Setting umask for All Users

By Emalee Firestein

Learn about setting umask for all users, and how it helps secure your Mac fleet

What is umask?

The umask (user file-creation mode mask) is a per-process setting on Unix-like systems, and also the shell command that reads or changes it, that determines the default permissions for new files and directories. It specifies which permission bits will be cleared when a file or directory is created; every bit that is not masked off stays at the creating program's default. For more information about setting custom umask values in macOS, see this Apple guide.

How umask Works

When you create a file or directory, it starts with a default set of permissions. The umask value is subtracted from this default to determine the final permissions. For instance, the default permissions are typically 666 for files (read and write for everyone) and 777 for directories (read, write, and execute for everyone). The umask value is subtracted from these defaults to get the actual permissions. Strictly speaking the mask is applied bit by bit (each bit set in the umask is cleared from the default) rather than by arithmetic subtraction, but for the common values used here the two give the same result.

Setting the umask to 027 is a common practice for enhancing security. Here's a breakdown of what this means:

0: This leading digit corresponds to the special (setuid, setgid, sticky) bits and is not used by umask; it is normally written as 0.

2: This digit affects group permissions, removing write permission.

7: This digit affects "others" permissions, removing read, write, and execute permissions.

After the umask is applied, the following numeric permission values will be set:

Files will have permissions 640 (666 - 027):

Owner: read and write
Group: read-only
Others: no permissions

Directories will have permissions 750 (777 - 027):

Owner: read, write, and execute
Group: read and execute
Others: no permissions
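The following POSIX shell script is an added example, not part of the original article or of any Kandji tooling. It shows two things a practitioner checking a umask rollout would want: a function that computes the resulting mode the way the kernel does (bitwise clearing of the masked bits, which matches the 640/750 figures above and also covers masks such as 077 where arithmetic subtraction gives the wrong answer), and a function that actually creates a file and a directory under a given umask in a temporary directory and reports the mode the filesystem assigned. Both function names are this example's own choice.

```sh
#!/bin/sh
# Added example: how a umask turns default modes into the modes new items receive.
# apply_umask BASE MASK -> prints the resulting three-digit octal mode.
# The kernel clears every bit set in the mask: result = base AND NOT mask.
apply_umask() {
    base="0$1"   # leading 0 makes shell arithmetic read the value as octal
    mask="0$2"
    printf '%03o\n' "$(( base & ~mask ))"
}

# created_mode MASK file|dir -> prints the symbolic mode (10 characters, as shown
# by ls -l) of a fresh file or directory created under MASK in a scratch directory.
# Files are created with a 666 default, directories with 777, exactly as the
# article describes, and the subshell keeps the umask change from leaking out.
created_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"   # a plain redirection creates the file with mode 666 & ~umask
        fi
    )
    ls -ld "$tmp/new" | cut -c1-10
    rm -rf "$tmp"
}

# Demonstration when run directly.
echo "file under 027: $(apply_umask 666 027)   (expect 640)"
echo "dir  under 027: $(apply_umask 777 027)   (expect 750)"
echo "file under 077: $(apply_umask 666 077)   (bitwise gives 600; 666-077 would wrongly give 567)"
echo "created file under 027: $(created_mode 027 file)"
echo "created dir  under 027: $(created_mode 027 dir)"
```

Run it in a Terminal on a test Mac before and after the Parameter is applied: the `created_mode` lines reflect the umask inherited by that shell, so a value other than `-rw-r-----` and `drwxr-x---` after the restart means the session did not pick up the new mask.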

How to set the umask to 027

A Parameter can be configured in both Assignment Maps and Classic Blueprints to set the umask to 027 across all users on the Mac computers in your fleet.

Enabling this Parameter will require a restart for each Mac it runs on if the umask value does not already match the value set. It may also cause unintended consequences for software installs, or in collaborative environments. Please test umask adjustments thoroughly before deploying to production computers.

To configure the Parameter:

  1. Navigate to your desired Assignment Map or Classic Blueprint, and click Parameters.
  2. Select Edit Parameters. If this is the first Parameter you're adding, select Add Parameters in your Assignment Map or Enable Parameters in your Classic Blueprint.
  3. In the search field, enter "umask".
  4. Locate the Set umask for all users Parameter, and enable it by toggling the switch.
  5. Click Save.