Jamf Nation Community

I created an image with the Siri app deleted.
I dont anticipate our uses wanting it considering how there may be some privacy concerns. We'er not ready to run Sierra at the University and in fact I have the installer blocked so I have no surprises.

@CapU What are you going to do when 10.12.3+ installs a new version?

@MrP , no luck. I ran the script and the two Launch Agents were created under /Library/LaunchAgents. I then rebooted and Siri still is running. If I Force Quit it, it just comes back.

DUPLICATE

Update: This doesn't work. Leaving here as reference that it has been tried. SIP forces Siri to run.

Odd. In my /var/log/jamf.log i saw it constantly killing Siri.app before ran the script above. Try doing this as root to add assistantd to the disabled items list in launchd under both the user and system contexts.

Run the following commands as root before and after to check the status. Disabled = True.

#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
userid=`id -u $user`
launchctl print-disabled system
launchctl print-disabled gui/$userid

Run the following to disable them. To reverse change 'disable' to 'enable'.

#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
userid=`id -u $user`
launchctl disable user/$userid/com.apple.assistantd
launchctl disable gui/$userid/com.apple.assistantd
launchctl disable system/com.apple.assistantd
# these three will fail unless you have SIP disabled. 
launchctl disable user/$userid/com.apple.Siri.agent
launchctl disable gui/$userid/com.apple.Siri.agent
launchctl disable system/com.apple.Siri.agent

Siri and Assistantd didn't show as disabled initially, but after running the command to disable they are in the list now. But it still looks like Siri.app is running in Activity Monitor. BTW, I do NOT have SIP disabled. I don't see any resolution involving disabling SIP viable since there isn't a way to switch it off and on with JAMF and doing it manually isn't really an option.

$ launchctl print-disabled system
disabled services = {
    "com.apple.security.FDERecoveryAgent" => false
    "com.apple.screensharing" => false
    "com.apple.uucp" => true
    "com.apple.ftpd" => true
    "com.openssh.sshd" => false
    "com.apple.rshd" => true
    "com.apple.mdmclient.daemon.runatboot" => false
    "com.apple.usbmuxd" => false
    "com.apple.rpmuxd" => false
    "org.ntp.ntpd" => false
    "com.apple.fingerd" => true
    "com.apple.telnetd" => true
}


$ sudo launchctl disable user/1459944745/com.apple.assistantd
$ sudo launchctl disable gui/1459944745/com.apple.assistantd
$ sudo launchctl disable system/com.apple.assistantd
$ sudo launchctl disable user/1459944745/com.apple.Siri.agent
$ sudo launchctl disable gui/1459944745/com.apple.Siri.agent
$ sudo launchctl disable system/com.apple.Siri.agent



$ launchctl print-disabled system
disabled services = {
    "com.apple.security.FDERecoveryAgent" => false
    "com.apple.screensharing" => false
    "com.apple.uucp" => true
    "com.apple.ftpd" => true
    "com.openssh.sshd" => false
    "com.apple.rshd" => true
    "com.apple.mdmclient.daemon.runatboot" => false
    "com.apple.usbmuxd" => false
    "com.apple.rpmuxd" => false
    "com.apple.Siri.agent" => true
    "org.ntp.ntpd" => false
    "com.apple.fingerd" => true
    "com.apple.assistantd" => true
    "com.apple.telnetd" => true
}



$ launchctl print-disabled gui/1459944745
disabled services = {
    "com.apple.TMHelperAgent.SetupOffer" => false
    "com.apple.ManagedClientAgent.enrollagent" => true
    "com.apple.FileStatsAgent" => true
    "com.apple.Siri.agent" => true
    "com.apple.assistantd" => true
}
login item associations = {
}

I have to apologize. I had forgotten that I disabled SIP to do a dtrace while troubleshooting something else. I just re-enabled it and siri resumed trying to launch and jamf killing it. I agree, disabling SIP is not an option. Sorry to waste your time. Hopefully someone else has something more insightful. I do believe that the majority of the functionality is disabled when you disable assistantd, however it would be re-assuring to not have the app running.

The following will configure the user options to be disabled if found to be enabled, but it won't stop siri.app from running in the background. fwiw. Disable the system preferences icon by selecting the configuration profile "Restrictions -> Disable System preferences -> Dictation and Voice".

#!/bin/bash
IFS=$'
'
# Set verbosity level. The following are the available levels.
#   [0]="emerg" [1]="alert" [2]="crit" [3]="err" [4]="warning" [5]="notice" [6]="info" [7]="debug"  
__VERBOSE=6


##
# Function to implement proper output logging.
#  This uses syslog standard levels: https://en.wikipedia.org/wiki/Syslog#Severity_level
##
declare -a LOG_LEVELS
LOG_LEVELS=([0]="emergency" [1]="alert" [2]="critical" [3]="error" [4]="warning" [5]="notice" [6]="info" [7]="debug")
function log () {
  local LEVEL=${1}
  shift
  if [ ${__VERBOSE} -ge ${LEVEL} ]; then
    echo "[${LOG_LEVELS[$LEVEL]}]" "$@"
  fi
}
# Get user logged into console and put into variable "user"
user=`ls -l /dev/console | cut -d " " -f 4`
if [ $user ]; 
then 
    log 6 "User logged into console is: $user"
    userid=`id -u $user`
    log 6 "Unique ID for $user is: $userid"
fi

if [ "$user" != "root" ];
then
    ##
    # Siri: Disable
    ##
    markerFile="/tmp/$user-disableSiri.jssrecord"
    if [ ! -e $markerFile ];
    then
        uirestart=0
        sudo -u $user defaults read com.apple.assistant.support "Assistant Enabled" 2> /dev/null | grep 1 > /dev/null
        if [ $? == "0" ];
        then
            log 5 "User: Siri: Siri is marked enabled in System Preferences.  Disabling."
            sudo -u $user defaults write com.apple.assistant.support "Assistant Enabled" -bool false
        fi
        sudo -u $user defaults read com.apple.Siri StatusMenuVisible  2> /dev/null | grep 1 > /dev/null
        if [ $? == "0" ];
        then
            log 5 "User: Siri: Siri is marked visible in the menu bar.  Removing from menubar."
            sudo -u $user defaults write com.apple.Siri StatusMenuVisible -bool false
            uirestart=1
        fi
        sudo -u $user defaults read com.apple.Siri UserHasDeclinedEnable  2> /dev/null | grep 0 > /dev/null
        if [ $? == "0" ];
        then
            log 5 "User: Siri: UserHasDeclinedEnable is set to false.  Setting to true."
            sudo -u $user defaults write com.apple.Siri UserHasDeclinedEnable -bool true
            uirestart=1
        fi
        if [ $uirestart == 1 ]; then log 5 "User: Siri: Restarting SystemUIServer to apply changes."; killall -HUP SystemUIServer; fi
    fi
fi

@MrP I just updated to 10.12.2 and Siri is still disabled. well see what happens when 10.12.3 is released

I'm disabling Siri using an MDM config profile.
Using the Custom Settings, I just import the Plists that have the setting for having Siri enabled.
com.apple.assistant.support.plist
com.apple.siri.plist

Seems to be working well so far.

I have tried the adjusted plists as well as the 2 mobileconfigs seen below, but when we add siri to the restricted software list, it is still flagged continuously. I did notice it always squats in activity monitor, regardless of anything that is done to try and kill it

https://github.com/rtrouton/profiles/tree/master/DisableSiri

any other thoughts as to how I can get siri on the restricted software tab without it continuously being flagged?