#!/usr/bin/env python3 import subprocess import os import time import threading import shutil BUNDLE_ID = "com.brave.Browser" # BUNDLE_ID = "com.google.chrome" MANAGED_PLIST = f"/Library/Managed Preferences/{BUNDLE_ID}.plist" # === Brave-specific feature lockdown === managed_policies = { # "RestoreOnStartup": 5, # Open new tab on startup # "HomepageIsNewTabPage": True, # Use New Tab as homepage "AutofillAddressEnabled": False, # Disable address autofill "AutofillCreditCardEnabled": False, # Disable credit card autofill "BackgroundModeEnabled": False, # Disable background tasks "BookmarkBarEnabled": False, # Disable bookmark bar "BraveAIChatEnabled": False, # Disable Brave AI features "BraveNewsDisabled": True, # Disable Brave News "BravePlaylistEnabled": False, # Disable Brave Playlist "BraveRewardsDisabled": True, # Disable Brave Rewards "BraveSpeedreaderEnabled": False, # Disable Speedreader "BraveStatsPingEnabled": False, # Disable telemetry pings "BraveTalkDisabled": True, # Disable Brave Talk "BraveVPNDisabled": True, # Disable Brave VPN "BraveWalletDisabled": True, # Disable Brave Wallet "BraveWalletShowInToolbar": False, # Hide wallet icon "BraveWebDiscoveryEnabled": False, # Disable web discovery "BrowserSignin": 0, # Disable browser sign-in "DefaultGeolocationSetting": 2, # Block location access "EnableMediaRouter": False, # Disable Google Cast "GoogleSearchSidePanelEnabled": False, # Disable Google Search side panel "PasswordLeakDetectionEnabled": False, # Disable password leak check "PasswordManagerEnabled": False, # Disable password manager "PasswordManagerPasskeysEnabled": False, # Disable passkeys "PasswordSharingEnabled": False, # Disable password sharing "PaymentMethodQueryEnabled": False, # Disable payment autofill "PrivacySandboxAdMeasurementEnabled": False, # Disable Privacy Sandbox ads "PrivacySandboxAdTopicsEnabled": False, # Disable ad topics "PrivacySandboxPromptEnabled": False, # Disable Privacy Sandbox prompt "PrivacySandboxSiteEnabledAdsEnabled": False, # Disable site-enabled ads "PromotionsEnabled": False, # Disable promotional content "ShowHomeButton": False, # Hide Home button "SideSearchEnabled": False, # Disable side search "SpellcheckEnabled": False, # Disable spellcheck "SuggestedContentEnabled": False, # Disable content suggestions "SyncDisabled": True, # Disable Brave Sync "TorDisabled": True, # Disable Tor integration "TranslateEnabled": False, # Disable translate feature "UserFeedbackAllowed": False, # Disable sending feedback "DeviceMetricsReportingEnabled": False, # "MetricsReportingEnabled": False, "SafeBrowsingExtendedReportingEnabled": False, "DefaultBrowserSettingEnabled": False, "AlternateErrorPagesEnabled": False, "URLKeyedAnonymizedDataCollectionEnabled": False, "SpellCheckServiceEnabled": False, "SearchSuggestEnabled": False, "SigninInterceptionEnabled": False } def run(cmd, use_sudo=False, silent=False): if use_sudo: cmd = ["sudo"] + cmd if not silent: print("โ†’", " ".join(cmd)) subprocess.run(cmd, check=True) def keep_sudo_alive(): """Refresh sudo timestamp every 60 s.""" while True: subprocess.run(["sudo", "-v"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) time.sleep(60) def ensure_managed_dir(): os.makedirs("/Library/Managed Preferences", exist_ok=True) run(["chown", "root:wheel", "/Library/Managed Preferences"], use_sudo=True) run(["chmod", "755", "/Library/Managed Preferences"], use_sudo=True) def set_policy(key, value): # Remove existing key before adding (avoid duplicate errors) subprocess.run( ["sudo", "/usr/libexec/PlistBuddy", "-c", f"Delete :{key}", MANAGED_PLIST], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL ) # Choose correct PlistBuddy type if isinstance(value, bool): cmd = ["Add", f":{key}", "bool", "true" if value else "false"] elif isinstance(value, int): cmd = ["Add", f":{key}", "integer", str(value)] elif isinstance(value, str): cmd = ["Add", f":{key}", "string", value] elif isinstance(value, list): # array run(["/usr/libexec/PlistBuddy", "-c", f"Add :{key} array", MANAGED_PLIST], use_sudo=True) for v in value: run(["/usr/libexec/PlistBuddy", "-c", f"Add :{key}: string {v}", MANAGED_PLIST], use_sudo=True) return else: print(f"โš ๏ธ Unsupported type for key {key}") return run(["/usr/libexec/PlistBuddy", "-c", " ".join(cmd), MANAGED_PLIST], use_sudo=True) def set_managed_policies(): ensure_managed_dir() for key, value in managed_policies.items(): set_policy(key, value) def refresh_preferences(): run(["killall", "cfprefsd"], use_sudo=True) def cleanup_brave_data(): """Optionally remove crypto-related folders.""" profile = os.path.expanduser("~/Library/Application Support/BraveSoftware/Brave-Browser/Default") for folder in ["brave_rewards", "ethereum_wallet", "brave_vpn", "ai_chat"]: path = os.path.join(profile, folder) if os.path.exists(path): print(f"๐Ÿงน Removing {path}") shutil.rmtree(path, ignore_errors=True) if __name__ == "__main__": print("๐Ÿ” Applying full Brave Browser hardening policies (mandatory).") subprocess.run(["sudo", "-v"], check=True) # ask for password once threading.Thread(target=keep_sudo_alive, daemon=True).start() set_managed_policies() cleanup_brave_data() refresh_preferences() print(f"\nโœ… All mandatory policies applied under:\n {MANAGED_PLIST}") print(" Restart Brave and check brave://policy โ€” all should show Level = Mandatory.") print(" You can re-run this script anytime to refresh or update settings.")