(My original post at https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4912658#gistcomment-4912658 was too long.)
I managed to get rid of spyware and worse with Sonoma (14.3.1).
>sudo sysinfo
Software:
System Software Overview:
System Version: macOS 14.3.1 (23D60)
Kernel Version: Darwin 23.3.0
Boot Volume: Macintosh HD
Boot Mode: Normal
Computer Name: <>
User Name: System Administrator (root)
Secure Virtual Memory: Enabled
System Integrity Protection: Enabled
Time since boot: <>
Hardware:
Hardware Overview:
Model Name: MacBook Pro
Model Identifier: Mac15,9
Model Number: <>
Chip: Apple M3 Max
Total Number of Cores: 16 (12 performance and 4 efficiency)
Memory: 128 GB
System Firmware Version: 10151.81.1
OS Loader Version: 10151.81.1
Serial Number (system): <>
Hardware UUID: <>
Provisioning UDID: <>
Activation Lock Status: Disabled
>sudo profiles list
There are no configuration profiles installed in the system domain
>sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: We can't determine if this machine is DEP enabled. Try again later.
This approach assumes you are able to create a bootable installer and wipe your system disk (be sure to have a backup in place!).
- Create a bootable installer (I followed these instructions: https://mrmacintosh.com/how-to-create-a-macos-sonoma-usb-boot-disk-installer-in-5-min/)
- Have another external drive (e.g. a USB stick) at hand and save the skipmdm.com script (https://raw.githubusercontent.com/skipmdm-phoenixbot/skipmdm.com/main/Autobypass-mdm.sh) on it.
- Have access to the internet router you use to activate macOS.
Before starting at all, make sure you block the following URLs in the internet router. I used a Fritz!Box and its "Blocked websites" filter to block these URLs:
iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com
Make sure the blocker works (i.e. ping them from another device)!
In recovery mode, wipe the hard disk and start a clean install with the bootable installer.
Connect to the internet once to activate the system (I could not proceed without it). As the installer fails to connect to the enrollment servers, an error message will be displayed indicating that the status of the enrollment could not be verified.
In recovery mode, open Terminal and e.g. try to delete /var/db/ConfigurationProfiles/Settings - you should get a prompt for the installation user (starting w/ "_m...") - which is a good sign (no other users have been set up so far)!
Now just run the script from the USB stick. Hint: directly enter the username you'd like to use later (instead of going with Apple:1234 - this saves some time). The script should run without any errors (despite the long previous discussions).
Before you proceed with the installation, reboot in recovery mode and change /etc/hosts by adding:
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com
>sudo launchctl disable system/com.apple.ManagedClientAgent.enrollagent
>sudo launchctl disable system/com.apple.mdmclient.daemon
>sudo launchctl disable system/com.apple.devicemanagementclient.teslad
# You might check other services and disable them - know what you do!
>sudo launchctl print system | sort | grep enabled
Finally, a firewall comes in handy to possibly add even more security: I blocked
/usr/libexec/teslad
/usr/libexec/mdmclient
(for both user + system).
This works well for me and shows that it's possible to stop companies from installing spyware on their employees' devices - even on M3. By the way, in many countries these practices are unlawful, so I see following this approach as justified self-defense.
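A defender-side check for the modifications described in this comment, added here as an example (it is not part of the original post or of any project named in it): it scans /etc/hosts for overrides of the enrollment domains listed above and the output of `launchctl print-disabled system` for the three launchd services that were disabled. The launchctl output line format and the sample inputs are assumptions.

```python
import re
import subprocess

# Apple enrollment hosts and launchd services named in the post above.
MDM_HOSTS = {"iprofiles.apple.com", "mdmenrollment.apple.com", "deviceenrollment.apple.com",
             "gdmf.apple.com", "acmdm.apple.com", "albert.apple.com"}
MDM_SERVICES = {"com.apple.ManagedClientAgent.enrollagent", "com.apple.mdmclient.daemon",
                "com.apple.devicemanagementclient.teslad"}

def hosts_overrides(hosts_text):
    """Return {domain: ip} for MDM domains that /etc/hosts overrides (any override is suspicious)."""
    found = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in MDM_HOSTS:
                found[name.lower()] = ip
    return found

def disabled_mdm_services(print_disabled_text):
    """Parse `launchctl print-disabled system` (assumed line format: "label" => disabled)."""
    pat = re.compile(r'"([^"]+)"\s*=>\s*(disabled|true)\b')
    return {m.group(1) for m in pat.finditer(print_disabled_text)} & MDM_SERVICES

def audit(hosts_text, print_disabled_text):
    """Combine both checks into a list of findings; an empty list means nothing was found."""
    findings = [f"/etc/hosts maps {d} to {ip}" for d, ip in sorted(hosts_overrides(hosts_text).items())]
    findings += [f"launchd service disabled: {s}" for s in sorted(disabled_mdm_services(print_disabled_text))]
    return findings

def audit_live_mac():
    """Run the audit on this machine (macOS only; run as root to see the system domain)."""
    with open("/etc/hosts", encoding="utf-8") as f:
        hosts = f.read()
    out = subprocess.run(["launchctl", "print-disabled", "system"],
                         capture_output=True, text=True, check=False).stdout
    return audit(hosts, out)

# Constructed sample input mirroring the post's changes (not real system output).
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 iprofiles.apple.com\n0.0.0.0 gdmf.apple.com # mdm\n"
SAMPLE_DISABLED = ('disabled services = {\n\t"com.apple.mdmclient.daemon" => disabled\n'
                   '\t"com.example.unrelated.daemon" => enabled\n}\n')

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, SAMPLE_DISABLED):
        print("FINDING:", finding)
```

On a managed fleet the same two inputs can be collected by an MDM inventory script or an EDR agent and fed to `audit()` centrally.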