Disable bunch of #$!@ in Catalina - Note about Big Sur: https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21#gistcomment-3448419
#!/bin/bash
# IMPORTANT: Don't forget to log out of your Apple ID in the settings before running it!
# IMPORTANT: You will need to run this script from Recovery. macOS Catalina brings a read-only filesystem, which prevents this script from working from the main OS.
# This script needs to be run from the volume you wish to use.
# E.g. run it like this: cd /Volumes/Macintosh\ HD && sh /Volumes/Macintosh\ HD/Users/sabri/Desktop/disable.sh
# WARNING: It might disable things that you may not like. Please double check the services in the TODISABLE vars.
# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# Agents to disable
# 'com.apple.speech.speechdatainstallerd' 'com.apple.speech.speechsynthesisd' 'com.apple.speech.synthesisserver' will freeze Edit menus
# 'com.apple.bird' will prevent saving prompt from being shown
TODISABLE=()
# iCloud
TODISABLE+=('com.apple.security.cloudkeychainproxy3' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotosd' \
'com.apple.followupd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing')
# Safari useless stuff
TODISABLE+=('com.apple.SafariBookmarksSyncAgent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.WebKit.PluginAgent')
# iMessage / Facetime
TODISABLE+=('com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imklaunchagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced')
# Game Center / Passbook / Apple TV / Homekit...
TODISABLE+=('com.apple.gamed' \
'com.apple.passd' \
'com.apple.Maps.pushdaemon' \
'com.apple.videosubscriptionsd' \
'com.apple.CommCenter-osx' \
'com.apple.homed')
# Ad-related
TODISABLE+=('com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd')
# Screensharing
TODISABLE+=('com.apple.screensharing.MessagesAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra')
# Siri
TODISABLE+=('com.apple.siriknowledged' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.Siri.agent' \
'com.apple.parsec-fbf')
# VoiceOver / accessibility-related stuff
TODISABLE+=('com.apple.VoiceOver' \
'com.apple.voicememod' \
'com.apple.accessibility.AXVisualSupportAgent' \
'com.apple.accessibility.dfrhud' \
'com.apple.accessibility.heard')
# Quicklook
TODISABLE+=('com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.quicklook')
# Sidecar
TODISABLE+=('com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay')
# Debugging process
TODISABLE+=('com.apple.spindump_agent' \
'com.apple.ReportCrash' \
'com.apple.ReportGPURestart' \
'com.apple.ReportPanic' \
'com.apple.DiagnosticReportCleanup' \
'com.apple.TrustEvaluationAgent')
# Screentime
TODISABLE+=('com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent')
# Others
TODISABLE+=('com.apple.telephonyutilities.callservicesd' \
'com.apple.photoanalysisd' \
'com.apple.parsecd' \
'com.apple.AOSPushRelay' \
'com.apple.AOSHeartbeat' \
'com.apple.AirPlayUIAgent' \
'com.apple.AirPortBaseStationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.findmymacmessenger' \
'com.apple.sharingd' \
'com.apple.identityservicesd' \
'com.apple.java.InstallOnDemand' \
'com.apple.parentalcontrols.check' \
'com.apple.security.keychain-circle-notification' \
'com.apple.syncdefaultsd' \
'com.apple.appleseed.seedusaged' \
'com.apple.appleseed.seedusaged.postinstall' \
'com.apple.CallHistorySyncHelper' \
'com.apple.RemoteDesktop' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.SocialPushAgent' \
'com.apple.touristd' \
'com.apple.macos.studentd' \
'com.apple.KeyboardAccessAgent' \
'com.apple.exchange.exchangesyncd' \
'com.apple.suggestd' \
'com.apple.AddressBook.abd' \
'com.apple.helpd' \
'com.apple.amp.mediasharingd' \
'com.apple.mediaanalysisd' \
'com.apple.mediaremoteagent' \
'com.apple.remindd' \
'com.apple.keyboardservicesd' \
'com.apple.AddressBook.SourceSync' \
'com.apple.mobileassetd' \
'com.apple.CalendarAgent' \
'com.apple.knowledge-agent')
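for agent in "${TODISABLE[@]}"
do
    # Rename the plist so launchd no longer finds it; only report success if the rename worked
    if mv "./System/Library/LaunchAgents/${agent}.plist" "./System/Library/LaunchAgents/${agent}.plist.bak"; then
        echo "[OK] Agent ${agent} disabled"
    else
        echo "[FAIL] Agent ${agent} not disabled" >&2
    fi
done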
# Daemons to disable
TODISABLE=()
# iCloud
# Array elements are separated by whitespace; a comma would become part of the label
TODISABLE+=('com.apple.analyticsd' 'com.apple.icloud.findmydeviced')
# Others
TODISABLE+=('com.apple.netbiosd' \
'com.apple.preferences.timezone.admintool' \
'com.apple.remotepairtool' \
'com.apple.security.FDERecoveryAgent' \
'com.apple.SubmitDiagInfo' \
'com.apple.screensharing' \
'com.apple.appleseed.fbahelperd' \
'com.apple.apsd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.locate' \
'com.apple.locationd' \
'com.apple.eapolcfg_auth' \
'com.apple.RemoteDesktop.PrivilegeProxy' \
'com.apple.mediaremoted')
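for daemon in "${TODISABLE[@]}"
do
    # Rename the plist so launchd no longer finds it; only report success if the rename worked
    if mv "./System/Library/LaunchDaemons/${daemon}.plist" "./System/Library/LaunchDaemons/${daemon}.plist.bak"; then
        echo "[OK] Daemon ${daemon} disabled"
    else
        echo "[FAIL] Daemon ${daemon} not disabled" >&2
    fi
done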
#!/bin/bash
# IMPORTANT: Don't forget to log out of your Apple ID in the settings before running it!
# IMPORTANT: You will need to run this script from Recovery. macOS Catalina brings a read-only filesystem, which prevents this script from working from the main OS.
# This script needs to be run from the volume you wish to use.
# E.g. run it like this: cd /Volumes/Macintosh\ HD && sh /Volumes/Macintosh\ HD/Users/sabri/Desktop/disable.sh
# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# Agents to enable
TOENABLE=()
# iCloud
TOENABLE+=('com.apple.security.cloudkeychainproxy3' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotosd' \
'com.apple.followupd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing')
# Safari useless stuff
TOENABLE+=('com.apple.SafariBookmarksSyncAgent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.WebKit.PluginAgent')
# iMessage / Facetime
TOENABLE+=('com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imklaunchagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced')
# Game Center / Passbook / Apple TV / Homekit...
TOENABLE+=('com.apple.gamed' \
'com.apple.passd' \
'com.apple.Maps.pushdaemon' \
'com.apple.videosubscriptionsd' \
'com.apple.CommCenter-osx' \
'com.apple.homed')
# Ad-related
TOENABLE+=('com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd')
# Screensharing
TOENABLE+=('com.apple.screensharing.MessagesAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra')
# Siri
TOENABLE+=('com.apple.siriknowledged' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.Siri.agent' \
'com.apple.parsec-fbf')
# VoiceOver / accessibility-related stuff
TOENABLE+=('com.apple.VoiceOver' \
'com.apple.voicememod' \
'com.apple.accessibility.AXVisualSupportAgent' \
'com.apple.accessibility.dfrhud' \
'com.apple.accessibility.heard')
# Quicklook
TOENABLE+=('com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.quicklook')
# Sidecar
TOENABLE+=('com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay')
# Debugging process
TOENABLE+=('com.apple.spindump_agent' \
'com.apple.ReportCrash' \
'com.apple.ReportGPURestart' \
'com.apple.ReportPanic' \
'com.apple.DiagnosticReportCleanup' \
'com.apple.TrustEvaluationAgent')
# Screentime
TOENABLE+=('com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent')
# Others
TOENABLE+=('com.apple.telephonyutilities.callservicesd' \
'com.apple.photoanalysisd' \
'com.apple.parsecd' \
'com.apple.AOSPushRelay' \
'com.apple.AOSHeartbeat' \
'com.apple.AirPlayUIAgent' \
'com.apple.AirPortBaseStationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.findmymacmessenger' \
'com.apple.sharingd' \
'com.apple.identityservicesd' \
'com.apple.java.InstallOnDemand' \
'com.apple.parentalcontrols.check' \
'com.apple.security.keychain-circle-notification' \
'com.apple.syncdefaultsd' \
'com.apple.appleseed.seedusaged' \
'com.apple.appleseed.seedusaged.postinstall' \
'com.apple.CallHistorySyncHelper' \
'com.apple.RemoteDesktop' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.SocialPushAgent' \
'com.apple.touristd' \
'com.apple.macos.studentd' \
'com.apple.KeyboardAccessAgent' \
'com.apple.exchange.exchangesyncd' \
'com.apple.suggestd' \
'com.apple.AddressBook.abd' \
'com.apple.helpd' \
'com.apple.amp.mediasharingd' \
'com.apple.mediaanalysisd' \
'com.apple.mediaremoteagent' \
'com.apple.remindd' \
'com.apple.keyboardservicesd' \
'com.apple.AddressBook.SourceSync' \
'com.apple.mobileassetd' \
'com.apple.CalendarAgent' \
'com.apple.knowledge-agent')
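for agent in "${TOENABLE[@]}"
do
    # Restore the original plist name; only report success if the rename worked
    if mv "./System/Library/LaunchAgents/${agent}.plist.bak" "./System/Library/LaunchAgents/${agent}.plist"; then
        echo "[OK] Agent ${agent} enabled"
    else
        echo "[FAIL] Agent ${agent} not enabled" >&2
    fi
done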
# Daemons to enable
TOENABLE=()
# iCloud
# Array elements are separated by whitespace; a comma would become part of the label
TOENABLE+=('com.apple.analyticsd' 'com.apple.icloud.findmydeviced')
# Others
TOENABLE+=('com.apple.netbiosd' \
'com.apple.preferences.timezone.admintool' \
'com.apple.remotepairtool' \
'com.apple.security.FDERecoveryAgent' \
'com.apple.SubmitDiagInfo' \
'com.apple.screensharing' \
'com.apple.appleseed.fbahelperd' \
'com.apple.apsd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.locate' \
'com.apple.locationd' \
'com.apple.eapolcfg_auth' \
'com.apple.RemoteDesktop.PrivilegeProxy' \
'com.apple.mediaremoted')
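for daemon in "${TOENABLE[@]}"
do
    # Restore the original plist name; only report success if the rename worked
    if mv "./System/Library/LaunchDaemons/${daemon}.plist.bak" "./System/Library/LaunchDaemons/${daemon}.plist"; then
        echo "[OK] Daemon ${daemon} enabled"
    else
        echo "[FAIL] Daemon ${daemon} not enabled" >&2
    fi
done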
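
The two scripts above rename each job's plist to .plist.bak and back, so the state of a volume can be read from the file names alone. The following read-only audit is an added example, not part of the original gist; the function names (plist_state, audit_labels, build_sample_tree) and the temporary sample tree are constructed for illustration.

```bash
#!/bin/bash
# Added example: read-only audit of the rename-based disable/enable state.
# Nothing here is from the original gist; all function names are hypothetical.

# Print the state of one launchd job definition under a volume root.
#   $1 = volume root, $2 = LaunchAgents | LaunchDaemons, $3 = label
plist_state() {
    local base="$1/System/Library/$2/$3.plist"
    if [ -e "$base" ] && [ -e "$base.bak" ]; then
        echo "conflict"    # both names exist: a later mv would overwrite one of them
    elif [ -e "$base" ]; then
        echo "enabled"
    elif [ -e "$base.bak" ]; then
        echo "disabled"
    else
        echo "missing"     # label not present on this volume, or mistyped
    fi
}

# Print one line per label; return non-zero if any label is in conflict or missing.
# Labels listed twice are reported as duplicates and checked only once.
#   $1 = volume root, $2 = LaunchAgents | LaunchDaemons, remaining args = labels
audit_labels() {
    local root="$1" kind="$2" label state rc=0 seen=" "
    shift 2
    for label in "$@"; do
        case "$seen" in
            *" $label "*) echo "duplicate  $label"; continue ;;
        esac
        seen="$seen$label "
        state=$(plist_state "$root" "$kind" "$label")
        printf '%-10s %s\n' "$state" "$label"
        case "$state" in
            conflict|missing) rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample tree (empty files, not real system plists) for an offline run.
build_sample_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/System/Library/LaunchAgents"
    touch "$root/System/Library/LaunchAgents/com.apple.gamed.plist" \
          "$root/System/Library/LaunchAgents/com.apple.passd.plist.bak" \
          "$root/System/Library/LaunchAgents/com.apple.homed.plist" \
          "$root/System/Library/LaunchAgents/com.apple.homed.plist.bak"
    echo "$root"
}

# Demo run: an enabled job, a disabled job, a conflict, a repeated label,
# and a mistyped label (stray comma) that matches no file.
sample=$(build_sample_tree)
audit_labels "$sample" LaunchAgents com.apple.gamed com.apple.passd com.apple.homed \
    com.apple.gamed 'com.apple.analyticsd,' || echo "audit found problems"
rm -rf "$sample"
```

On a real volume, call audit_labels from the volume root with . as the root argument and the same labels the scripts use; it only tests for file existence and changes nothing.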

l0n3gh0st commented Nov 21, 2021

How can I run this in Monterey? Is it possible to write a script that kills these services each time I log in rather than disabling them altogether // would that work ... new to Mac..

Wyvern commented Dec 14, 2021

Anyone know how to disable/unload NewsTag and NewsToday2 in macOS?

gh0st-1 commented Dec 16, 2021

@pwnsdx how do we get disk utility to erase ssds/usbs again.. from what i understand it has something to do with findmydevice ?
do i just reenable "com.apple.icloud.findmydeviced" ?

i get this error code when trying to erase noticed this (microSD in an external USB reader fails to format on OSX Catalina 10.5.7) ...
com.apple.icloud.Find My Device error 13

what would be the single cmd to use to enable

@pwnsdx do i need to Enable com.apple.icloud.findmydeviced.findmydevice-user-agent and com.apple.icloud.fmfd for disk util to work again ??

foliovision commented Dec 17, 2021

> @pwnsdx do i need to Enable com.apple.icloud.findmydeviced.findmydevice-user-agent and com.apple.icloud.fmfd for disk util to work again ??

This is the kind of testing that an end user can do him or herself. If cloud services are required to format a disk that would be really the limit and Apple should be named and shamed in a weblog post for just that requirement alone.

In any case, I suggest we try to help @pwnsdx by doing our own testing. It's the least we can do.

From what I can see above, pwnsdx is not planning to move past Catalina for now (I don't blame him, I would have liked to have stopped at Mojave myself but am now on Monterey with a M1 Pro as it's the first quiet and capable Apple portable in a long time, not to mention adequate ports and a reliable keyboard).

Wyvern commented Dec 20, 2021

Is there a way to completely disable/remove MRT to run at startup time?

sudo  launchctl disable system/com.apple.MRTd
sudo  launchctl remove system/com.apple.MRTd

Tried different methods; the MRT app still runs at fresh start.

b0gdanw commented Dec 21, 2021

Wyvern commented Dec 21, 2021

Finally got the right method to disable/remove MRT.

sudo  launchctl disable  gui/501/com.apple.MRTa
sudo  launchctl remove  gui/501/com.apple.MRTa

Anybody know what gui/501/ means ...?

ink-splatters commented Dec 28, 2021

@Wyvern

501 is the uid (user id) of the first user in the system (you can check your id by running id in the terminal)

Here is what man says about the gui domain

/usr/bin/man 1 launchctl
          Another form of the login specifier. Rather than specifying a user-login domain by its ASID, this specifier targets the domain based on which user it is
          associated with and is generally more convenient.

          Note: GUI domains and user domains share many resources. For the purposes of the Mach bootstrap name lookups, they are "flat", so they share the same set of
          registered names. But they still have discrete sets of services. So when printing the user domain's contents, you may see many Mach bootstrap name
          registrations from services that exist in the GUI domain for that user, but you will not see the services themselves in that list.

ink-splatters commented Dec 28, 2021

Thanks everyone for amazing insights!

AFAIK a lot of parts of /private/var are writable w/o disabling authenticated-root, some parts don't even require SIP to be disabled.
So just checkin' to be sure I got it: (I'm on latest Monterey Release, M1) :

Given disabling the system daemons / agents persists somewhere in /private/var/db/... (which AFAIK is mostly? "Data" partition)
does it actually mean: there's no need to disable authenticated-root (and have all the consequences) to actually disable system services / agents?

Or am I missing it and launchd "disable override" (or wtf it's called) db path is mounted from SSV instead?

b0gdanw commented Dec 28, 2021

@ink-splatters
In my tests without csrutil disable, commands like sudo launchctl bootout system/* failed with an error and commands like sudo launchctl disable system/* were ignored after a restart.
I never used csrutil authenticated-root disable.

estmortis commented Dec 31, 2021

for anyone looking for more processes that can be disabled i found this page helpful
https://web.archive.org/web/20170222052540/http://triviaware.com/macprocess/all

i will be adding an updated list to my git soon / also found a way around using disk utility with cloud services all disabled :XD

estmortis commented Jan 3, 2022

I have an updated version on here https://github.com/estmortis/disablebunchof-h-t_Catalina

thanks @pwnsdx I also added another alternative to just remove the launchagents/daemons etc completely (instead of just renaming plist) tested on Catalina and all working fine.

ink-splatters commented Jan 3, 2022

wrong

@̶b̶0̶g̶d̶a̶n̶w̶ ̶a̶s̶ ̶f̶a̶r̶ ̶a̶s̶ ̶I̶ ̶s̶e̶e̶,̶ ̶o̶n̶ ̶M̶o̶n̶t̶e̶r̶e̶y̶/̶M̶1̶ ̶a̶t̶ ̶l̶e̶a̶s̶t̶,̶ ̶a̶f̶t̶e̶r̶ ̶d̶i̶s̶a̶b̶l̶i̶n̶g̶ ̶S̶I̶P̶ ̶a̶n̶d̶ ̶a̶d̶d̶i̶n̶g̶ ̶s̶e̶r̶v̶i̶c̶e̶s̶ ̶t̶o̶ ̶‘̶d̶i̶s̶a̶b̶l̶e̶d̶.̶p̶l̶i̶s̶t̶’̶ ̶a̶n̶d̶ ̶‘̶d̶i̶s̶a̶b̶l̶e̶d̶.̶5̶0̶1̶.̶p̶l̶i̶s̶t̶’̶ ̶o̶r̶ ̶t̶h̶e̶ ̶s̶i̶m̶i̶l̶a̶r̶ ̶v̶i̶a̶ ̶‘̶l̶a̶u̶n̶c̶h̶c̶t̶l̶ ̶d̶i̶s̶a̶b̶l̶e̶’̶ ̶s̶e̶e̶m̶s̶ ̶t̶o̶ ̶s̶u̶r̶v̶i̶v̶e̶ ̶r̶e̶-̶e̶n̶a̶b̶l̶i̶n̶g̶ ̶S̶I̶P̶ ̶(̶n̶o̶t̶ ̶f̶u̶l̶l̶y̶ ̶a̶s̶ ̶o̶n̶ ̶M̶1̶ ̶i̶t̶’̶s̶ ̶d̶o̶n̶e̶ ̶v̶i̶a̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶ ̶p̶o̶l̶i̶c̶y̶ ̶w̶h̶i̶c̶h̶ ̶h̶a̶s̶ ̶t̶i̶g̶h̶t̶ ̶r̶e̶l̶a̶t̶i̶o̶n̶s̶h̶i̶p̶ ̶w̶i̶t̶h̶ ̶S̶I̶P̶ ̶b̶u̶t̶ ̶I̶ ̶d̶o̶n̶’̶t̶ ̶k̶n̶o̶w̶ ̶y̶e̶t̶ ̶w̶h̶a̶t̶ ̶ ̶S̶I̶P̶ ̶b̶i̶t̶s̶ ̶a̶r̶e̶ ̶s̶e̶t̶.̶ ̶ ̶/̶p̶r̶i̶v̶a̶t̶e̶/̶v̶a̶r̶ ̶h̶a̶s̶ ̶h̶u̶g̶e̶ ̶p̶o̶t̶e̶n̶t̶i̶a̶l̶ ̶f̶o̶r̶ ̶h̶a̶c̶k̶i̶n̶g̶ ̶a̶r̶o̶u̶n̶d̶ ̶,̶ ̶e̶.̶g̶.̶ ̶l̶o̶c̶k̶i̶n̶g̶ ̶s̶o̶m̶e̶ ̶p̶r̶i̶v̶a̶c̶y̶ ̶e̶v̶a̶d̶i̶n̶g̶ ̶d̶a̶e̶m̶o̶n̶s̶ ̶o̶u̶t̶ ̶o̶f̶ ̶t̶h̶e̶i̶r̶ ̶w̶o̶r̶k̶i̶n̶g̶ ̶d̶i̶r̶s̶,̶ ̶b̶u̶t̶ ̶t̶h̶a̶t̶’̶s̶ ̶f̶o̶r̶ ̶m̶e̶ ̶u̶n̶e̶x̶p̶l̶o̶r̶e̶d̶ ̶t̶e̶r̶r̶i̶t̶o̶r̶y̶,̶ ̶I̶ ̶s̶u̶c̶c̶e̶e̶d̶e̶d̶ ̶p̶a̶r̶t̶i̶a̶l̶l̶y̶,̶ ̶b̶u̶t̶ ̶a̶t̶ ̶s̶o̶m̶e̶ ̶p̶o̶i̶n̶t̶ ̶k̶i̶l̶l̶e̶d̶ ̶a̶l̶l̶ ̶o̶f̶ ̶i̶t̶ ̶:̶)̶ ̶I̶ ̶r̶e̶c̶o̶m̶m̶e̶n̶d̶ ̶b̶e̶i̶n̶g̶ ̶v̶e̶r̶y̶ ̶c̶a̶r̶e̶f̶u̶l̶ ̶a̶s̶ ̶m̶e̶s̶s̶i̶n̶g̶ ̶u̶p̶ ̶w̶i̶t̶h̶ ̶i̶t̶ ̶m̶e̶a̶n̶s̶ ̶f̶u̶l̶l̶ ̶r̶e̶i̶n̶s̶t̶a̶l̶l̶ ̶(̶u̶n̶l̶e̶s̶s̶ ̶s̶o̶m̶e̶ ̶“̶t̶e̶m̶p̶l̶a̶t̶e̶”̶ ̶f̶o̶l̶d̶e̶r̶s̶ ̶f̶r̶o̶m̶ ̶r̶e̶c̶o̶v̶e̶r̶y̶ ̶a̶r̶e̶ ̶h̶e̶l̶p̶f̶u̶l̶)̶

unfortunately the information posted by me is at least irrelevant on the date.

Thought it might be, in theory, that behaviour has changed after some macOS update, instead it's very likely that I've been actually mistaken, paying not enough attention to the contents of disabled.*plist files after re-enabling SIP.

In any way: apologies for misleading information from my side.

Instead

State of things on the date of edit (tested at MacBook Air M1 2020, macOS Monterey 2.2.1 21D62)*.

  • everything works as expected with SIP disabled (by issuing csrutil disable)
  • when SIP is reenabled (I only used Security Policy menu item in Recovery putting M1 to Reduced security and with custom kexts enabled): only some of changes persist.

  • it's clear that some kind of whitelisting takes place, of services macOS treats "critical"

  • it's not clear how it's facilitated but either (likely) by processing some list of services located somewhere in /System (but not limited to it) and enforcing it either on system policy check stage or later during the boot (needs to be investigated)

  • as per experiences of others (and my own), dumping of launchd cache overwrites (with significant likelihood, up to 100%) the changes made to disabled.* files manually (unless done in Recovery mode). This applies well to the discussed case when one changes the security policy to other than "permissive" value.

Summary

  • all your changes done manually to disabled.*plist files should not be considered persistent, ever. if done in normal boot, they will be overridden by launchd dumping its cache, upon next boot
  • the only exception to the statement above, might be: editing disabled.*plist files in Recovery mode, and only if planning booting in Permissive Security mode, however I'm not fully sure about this so discourage anyone to rely on this and check yourself instead, first
  • any follow-up booting the system after changing the security mode to other than Permissive Security must be considered as wiping all your changes to /private/var/db/com.apple.xpc.launchd, therefore do always back it up first

--

it's very sad but seems there is no reliable way to disable system services, given Apple Silicon and (at least) the current build of macOS Monterey without switching to permissive security.*

What makes me specially sad about it: mainly need for iOS apps running at M1. So probably the below is related only to people concerned about it.

Given permissive security, one would lose the ability to run iOS apps. It's well known (at least to M1 users) but putting it here just in case.

The "true" workaround for this might be custom XNU build with security policy / sandboxing / FairPlay related stuff likely patched. As the bar is pretty high to implement it, in particular IMHO it would be very hard without first going thru macOS / iOS security basics first; there might be much easier workarounds using tools available around at GitHub. if interested, ping me I could share the info I have (I don't have fully working variant on the date, also because it needs time to dig into it).

In any way, one would need to downgrade to permissive security and if more advanced techniques are not in mind, switching off amfi (which of course would put your system at high risk of being compromised).


  • I'm not elaborating into the obvious risks associated with reduced security, as IMO system tampering implies some prior research or existing knowledge, regarding the consequences
  • even if it comes to Apple Silicon, because of very subtle nature of both security related features (e.g.: some peculiarities might differ, in the way of enforcing stronger guarantees when it comes to M1 Pro / Pro Max systems vs M1 air 2020) and the presumed way the whitelisting works, the behaviour described here might be different in your case

estmortis commented Jan 10, 2022

curious why CoreLocationAgent & Geod is not on this list.

if i disable AirPlayXPCHelper can i still use WiFI ?

elesto commented Jan 17, 2022

I think a big problem most people are having is the format of this project. Nobody really wants to go back and read 500 lines of separate conversations to find out that someone already answered their question 30 lines up. Knowledge is found and then lost in the sea of never-ending posts and nobody knows what's happening. I for one don't know if this project even works on Monterey or its drawbacks, and it's near impossible for me to piece together if it does or not without just flat out asking and therefore contributing to the endless stream of "does anyone know if X does Y". I appreciate the project and I use some bits for myself, but we really need a better wiki-style format.

neofright commented Jan 17, 2022

@elesto In my opinion it would require someone to make the script as part of a repo and not just a gist. Then we can all more easily collaborate on pull requests and issues.

For me, not being able to keep FileVault enabled is a deal breaker. If someone can explain a way of keeping FileVault enabled (Disk Password—based DEK. may work - has anyone tested this?) then I'll happily create a repo for this, otherwise I can see little utility to maintaining such a project.

elesto commented Jan 18, 2022

So.. I hate to be that guy but I've been eyeing the upgrade from Catalina for two years and I'm wondering: does the disabling of agents work on Monterey?

ink-splatters commented Jan 18, 2022

@elesto
the following is applicable to M1 (I don’t have Intel, so it must be verified):

i̶t̶ ̶_̶d̶o̶e̶s̶_̶ ̶w̶i̶t̶h̶ ̶S̶I̶P̶ ̶t̶u̶r̶n̶e̶d̶ ̶o̶f̶f̶.̶
I̶f̶ ̶f̶a̶n̶c̶y̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶i̶O̶S̶ ̶a̶p̶p̶s̶,̶ ̶c̶h̶a̶n̶g̶e̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶ ̶p̶o̶l̶i̶c̶y̶ ̶t̶o̶ ̶“̶r̶e̶d̶u̶c̶e̶d̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶”̶ ̶(̶a̶n̶d̶ ̶a̶l̶l̶o̶w̶ ̶k̶e̶x̶t̶s̶ ̶i̶f̶ ̶n̶e̶e̶d̶e̶d̶)̶ ̶b̶u̶t̶ ̶ ̶_̶a̶f̶t̶e̶r̶ ̶d̶i̶s̶a̶b̶l̶i̶n̶g̶ ̶s̶t̶u̶f̶f̶_̶.̶ ̶ ̶A̶v̶o̶i̶d̶ ̶“̶f̶u̶l̶l̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶”̶ ̶a̶s̶ ̶i̶t̶ ̶w̶o̶u̶l̶d̶ ̶r̶o̶l̶l̶ ̶e̶v̶e̶r̶y̶t̶h̶i̶n̶g̶ ̶b̶a̶c̶k̶.̶ ̶T̶h̶a̶t̶ ̶a̶l̶s̶o̶ ̶i̶m̶p̶l̶i̶e̶s̶ ̶n̶o̶t̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶̶c̶s̶r̶u̶t̶i̶l̶ ̶e̶n̶a̶b̶l̶e̶̶ ̶a̶s̶ ̶i̶t̶ ̶m̶i̶g̶h̶t̶ ̶t̶r̶i̶g̶g̶e̶r̶ ̶“̶f̶u̶l̶l̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶”̶.̶ ̶ ̶I̶’̶m̶ ̶n̶o̶t̶ ̶s̶u̶r̶e̶ ̶p̶e̶r̶s̶i̶s̶t̶e̶n̶c̶e̶ ̶i̶s̶ ̶c̶o̶n̶s̶i̶s̶t̶e̶n̶t̶,̶ ̶b̶u̶t̶ ̶c̶u̶r̶r̶e̶n̶t̶l̶y̶ ̶i̶t̶ ̶w̶o̶r̶k̶s̶ ̶f̶o̶r̶ ̶m̶e̶.̶ ̶ ̶A̶l̶w̶a̶y̶s̶ ̶b̶a̶c̶k̶u̶p̶ ̶̶/̶p̶r̶i̶v̶a̶t̶e̶/̶v̶a̶r̶/̶d̶b̶/̶c̶o̶m̶.̶a̶p̶p̶l̶e̶.̶x̶p̶c̶.̶l̶a̶u̶n̶c̶h̶d̶̶ ̶b̶e̶f̶o̶r̶e̶ ̶a̶n̶y̶ ̶u̶p̶d̶a̶t̶e̶ ̶a̶s̶ ̶i̶t̶ ̶w̶i̶l̶l̶ ̶w̶i̶p̶e̶ ̶i̶t̶.̶ ̶ ̶M̶i̶g̶h̶t̶ ̶b̶e̶ ̶m̶o̶r̶e̶ ̶l̶o̶c̶a̶t̶i̶o̶n̶s̶ ̶t̶o̶ ̶b̶a̶c̶k̶u̶p̶ ̶i̶f̶ ̶d̶i̶s̶a̶b̶l̶i̶n̶g̶ ̶f̶o̶r̶ ̶u̶s̶e̶r̶s̶ ̶o̶t̶h̶e̶r̶ ̶t̶h̶a̶n̶ ̶0̶ ̶a̶n̶d̶ ̶5̶0̶1̶ ̶(̶f̶i̶n̶d̶ ̶/̶ ̶g̶r̶e̶p̶ ̶i̶t̶,̶ ̶I̶ ̶h̶a̶v̶e̶n̶’̶t̶ ̶h̶a̶d̶ ̶c̶h̶a̶n̶c̶e̶ ̶t̶o̶ ̶d̶o̶ ̶i̶t̶ ̶y̶e̶t̶)̶

Please disregard this post, it was the "Survivalist bias" of a thing working just on my machine, probably due to a bug in earlier versions of OS.

490398290 commented Jan 22, 2022

Could the script be adapted to use the new commands like

sudo launchctl bootout system/com.apple.spindump
sudo launchctl disable system/com.apple.spindump
sudo launchctl bootout system/com.apple.tailspind
sudo launchctl disable system/com.apple.tailspind

This way, services can be disabled even with SIP on.

elesto commented Jan 22, 2022

kikieri commented Apr 5, 2022

anyone used this on monterey?

terry9873 commented May 8, 2022

> @johnstonenow It does look like the future is Linux for secure computing. I'm considering stopping at Mojave and using Mojave for another five years for AV work. Office work and portable work would be on Linux and probably not Canonical. Debian is hardcore but usable. Mint and Ubuntu are built on Debian

I am so sorry Alec, I didn't get a ping for this reply. I am at that point right now. Running Mojave but when trying to upgrade to Catalina I notice my drive encryption password is DEMANDED by Catalina OS. For YEARS now I have always formatted my drives and stored that complex password in ONE place (my head!). It doesn't exist anywhere else. How am I to believe;

  1. That it's more secure to let Catalina/FileVault FORCE my user password to be able to unlock my disk?
  2. That Apple isn't (maybe, just maybe) FORCING all of this for one reason - To get a copy of everyone's disk passwords so, should the need arise (secret warrant perhaps), they can unlock anyone's drive.

Am I being irrational in having such concerns?

I now fear it's time for Linux, although I have no choice re business work as I still have to use Mac for that. So do I stick to Mojave (unsupported = risks), or do I 'comply' with Catalina forcing me to allow user password to unlock my drive? Would love your opinion on this!
