Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Disable Big Sur services
#!/bin/zsh
#Credit: Original idea and script disable.sh by pwnsdx https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3
#Disabling unwanted services on macOS 11 Big Sur (11) and macOS Monterey (12)
#Disabling SIP is required ("csrutil disable" from Terminal in Recovery)
#Modifications are written in /private/var/db/com.apple.xpc.launchd/ disabled.plist, disabled.501.plist & disabled.205.plist
# user
TODISABLE=()
TODISABLE+=('com.apple.accessibility.MotionTrackingAgent' \
'com.apple.AddressBook.ContactsAccountsService' \
'com.apple.AMPArtworkAgent' \
'com.apple.AMPDeviceDiscoveryAgent' \
'com.apple.AMPLibraryAgent' \
'com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd' \
'com.apple.ap.promotedcontentd' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.avconferenced' \
'com.apple.BiomeAgent' \
'com.apple.biomesyncd' \
'com.apple.CalendarAgent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CommCenter-osx' \
'com.apple.ContactsAgent' \
'com.apple.CoreLocationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.followupd' \
'com.apple.gamed' \
'com.apple.geod' \
'com.apple.homed' \
'com.apple.icloud.findmydeviced' \
'com.apple.icloud.findmydeviced.aps-demo' \
'com.apple.icloud.findmydeviced.aps-development' \
'com.apple.icloud.findmydeviced.aps-production' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.findmydeviced.ua-services' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.icloud.searchpartyd.accessorydiscoverymanager' \
'com.apple.icloud.searchpartyd.advertisementcache' \
'com.apple.icloud.searchpartyd.beaconmanager' \
'com.apple.icloud.searchpartyd.beaconmanager.agentdaemoninternal' \
'com.apple.icloud.searchpartyd.finderstatemanager' \
'com.apple.icloud.searchpartyd.pairingmanager' \
'com.apple.icloud.searchpartyd.scheduler' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.iCloudNotificationAgent' \
'com.apple.iCloudUserNotifications' \
'com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imtransferagent' \
'com.apple.itunescloudd' \
'com.apple.knowledge-agent' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClientAgent.enrollagent' \
'com.apple.Maps.mapspushd' \
'com.apple.Maps.pushdaemon' \
'com.apple.mediaanalysisd' \
'com.apple.mediastream.mstreamd' \
'com.apple.newsd' \
'com.apple.nsurlsessiond' \
'com.apple.parsec-fbf' \
'com.apple.parsecd' \
'com.apple.passd' \
'com.apple.photoanalysisd' \
'com.apple.photolibraryd' \
'com.apple.progressd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.quicklook' \
'com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.rapportd-user' \
'com.apple.remindd' \
'com.apple.routined' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.SafeEjectGPUAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra' \
'com.apple.screensharing.MessagesAgent' \
'com.apple.ScreenTimeAgent' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay' \
'com.apple.Siri.agent' \
'com.apple.siri.context.service' \
'com.apple.siriknowledged' \
'com.apple.suggestd' \
'com.apple.telephonyutilities.callservicesd' \
'com.apple.TMHelperAgent' \
'com.apple.TMHelperAgent.SetupOffer' \
'com.apple.UsageTrackingAgent' \
'com.apple.videosubscriptionsd' \
'com.apple.wifi.WiFiAgent')
for agent in "${TODISABLE[@]}"
do
launchctl bootout gui/501/${agent}
launchctl disable gui/501/${agent}
done
# system
TODISABLE=()
TODISABLE+=('com.apple.airportd' \
'com.apple.bootpd' \
'com.apple.backupd' \
'com.apple.backupd-helper' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CoreLocationAgent' \
'com.apple.coreduetd' \
'com.apple.dhcp6d' \
'com.apple.diagnosticextensions.osx.wifi.helper' \
'com.apple.familycontrols' \
'com.apple.findmymacmessenger' \
'com.apple.followupd' \
'com.apple.FollowUpUI' \
'com.apple.ftp-proxy' \
'com.apple.ftpd' \
'com.apple.GameController.gamecontrollerd' \
'com.apple.geod' \
'com.apple.icloud.findmydeviced' \
'com.apple.icloud.findmydeviced.aps-demo' \
'com.apple.icloud.findmydeviced.aps-development' \
'com.apple.icloud.findmydeviced.aps-production' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.findmydeviced.ua-services' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.icloud.searchpartyd.accessorydiscoverymanager' \
'com.apple.icloud.searchpartyd.advertisementcache' \
'com.apple.icloud.searchpartyd.beaconmanager' \
'com.apple.icloud.searchpartyd.beaconmanager.agentdaemoninternal' \
'com.apple.icloud.searchpartyd.finderstatemanager' \
'com.apple.icloud.searchpartyd.pairingmanager' \
'com.apple.icloud.searchpartyd.scheduler' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.iCloudHelper' \
'com.apple.iCloudNotificationAgent' \
'com.apple.iCloudUserNotificationsd' \
'com.apple.itunescloudd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.netbiosd' \
'com.apple.nsurlsessiond' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.rapportd' \
'com.apple.screensharing' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.siri.morphunassetsupdaterd' \
'com.apple.siriinferenced' \
'com.apple.wifianalyticsd' \
'com.apple.wifiFirmwareLoader' \
'com.apple.wifip2pd' \
'com.apple.wifivelocityd')
for daemon in "${TODISABLE[@]}"
do
sudo launchctl bootout system/${daemon}
sudo launchctl disable system/${daemon}
done
@tremuddie
Copy link

