28/16 at 10:18 AM by bajankinch

Sidenote: Siri does not DELETE if you delete the application from the applications folder. It was still in the System Preference Pane and could be enabled (even without it being in the Applications folder). It does indeed have a process named "Siri" once enabled and launched (parent launchd).

The app resides in /System/Library/CoreServices/Siri.app.

Posted: 9/28/16 at 10:25 AM by roiegat

That would be another way to do it, but disabling SIP in theory leaves your machines more vulnerable. But not sure you could script that since you have to do it from the recovery partition, but then again I haven't tried.

Plus if I did disable SIP the first thing I would be deleting is chess....why is that protected?

Posted: 9/28/16 at 10:28 AM by bajankinch

Yes, I would then have to reboot again and enable it again. Annoying! Does anyone know if JAMF is adding a Siri restriction in Config Profile MDM to the next revision?

Chess? LOL.

Posted: 9/28/16 at 10:31 AM by cgiordano

@bajankinch I had asked my TAM about this and he said that they are at the mercy of Apple on this one, which is how I discovered this thread initially. As of right now, the suggestions on this thread are one of your best bets to disable Siri.

As with most new features, Apple hasn't included them in Config Profiles (outside of Unlock with Apple Watch) so I'm thinking, maybe a future release will include this.

Posted: 9/28/16 at 10:52 AM by roiegat

Well, in theory it would be nice if Apple released OS's with an "Enterprise" mode. Basically all the security measures we normally take already turned on by default. That would make our lives easier.

As for Chess, it's come up in discussions many times. For our PC machines they take out all the games since they don't want to distract employees. So we have to follow suit on the Mac. On older OS's I just moved it so it was hidden. These days, I can't do anything about it (short of disabling SIP) and had to explain to info sec that Chess is protected under System Integrity.

Posted: 9/28/16 at 11:07 AM by cgiordano

@roiegat Why don't you make Chess.app a restricted application? This way, if you can't remove it you can at least kill the process so that it doesn't launch any more. Plus you can add reporting to it so that you get emailed every time someone tries to launch it. If you see a consistent offender then you can take the appropriate actions.

Posted: 9/28/16 at 11:13 AM by roiegat

@cgiordano Already done with the introduction of El Capitan. But we have these scans Info Sec do to see what's on our machines and it always shows up on some report. It's more entertaining at this point than anything else.

Plus in theory chess is supposed to make you smarter, right? So much better than Solitaire that comes on the PC.

Posted: 9/28/16 at 12:40 PM by rtrouton

I have profiles to block Siri (built from the keys provided by @bvrooman ). They're available via the link below:

https://github.com/rtrouton/profiles/tree/master/DisableSiri

Posted: 9/29/16 at 3:35 PM by Jerome

Hi, I have tried your skip Siri setup profile and I can't get it to work.

The profile says that it has been done in Casper,
but when AD users log in they still get prompted for Siri setup.
Can you please advise?

Posted: 9/29/16 at 10:41 PM by RobertHammen

@Jerome Check @rtrouton's blog post on disabling the Siri prompt here

Posted: 9/29/16 at 10:59 PM by Jerome

Hi Robert, I did try his
Mobile config
https://github.com/rtrouton/profiles/tree/master/SkipSiriSetup

But it did not work. Any thoughts?

Posted: 9/29/16 at 11:45 PM by Jerome

Hi Robert

I have just tried the latest script file and that worked.

As I said, I tried the MobileConfig and that didn't work. I did notice that it was 3 months old, so maybe he needs to update it now.

Posted: 9/30/16 at 1:21 PM by RobertHammen

@jerome I think you need both: config profile to disable it, and the script to prevent being prompted to turn it on at the first login after the upgrade.

Posted: 10/4/16 at 7:21 PM by cgiordano

Anyone have any tips to disable the Siri System Preference Pane? Everything that's been on this thread has worked for me from disabling the prompt upon first log in to disabling the menu bar item and everything else. For me and my organization, I think the final missing piece is to lock down the System Preference menu.

I know that we could lock it down using the Restrictions payload in a Config Profile but the rub with that is that we're currently checking the boxes for the System Preferences that we want locked. We were doing it the other way but then folks complained that we locked them out of some third-party System Preferences.

Any suggestions or ideas would be great!
Thanks!
Chris

Posted: 10/5/16 at 1:53 PM by cgiordano

Wow, I'm an idiot. It was mentioned already in this thread that enabling the Restriction for Dictation & Speech would lock Siri down. I've confirmed that this works as well. Sorry for the facepalm moment, everyone.