mac-onboarding: Privacy-First macOS Configuration Bootstrapper


→ What It Does

Export your macOS apps, shell configs, system settings, hotkeys, and app preferences from a source Mac, then replay them on a fresh target Mac. One command, one script.

$ mac-onboarding export ~/onboard.tar.gz
# → Captures 21 modules: bootstrap, brew, shell, git, system, hotkeys, ...

$ mac-onboarding install ~/onboard.tar.gz
# → Installs Xcode CLT, Homebrew, apps, dotfiles, settings, hotkeys

→ Why mac-onboarding?

🔒 Privacy No cloud sync. Everything local.

🛡️ Secrets Safe API keys auto-redacted before archiving.

🔍 Auditable See exactly what gets captured.

📱 MDM-Aware Won't break enrollment or protected settings.

⚡ Fast No Time Machine. Single binary.

🚀 Open Source MIT licensed. Full transparency.

→ Install

Via Homebrew (recommended):

brew tap oleg-koval/tap
brew install mac-onboarding

Or download from releases:

# Apple Silicon (M1/M2/M3)
curl -Lo mac-onboarding https://github.com/oleg-koval/mac-onboarding/releases/latest/download/mac-onboarding-darwin-arm64

# Intel
curl -Lo mac-onboarding https://github.com/oleg-koval/mac-onboarding/releases/latest/download/mac-onboarding-darwin-amd64

chmod +x mac-onboarding
sudo mv mac-onboarding /usr/local/bin/

Verify installation:

mac-onboarding --help

→ Quick Start

# Copy the example config and edit it to select which modules to capture
cp ~/.local/share/doc/mac-onboarding/onboard.yaml.example onboard.yaml

# Preview what would be captured, without writing the archive
mac-onboarding export --dry-run ~/onboard.tar.gz

# Export from the source Mac
mac-onboarding export ~/onboard.tar.gz

# On the target Mac: preview first, then install
mac-onboarding install --dry-run ~/onboard.tar.gz
mac-onboarding install ~/onboard.tar.gz

→ Supported Modules (21 Total)

  • bootstrap
  • brew
  • shell
  • git
  • system
  • hotkeys
  • kitty
  • cursor
  • claude
  • codex
  • pi
  • swiftbar
  • alfred
  • klack
  • flux
  • betterdisplay
  • orbstack
  • tailscale
  • shottr
  • synology
  • onepassword

→ Bridge Mode (Live Pull)

Skip the archive—pull directly from source Mac via Tailscale SSH:

# On target Mac (requires source Mac's Tailscale hostname in config)
mac-onboarding bridge pull --only brew,shell

→ Security & Privacy

  • Secrets redacted: Shell rc files, git credentials, API keys filtered before archiving
  • SSH keys not migrated: You manage these manually per security best practices
  • MDM-safe: Won't overwrite enrollment settings or protected system defaults
  • Offline capable: Works without internet after initial config
  • Auditable: Run tar tzf onboard.tar.gz to inspect archive contents
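The two bullets above that matter most for a security review are "secrets redacted" and "auditable". The following is an added example, not mac-onboarding's own code, of how to check both around an export: a redaction preview for a shell rc file and a post-export audit of the archive listing produced by tar tzf. The variable-name suffixes and path patterns it matches are assumptions chosen for illustration, not the tool's actual redaction rules; the rc lines and archive are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not part of mac-onboarding): preview secret redaction on
# shell rc lines, and audit an exported archive listing for key material.
# Patterns below are illustrative assumptions, not the tool's own rules.
set -eu

# redact_secrets: reads shell rc lines on stdin and writes them to stdout with
# the value of any variable whose name ends in KEY, TOKEN, SECRET or PASSWORD
# replaced by <REDACTED>. Every other line passes through unchanged.
redact_secrets() {
  sed -E 's/^((export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*(KEY|TOKEN|SECRET|PASSWORD)=).*$/\1<REDACTED>/'
}

# audit_archive: lists entries of a .tar.gz whose path looks like an SSH key
# directory, a private key, cloud credentials or a dotenv file. Returns 1 when
# any such entry exists so it can gate copying the archive to another machine.
audit_archive() {
  archive="$1"
  hits=$(tar tzf "$archive" \
    | grep -E '(^|/)(\.ssh/|id_(rsa|ed25519|ecdsa)|\.aws/credentials|\.env(\..*)?$)' || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# demo: builds a constructed source tree (fake rc file, empty key file, an
# app config), previews redaction, packs it like an export would, and audits it.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src/.ssh" "$tmp/src/.config"
  printf 'export OPENAI_API_KEY=sk-constructed-not-real\nexport EDITOR=vim\n' > "$tmp/src/.zshrc"
  : > "$tmp/src/.ssh/id_ed25519"          # constructed, empty stand-in for a key
  : > "$tmp/src/.config/kitty.conf"
  echo "--- redaction preview of .zshrc ---"
  redact_secrets < "$tmp/src/.zshrc"
  tar czf "$tmp/onboard.tar.gz" -C "$tmp/src" .
  echo "--- archive audit ---"
  if audit_archive "$tmp/onboard.tar.gz"; then
    echo "archive clean"
  else
    echo "archive contains key-like entries; review before moving it off this Mac"
  fi
  rm -rf "$tmp"
}

demo
```

Run the audit against the real ~/onboard.tar.gz after an export; a non-zero exit means the listing contained a path the patterns consider sensitive and the onboard.yaml module selection should be revisited before the archive leaves the source Mac.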