The 2016 MacBook Pro no longer receives the latest OS and Apple officially restricts it to Monterey. My primary concern is security, and this end of support means the end of OS security updates (and the more rare firmware updates from Apple). There are plenty of unpatched zero days over the years and even browsers like Chrome no longer support their latest versions on Monterey.
I have a newer Mac that is supported, but the 2016 MBP is still more than capable for basic use and a supported OS receiving security support (Ubuntu) can both improve security and significantly extend the lifespan of the device, which is not upgradeable and would otherwise end up as e-waste. This also gives you a 'throwaway' machine to carry around in public (library, etc.) that doesn't have sensitive data and has less risk if lost/damaged/stolen. If you also have a battery that's new or with a low cycle count, it's a nice way to make use of it and reduce battery usage on your primary Mac.
TBD with more detail
- Create a bootable USB with an ISO from the official Ubuntu website for 22 (LTS at this time). I chose 22 also since most guides I found had luck with that. I will try upgrading to 24 at some other point
- In Disk Utility, create 2 partitions (you can format them as FAT or exFAT, it doesn't matter, since Ubuntu will reformat them anyway): one for the actual Ubuntu (I chose a few hundred GB), and a partition to be used for boot, that I set to 2GB. The purpose of this is we will need it later for setting up LUKS encryption. I tried doing this later in Ubuntu and I got all sorts of failures and it was a waste of time, but doing it beforehand in Disk Utility seems to have worked fine.
- Boot the Mac holding Option and select the Ubuntu USB media. Pick the option for 'safe graphics' mode.
- Follow the steps for installation. WiFi most likely won't work unless you have a 2.4 GHz network handy, and even then, it is a bit flaky at this point. If you have a USB-C / ethernet direct connection, now would be the time.
- Set the large partition to be used for 'physical encrypted volume'; set the container to be the root mount point; and set the small 2GB partition to be '/boot' for its mount point, and use the ext4 file system. Set a security password, but don't set the additional backup passphrase for LUKS. Make sure to also require a login password. Then proceed with installation.
- Follow the instructions to reboot. Now when you reboot, press the 'e' key to trigger the grub menu. This part may be annoying because there is no escape key without the touchbar, and ctrl-x didn't work on my keyboard. If possible, you can just boot and log in to Ubuntu, and if it hasn't crashed yet from graphics issues, edit the appropriate grub file and add the `nomodeset` flag so it relies on basic graphics and avoids those crashes. Then reboot again.
- Once you are in, follow the steps here from @TheOnly3aq: https://gist.github.com/roadrunner2/1289542a748d9a104e7baec6a92f9cd7?permalink_comment_id=5292684#gistcomment-5292684 . I used the Almas guide they referenced to get WiFi working reliably. I was also able to get a Bluetooth keyboard and mouse connected without issue.
- Ubuntu Software updates
TBD
- The `nomodeset` flag allowed me to have no issues in Ubuntu as far as graphics crashes. The downside is that performance as a result was extremely slow (online sources mention this may be because when you set this, Ubuntu is not taking advantage of the AMD GPU hardware acceleration). So the task then became figuring out how to stop these graphics crashes triggered by clicking certain UI elements, without having to revert to the `nomodeset` option, which makes the experience extremely sluggish. The remedies I tried were TBD
- VPN and a DNS that blocks malware (I've used Cloudflare for this, there's an Ubuntu CLI you can find on their website).
- LUKS encryption
- Firefox: uBlock Origin; enable more filter lists for help against LAN intrusion, malware, etc (there's a lot more you can do in uBlock); enable HTTPS only; remove autofill; ensure malware protection is on in Firefox
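
To confirm the layout from the install steps (root inside the LUKS container, a separate ext4 `/boot`), the script below parses `lsblk -P` output and reports each check. It is an added example, not part of the original notes; the device names in `SAMPLE` are constructed, and it assumes root sits directly on the unlocked container rather than on LVM inside it.

```shell
#!/bin/sh
# Added example: verify the partition layout described in the install steps.
# Input is the text printed by: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT
# SAMPLE is constructed for illustration; the device names are assumptions.
SAMPLE='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" FSTYPE="apfs" MOUNTPOINT=""
NAME="nvme0n1p3" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="nvme0n1p4" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="nvme0n1p4_crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"'

# field LINE KEY: print the value of KEY="..." from one lsblk -P line.
# The leading space stops TYPE from matching inside FSTYPE.
field() {
  printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# check_layout TEXT: print one line per check, return the number of failures.
check_layout() {
  cl_luks=missing; cl_root=missing; cl_boot=missing
  while IFS= read -r cl_line; do
    cl_type=$(field "$cl_line" TYPE)
    cl_fs=$(field "$cl_line" FSTYPE)
    cl_mnt=$(field "$cl_line" MOUNTPOINT)
    # A partition formatted as a LUKS container must exist.
    if [ "$cl_fs" = crypto_LUKS ]; then cl_luks=ok; fi
    # The device mounted at / must be the unlocked dm-crypt mapping.
    if [ "$cl_mnt" = / ]; then
      if [ "$cl_type" = crypt ]; then cl_root=ok
      else cl_root="on $cl_type (unencrypted)"; fi
    fi
    # /boot must be its own ext4 file system (it stays unencrypted).
    if [ "$cl_mnt" = /boot ]; then
      if [ "$cl_fs" = ext4 ]; then cl_boot=ok
      else cl_boot="fstype $cl_fs"; fi
    fi
  done <<EOF
$1
EOF
  cl_fail=0
  for cl_item in "LUKS container:$cl_luks" "root on dm-crypt:$cl_root" \
                 "separate ext4 /boot:$cl_boot"; do
    echo "$cl_item"
    case "$cl_item" in *:ok) ;; *) cl_fail=$((cl_fail + 1)) ;; esac
  done
  return "$cl_fail"
}

check_layout "$SAMPLE"
```

On the installed system, run it against live data with `check_layout "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)"`.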
TBD:
- Investigate further blocking with Cloudflare (domains or content hosted in specific countries can be blocked; they have some advanced settings I need to test out in Cloudflare WARP/Zero Trust)
- TBD secure linux,
- Chrome: If you add chrome, the main benefit is the enhanced phishing/malware protection; enable that
- touchbar fix,
- fingerprint fix,
- fixing graphics crashes (AMD drivers?),
- mouse/trackpad smoothness fixing
- Ubuntu equivalent to LuLu (outgoing firewall)
- incoming firewall settings Ubuntu
- LAN intrusion blocking
- fix sound
- camera fix
- passkeys on Ubuntu (touch ID probably won't work, so probably need password based syncable passkeys, test in chrome)
- update boot loader so that Ubuntu is launched by default, so you don't have to hold down the option key when turning on the mac
- Known hardware vulnerabilities in Intel processors are an issue regardless of what OS you use (another reason to consider the whole machine "insecure" for sensitive tasks)
- firmware vulnerabilities. Apple packages firmware updates with their OS updates, but also stops publishing these over time. I need to do some more reading here; it's possible another OS like Ubuntu may work around or minimize some of these known firmware issues; but any firmware specific packages from Apple vendors like Broadcom probably are not published publicly
- OS layer and above will be getting security updates, unlike macOS
- while it is unlikely any more will be released, any firmware updates Apple publishes are coupled with macOS updates off the top of my head. This could actually improve security in another OS partition (for instance, if firmware for a Broadcom Wi-Fi chip is updated, since the other OSes wouldn't be updating the firmware). I'm not sure where online I found it, but I think only Apple can update the firmware because of code signing
- it still works and can be used in a backup case
- keeping the recovery partition can also be useful if you brick your machine
My use case is as a backup machine I can take to study in the library. The benefit of this is that it isn't my primary machine, which has all my data and accounts, so the risk associated with loss, theft, or malware is minimal. Here are some tips I follow:
- consider the machine "insecure"
- Not connecting any Apple or other Internet accounts; no connection to email, messages, etc
- Not using the machine for any sensitive task like logging into sensitive accounts in the browser
- Use a VPN to protect against packet sniffing on public networks and a DNS that filters out and blocks malware/phishing domains
- as much as possible stick to known/trusted websites
- use enhanced browsing protection on Chrome for best phishing protection (note: Chrome no longer is updated for Monterey)
- block all incoming network connections
- disable signed software from being trusted automatically in network settings
- enable stealth mode
- set default DNS to provider of interest
- disable AirDrop
- Try and separate plugs used for this machine from other machines
- use a content blocker such as uBlock Origin
- lockdown browser settings as much as possible (block access to camera, audio, etc accordingly)
- use a firmware password to block an actor from booting from a different drive
- use FileVault disk encryption
- set a Lock Screen message with contact info if lost
- only install what you need
- HTTPS only browsing / secure DNS
- Use an outgoing firewall (LuLu, Little Snitch, Lockdown, etc.); the built-in macOS firewall only protects against incoming connections
- block connections on LAN to other devices (protecting against malicious websites probing ports on LAN such as from IoT devices/printers)
Good security resources may be found here
- unofficial / not supported by apple
- I would be hesitant to install all of this from unknown sources. Even with the best of intentions, it probably doesn't have the scrutiny for security (nor all security updates that apple provides) that you would get from Ubuntu
- I don't know enough about how it works, so at this time I'm not comfortable from a security perspective with this which is an unofficial way to run later versions of macOS on a Mac
Resources of interest
- https://security.stackexchange.com/questions/259177/how-secure-is-opencore-legacy-patcher
- long thread I haven't gone through: https://forums.macrumors.com/threads/security-for-oclp-opencore-legacy-patcher.2406586/
- Long support, Linux, and experience using it
- clear support timelines and large community of support to vet it
Sure am, tag is “vroomvroomman” on discord.