Disabling Bonjour advertisement on OS X El Capitan and later

As part of a discussion of security issues with some colleagues this morning, the question of how to disable Bonjour advertisement on OS X El Capitan and later came up. Bonjour advertisement is how your Mac sends out an “I’m here and this is a list of the services I have available” message via Bonjour. In certain environments, this is undesired behavior and the advertisement service needs to be disabled.

The reason why the question came up is that, on OS X Yosemite and earlier, the process of disabling Bonjour advertisement looked like this:

1. Run the following command with root privileges to unload the /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist LaunchDaemon file:

launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

2. Run the following command with root privileges to edit the /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist LaunchDaemon file:

defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"

3. Run the following command with root privileges to load the /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist LaunchDaemon file:

launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

As of OS X 10.11.x though, System Integrity Protection blocks the editing of the /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist LaunchDaemon file because of the file’s location inside of the SIP-protected /System directory.

To accommodate this change, Apple made a change to mDNSResponder on OS X El Capitan and later to allow it to pick up settings from the following file:

/Library/Preferences/com.apple.mDNSResponder.plist

The ability to disable Bonjour advertisement is among the settings which can be applied to the new /Library/Preferences/com.apple.mDNSResponder.plist file. To disable Bonjour advertisement in OS X El Capitan and later, use the following procedure:

1. Run the following command with root privileges:

defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

2. Restart the Mac

3. Once the Mac has restarted, Bonjour advertisement should be disabled.
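
To confirm after the restart that the preference is actually in place, the key can be read back with `defaults`. The script below is an added example, not part of the original post; the function name `bonjour_adv_status` and its status strings are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the preference written by the article's
# `defaults write ... NoMulticastAdvertisements -bool YES` command.

PLIST="/Library/Preferences/com.apple.mDNSResponder.plist"
KEY="NoMulticastAdvertisements"

# Prints one of: Disabled, Enabled, NotSet, WrongType:<type>
# Returns 0 only when the key is a boolean set to true.
bonjour_adv_status() {
    plist="${1:-$PLIST}"

    # `defaults read-type` fails when the file or the key does not exist.
    type_out=$(defaults read-type "$plist" "$KEY" 2>/dev/null) || {
        echo "NotSet"
        return 1
    }
    key_type="${type_out#Type is }"

    # The article writes the key with -bool; flag anything else (for
    # example a string written with -string) rather than guessing how
    # mDNSResponder would interpret it.
    if [ "$key_type" != "boolean" ]; then
        echo "WrongType:$key_type"
        return 2
    fi

    # For a boolean, `defaults read` prints 1 (true) or 0 (false).
    value=$(defaults read "$plist" "$KEY" 2>/dev/null) || {
        echo "NotSet"
        return 1
    }
    if [ "$value" = "1" ]; then
        echo "Disabled"
        return 0
    fi
    echo "Enabled"
    return 3
}

# Report for this Mac when the macOS `defaults` tool is available.
if command -v defaults >/dev/null 2>&1; then
    echo "Bonjour advertisement: $(bonjour_adv_status)"
fi
```

This confirms the stored setting only; it does not observe what the Mac sends on the network.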

For those who want to disable Bonjour advertisement using a management profile, I’ve created a .mobileconfig file and posted it here on GitHub:

https://github.com/rtrouton/profiles/tree/master/DisableBonjourAdvertisement


Update – 8-22-2016: My colleague Steve Yuroff tested the profile independently and let me know that this may not be manageable via a profile after all. I re-tested and was able to reproduce his results. We have both verified that running the defaults command listed above does produce the expected behavior.

I’ve filed a bug report about this. For those interested in duping this bug, the bug report ID is 27952362. I’ve also cross-posted it to OpenRadar:

https://openradar.appspot.com/27952362


  1. August 22, 2016 at 4:13 pm

    And based on the same conversation, I wrote a Casper EA to detect if this is set or not. It’s part of the 10.11 CIS security guide. https://github.com/franton/CIS-Apple-Security-Casper/tree/master/4.1%20Disable%20Bonjour%20advertising%20service

  2. Bob
    October 2, 2016 at 10:25 pm

    Did not work using this command:

    sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

    After reboot mDNSResponder is active again.

    OS X 10.11.6

    According to this discussion, SIP needs to be disabled and the commands are different.

    [quote]
    In recovery, run
    csrutil disable && reboot
    Once back in OS X, log in as an admin user and run
    sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array-add "-NoMulticastAdvertisements"
    sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    Reboot and go back into recovery and run
    csrutil enable && reboot
    [/quote]

  3. Bob
    October 3, 2016 at 7:13 pm

    According to a not-so-polite message I received today (from another site), the aforementioned steps don’t actually disable mDNSResponder but Bonjour discovers services. So my statement that it didn’t work may have been in error.

    But no steps were given to check if discovery is truly disabled or not.

    If you check the “Block all incoming connections” box in the firewall pane, Bonjour is supposed to be crippled anyway. And I’ve not noticed any ill effects from doing so.

    “The firewall will block all sharing services, such as file sharing, screen sharing, Messages, Bonjour, and iTunes music sharing.”