tremuddie commented Nov 21, 2021

@l0n3gh0st
Copy link

l0n3gh0st commented Nov 21, 2021

will this work in Monterey ?

@b0gdanw
Copy link
Author

b0gdanw commented Nov 22, 2021

It should work in Monterey too, but I haven’t tested it.
To only stop the services, exclude the lines with launchctl disable from the script.
There are many ways to run a script at login, see https://superuser.com/questions/229773/run-command-on-startup-login-mac-os-x
Please notice that stoping/disabling AMP… breaks Apple Music and TV. The script disables wifi related services, delete those lines if you use Wi-Fi.

@l0n3gh0st
Copy link

l0n3gh0st commented Nov 23, 2021

@elesto
Copy link

elesto commented Jan 18, 2022

Do i have to keep SIP disabled and run this at every boot?

@b0gdanw
Copy link
Author

b0gdanw commented Jan 18, 2022

The disable command should persist, the script only needs to be run once.
It should work in macOS 12 Monterey too.
My tests with SIP enabled were unsuccessful, many of the disabled services came back after a restart.
As I always have SIP disabled (csrutil disable), I didn’t persist in trying. Other people say it’s working with SIP enabled.
https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21#gistcomment-4014715

@elesto
Copy link

elesto commented Jan 19, 2022

I tried it on my intel on monterey. Everything works until i re-enable SIP then for some reason only some of the plists stay disabled. Since you keep it off how dangerous is it to keep it disabled?

@b0gdanw
Copy link
Author

b0gdanw commented Jan 19, 2022

I consider the risk to be low for the following reasons:
The files/folders protected by SIP are included in /System/Library/Sandbox/rootless.conf. Even if SIP is disabled, you still need the admin password to make any modifications to them.
Is extremely rare for malware to specifically target macOS with SIP disabled or iOS with jailbreak.
Malware creators aim for the most number of infections, that means targeting default configurations, not odd ones.
Here is an example of malware that actually stops its execution when encountering a system with SIP disabled.
https://youtu.be/MAgrD3enYSg?t=1645

@elesto
Copy link

elesto commented Jan 19, 2022

Interesting. Its important to note that you can customize SIP using flags (there are a few more flags now in monterey). I also understand that setting certain flags like --no-internal will stop you from receiving updates. Do you use a custom SIP? If not, there may be a configuration to allow a little more security while also allowing our modifications.

@ink-splatters
Copy link

ink-splatters commented Jan 19, 2022

Hi all,

M1 user here.

TL;DR: for Apple Silicon: work the thing out with SIP disabled. Then enable if you need it, but via Reduced Security policy.

While the same might work for Intel as well, I did not / cannot test.

But it’s known that trust chain creation / verifications are drastically different between the 2 platforms.

As for Intel: I guess the only way is trying out policies and/or figuring out which SIP bits are fair trade-off between full security but being unable to persist the changes, and complete “unsipinness”.

