```zsh
#!/bin/zsh
# Credit: Original idea and script disable.sh by pwnsdx https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3
# Disabling unwanted services on macOS 11 Big Sur (11) and macOS Monterey (12)
# Disabling SIP is required ("csrutil disable" from Terminal in Recovery)
# Modifications are written in /private/var/db/com.apple.xpc.launchd/disabled.plist and disabled.501.plist
# 501 is the UID of the first user account created on the Mac; the gui/501 domain and
# disabled.501.plist below follow that UID (check yours with `id -u`)

# user
TODISABLE=()
TODISABLE+=('com.apple.accessibility.MotionTrackingAgent' \
'com.apple.AddressBook.ContactsAccountsService' \
'com.apple.AMPArtworkAgent' \
'com.apple.AMPDeviceDiscoveryAgent' \
'com.apple.AMPLibraryAgent' \
'com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd' \
'com.apple.ap.promotedcontentd' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.avconferenced' \
'com.apple.BiomeAgent' \
'com.apple.biomesyncd' \
'com.apple.CalendarAgent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CommCenter-osx' \
'com.apple.ContactsAgent' \
'com.apple.CoreLocationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.followupd' \
'com.apple.gamed' \
'com.apple.geod' \
'com.apple.homed' \
'com.apple.icloud.findmydeviced' \
'com.apple.icloud.findmydeviced.aps-demo' \
'com.apple.icloud.findmydeviced.aps-development' \
'com.apple.icloud.findmydeviced.aps-production' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.findmydeviced.ua-services' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.icloud.searchpartyd.accessorydiscoverymanager' \
'com.apple.icloud.searchpartyd.advertisementcache' \
'com.apple.icloud.searchpartyd.beaconmanager' \
'com.apple.icloud.searchpartyd.beaconmanager.agentdaemoninternal' \
'com.apple.icloud.searchpartyd.finderstatemanager' \
'com.apple.icloud.searchpartyd.pairingmanager' \
'com.apple.icloud.searchpartyd.scheduler' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.iCloudNotificationAgent' \
'com.apple.iCloudUserNotifications' \
'com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imtransferagent' \
'com.apple.itunescloudd' \
'com.apple.knowledge-agent' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClientAgent.enrollagent' \
'com.apple.Maps.mapspushd' \
'com.apple.Maps.pushdaemon' \
'com.apple.mediaanalysisd' \
'com.apple.mediastream.mstreamd' \
'com.apple.newsd' \
'com.apple.nsurlsessiond' \
'com.apple.parsec-fbf' \
'com.apple.parsecd' \
'com.apple.passd' \
'com.apple.photoanalysisd' \
'com.apple.photolibraryd' \
'com.apple.progressd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.quicklook' \
'com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.rapportd-user' \
'com.apple.remindd' \
'com.apple.routined' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.SafeEjectGPUAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra' \
'com.apple.screensharing.MessagesAgent' \
'com.apple.ScreenTimeAgent' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay' \
'com.apple.Siri.agent' \
'com.apple.siri.context.service' \
'com.apple.siriknowledged' \
'com.apple.suggestd' \
'com.apple.telephonyutilities.callservicesd' \
'com.apple.TMHelperAgent' \
'com.apple.TMHelperAgent.SetupOffer' \
'com.apple.UsageTrackingAgent' \
'com.apple.videosubscriptionsd' \
'com.apple.wifi.WiFiAgent')
for agent in "${TODISABLE[@]}"
do
  # bootout stops the running agent; disable records it in disabled.501.plist so it stays off across reboots
  launchctl bootout gui/501/"${agent}"
  launchctl disable gui/501/"${agent}"
done

# system
TODISABLE=()
TODISABLE+=('com.apple.airportd' \
'com.apple.bootpd' \
'com.apple.backupd' \
'com.apple.backupd-helper' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CoreLocationAgent' \
'com.apple.coreduetd' \
'com.apple.dhcp6d' \
'com.apple.diagnosticextensions.osx.wifi.helper' \
'com.apple.familycontrols' \
'com.apple.findmymacmessenger' \
'com.apple.followupd' \
'com.apple.FollowUpUI' \
'com.apple.ftp-proxy' \
'com.apple.ftpd' \
'com.apple.GameController.gamecontrollerd' \
'com.apple.geod' \
'com.apple.icloud.findmydeviced' \
'com.apple.icloud.findmydeviced.aps-demo' \
'com.apple.icloud.findmydeviced.aps-development' \
'com.apple.icloud.findmydeviced.aps-production' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.findmydeviced.ua-services' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.icloud.searchpartyd.accessorydiscoverymanager' \
'com.apple.icloud.searchpartyd.advertisementcache' \
'com.apple.icloud.searchpartyd.beaconmanager' \
'com.apple.icloud.searchpartyd.beaconmanager.agentdaemoninternal' \
'com.apple.icloud.searchpartyd.finderstatemanager' \
'com.apple.icloud.searchpartyd.pairingmanager' \
'com.apple.icloud.searchpartyd.scheduler' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.iCloudHelper' \
'com.apple.iCloudNotificationAgent' \
'com.apple.iCloudUserNotificationsd' \
'com.apple.itunescloudd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.netbiosd' \
'com.apple.nsurlsessiond' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.rapportd' \
'com.apple.screensharing' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.siri.morphunassetsupdaterd' \
'com.apple.siriinferenced' \
'com.apple.wifianalyticsd' \
'com.apple.wifiFirmwareLoader' \
'com.apple.wifip2pd' \
'com.apple.wifivelocityd')
for daemon in "${TODISABLE[@]}"
do
  # system-domain changes need root and are recorded in disabled.plist
  sudo launchctl bootout system/"${daemon}"
  sudo launchctl disable system/"${daemon}"
done
```
Will this work in Monterey?
It should work in Monterey too, but I haven’t tested it.
To only stop the services, exclude the lines with launchctl disable from the script.
There are many ways to run a script at login, see https://superuser.com/questions/229773/run-command-on-startup-login-mac-os-x
Please notice that stopping/disabling AMP… breaks Apple Music and TV. The script disables Wi-Fi related services; delete those lines if you use Wi-Fi.
Do I have to keep SIP disabled and run this at every boot?
The disable command should persist, the script only needs to be run once.
It should work in macOS 12 Monterey too.
My tests with SIP enabled were unsuccessful, many of the disabled services came back after a restart.
As I always have SIP disabled (csrutil disable), I didn’t persist in trying. Other people say it’s working with SIP enabled.
https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21#gistcomment-4014715
I tried it on my Intel on Monterey. Everything works until I re-enable SIP; then for some reason only some of the plists stay disabled. Since you keep it off, how dangerous is it to keep it disabled?
I consider the risk to be low for the following reasons:
The files/folders protected by SIP are included in /System/Library/Sandbox/rootless.conf. Even if SIP is disabled, you still need the admin password to make any modifications to them.
It is extremely rare for malware to specifically target macOS with SIP disabled or iOS with jailbreak.
Malware creators aim for the most number of infections, that means targeting default configurations, not odd ones.
Here is an example of malware that actually stops its execution when encountering a system with SIP disabled.
https://youtu.be/MAgrD3enYSg?t=1645
Interesting. It's important to note that you can customize SIP using flags (there are a few more flags now in Monterey). I also understand that setting certain flags like --no-internal will stop you from receiving updates. Do you use a custom SIP? If not, there may be a configuration that allows a little more security while also allowing our modifications.
Hi all,
M1 user here.
TL;DR: for Apple Silicon: work the thing out with SIP disabled. Then enable it if you need it, but via the Reduced Security policy.
While the same might work for Intel as well, I did not / cannot test. But it's known that trust chain creation / verification is drastically different between the 2 platforms.
As for Intel: I guess the only way is trying out policies and/or figuring out which SIP bits are a fair trade-off between full security but being unable to persist the changes, and complete "unsipinness".
When you enable Full Security or fully enable SIP (not sure those 2 have equal power on Silicon), it seems that unauthorized changes to:
/Volumes/Macintosh HD/private
/Volumes/Macintosh HD/Library/System # probably
are overwritten by restoring the originals from
/Volumes/Macintosh HD/System/Library/Templates/Data
(I mention full paths to avoid ambiguity, as they are different from the root paths if you are in Recovery OS)
Caveats
- it's my guess, devil is in the details as usual 😊 the way comparison and replacement is made is yet to be clarified (for me); feel free to comment or point me at my low-effort failure to read the whole thread, if it's already there 😀 (sorry, it's indeed on the harder side to grasp the whole thread)
- more locations may be affected
- more locations ARE affected while updating, of course. As well as it bumps up the security.
💡 But: the Update's defeating of the daemon war campaign discussed here could be partially mitigated in the form of "harm reduction", with a one-liner-based agent in /Library/LaunchAgents (which is not vanished).
It's appealing to think an fsevents-based SystemExtension or PrivilegedHelperTool would do the job by constantly monitoring and restoring your files upon being overwritten, but remember that the Full Security magic still would overwrite the changes back, making it futile: launchd will have read its files by the moment our Agent is launched; modifying the files afterwards doesn't make sense.
A System Extension would probably work inconsistently, as there is a potential race condition with launchd (? Correct me if I'm wrong)
Either option still could do some job by just warning you that either an Update or something / someone else has screwed up the patching!
The simplest of what could be done, though: a shell script which, upon reboot, checks diff with your changes and, if files differ:
- optionally enables a packet filter-based kill-switch, for the vigilant ones who cannot afford e.g. MDM notifications to appear, or CoreDuet/dasd and/or another shit triggered by the former, to call home with something derived from one's personal data
- optionally shows a warning Message Box
- either sleep 5 ; reboot s, or forces recovery mode (by removing some bless-related policies? would feel scary 😊) in order for you to manually reduce security, bless the volume and return the patches to their place.
Btw, maybe it's worth mentioning that policies on Silicon are applied on a per-volume basis.
So, though Recovery is itself unpatchable to my best knowledge, you can run pretty much everything along with macOS (AFAIK someone made Arch work up to showing the glGears demo 🙂 CPU emulated, but it's quite fast)
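The thread above reports services "coming back" after a restart with SIP re-enabled, and the comment just above proposes a script that checks on reboot whether the changes survived. The following is an added example for that check; it is neither the gist's code nor the commenter's. It parses the output of launchctl print-disabled for a domain, assumed to contain one line per label of the form "label" => disabled or "label" => enabled (the format seen on Big Sur/Monterey), and prints every expected label that launchd no longer reports as disabled. The sample output and the file names user.txt / system.txt (one label per line, e.g. the two arrays from the script) are constructed assumptions; the live check runs only where launchctl exists, and reading the system domain may need sudo.

```shell
#!/bin/sh
# Added example (not the gist's code): verify that the labels the disable script
# turned off are still disabled in launchd, e.g. after a reboot with SIP back on.
# Assumes `launchctl print-disabled <domain>` prints lines such as
#     "com.apple.ftpd" => disabled
# (format as seen on Big Sur/Monterey).

# Read print-disabled output on stdin; print one label per line for every
# entry marked "disabled". Entries marked "enabled" are dropped.
disabled_labels() {
    sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*=>[[:space:]]*disabled[[:space:]]*$/\1/p'
}

# $1: print-disabled output text; $2: expected labels, one per line.
# Prints every expected label that launchd does NOT report as disabled
# (either re-enabled, or absent from the disabled-services cache entirely).
missing_disabled() {
    disabled=$(printf '%s\n' "$1" | disabled_labels)
    printf '%s\n' "$2" | while IFS= read -r label; do
        [ -n "$label" ] || continue
        printf '%s\n' "$disabled" | grep -qxF -- "$label" || printf '%s\n' "$label"
    done
}

# Constructed sample (not captured from a real machine): two user-domain labels
# are still disabled, one has come back enabled, one is missing from the cache.
SAMPLE_OUTPUT='disabled services = {
    "com.apple.ap.adprivacyd" => disabled
    "com.apple.assistantd" => disabled
    "com.apple.wifi.WiFiAgent" => enabled
}'
EXPECTED='com.apple.ap.adprivacyd
com.apple.assistantd
com.apple.wifi.WiFiAgent
com.apple.newsd'

# Live check, only where launchctl exists: compare the gui/<uid> and system
# domains against label files $1 and $2 (one label per line; hypothetical names).
report_live() {
    uid=$(id -u)
    for pair in "gui/$uid:$1" "system:$2"; do
        domain=${pair%%:*}
        listfile=${pair#*:}
        [ -r "$listfile" ] || continue
        echo "== $domain: expected to be disabled but not =="
        missing_disabled "$(launchctl print-disabled "$domain")" "$(cat "$listfile")"
    done
}

if command -v launchctl >/dev/null 2>&1; then
    report_live "${1:-user.txt}" "${2:-system.txt}"
else
    # No launchd on this host: exercise the parser on the constructed sample.
    # Prints com.apple.wifi.WiFiAgent and com.apple.newsd.
    missing_disabled "$SAMPLE_OUTPUT" "$EXPECTED"
fi
```

Run it from a LaunchAgent or by hand after each reboot; any label it prints is one launchd will start again, which is exactly the situation the thread describes when SIP is re-enabled. A non-empty result is the trigger point for whatever reaction you choose (warning, reboot into Recovery, and so on).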
@elesto
Those flags are not officially documented and you might find that some are no longer supported and cause problems.
@ink-splatters
In Big Sur, there is no template in /System/Library/Templates/Data/private/var/db/com.apple.xpc.launchd/, just an empty folder named config.
The launchctl values are actually cached (print-cache & uncache https://ss64.com/osx/launchctl.html )
Maybe uncache should be included in the script after bootout and disable.
In my tests, any attempt to modify disabled.plist or disabled.501.plist in /private/var/db/com.apple.xpc.launchd/ by other means than launchctl (PlistBuddy or TextEdit for example) resulted in all modification being deleted and the files being returned to the original configuration. Same happens after deleting the files and rebooting.
So, that’s a quick way of correcting any misconfiguration.
Correction: "launchctl uncache" is not supported in Big Sur & Monterey.
This is a great list. I was doing this on my own and then stumbled across this.
I am seeing 'You do not have permission to open the application "Install Visual Studio for Mac.app".' after disabling these daemons. I tried $xattr -c com.apple.quarantine Install\ Visual\ Studio\ for\ Mac.app and $sudo spctl --master-disable. Any ideas?
@b0gdanw I updated my post which unfortunately is not relevant and it might be that I was just mistaken at all
Thanks to @b0gdanw for pointing me in the right direction, I've been able to update my High Sierra disable script to work on the newer Mac OSes. Here's my version, which is specific to my need for a temporary "quiet" boot that optimizes for a real-time music performance with video streaming. It works great on Big Sur and Monterey: https://gist.github.com/gopsmith/bf4d3a8203cd0792c9f8702cc76c8525
@tremuddie