Disable bunch of #$!@ in Catalina - Note about Big Sur: https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21#gistcomment-3448419
#!/bin/bash
# IMPORTANT: Don't forget to logout from your Apple ID in the settings before running it!
# IMPORTANT: You will need to run this script from Recovery. macOS Catalina mounts the system volume read-only, which prevents this script from working from the main OS.
# This script needs to be run from the volume you wish to use.
# E.g. run it like this: cd /Volumes/Macintosh\ HD && sh /Volumes/Macintosh\ HD/Users/sabri/Desktop/disable.sh
# WARNING: It might disable things that you may not like. Please double check the services in the TODISABLE vars.
# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# Agents to disable
# 'com.apple.speech.speechdatainstallerd' 'com.apple.speech.speechsynthesisd' 'com.apple.speech.synthesisserver' will freeze the Edit menus if disabled
# 'com.apple.bird' will prevent the Save prompt from being shown if disabled
TODISABLE=()
# iCloud
TODISABLE+=('com.apple.security.cloudkeychainproxy3' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotosd' \
'com.apple.followupd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing')
# Safari useless stuff
TODISABLE+=('com.apple.SafariBookmarksSyncAgent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.WebKit.PluginAgent')
# iMessage / Facetime
TODISABLE+=('com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imklaunchagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced')
# Game Center / Passbook / Apple TV / Homekit...
TODISABLE+=('com.apple.gamed' \
'com.apple.passd' \
'com.apple.Maps.pushdaemon' \
'com.apple.videosubscriptionsd' \
'com.apple.CommCenter-osx' \
'com.apple.homed')
# Ad-related
TODISABLE+=('com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd')
# Screensharing
TODISABLE+=('com.apple.screensharing.MessagesAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra')
# Siri
TODISABLE+=('com.apple.siriknowledged' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.Siri.agent' \
'com.apple.parsec-fbf')
# VoiceOver / accessibility-related stuff
TODISABLE+=('com.apple.VoiceOver' \
'com.apple.voicememod' \
'com.apple.accessibility.AXVisualSupportAgent' \
'com.apple.accessibility.dfrhud' \
'com.apple.accessibility.heard')
# Quicklook
TODISABLE+=('com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.quicklook')
# Sidecar
TODISABLE+=('com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay')
# Debugging process
TODISABLE+=('com.apple.spindump_agent' \
'com.apple.ReportCrash' \
'com.apple.ReportGPURestart' \
'com.apple.ReportPanic' \
'com.apple.DiagnosticReportCleanup' \
'com.apple.TrustEvaluationAgent')
# Screentime
TODISABLE+=('com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent')
# Others
TODISABLE+=('com.apple.telephonyutilities.callservicesd' \
'com.apple.photoanalysisd' \
'com.apple.parsecd' \
'com.apple.AOSPushRelay' \
'com.apple.AOSHeartbeat' \
'com.apple.AirPlayUIAgent' \
'com.apple.AirPortBaseStationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.findmymacmessenger' \
'com.apple.sharingd' \
'com.apple.identityservicesd' \
'com.apple.java.InstallOnDemand' \
'com.apple.parentalcontrols.check' \
'com.apple.security.keychain-circle-notification' \
'com.apple.syncdefaultsd' \
'com.apple.appleseed.seedusaged' \
'com.apple.appleseed.seedusaged.postinstall' \
'com.apple.CallHistorySyncHelper' \
'com.apple.RemoteDesktop' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.SocialPushAgent' \
'com.apple.touristd' \
'com.apple.macos.studentd' \
'com.apple.KeyboardAccessAgent' \
'com.apple.exchange.exchangesyncd' \
'com.apple.suggestd' \
'com.apple.AddressBook.abd' \
'com.apple.helpd' \
'com.apple.amp.mediasharingd' \
'com.apple.mediaanalysisd' \
'com.apple.mediaremoteagent' \
'com.apple.remindd' \
'com.apple.keyboardservicesd' \
'com.apple.AddressBook.SourceSync' \
'com.apple.mobileassetd' \
'com.apple.CalendarAgent' \
'com.apple.knowledge-agent')
for agent in "${TODISABLE[@]}"
do
    mv "./System/Library/LaunchAgents/${agent}.plist" "./System/Library/LaunchAgents/${agent}.plist.bak"
    echo "[OK] Agent ${agent} disabled"
done
# Daemons to disable
TODISABLE=()
# iCloud
TODISABLE+=('com.apple.analyticsd' 'com.apple.icloud.findmydeviced')
# Others
TODISABLE+=('com.apple.netbiosd' \
'com.apple.preferences.timezone.admintool' \
'com.apple.remotepairtool' \
'com.apple.security.FDERecoveryAgent' \
'com.apple.SubmitDiagInfo' \
'com.apple.screensharing' \
'com.apple.appleseed.fbahelperd' \
'com.apple.apsd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.locate' \
'com.apple.locationd' \
'com.apple.eapolcfg_auth' \
'com.apple.RemoteDesktop.PrivilegeProxy' \
'com.apple.mediaremoted')
for daemon in "${TODISABLE[@]}"
do
    mv "./System/Library/LaunchDaemons/${daemon}.plist" "./System/Library/LaunchDaemons/${daemon}.plist.bak"
    echo "[OK] Daemon ${daemon} disabled"
done
#!/bin/bash
# IMPORTANT: Don't forget to logout from your Apple ID in the settings before running it!
# IMPORTANT: You will need to run this script from Recovery. macOS Catalina mounts the system volume read-only, which prevents this script from working from the main OS.
# This script needs to be run from the volume you wish to use.
# E.g. run it like this: cd /Volumes/Macintosh\ HD && sh /Volumes/Macintosh\ HD/Users/sabri/Desktop/disable.sh
# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# Agents to enable
TOENABLE=()
# iCloud
TOENABLE+=('com.apple.security.cloudkeychainproxy3' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotosd' \
'com.apple.followupd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing')
# Safari useless stuff
TOENABLE+=('com.apple.SafariBookmarksSyncAgent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.WebKit.PluginAgent')
# iMessage / Facetime
TOENABLE+=('com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imklaunchagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced')
# Game Center / Passbook / Apple TV / Homekit...
TOENABLE+=('com.apple.gamed' \
'com.apple.passd' \
'com.apple.Maps.pushdaemon' \
'com.apple.videosubscriptionsd' \
'com.apple.CommCenter-osx' \
'com.apple.homed')
# Ad-related
TOENABLE+=('com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd')
# Screensharing
TOENABLE+=('com.apple.screensharing.MessagesAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra')
# Siri
TOENABLE+=('com.apple.siriknowledged' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.Siri.agent' \
'com.apple.parsec-fbf')
# VoiceOver / accessibility-related stuff
TOENABLE+=('com.apple.VoiceOver' \
'com.apple.voicememod' \
'com.apple.accessibility.AXVisualSupportAgent' \
'com.apple.accessibility.dfrhud' \
'com.apple.accessibility.heard')
# Quicklook
TOENABLE+=('com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.quicklook')
# Sidecar
TOENABLE+=('com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay')
# Debugging process
TOENABLE+=('com.apple.spindump_agent' \
'com.apple.ReportCrash' \
'com.apple.ReportGPURestart' \
'com.apple.ReportPanic' \
'com.apple.DiagnosticReportCleanup' \
'com.apple.TrustEvaluationAgent')
# Screentime
TOENABLE+=('com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent')
# Others
TOENABLE+=('com.apple.telephonyutilities.callservicesd' \
'com.apple.photoanalysisd' \
'com.apple.parsecd' \
'com.apple.AOSPushRelay' \
'com.apple.AOSHeartbeat' \
'com.apple.AirPlayUIAgent' \
'com.apple.AirPortBaseStationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.findmymacmessenger' \
'com.apple.sharingd' \
'com.apple.identityservicesd' \
'com.apple.java.InstallOnDemand' \
'com.apple.parentalcontrols.check' \
'com.apple.security.keychain-circle-notification' \
'com.apple.syncdefaultsd' \
'com.apple.appleseed.seedusaged' \
'com.apple.appleseed.seedusaged.postinstall' \
'com.apple.CallHistorySyncHelper' \
'com.apple.RemoteDesktop' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.SocialPushAgent' \
'com.apple.touristd' \
'com.apple.macos.studentd' \
'com.apple.KeyboardAccessAgent' \
'com.apple.exchange.exchangesyncd' \
'com.apple.suggestd' \
'com.apple.AddressBook.abd' \
'com.apple.helpd' \
'com.apple.amp.mediasharingd' \
'com.apple.mediaanalysisd' \
'com.apple.mediaremoteagent' \
'com.apple.remindd' \
'com.apple.keyboardservicesd' \
'com.apple.AddressBook.SourceSync' \
'com.apple.mobileassetd' \
'com.apple.CalendarAgent' \
'com.apple.knowledge-agent')
for agent in "${TOENABLE[@]}"
do
    mv "./System/Library/LaunchAgents/${agent}.plist.bak" "./System/Library/LaunchAgents/${agent}.plist"
    echo "[OK] Agent ${agent} enabled"
done
# Daemons to enable
TOENABLE=()
# iCloud
TOENABLE+=('com.apple.analyticsd' 'com.apple.icloud.findmydeviced')
# Others
TOENABLE+=('com.apple.netbiosd' \
'com.apple.preferences.timezone.admintool' \
'com.apple.remotepairtool' \
'com.apple.security.FDERecoveryAgent' \
'com.apple.SubmitDiagInfo' \
'com.apple.screensharing' \
'com.apple.appleseed.fbahelperd' \
'com.apple.apsd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.locate' \
'com.apple.locationd' \
'com.apple.eapolcfg_auth' \
'com.apple.RemoteDesktop.PrivilegeProxy' \
'com.apple.mediaremoted')
for daemon in "${TOENABLE[@]}"
do
    mv "./System/Library/LaunchDaemons/${daemon}.plist.bak" "./System/Library/LaunchDaemons/${daemon}.plist"
    echo "[OK] Daemon ${daemon} enabled"
done
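A hardened variant of the rename loops in the two scripts above, added here as an example; it is not the gist's own code. It keeps the gist's approach (run from the target volume's root, plists under ./System/Library/LaunchAgents and ./System/Library/LaunchDaemons, a disabled plist renamed to <label>.plist.bak) but refuses to run from the wrong directory, skips labels that have no plist or are already disabled, supports a dry run, and records what it renamed in a manifest file of its own so that re-enabling restores exactly those plists and nothing else. Labels are passed as arguments, so there is no array-literal syntax to get wrong.

```bash
#!/bin/bash
# Added example, not part of the gist: plist renaming with the checks a careful
# operator wants before touching /System/Library on a volume.
# Assumptions (from the gist): run from the target volume's root, agents live in
# ./System/Library/LaunchAgents, daemons in ./System/Library/LaunchDaemons, and a
# disabled plist is renamed to <label>.plist.bak. The manifest file is this example's own.
set -u

# disable_plists ROOT KIND MANIFEST LABEL...
#   ROOT     volume root ("." once you have cd'd into /Volumes/Macintosh HD)
#   KIND     LaunchAgents or LaunchDaemons
#   MANIFEST file that records every plist actually renamed, one path per line
# Prints the number of plists renamed. A label without a plist, or one already
# disabled, is skipped with a message instead of a bare "mv: No such file".
# Set DRY_RUN=1 to only report what would change.
disable_plists() {
    local root="$1" kind="$2" manifest="$3"
    shift 3
    local dir="$root/System/Library/$kind" label plist count=0
    if [ ! -d "$dir" ]; then
        echo "[ERR] $dir not found: run this from the target volume's root" >&2
        return 1
    fi
    for label in "$@"; do
        plist="$dir/$label.plist"
        if [ -f "$plist.bak" ]; then
            echo "[SKIP] $label already disabled" >&2
        elif [ ! -f "$plist" ]; then
            echo "[SKIP] $label has no plist in $kind" >&2
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[DRY] would rename $plist" >&2
        elif mv "$plist" "$plist.bak"; then
            printf '%s\n' "$plist" >> "$manifest"
            echo "[OK] $kind $label disabled" >&2
            count=$((count + 1))
        else
            echo "[ERR] could not rename $plist" >&2
        fi
    done
    echo "$count"
}

# restore_plists MANIFEST
# Undo exactly what the manifest recorded (and nothing else), then remove the manifest.
# Prints the number of plists restored.
restore_plists() {
    local manifest="$1" plist count=0
    [ -f "$manifest" ] || { echo 0; return 0; }
    while IFS= read -r plist; do
        if [ -f "$plist.bak" ]; then
            mv "$plist.bak" "$plist" && count=$((count + 1))
        fi
    done < "$manifest"
    rm -f "$manifest"
    echo "$count"
}

# Self-demo on a throwaway tree (constructed; no real plists are touched):
#   bash disable_safe.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/System/Library/LaunchAgents"
    touch "$tmp/System/Library/LaunchAgents/com.example.demo.plist"
    disable_plists "$tmp" LaunchAgents "$tmp/disabled.manifest" com.example.demo com.example.absent
    restore_plists "$tmp/disabled.manifest"
    rm -rf "$tmp"
fi
```

In real use you would source the file from Recovery after cd'ing into the target volume and call, for example, `DRY_RUN=1 disable_plists . LaunchAgents ./disabled.manifest com.apple.gamed com.apple.passd` to preview, then run it again without DRY_RUN; `restore_plists ./disabled.manifest` undoes that exact set.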

Wyvern commented Dec 20, 2021

Is there a way to completely disable/remove MRT to run at startup time?

sudo  launchctl disable system/com.apple.MRTd
sudo  launchctl remove system/com.apple.MRTd

Tried different methods; MRT still runs at a fresh start.


b0gdanw commented Dec 21, 2021


Wyvern commented Dec 21, 2021

Finally got the right method to disable/remove MRT.

sudo  launchctl disable  gui/501/com.apple.MRTa
sudo  launchctl remove  gui/501/com.apple.MRTa

Does anybody know what gui/501/ means...?


ink-splatters commented Dec 28, 2021

@Wyvern

501 is the uid (user id) of the first user in the system (you can check yours by running id in Terminal).

Here is what man says about the gui domain:

/usr/bin/man 1 launchctl
          Another form of the login specifier. Rather than specifying a user-login domain by its ASID, this specifier targets the domain based on which user it is
          associated with and is generally more convenient.

          Note: GUI domains and user domains share many resources. For the purposes of the Mach bootstrap name lookups, they are "flat", so they share the same set of
          registered names. But they still have discrete sets of services. So when printing the user domain's contents, you may see many Mach bootstrap name
          registrations from services that exist in the GUI domain for that user, but you will not see the services themselves in that list.


ink-splatters commented Dec 28, 2021

Thanks everyone for amazing insights!

AFAIK a lot of parts of /private/var are writable w/o disabling authenticated-root; some parts don't even require SIP to be disabled.
So just checkin' to be sure I got it (I'm on the latest Monterey release, M1):

Given that disabling the system daemons / agents persists somewhere in /private/var/db/... (which AFAIK is mostly on the "Data" partition),
does it actually mean there's no need to disable authenticated-root (and have all the consequences) to actually disable system services / agents?

Or am I missing it, and the launchd "disable override" (or wtf it's called) db path is mounted from the SSV instead?


b0gdanw commented Dec 28, 2021

@ink-splatters
In my tests without csrutil disable, commands like sudo launchctl bootout system/* failed with an error and commands like sudo launchctl disable system/* were ignored after a restart.
I never used csrutil authenticated-root disable.


estmortis commented Dec 31, 2021

For anyone looking for more processes that can be disabled, I found this page helpful:
https://web.archive.org/web/20170222052540/http://triviaware.com/macprocess/all

I will be adding an updated list to my git soon / also found a way around using Disk Utility with cloud services all disabled :XD


estmortis commented Jan 3, 2022

I have an updated version here: https://github.com/estmortis/disablebunchof-h-t_Catalina

Thanks @pwnsdx. I also added another alternative that just removes the LaunchAgents/Daemons etc. completely (instead of just renaming the plist); tested on Catalina and all working fine.


ink-splatters commented Jan 3, 2022

wrong

@̶b̶0̶g̶d̶a̶n̶w̶ ̶a̶s̶ ̶f̶a̶r̶ ̶a̶s̶ ̶I̶ ̶s̶e̶e̶,̶ ̶o̶n̶ ̶M̶o̶n̶t̶e̶r̶e̶y̶/̶M̶1̶ ̶a̶t̶ ̶l̶e̶a̶s̶t̶,̶ ̶a̶f̶t̶e̶r̶ ̶d̶i̶s̶a̶b̶l̶i̶n̶g̶ ̶S̶I̶P̶ ̶a̶n̶d̶ ̶a̶d̶d̶i̶n̶g̶ ̶s̶e̶r̶v̶i̶c̶e̶s̶ ̶t̶o̶ ̶‘̶d̶i̶s̶a̶b̶l̶e̶d̶.̶p̶l̶i̶s̶t̶’̶ ̶a̶n̶d̶ ̶‘̶d̶i̶s̶a̶b̶l̶e̶d̶.̶5̶0̶1̶.̶p̶l̶i̶s̶t̶’̶ ̶o̶r̶ ̶t̶h̶e̶ ̶s̶i̶m̶i̶l̶a̶r̶ ̶v̶i̶a̶ ̶‘̶l̶a̶u̶n̶c̶h̶c̶t̶l̶ ̶d̶i̶s̶a̶b̶l̶e̶’̶ ̶s̶e̶e̶m̶s̶ ̶t̶o̶ ̶s̶u̶r̶v̶i̶v̶e̶ ̶r̶e̶-̶e̶n̶a̶b̶l̶i̶n̶g̶ ̶S̶I̶P̶ ̶(̶n̶o̶t̶ ̶f̶u̶l̶l̶y̶ ̶a̶s̶ ̶o̶n̶ ̶M̶1̶ ̶i̶t̶’̶s̶ ̶d̶o̶n̶e̶ ̶v̶i̶a̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶ ̶p̶o̶l̶i̶c̶y̶ ̶w̶h̶i̶c̶h̶ ̶h̶a̶s̶ ̶t̶i̶g̶h̶t̶ ̶r̶e̶l̶a̶t̶i̶o̶n̶s̶h̶i̶p̶ ̶w̶i̶t̶h̶ ̶S̶I̶P̶ ̶b̶u̶t̶ ̶I̶ ̶d̶o̶n̶’̶t̶ ̶k̶n̶o̶w̶ ̶y̶e̶t̶ ̶w̶h̶a̶t̶ ̶ ̶S̶I̶P̶ ̶b̶i̶t̶s̶ ̶a̶r̶e̶ ̶s̶e̶t̶.̶ ̶ ̶/̶p̶r̶i̶v̶a̶t̶e̶/̶v̶a̶r̶ ̶h̶a̶s̶ ̶h̶u̶g̶e̶ ̶p̶o̶t̶e̶n̶t̶i̶a̶l̶ ̶f̶o̶r̶ ̶h̶a̶c̶k̶i̶n̶g̶ ̶a̶r̶o̶u̶n̶d̶ ̶,̶ ̶e̶.̶g̶.̶ ̶l̶o̶c̶k̶i̶n̶g̶ ̶s̶o̶m̶e̶ ̶p̶r̶i̶v̶a̶c̶y̶ ̶e̶v̶a̶d̶i̶n̶g̶ ̶d̶a̶e̶m̶o̶n̶s̶ ̶o̶u̶t̶ ̶o̶f̶ ̶t̶h̶e̶i̶r̶ ̶w̶o̶r̶k̶i̶n̶g̶ ̶d̶i̶r̶s̶,̶ ̶b̶u̶t̶ ̶t̶h̶a̶t̶’̶s̶ ̶f̶o̶r̶ ̶m̶e̶ ̶u̶n̶e̶x̶p̶l̶o̶r̶e̶d̶ ̶t̶e̶r̶r̶i̶t̶o̶r̶y̶,̶ ̶I̶ ̶s̶u̶c̶c̶e̶e̶d̶e̶d̶ ̶p̶a̶r̶t̶i̶a̶l̶l̶y̶,̶ ̶b̶u̶t̶ ̶a̶t̶ ̶s̶o̶m̶e̶ ̶p̶o̶i̶n̶t̶ ̶k̶i̶l̶l̶e̶d̶ ̶a̶l̶l̶ ̶o̶f̶ ̶i̶t̶ ̶:̶)̶ ̶I̶ ̶r̶e̶c̶o̶m̶m̶e̶n̶d̶ ̶b̶e̶i̶n̶g̶ ̶v̶e̶r̶y̶ ̶c̶a̶r̶e̶f̶u̶l̶ ̶a̶s̶ ̶m̶e̶s̶s̶i̶n̶g̶ ̶u̶p̶ ̶w̶i̶t̶h̶ ̶i̶t̶ ̶m̶e̶a̶n̶s̶ ̶f̶u̶l̶l̶ ̶r̶e̶i̶n̶s̶t̶a̶l̶l̶ ̶(̶u̶n̶l̶e̶s̶s̶ ̶s̶o̶m̶e̶ ̶“̶t̶e̶m̶p̶l̶a̶t̶e̶”̶ ̶f̶o̶l̶d̶e̶r̶s̶ ̶f̶r̶o̶m̶ ̶r̶e̶c̶o̶v̶e̶r̶y̶ ̶a̶r̶e̶ ̶h̶e̶l̶p̶f̶u̶l̶)̶

Unfortunately, the information posted by me is at least irrelevant at this date.

I thought it might be, in theory, that the behaviour had changed after some macOS update; instead, it's very likely that I was actually mistaken, not paying enough attention to the contents of the disabled.*plist files after re-enabling SIP.

In any way: apologies for misleading information from my side.

Instead

State of things on the date of edit (tested on a MacBook Air M1 2020, macOS Monterey 2.2.1 21D62)*.

  • everything works as expected with SIP disabled (by issuing csrutil disable)
  • when SIP is re-enabled (I only used the Security Policy menu item in Recovery, putting the M1 to Reduced Security with custom kexts enabled):

only some of the changes persist.

  • it's clear that some kind of whitelisting takes place, of services macOS treats "critical"

  • it's not clear how it's facilitated, but likely by processing some list of services located somewhere in /System (but not limited to it) and enforcing it either at the system policy check stage or later during boot (needs to be investigated)

  • as per the experiences of others (and my own), launchd dumping its cache overwrites (with significant likelihood, up to 100%) the changes made manually to disabled.* files (unless done in Recovery mode). This applies well to the discussed case, when one changes the security policy to a value other than "permissive".

Summary

  • all changes made manually to disabled.*plist files should never be considered persistent. If done in a normal boot, they will be overridden by launchd dumping its cache upon the next boot
  • the only exception to the statement above might be editing disabled.*plist files in Recovery mode, and only if planning to boot in Permissive Security mode; however, I'm not fully sure about this, so I discourage anyone from relying on it and suggest checking yourself first
  • any follow-up boot of the system after changing the security mode to anything other than Permissive Security must be assumed to wipe all your changes to /private/var/db/com.apple.xpc.launchd, so always back it up first

--

It's very sad, but it seems there is no reliable way to disable system services on Apple Silicon and (at least) the current build of macOS Monterey without switching to permissive security.*

What makes me especially sad about it is mainly the need to run iOS apps on M1. So the below probably only concerns people who care about that.

With permissive security, one would lose the ability to run iOS apps. It's well known (at least to M1 users), but putting it here just in case.

The "true" workaround for this might be a custom XNU build with security policy / sandboxing / FairPlay related stuff likely patched. As the bar is pretty high to implement it (in particular, IMHO, it would be very hard without first going through macOS / iOS security basics), there might be much easier workarounds using tools available around GitHub. If interested, ping me; I could share the info I have (I don't have a fully working variant at the date, also because it needs time to dig into it).

In any way, one would need to downgrade to permissive security and, if more advanced techniques are not in mind, switch off amfi (which of course would put your system at high risk of being compromised).


  • I'm not elaborating on the obvious risks associated with reduced security, as IMO system tampering implies some prior research or existing knowledge regarding the consequences
  • even when it comes to Apple Silicon, because of the very subtle nature of both the security-related features (e.g. some peculiarities might differ in the way of enforcing stronger guarantees when it comes to M1 Pro / Pro Max systems vs the M1 Air 2020) and the presumed way the whitelisting works, the behaviour described here might be different in your case


estmortis commented Jan 10, 2022

Curious why CoreLocationAgent & Geod are not on this list.

If I disable AirPlayXPCHelper, can I still use WiFi?


elesto commented Jan 17, 2022

I think a big problem most people are having is the format of this project. Nobody really wants to go back and read 500 lines of separate conversations to find out that someone already answered their question 30 lines up. Knowledge is found and then lost in the sea of never-ending posts, and nobody knows what's happening. I for one don't know if this project even works on Monterey, or its drawbacks, and it's near impossible for me to piece together if it does or not without just flat out asking and therefore contributing to the endless stream of "does anyone know if X does Y". I appreciate the project and I use some bits for myself, but we really need a better wiki-style format.


neofright commented Jan 17, 2022

@elesto In my opinion it would require someone to make the script as part of a repo and not just a gist. Then we can all more easily collaborate on pull requests and issues.

For me, not being able to keep FileVault enabled is a deal breaker. If someone can explain a way of keeping FileVault enabled (a Disk Password-based DEK may work; has anyone tested this?) then I'll happily create a repo for this; otherwise I can see little utility in maintaining such a project.


elesto commented Jan 18, 2022

So... I hate to be that guy, but I've been eyeing the upgrade from Catalina for two years and I'm wondering: does the disabling of agents work on Monterey?


ink-splatters commented Jan 18, 2022

@elesto
the following is applicable to M1 (I don't have Intel, so it must be verified):

i̶t̶ ̶_̶d̶o̶e̶s̶_̶ ̶w̶i̶t̶h̶ ̶S̶I̶P̶ ̶t̶u̶r̶n̶e̶d̶ ̶o̶f̶f̶.̶
I̶f̶ ̶f̶a̶n̶c̶y̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶i̶O̶S̶ ̶a̶p̶p̶s̶,̶ ̶c̶h̶a̶n̶g̶e̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶ ̶p̶o̶l̶i̶c̶y̶ ̶t̶o̶ ̶“̶r̶e̶d̶u̶c̶e̶d̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶”̶ ̶(̶a̶n̶d̶ ̶a̶l̶l̶o̶w̶ ̶k̶e̶x̶t̶s̶ ̶i̶f̶ ̶n̶e̶e̶d̶e̶d̶)̶ ̶b̶u̶t̶ ̶ ̶_̶a̶f̶t̶e̶r̶ ̶d̶i̶s̶a̶b̶l̶i̶n̶g̶ ̶s̶t̶u̶f̶f̶_̶.̶ ̶ ̶A̶v̶o̶i̶d̶ ̶“̶f̶u̶l̶l̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶”̶ ̶a̶s̶ ̶i̶t̶ ̶w̶o̶u̶l̶d̶ ̶r̶o̶l̶l̶ ̶e̶v̶e̶r̶y̶t̶h̶i̶n̶g̶ ̶b̶a̶c̶k̶.̶ ̶T̶h̶a̶t̶ ̶a̶l̶s̶o̶ ̶i̶m̶p̶l̶i̶e̶s̶ ̶n̶o̶t̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶̶c̶s̶r̶u̶t̶i̶l̶ ̶e̶n̶a̶b̶l̶e̶̶ ̶a̶s̶ ̶i̶t̶ ̶m̶i̶g̶h̶t̶ ̶t̶r̶i̶g̶g̶e̶r̶ ̶“̶f̶u̶l̶l̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶”̶.̶ ̶ ̶I̶’̶m̶ ̶n̶o̶t̶ ̶s̶u̶r̶e̶ ̶p̶e̶r̶s̶i̶s̶t̶e̶n̶c̶e̶ ̶i̶s̶ ̶c̶o̶n̶s̶i̶s̶t̶e̶n̶t̶,̶ ̶b̶u̶t̶ ̶c̶u̶r̶r̶e̶n̶t̶l̶y̶ ̶i̶t̶ ̶w̶o̶r̶k̶s̶ ̶f̶o̶r̶ ̶m̶e̶.̶ ̶ ̶A̶l̶w̶a̶y̶s̶ ̶b̶a̶c̶k̶u̶p̶ ̶̶/̶p̶r̶i̶v̶a̶t̶e̶/̶v̶a̶r̶/̶d̶b̶/̶c̶o̶m̶.̶a̶p̶p̶l̶e̶.̶x̶p̶c̶.̶l̶a̶u̶n̶c̶h̶d̶̶ ̶b̶e̶f̶o̶r̶e̶ ̶a̶n̶y̶ ̶u̶p̶d̶a̶t̶e̶ ̶a̶s̶ ̶i̶t̶ ̶w̶i̶l̶l̶ ̶w̶i̶p̶e̶ ̶i̶t̶.̶ ̶ ̶M̶i̶g̶h̶t̶ ̶b̶e̶ ̶m̶o̶r̶e̶ ̶l̶o̶c̶a̶t̶i̶o̶n̶s̶ ̶t̶o̶ ̶b̶a̶c̶k̶u̶p̶ ̶i̶f̶ ̶d̶i̶s̶a̶b̶l̶i̶n̶g̶ ̶f̶o̶r̶ ̶u̶s̶e̶r̶s̶ ̶o̶t̶h̶e̶r̶ ̶t̶h̶a̶n̶ ̶0̶ ̶a̶n̶d̶ ̶5̶0̶1̶ ̶(̶f̶i̶n̶d̶ ̶/̶ ̶g̶r̶e̶p̶ ̶i̶t̶,̶ ̶I̶ ̶h̶a̶v̶e̶n̶’̶t̶ ̶h̶a̶d̶ ̶c̶h̶a̶n̶c̶e̶ ̶t̶o̶ ̶d̶o̶ ̶i̶t̶ ̶y̶e̶t̶)̶

Please disregard this post; it was the "Survivalist bias" of the thing working just on my machine, probably due to a bug in earlier versions of the OS.


490398290 commented Jan 22, 2022

Could the script be adapted to use the new commands like

sudo launchctl bootout system/com.apple.spindump
sudo launchctl disable system/com.apple.spindump
sudo launchctl bootout system/com.apple.tailspind
sudo launchctl disable system/com.apple.tailspind

This way, services can be disabled even with SIP on.
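Whichever mechanism is used, the check that matters is what launchd itself records as disabled, both right after the change and again after a reboot (the thread above reports the override database being regenerated). The functions below are an added example, not code from the gist or the commenters: they parse the output of `launchctl print-disabled <domain>` (system, or gui/<uid> for a user's agents, which is what gui/501 refers to above). The "label => state" line format is what that subcommand prints on recent macOS; the sample output is constructed so the functions can be exercised off a Mac.

```sh
#!/bin/sh
# Added example, not from the thread: audit which labels launchd records as disabled
# in a domain, by parsing `launchctl print-disabled <domain>` output.
# Assumed output format (recent macOS):
#   disabled services = {
#   	"com.apple.foo" => disabled
#   	"com.apple.bar" => enabled
#   }

# Constructed stand-in for: launchctl print-disabled system
SAMPLE_PRINT_DISABLED='disabled services = {
	"com.apple.spindump" => disabled
	"com.apple.tailspind" => disabled
	"com.apple.mdmclient.daemon.runatboot" => enabled
}'

# disabled_labels: print-disabled output on stdin -> labels marked disabled, one per line
disabled_labels() {
    sed -n 's/^[[:space:]]*"\([^"]*\)" => disabled[[:space:]]*$/\1/p'
}

# verify_disabled OUTPUT LABEL...
# Report each requested label's recorded state; return 1 if any is not disabled.
# Run it after `launchctl disable ...` and again after the next reboot.
verify_disabled() {
    output="$1"; shift
    rc=0
    for label in "$@"; do
        if printf '%s\n' "$output" | disabled_labels | grep -qxF -- "$label"; then
            echo "$label: disabled"
        else
            echo "$label: NOT disabled"
            rc=1
        fi
    done
    return $rc
}

# unexpected_disabled OUTPUT LABEL...
# The reverse check, for auditing a machine: labels launchd has disabled that are
# NOT in the list you intended (e.g. a security-relevant service switched off by
# something other than you).
unexpected_disabled() {
    output="$1"; shift
    printf '%s\n' "$output" | disabled_labels | while IFS= read -r label; do
        found=0
        for want in "$@"; do
            [ "$label" = "$want" ] && found=1
        done
        [ "$found" = 1 ] || echo "$label"
    done
}

# Live use on a Mac (replace the constructed sample with real output):
#   verify_disabled "$(launchctl print-disabled system)" com.apple.spindump com.apple.tailspind
#   unexpected_disabled "$(launchctl print-disabled gui/$(id -u))" com.apple.gamed
verify_disabled "$SAMPLE_PRINT_DISABLED" com.apple.spindump com.apple.tailspind
```

Keeping the intended list in a file under version control and diffing it against `unexpected_disabled` output on each boot turns the one-off check into a drift detector for the launchd override state.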


elesto commented Jan 22, 2022


kikieri commented Apr 5, 2022

Anyone used this on Monterey?


terry9873 commented May 8, 2022

@johnstonenow It does look like the future is Linux for secure computing. I'm considering stopping at Mojave and using Mojave for another five years for AV work. Office work and portable work would be on Linux and probably not Canonical. Debian is hardcore but usable. Mint and Ubuntu are built on Debian.

I am so sorry Alec, I didn't get a ping for this reply. I am at that point right now. Running Mojave, but when trying to upgrade to Catalina I notice my drive encryption password is DEMANDED by Catalina OS. For YEARS now I have always formatted my drives and stored that complex password in ONE place (my head!). It doesn't exist anywhere else. How am I to believe:

  1. That it's more secure to let Catalina/FileVault FORCE my user password to be able to unlock my disk?
  2. That Apple isn't (maybe, just maybe) FORCING all of this for one reason - To get a copy of everyone's disk passwords so, should the need arise (secret warrant perhaps), they can unlock anyone's drive.

Am I being irrational in having such concerns?

I now fear it's time for Linux, although I have no choice re business work as I still have to use Mac for that. So do I stick to Mojave (unsupported = risks), or do I 'comply' with Catalina forcing me to allow my user password to unlock my drive? Would love your opinion on this!


ink-splatters commented Jul 2, 2022

DISCLAIMER: the info here should not be considered accurate; that's just my attempt to highlight how FileVault2 works based on my current understanding.

One could also easily Google it s̶o̶ ̶m̶y̶ ̶r̶e̶a̶l̶ ̶m̶o̶t̶i̶v̶a̶t̶i̶o̶n̶ ̶b̶e̶h̶i̶n̶d̶ ̶t̶h̶i̶s̶ ̶p̶o̶s̶t̶ ̶i̶s̶ ̶l̶e̶a̶v̶i̶n̶g̶ ̶h̶e̶r̶e̶ ̶s̶o̶m̶e̶t̶h̶i̶n̶g̶ ̶t̶h̶a̶t̶ ̶l̶o̶o̶k̶s̶ ̶d̶e̶c̶e̶p̶t̶i̶v̶e̶l̶y̶ ̶s̶m̶a̶r̶t̶ ̶:̶)̶


The disk on modern machines (by that I mean Apple Silicon or Intel with T2) is always encrypted with XTS-AES (regardless of FileVault2 "enablement" status), using the Volume Encryption Key (VEK), which is related to the hardware and xART (anti-replay system) keys.

"Enabling" FileVault2 has nothing to do with data, metadata or filesystem B-tree encryption, for which the VEK is used.
The VEK stays intact but becomes wrapped by a newly generated KEK (Key Encryption Key).

KEK is stored:

  • wrapped with user password
  • wrapped with volume recovery key (if user password is lost, volume still can be decrypted using recovery key).

Additional wrapping with institutional recovery key can be done, either enforced by MDM enrolment
or via Provisioning Profiles using this payload

https://raw.githubusercontent.com/ProfileCreator/ProfileManifests/5b4d8f9a9e8498c0db55be6b042c355b83535d62/Manifests/ManifestsApple/com.apple.MCX.FileVault2.plist


So, thanks to the KEK and the hardware AES implementation, encryption / decryption is very fast, and re-encryption is not needed after enabling/disabling FileVault and/or adding a new user.

Complete data erasure is also very fast and easy and can be done by ditching xART (and corresponding keys) using e.g. xartutil (̶I̶ ̶h̶a̶v̶e̶n̶'̶t̶ ̶t̶o̶l̶d̶ ̶y̶o̶u̶ ̶t̶h̶a̶t̶)̶

There is a (quite technical) paper which covers the FV2 design on non-T2 Macs but is still relevant in many aspects: https://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf

Also, there are ultimately amazing write-ups, highlighting related topics, at Eclectic Light:

https://eclecticlight.co/2022/04/23/explainer-filevault
https://eclecticlight.co/2021/07/03/explainer-xart-and-nonces


Back to the original topic:

Why Catalina asks for the password, I don't know exactly, but any operation that involves deriving the KEK (PBKDF / PBKDF2) does require entering the password.

Summarising when user password is required for sure:

  1. For generating the KEK, which happens:
  • while upgrading to FileVault2, if you have a Fusion Drive (AFAIK, the macOS upgrade, either to Mojave or to Catalina, "kindly asks" - read "forces" you - to upgrade)
  • enabling / disabling FileVault for whatever reason and/or "adding" a user using fdeutil
  • [more examples]?
  2. for bootable volume auth (I presume some PBKDF / PBKDF2 derivation takes place as well, in order for the Secure Enclave to authenticate booting from the volume).

This step, BTW, requires macOS calling home to get some more cryptography material to be used for key derivation / wrapping, in the following cases:

  • full security enabled on Intel Macs
  • in any case on Apple Silicon, so it's just not possible to make volume bootable without pulling some related nonces from Apple servers. Well, who said that Apple machines belong to users?

On the other hand: the user password is never stored anywhere in plain text. It's stored (encrypted) in the user's Keychain, but only if the user requested it. The Keychain is also E2E encrypted, so no, there is no way for Apple to get your password.

A slightly different story is if the user chooses to reset the password using an iCloud account, so that a protected CloudKit entry is created to store the related key. Is it E2E encrypted? IDK. Technically it can be (later on, to be unwrapped with the user password).


As for Linux, I believe that, if properly set up, both Linux (with LVM/LUKS enabled) and a modern Apple machine with FileVault2 are at least equally secure regarding protection from unauthorised data access.

If SELinux is enabled and, given there are no relevant 0-days for the Apple Sandbox, lol, which hasn't always been too unbreakable, we could talk about a comparable level of protection in terms of containing damage.

The modern Apple Secure Enclave (on Apple Silicon and the latest iOS SoCs) seems to drastically reduce the chance of a machine getting fully compromised: in addition to the initially solid design of the Secure Enclave, more protections have been added quite recently.

E.g., Apple claims that compromising the "main part" of Secure Enclave still doesn't give carte blanche to the attacker, as there is separate hardware key storage, accessed, as per Apple, via dedicated physical lines.


Maybe jailbreak fans have noticed that there is no such thing anymore for the latest iOS, mainly due to the SSV, which kills persistence of modern jailbreaks.

A feature similar to the SSV, in the Linux world, AFAIK, is implemented only in some flavour of Fedora which uses a r/o boot volume design, but IDK if some verification mechanism based on Merkle trees is implemented which would protect from r/w re-mount and messing with the volume.

More cool things out there:

Apple Platform Security

Which I highly recommend reading; it has resolved lots of my questions.
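The KEK/VEK layering described in the comment above is easy to see in code. The following is an added toy model, not the commenter's material and not Apple's implementation: it uses the openssl CLI, with AES-256-CBC standing in for the real wrapping primitive, PBKDF2 (100000 iterations, an assumed figure) for the password-derived key, and random hex strings for the keys; no Secure Enclave, xART or hardware key is modelled. What it demonstrates is the one property the comment hinges on: the data key never changes, so a password change or an extra recovery slot only re-wraps the KEK and leaves the wrapped VEK byte-identical.

```sh
#!/bin/sh
# Added toy model of FileVault2-style key layering (not Apple's implementation):
#   VEK  encrypts the data; generated once per volume, never changes here
#   KEK  wraps the VEK; itself stored once per unlock credential ("slot")
# Assumptions: AES-256-CBC via openssl as the wrap primitive, PBKDF2 for the
# password slot, fixed IV for readability. Requires the openssl CLI.
set -u

# Constructed fixed IV so the demo is easy to read; a real wrap uses a fresh IV per wrap.
DEMO_IV=00000000000000000000000000000000

gen_key() { openssl rand -hex 32; }

# wrap_with_key HEXKEY   (stdin -> base64): wrap a secret under a raw 256-bit key
wrap_with_key()   { openssl enc    -aes-256-cbc -K "$1" -iv "$DEMO_IV" -a -A; }
unwrap_with_key() { openssl enc -d -aes-256-cbc -K "$1" -iv "$DEMO_IV" -a -A 2>/dev/null; }

# wrap_with_password PASSWORD (stdin -> base64): the "user password" slot; the key
# is derived with PBKDF2 and the salt travels inside the blob.
wrap_with_password()   { openssl enc    -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass "pass:$1" -a -A; }
unwrap_with_password() { openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -pass "pass:$1" -a -A 2>/dev/null; }

# fv_setup PASSWORD: "enable FileVault" on a volume that already has a VEK.
# Sets: VEK (data key), WRAPPED_VEK (VEK under KEK), KEK_SLOT_PW (KEK under the
# password), KEK_SLOT_RK (KEK under the recovery key), RECOVERY_KEY (what the
# user is told to write down).
fv_setup() {
    VEK=$(gen_key)
    KEK=$(gen_key)
    RECOVERY_KEY=$(gen_key)
    WRAPPED_VEK=$(printf '%s' "$VEK" | wrap_with_key "$KEK")
    KEK_SLOT_PW=$(printf '%s' "$KEK" | wrap_with_password "$1")
    KEK_SLOT_RK=$(printf '%s' "$KEK" | wrap_with_key "$RECOVERY_KEY")
}

# fv_unlock_with_password PASSWORD: prints the VEK, or nothing if the slot won't open
fv_unlock_with_password() {
    kek=$(printf '%s' "$KEK_SLOT_PW" | unwrap_with_password "$1") || return 1
    printf '%s' "$WRAPPED_VEK" | unwrap_with_key "$kek"
}

# fv_unlock_with_recovery RECOVERY_KEY: the second slot opens the same KEK
fv_unlock_with_recovery() {
    kek=$(printf '%s' "$KEK_SLOT_RK" | unwrap_with_key "$1") || return 1
    printf '%s' "$WRAPPED_VEK" | unwrap_with_key "$kek"
}

# fv_change_password OLD NEW: re-wrap the KEK only; WRAPPED_VEK is left byte-identical
fv_change_password() {
    kek=$(printf '%s' "$KEK_SLOT_PW" | unwrap_with_password "$1") || return 1
    KEK_SLOT_PW=$(printf '%s' "$kek" | wrap_with_password "$2")
}

# Demo run with constructed passwords: sh fv_model.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fv_setup 'correct horse battery staple'
    echo "VEK:            $VEK"
    echo "via password:   $(fv_unlock_with_password 'correct horse battery staple')"
    echo "via recovery:   $(fv_unlock_with_recovery "$RECOVERY_KEY")"
    before=$WRAPPED_VEK
    fv_change_password 'correct horse battery staple' 'new passphrase'
    [ "$before" = "$WRAPPED_VEK" ] && echo "wrapped VEK unchanged after password change"
    echo "via new pw:     $(fv_unlock_with_password 'new passphrase')"
fi
```

Each credential is a separate wrapping of the same KEK, so adding a slot (a second user, an institutional recovery key) is one more small blob, and removing one is deleting that blob; the data under the VEK is untouched in both cases. That is also why the recovery key must be protected as carefully as the password: either one opens the KEK.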


terry9873 commented Jul 3, 2022

Thank you so much for that brilliantly put-together piece. I only wish it wasn't light-years above my pay grade to understand the technical aspects fully!

I THINK what you're saying is it's technically impossible for Apple to have people's drive encryption keys. I REALLY have suspicions about that, partly because Apple is a complete fraud (in spending millions brainwashing their fanatics that they are the "privacy" option, meanwhile taking BILLIONS from Google to pre-install their (knowingly privacy destroying) apps and services (default search, YouTube etc). In fact that made it impossible to UNinstall them from older iPhones (not sure about newer ones as I won't use 'em!). But also partly because of information I am privy to which makes it plain as day (to ME) that Apple works extremely closely with government and government helps them further their empire (as with Facebook/Google) for that express purpose. These companies do more of the 'intelligence' gathering work for western nations than their own intel agencies FFS. And of course they do, it's THEIR spyware we have in our pocket. If an agency asked every citizen to carry a portable behavioural analysis/surveillance/tracking device, we'd tell them where to shove that idea. But once we are hooked on TikTok and Facebook for our 'social' interaction, 'we' can't destroy our own privacy soon enough!

But back to the point..., two of them actually:

  1. Are you saying you're certain Apple CAN NOT obtain people's drive encryption keys through the FORCED submission of passwords when installing/upgrading OSX?

  2. Can you understand my point/question, which I never seem to get an answer to (perhaps the question is too rhetorical!)? Namely: HOW can it be MORE secure for my drive to be decryptable via TWO methods, instead of just ONE? One being in my head and NOWHERE else, the other being there, plus in my machine wrapped in as many layers of tin foil as you care to mention, but still it's a second one! (Further, my USER password can UNLOCK my drive, whereas before the ONLY thing that could do that was a SECONDARY long password/key I have stored in my brain for unlocking the disk, and another for logging in). It's a valid question, surely?!

Thanks again, that's a great post above

P.S. I am using a Late 2013 27" Imac. Not sure if that's T2 or not, I suspect not.