When you enable Full Security or fully enable SIP (not sure those 2 have equal power on Silicon), seems that unauthorized changes to:

/Volumes/Macintosh HD/private
/Volumes/Macintosh HD/Library/System # prbbly

are overwritten by restoring the originals from
/Volumes/Macintosh HD/System/Library/Templates/Data

(I mention full paths to avoid ambiguity as they are different to the root paths if you are in Recovery OS)

Caveats

  • it’s my guess, devil is in the details as usual 😊 the way comparison and replacement is made is yet to be clarified (for me), feel free to comment or point me at my low-effortless failing to read the whole thread, if it’s already there 😀 (sorry it’s indeed on the harder side to grasp the whole thread)

  • more locations may be affected

  • more locations ARE affected while updating, of course.
    As well as it bumps up the security.

💡
But:

the Update’ defeating the daemon war campaign discussed here, could be partially mitigated in the form of “harm reduction”, with one-liner - based agent in
/Library/LaunchAgents (which is not vanished).

It’s appealing to think fsevents based SystemExtension or PriviledgedHelperTool would do the job by constantly monitoring and restoring your files upon being overwritten, but remember that Full Security magic still would overwrite the changes back, making it futile: launchd will have read its files by the moment our Agent is launched ; modifying the files afterwards doesn’t make sense.
System Extension would work inconsistently probably, as there is potential race condition with launchd (? Correct me if I’m wrong)

Either option still could do some job by just warning you about either Update or something / someone else has screwed up the patching!

The simplest of what could be done, though: shellscript which, upon reboot, checks diff with your changes and if files differ:

  • optionally enables packet filter - based kill-switch - for the vigilant ones, who cannot afford e.g. MDM notifications to appear or CoreDuet / dasd and/or another shit triggered by the former, to call home with something derived from one’s personal data
  • optionally shows warning Message Box
  • Either sleep 5 ; reboots or: forces recovery mode (by removing some bless related policies? would feel scary 😊 ) in order for you to manually reduce security, bless the volume and return the patches to their place.

Btw, maybe it’s worth mentioning that policies on Silicon are applied on per-volume basis.
So, though Recovery is itself unpatchable to my best knowledge, you can run pretty much everything along with macOS (AFAIK someone made Arch work up to showing glGears demo 🙂 CPU emulated, but it’s quite fast)

@b0gdanw
Copy link
Author

b0gdanw commented Jan 20, 2022

@elesto
Those flags are not officially documented and you might find that some are no longer supported and cause problems.

@ink-splatters
In Big Sur, there is no template in /System/Library/Templates/Data/private/var/db/com.apple.xpc.launchd/, just an empty folder named config.

The launchctl values are actually cached (print-cache & uncache https://ss64.com/osx/launchctl.html )
Maybe uncache should be included in the script after bootout and disable.
In my tests, any attempt to modify disabled.plist or disabled.501.plist in /private/var/db/com.apple.xpc.launchd/ by other means than launchctl (PlistBuddy or TextEdit for example) resulted in all modification being deleted and the files being returned to the original configuration. Same happens after deleting the files and rebooting.
So, that’s a quick way of correcting any misconfiguration.

@b0gdanw
Copy link
Author

b0gdanw commented Jan 20, 2022

Correction: "launchctl uncache" is no supported in Big Sur & Monterey.

@gentry-tran
Copy link

gentry-tran commented Feb 16, 2022

This is great list. I was doing this on my own and then stumbled across this.

Iam seeing 'You do not have permission to open the application “Install Visual Studio for Mac.app”.' after disabling these daemons. I tried $xattr -c com.apple.quarantine Install\ Visual\ Studio\ for\ Mac.app and $sudo spctl --master-disable. Any ideas?

@ink-splatters
Copy link

ink-splatters commented Mar 14, 2022

@b0gdanw I updated my post which unfortunately is not relevant and it might be that I was just mistaken at all

@gopsmith
Copy link

gopsmith commented May 19, 2022

Thanks to @b0gdanw for pointing me in the right direction, I've been able to update my High Sierra disable script to work on the newer Mac OSes. Here's my version, which is specific to my need for a temporary "quiet" boot that optimizes for a real-time music performance with video streaming. It works great on Big Sur and Monterey: https://gist.github.com/gopsmith/bf4d3a8203cd0792c9f8702cc76c8525

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment