Checks if a Mac is "freehold".
#!/usr/bin/env bash
# Mac Paranoia Report — table with color-coded statuses and explanatory details
# Compatible with default macOS bash (no associative arrays)
# Run with: sudo bash mac_paranoia_report.sh
# ANSI colour sequences for the status column.
# Each value keeps a literal backslash; it only becomes a real escape byte
# once it is passed through `echo -e` (or printf %b) at print time.
NC='\033[0m'        # reset attributes
RED='\033[0;31m'
YELLOW='\033[0;33m'
GREEN='\033[0;32m'
# Status labels wrapped in colour escapes. Each function writes one line to
# stdout so callers can capture it with $(...). They read the GREEN, YELLOW,
# RED and NC globals.

# Green "OK": the check found nothing to act on.
status_ok() {
  printf '%b\n' "${GREEN}OK${NC}"
}

# Yellow "WARN": the check could not reach a verdict.
status_warn() {
  printf '%b\n' "${YELLOW}WARN${NC}"
}

# Red "FAIL": the check found something that needs attention.
status_fail() {
  printf '%b\n' "${RED}FAIL${NC}"
}
# Report banner: a blank line, the title, the generation time (minute
# resolution, local time zone), then a blank separator line.
printf '\n%s\n' "=== Mac Paranoia Report ==="
printf 'Date: %s\n' "$(date '+%Y-%m-%d %H:%M')"
printf '\n'
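# System Info
# Best-effort hardware/OS inventory. Every probe has stderr silenced, so a
# missing tool or a failed call yields an empty string; those are replaced with
# "Unknown" below. (The fallback cannot hang off `cmd | awk ... || echo`,
# because the pipeline's status is awk's, and awk exits 0 on no match.)
# Note: the serial number uniquely identifies this machine; redact it before
# sharing the report.

# Query system_profiler once and reuse its output for every field.
hw_profile=$(system_profiler SPHardwareDataType 2>/dev/null)

serial=$(printf '%s\n' "$hw_profile" | awk '/Serial Number/ {print $4; exit}')
serial=${serial:-Unknown}

memory=$(printf '%s\n' "$hw_profile" | awk '/Memory:/ {print $2,$3; exit}')
memory=${memory:-Unknown}

# Last line of `df -H /` is the row for the root volume: field 2 = size,
# field 4 = available.
disk_info=$(df -H / 2>/dev/null | tail -1)
disk_total=$(printf '%s\n' "$disk_info" | awk '{print $2}')
disk_total=${disk_total:-Unknown}
disk_avail=$(printf '%s\n' "$disk_info" | awk '{print $4}')
disk_avail=${disk_avail:-Unknown}

# Prefer the sysctl brand string; fall back to the system_profiler
# "Chip" / "Processor Name" line when sysctl gives nothing.
chip=$(sysctl -n machdep.cpu.brand_string 2>/dev/null)
if [[ -z "$chip" ]]; then
  chip=$(printf '%s\n' "$hw_profile" | awk -F': ' '/(Chip|Processor Name)/ {print $2; exit}')
fi

# Anything that is not arm64 is labelled "Intel".
arch=$(uname -m)
if [[ "$arch" == "arm64" ]]; then
  arch_type="ARM"
else
  arch_type="Intel"
fi

os_version=$(sw_vers -productVersion 2>/dev/null)
os_version=${os_version:-Unknown}

# CPU type: plain substring match on the chip name; "Pro" is tested before "Max".
case "$chip" in
  *Pro*) cpu_type="Pro" ;;
  *Max*) cpu_type="Max" ;;
  *)     cpu_type="Regular" ;;
esac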
# Print System Info
# Two-column listing: label left-aligned in 20 columns, then the value.
# printf re-applies its format to each successive label/value pair.
printf '%s\n' "System Info" "-----------"
printf '%-20s %s\n' \
  "Serial Number" "$serial" \
  "RAM" "$memory" \
  "Disk Total" "$disk_total" \
  "Disk Available" "$disk_avail" \
  "CPU Type" "$cpu_type" \
  "CPU Architecture" "$arch_type" \
  "macOS Version" "$os_version"
printf '\n'
# Column headings for the checks table.
# The Status heading is 9 wide while the data rows pad the status to 20: the
# coloured status strings carry 11 bytes of non-printing escape codes
# (7 for the colour, 4 for the reset), so both come out 9 columns on screen.
printf '%-20s %-09s %s\n' "Check" "Status" "Details"
printf '%s\n' "-----------------------------------------------------------"

# Remediation hints collected by the checks below; printed after the table.
manual_steps=()
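# 1) MDM Enrollment
# Classifies the output of `profiles status -type enrollment`:
#   - empty output    -> WARN (the query told us nothing; do not report OK)
#   - any "Yes" value -> FAIL (checked before "No", so output such as
#                        "Enrolled via DEP: No" followed by
#                        "MDM enrollment: Yes" is not passed as clean)
#   - only "No"       -> OK
#   - anything else   -> WARN
if command -v profiles &>/dev/null; then
  enroll=$(profiles status -type enrollment 2>/dev/null)
  if [[ -z "$enroll" ]]; then
    status_mdm=$(status_warn)
    mdm_msg="Unknown — profiles returned no output; check in System Settings > Profiles"
    manual_steps+=("Verify MDM profiles manually in System Settings > Profiles.")
  elif [[ "$enroll" == *"Yes"* ]]; then
    status_mdm=$(status_fail)
    # Flatten the multi-line status so it stays on one table row.
    mdm_msg=${enroll//$'\n'/; }
    manual_steps+=("Remove MDM profiles: System Settings > Profiles or 'sudo profiles remove -all'.")
  elif [[ "$enroll" == *"No"* ]]; then
    status_mdm=$(status_ok)
    mdm_msg="No MDM profiles enrolled"
  else
    status_mdm=$(status_warn)
    mdm_msg="Unknown — check in System Settings > Profiles"
    manual_steps+=("Verify MDM profiles manually in System Settings > Profiles.")
  fi
else
  status_mdm=$(status_warn)
  mdm_msg="profiles tool unavailable — check in System Settings > Profiles"
  manual_steps+=("Verify MDM profiles manually in System Settings > Profiles.")
fi
printf "%-20s %-20s %s\n" "MDM Enrollment" "$status_mdm" "$mdm_msg"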
# 2) Activation Lock
# Reads the last field of the first ioreg line mentioning
# ActivationLockStatus. "1" is reported as FAIL, "0" as OK; any other value,
# including no match at all, is WARN with a manual-verification step.
# NOTE(review): confirm this key is present in ioreg output on the macOS
# versions you target; where it is absent this row is always WARN.
if ! command -v ioreg &>/dev/null; then
  status_lock=$(status_warn)
  lock_msg="ioreg unavailable — check in System Settings > Apple ID > iCloud"
  manual_steps+=("Verify Activation Lock status in System Settings > Apple ID > iCloud.")
else
  lock=$(ioreg -c IOPlatformExpertDevice -d 1 -r | awk '/ActivationLockStatus/ {print $NF; exit}')
  case "$lock" in
    1)
      status_lock=$(status_fail)
      lock_msg="Find My Mac is enabled"
      manual_steps+=("Disable Find My Mac: System Settings > Apple ID > iCloud.")
      ;;
    0)
      status_lock=$(status_ok)
      lock_msg="Find My Mac is disabled"
      ;;
    *)
      status_lock=$(status_warn)
      lock_msg="Unknown — check in System Settings > Apple ID > iCloud"
      manual_steps+=("Verify Activation Lock status in System Settings > Apple ID > iCloud.")
      ;;
  esac
fi
printf '%-20s %-20s %s\n' "Activation Lock" "$status_lock" "$lock_msg"
# 3) Firmware Password
# Classifies `firmwarepasswd -check` by substring: "Password Enabled: No" is
# OK, "Password Enabled: Yes" is FAIL. Any other output, including the empty
# string left by a failed call (stderr is discarded), is WARN.
# NOTE(review): presumably the tool gives no usable answer on Apple silicon,
# which would make this row WARN there; confirm on target hardware.
if ! command -v firmwarepasswd &>/dev/null; then
  status_fw=$(status_warn)
  fw_msg="firmwarepasswd unavailable — verify in Recovery Mode"
  manual_steps+=("Verify firmware password status in Recovery Mode.")
else
  fw=$(sudo firmwarepasswd -check 2>/dev/null)
  case "$fw" in
    *"Password Enabled: No"*)
      status_fw=$(status_ok)
      fw_msg="No firmware password set"
      ;;
    *"Password Enabled: Yes"*)
      status_fw=$(status_fail)
      fw_msg="Firmware password is enabled"
      manual_steps+=("Remove firmware password: reboot to Recovery, then 'sudo firmwarepasswd -delete'.")
      ;;
    *)
      status_fw=$(status_warn)
      fw_msg="Unknown — verify in Recovery Mode"
      manual_steps+=("Verify firmware password status in Recovery Mode.")
      ;;
  esac
fi
printf '%-20s %-20s %s\n' "Firmware Password" "$status_fw" "$fw_msg"
# 4) SSH Login (Remote Login)
# Classifies `systemsetup -getremotelogin` by substring: "Off" is tested
# first (OK), then "On" (FAIL). Output containing neither, including the
# empty string left by a failed call, is WARN.
# The match is a plain substring test, so it depends on the tool's wording.
if ! command -v systemsetup &>/dev/null; then
  status_ssh=$(status_warn)
  ssh_msg="systemsetup unavailable — check in System Settings > Sharing"
  manual_steps+=("Verify Remote Login status in System Settings > Sharing > Remote Login.")
else
  ssh_out=$(sudo systemsetup -getremotelogin 2>/dev/null)
  case "$ssh_out" in
    *"Off"*)
      status_ssh=$(status_ok)
      ssh_msg="Remote Login is off"
      ;;
    *"On"*)
      status_ssh=$(status_fail)
      ssh_msg="Remote Login is enabled"
      manual_steps+=("Turn off Remote Login: System Settings > Sharing > Remote Login.")
      ;;
    *)
      status_ssh=$(status_warn)
      ssh_msg="Unknown — check in System Settings > Sharing"
      manual_steps+=("Verify Remote Login status in System Settings > Sharing > Remote Login.")
      ;;
  esac
fi
printf '%-20s %-20s %s\n' "SSH Login" "$status_ssh" "$ssh_msg"
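# 5) Screen Sharing
# Reads the Enabled key of the com.apple.ScreenSharing preference domain.
# "1" is FAIL and "0" is OK. A failed or empty read is WARN rather than OK:
# an unreadable or missing key says nothing about whether the service is
# running, and the other checks in this report also treat "unknown" as WARN.
# NOTE(review): confirm this key tracks the actual Screen Sharing service
# state on the macOS versions you target.
ss=$(defaults read com.apple.ScreenSharing.plist Enabled 2>/dev/null)
case "$ss" in
  1)
    status_ss=$(status_fail)
    ss_msg="Screen Sharing is enabled"
    manual_steps+=("Turn off Screen Sharing: System Settings > Sharing > Screen Sharing.")
    ;;
  0)
    status_ss=$(status_ok)
    ss_msg="Screen Sharing is disabled"
    ;;
  *)
    status_ss=$(status_warn)
    ss_msg="Unknown — check in System Settings > Sharing > Screen Sharing"
    manual_steps+=("Verify Screen Sharing status in System Settings > Sharing > Screen Sharing.")
    ;;
esac
printf "%-20s %-20s %s\n" "Screen Sharing" "$status_ss" "$ss_msg"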
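# 6) Remote Management
# Reads ARD_AllLocalUsers from the system-wide RemoteManagement plist.
# `-bool` is a type flag for `defaults write`; `defaults read` takes only a
# domain and a key, so the extra argument is dropped here.
# "1" is FAIL and "0" is OK. A failed or empty read is WARN rather than OK, so
# an unreadable plist is not reported as "disabled".
# NOTE(review): the key name suggests it describes which users are granted
# access, not whether the service is on; confirm "0" really means disabled.
rm=$(defaults read /Library/Preferences/com.apple.RemoteManagement.plist ARD_AllLocalUsers 2>/dev/null)
case "$rm" in
  1)
    status_rm=$(status_fail)
    rm_msg="Remote Management is enabled"
    manual_steps+=("Turn off Remote Management: System Settings > Sharing > Remote Management.")
    ;;
  0)
    status_rm=$(status_ok)
    rm_msg="Remote Management is disabled"
    ;;
  *)
    status_rm=$(status_warn)
    rm_msg="Unknown — check in System Settings > Sharing > Remote Management"
    manual_steps+=("Verify Remote Management status in System Settings > Sharing > Remote Management.")
    ;;
esac
printf "%-20s %-20s %s\n" "Remote Management" "$status_rm" "$rm_msg"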
# 7) Third-party Remote Apps
# Looks for two hard-coded bundles under /Applications. Coverage is limited
# to exactly these paths: other remote-access tools, or the same apps
# installed elsewhere, are not detected, so OK means only "these two bundles
# are absent".
found=0
for app in /Applications/TeamViewer.app /Applications/AnyDesk.app; do
  if [[ -d "$app" ]]; then
    found=1
    break
  fi
done

if (( found == 1 )); then
  status_apps=$(status_fail)
  apps_msg="Third-party remote app detected"
  manual_steps+=("Uninstall TeamViewer/AnyDesk from /Applications.")
else
  status_apps=$(status_ok)
  apps_msg="No known remote apps found"
fi
printf '%-20s %-20s %s\n' "3rd-Party Apps" "$status_apps" "$apps_msg"
printf '\n'
# Summary: list the remediation steps gathered by the checks above.
# The "all clear" line appears only when no check queued a step; it reflects
# the checks in this script and nothing beyond them.
if (( ${#manual_steps[@]} == 0 )); then
  printf '%b\n' "${GREEN}All clear! Your Mac is freehold.${NC}"
else
  printf '%b\n' "${RED}Issues detected — manual steps:${NC}"
  for step in "${manual_steps[@]}"; do
    printf '%s\n' "· $step"
  done
fi