Disable bunch of #$!@ in Catalina - Note about Big Sur: https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21#gistcomment-3448419
#!/bin/bash
# IMPORTANT: Don't forget to log out from your Apple ID in the settings before running it!
# IMPORTANT: You will need to run this script from Recovery. macOS Catalina mounts the system volume read-only, which prevents this script from working from the main OS.
# This script needs to be run from the volume you wish to use.
# E.g. run it like this: cd /Volumes/Macintosh\ HD && sh /Volumes/Macintosh\ HD/Users/sabri/Desktop/disable.sh
# WARNING: It might disable things that you may not like. Please double check the services in the TODISABLE vars.
# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# Agents to disable
# Deliberately NOT in the list: 'com.apple.speech.speechdatainstallerd' 'com.apple.speech.speechsynthesisd' 'com.apple.speech.synthesisserver' (disabling them freezes Edit menus)
# and 'com.apple.bird' (disabling it prevents the save prompt from being shown)
TODISABLE=()
# iCloud
TODISABLE+=('com.apple.security.cloudkeychainproxy3' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotosd' \
'com.apple.followupd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing')
# Safari useless stuff
TODISABLE+=('com.apple.SafariBookmarksSyncAgent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.WebKit.PluginAgent')
# iMessage / Facetime
TODISABLE+=('com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imklaunchagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced')
# Game Center / Passbook / Apple TV / Homekit...
TODISABLE+=('com.apple.gamed' \
'com.apple.passd' \
'com.apple.Maps.pushdaemon' \
'com.apple.videosubscriptionsd' \
'com.apple.CommCenter-osx' \
'com.apple.homed')
# Ad-related
TODISABLE+=('com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd')
# Screensharing
TODISABLE+=('com.apple.screensharing.MessagesAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra')
# Siri
TODISABLE+=('com.apple.siriknowledged' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.Siri.agent' \
'com.apple.parsec-fbf')
# VoiceOver / accessibility-related stuff
TODISABLE+=('com.apple.VoiceOver' \
'com.apple.voicememod' \
'com.apple.accessibility.AXVisualSupportAgent' \
'com.apple.accessibility.dfrhud' \
'com.apple.accessibility.heard')
# Quicklook
TODISABLE+=('com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.quicklook')
# Sidecar
TODISABLE+=('com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay')
# Debugging process
TODISABLE+=('com.apple.spindump_agent' \
'com.apple.ReportCrash' \
'com.apple.ReportGPURestart' \
'com.apple.ReportPanic' \
'com.apple.DiagnosticReportCleanup' \
'com.apple.TrustEvaluationAgent')
# Screentime
TODISABLE+=('com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent')
# Others
TODISABLE+=('com.apple.telephonyutilities.callservicesd' \
'com.apple.photoanalysisd' \
'com.apple.parsecd' \
'com.apple.AOSPushRelay' \
'com.apple.AOSHeartbeat' \
'com.apple.AirPlayUIAgent' \
'com.apple.AirPortBaseStationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.findmymacmessenger' \
'com.apple.sharingd' \
'com.apple.identityservicesd' \
'com.apple.java.InstallOnDemand' \
'com.apple.parentalcontrols.check' \
'com.apple.security.keychain-circle-notification' \
'com.apple.syncdefaultsd' \
'com.apple.appleseed.seedusaged' \
'com.apple.appleseed.seedusaged.postinstall' \
'com.apple.CallHistorySyncHelper' \
'com.apple.RemoteDesktop' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.SocialPushAgent' \
'com.apple.touristd' \
'com.apple.macos.studentd' \
'com.apple.KeyboardAccessAgent' \
'com.apple.exchange.exchangesyncd' \
'com.apple.suggestd' \
'com.apple.AddressBook.abd' \
'com.apple.helpd' \
'com.apple.amp.mediasharingd' \
'com.apple.mediaanalysisd' \
'com.apple.mediaremoteagent' \
'com.apple.remindd' \
'com.apple.keyboardservicesd' \
'com.apple.AddressBook.SourceSync' \
'com.apple.mobileassetd' \
'com.apple.CalendarAgent' \
'com.apple.knowledge-agent')
for agent in "${TODISABLE[@]}"
do
  # Renaming the plist is what disables the service; only report success when the rename happened
  if mv "./System/Library/LaunchAgents/${agent}.plist" "./System/Library/LaunchAgents/${agent}.plist.bak"; then
    echo "[OK] Agent ${agent} disabled"
  else
    echo "[SKIP] Agent ${agent}: plist not found (already disabled or absent on this macOS version)"
  fi
done
# Daemons to disable
TODISABLE=()
# iCloud
TODISABLE+=('com.apple.analyticsd' 'com.apple.icloud.findmydeviced')
# Others
TODISABLE+=('com.apple.netbiosd' \
'com.apple.preferences.timezone.admintool' \
'com.apple.remotepairtool' \
'com.apple.security.FDERecoveryAgent' \
'com.apple.SubmitDiagInfo' \
'com.apple.screensharing' \
'com.apple.appleseed.fbahelperd' \
'com.apple.apsd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.locate' \
'com.apple.locationd' \
'com.apple.eapolcfg_auth' \
'com.apple.RemoteDesktop.PrivilegeProxy' \
'com.apple.mediaremoted')
for daemon in "${TODISABLE[@]}"
do
  if mv "./System/Library/LaunchDaemons/${daemon}.plist" "./System/Library/LaunchDaemons/${daemon}.plist.bak"; then
    echo "[OK] Daemon ${daemon} disabled"
  else
    echo "[SKIP] Daemon ${daemon}: plist not found (already disabled or absent on this macOS version)"
  fi
done
#!/bin/bash
# IMPORTANT: Don't forget to log out from your Apple ID in the settings before running it!
# IMPORTANT: You will need to run this script from Recovery. macOS Catalina mounts the system volume read-only, which prevents this script from working from the main OS.
# This script needs to be run from the volume you wish to use.
# E.g. run it like this: cd /Volumes/Macintosh\ HD && sh /Volumes/Macintosh\ HD/Users/sabri/Desktop/disable.sh
# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# Agents to enable
TOENABLE=()
# iCloud
TOENABLE+=('com.apple.security.cloudkeychainproxy3' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.findmydeviced.findmydevice-user-agent' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotosd' \
'com.apple.followupd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing')
# Safari useless stuff
TOENABLE+=('com.apple.SafariBookmarksSyncAgent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.WebKit.PluginAgent')
# iMessage / Facetime
TOENABLE+=('com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imklaunchagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced')
# Game Center / Passbook / Apple TV / Homekit...
TOENABLE+=('com.apple.gamed' \
'com.apple.passd' \
'com.apple.Maps.pushdaemon' \
'com.apple.videosubscriptionsd' \
'com.apple.CommCenter-osx' \
'com.apple.homed')
# Ad-related
TOENABLE+=('com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd')
# Screensharing
TOENABLE+=('com.apple.screensharing.MessagesAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra')
# Siri
TOENABLE+=('com.apple.siriknowledged' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.Siri.agent' \
'com.apple.parsec-fbf')
# VoiceOver / accessibility-related stuff
TOENABLE+=('com.apple.VoiceOver' \
'com.apple.voicememod' \
'com.apple.accessibility.AXVisualSupportAgent' \
'com.apple.accessibility.dfrhud' \
'com.apple.accessibility.heard')
# Quicklook
TOENABLE+=('com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.quicklook')
# Sidecar
TOENABLE+=('com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay')
# Debugging process
TOENABLE+=('com.apple.spindump_agent' \
'com.apple.ReportCrash' \
'com.apple.ReportGPURestart' \
'com.apple.ReportPanic' \
'com.apple.DiagnosticReportCleanup' \
'com.apple.TrustEvaluationAgent')
# Screentime
TOENABLE+=('com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent')
# Others
TOENABLE+=('com.apple.telephonyutilities.callservicesd' \
'com.apple.photoanalysisd' \
'com.apple.parsecd' \
'com.apple.AOSPushRelay' \
'com.apple.AOSHeartbeat' \
'com.apple.AirPlayUIAgent' \
'com.apple.AirPortBaseStationAgent' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.findmymacmessenger' \
'com.apple.sharingd' \
'com.apple.identityservicesd' \
'com.apple.java.InstallOnDemand' \
'com.apple.parentalcontrols.check' \
'com.apple.security.keychain-circle-notification' \
'com.apple.syncdefaultsd' \
'com.apple.appleseed.seedusaged' \
'com.apple.appleseed.seedusaged.postinstall' \
'com.apple.CallHistorySyncHelper' \
'com.apple.RemoteDesktop' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.SocialPushAgent' \
'com.apple.touristd' \
'com.apple.macos.studentd' \
'com.apple.KeyboardAccessAgent' \
'com.apple.exchange.exchangesyncd' \
'com.apple.suggestd' \
'com.apple.AddressBook.abd' \
'com.apple.helpd' \
'com.apple.amp.mediasharingd' \
'com.apple.mediaanalysisd' \
'com.apple.mediaremoteagent' \
'com.apple.remindd' \
'com.apple.keyboardservicesd' \
'com.apple.AddressBook.SourceSync' \
'com.apple.mobileassetd' \
'com.apple.CalendarAgent' \
'com.apple.knowledge-agent')
for agent in "${TOENABLE[@]}"
do
  # Restoring the original plist name re-enables the service; only report success when the rename happened
  if mv "./System/Library/LaunchAgents/${agent}.plist.bak" "./System/Library/LaunchAgents/${agent}.plist"; then
    echo "[OK] Agent ${agent} enabled"
  else
    echo "[SKIP] Agent ${agent}: no .bak plist found (already enabled or never disabled)"
  fi
done
# Daemons to enable
TOENABLE=()
# iCloud
TOENABLE+=('com.apple.analyticsd' 'com.apple.icloud.findmydeviced')
# Others
TOENABLE+=('com.apple.netbiosd' \
'com.apple.preferences.timezone.admintool' \
'com.apple.remotepairtool' \
'com.apple.security.FDERecoveryAgent' \
'com.apple.SubmitDiagInfo' \
'com.apple.screensharing' \
'com.apple.appleseed.fbahelperd' \
'com.apple.apsd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.locate' \
'com.apple.locationd' \
'com.apple.eapolcfg_auth' \
'com.apple.RemoteDesktop.PrivilegeProxy' \
'com.apple.mediaremoted')
for daemon in "${TOENABLE[@]}"
do
  if mv "./System/Library/LaunchDaemons/${daemon}.plist.bak" "./System/Library/LaunchDaemons/${daemon}.plist"; then
    echo "[OK] Daemon ${daemon} enabled"
  else
    echo "[SKIP] Daemon ${daemon}: no .bak plist found (already enabled or never disabled)"
  fi
done
@ink-splatters

ink-splatters commented Dec 28, 2021

Thanks everyone for amazing insights!

AFAIK a lot of parts of /private/var are writable w/o disabling authenticated-root; some parts don't even require SIP to be disabled.
So just checkin' to be sure I got it (I'm on the latest Monterey release, M1):

Given that disabling the system daemons / agents persists somewhere in /private/var/db/... (which AFAIK is mostly? the "Data" partition),
does it actually mean there's no need to disable authenticated-root (and have all the consequences) to actually disable system services / agents?

Or am I missing it and the launchd "disable override" (or wtf it's called) db path is mounted from the SSV instead?

@b0gdanw

b0gdanw commented Dec 28, 2021

@ink-splatters
In my tests without csrutil disable, commands like sudo launchctl bootout system/* failed with an error and commands like sudo launchctl disable system/* were ignored after a restart.
I never used csrutil authenticated-root disable.

@estmortis

estmortis commented Dec 31, 2021

For anyone looking for more processes that can be disabled, I found this page helpful:
https://web.archive.org/web/20170222052540/http://triviaware.com/macprocess/all

I will be adding an updated list to my git soon / also found a way around using Disk Utility with cloud services all disabled :XD

@estmortis

estmortis commented Jan 3, 2022

I have an updated version on here: https://github.com/estmortis/disablebunchof-h-t_Catalina

Thanks @pwnsdx. I also added another alternative to just remove the launchagents/daemons etc. completely (instead of just renaming the plist); tested on Catalina and all working fine.

@ink-splatters

ink-splatters commented Jan 3, 2022

wrong

~~@b0gdanw as far as I see, on Monterey/M1 at least, after disabling SIP and adding services to ‘disabled.plist’ and ‘disabled.501.plist’ or the similar via ‘launchctl disable’ seems to survive re-enabling SIP (not fully as on M1 it’s done via security policy which has tight relationship with SIP but I don’t know yet what SIP bits are set. /private/var has huge potential for hacking around, e.g. locking some privacy evading daemons out of their working dirs, but that’s for me unexplored territory, I succeeded partially, but at some point killed all of it :) I recommend being very careful as messing up with it means full reinstall (unless some “template” folders from recovery are helpful)~~

Unfortunately the information posted by me is, at least as of this date, irrelevant.

I thought it might be, in theory, that the behaviour had changed after some macOS update; instead it's very likely that I've actually been mistaken, paying not enough attention to the contents of the disabled.*plist files after re-enabling SIP.

In any case: apologies for the misleading information from my side.

Instead

State of things on the date of edit (tested on a MacBook Air M1 2020, macOS Monterey 2.2.1 21D62)*.

  • everything works as expected with SIP disabled (by issuing csrutil disable)
  • when SIP is re-enabled (I only used the Security Policy menu item in Recovery, putting the M1 to Reduced Security with custom kexts enabled): only some of the changes persist.
  • it's clear that some kind of whitelisting takes place, of services macOS treats as "critical"
  • it's not clear how it's facilitated, but likely by processing some list of services located somewhere in /System (but not limited to it) and enforcing it either at the system policy check stage or later during boot (needs to be investigated)
  • as per the experiences of others (and my own), launchd dumping its cache overwrites (with significant likelihood, up to 100%) the changes made manually to the disabled.* files (unless done in Recovery mode). This applies to the discussed case when one changes the security policy to a value other than "permissive".

Summary

  • all your changes done manually to disabled.*plist files should not be considered persistent, ever. If done in a normal boot, they will be overridden by launchd dumping its cache upon the next boot
  • the only exception to the statement above might be editing disabled.*plist files in Recovery mode, and only if planning to boot in Permissive Security mode; however, I'm not fully sure about this, so I discourage anyone from relying on it: check yourself instead, first
  • any follow-up boot of the system after changing the security mode to anything other than Permissive Security must be considered as wiping all your changes to /private/var/db/com.apple.xpc.launchd, therefore always back it up first

--

It's very sad, but it seems there is no reliable way to disable system services, given Apple Silicon and (at least) the current build of macOS Monterey, without switching to permissive security.*

What makes me especially sad about it: mainly the need for iOS apps running on the M1. So probably the below is relevant only to people concerned about it.

Given permissive security, one would lose the ability to run iOS apps. It's well known (at least to M1 users) but I'm putting it here just in case.

The "true" workaround for this might be a custom XNU build with the security policy / sandboxing / FairPlay related stuff likely patched. The bar is pretty high to implement it; in particular, IMHO it would be very hard without first going thru macOS / iOS security basics. There might be much easier workarounds using tools available around GitHub. If interested, ping me and I could share the info I have (I don't have a fully working variant as of this date, also because it needs time to dig into it).

In any case, one would need to downgrade to permissive security and, if more advanced techniques are not in mind, switch off amfi (which of course would put your system at high risk of being compromised).


  • I'm not elaborating on the obvious risks associated with reduced security, as IMO system tampering implies some prior research or existing knowledge regarding the consequences
  • even when it comes to Apple Silicon, because of the very subtle nature of both the security related features (e.g.: some peculiarities might differ in the way stronger guarantees are enforced on M1 Pro / Pro Max systems vs the M1 Air 2020) and the presumed way the whitelisting works, the behaviour described here might be different in your case
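A check for the persistence problem described in the comment above, as an added example that is not part of the gist or of the comment: after a reboot (or after changing the Apple Silicon security policy), it lists which of the intended `launchctl disable` overrides launchd no longer reports as disabled. The `launchctl print-disabled` output is a constructed sample in the format that command prints (an assumption about the format, not captured from a real machine), and the wanted list is a subset of the gist's daemon list.

```shell
#!/bin/sh
# Added example, not part of the gist: report which intended launchd disable overrides did NOT
# survive. Assumes the `launchctl print-disabled <domain>` output format shown in the sample.
set -u

# Constructed sample of `launchctl print-disabled system` output (not from a real machine).
sample_print_disabled() {
  cat <<'EOF'
disabled services = {
	"com.apple.analyticsd" => disabled
	"com.apple.netbiosd" => disabled
	"com.apple.locationd" => enabled
	"com.apple.apsd" => enabled
}
EOF
}

# Labels we intended to disable (a subset of the gist's daemon list, for the demo).
wanted_disabled() {
  printf '%s\n' com.apple.analyticsd com.apple.netbiosd com.apple.locationd com.apple.apsd
}

# Extract, one per line, the labels launchd currently reports as "disabled" (stdin -> stdout).
disabled_labels() {
  sed -n 's/^[[:space:]]*"\([^"]*\)" => disabled[[:space:]]*$/\1/p'
}

# Print each wanted label that launchd does not report as disabled, i.e. a lost override.
# $1 = file with wanted labels, $2 = file with print-disabled output. Always exits 0.
lost_overrides() {
  live=$(mktemp)
  disabled_labels < "$2" > "$live"
  # -F fixed strings, -x whole line, -v invert: wanted lines absent from the live disabled set.
  grep -Fxv -f "$live" "$1" || true
  rm -f "$live"
}

# Demo on the constructed sample. On a real machine feed `launchctl print-disabled system`
# (daemons) or `launchctl print-disabled gui/$(id -u)` (agents) into the second file instead.
demo() {
  w=$(mktemp); l=$(mktemp)
  wanted_disabled > "$w"
  sample_print_disabled > "$l"
  lost_overrides "$w" "$l"
  rm -f "$w" "$l"
}
demo
```

Run it once before the reboot or policy change with the live output saved to a file, and once after; any label it prints is one whose override was reverted, which is exactly the whitelisting behaviour the comment describes. Back up /private/var/db/com.apple.xpc.launchd beforehand, as the comment recommends, so the original override files can be compared as well.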

@estmortis

estmortis commented Jan 10, 2022

Curious why CoreLocationAgent & Geod are not on this list.

If I disable AirPlayXPCHelper, can I still use WiFi?

@elesto

elesto commented Jan 17, 2022

I think a big problem most people are having is the format of this project. Nobody really wants to go back and read 500 lines of separate conversations to find out that someone already answered their question 30 lines up. Knowledge is found and then lost in the sea of neverending posts and nobody knows what's happening. I for one don't know if this project even works on Monterey, or its drawbacks, and it's near impossible for me to piece together if it does or not without just flat out asking and therefore contributing to the endless stream of "does anyone know if X does Y". I appreciate the project and I use some bits for myself, but we really need a better wiki-style format.

@neofright

neofright commented Jan 17, 2022

@elesto In my opinion it would require someone to make the script as part of a repo and not just a gist. Then we can all more easily collaborate on pull requests and issues.

For me, not being able to keep FileVault enabled is a deal breaker. If someone can explain a way of keeping FileVault enabled (a Disk Password-based DEK may work; has anyone tested this?) then I'll happily create a repo for this; otherwise I can see little utility in maintaining such a project.

@elesto

elesto commented Jan 18, 2022

So.. I hate to be that guy, but I've been eyeing the upgrade from Catalina for two years and I'm wondering: does the disabling of agents work on Monterey?

@ink-splatters

ink-splatters commented Jan 18, 2022

@elesto
The following is applicable for M1 (I don't have Intel, so it must be verified):

~~it _does_ with SIP turned off.~~
~~If fancy running iOS apps, change security policy to “reduced security” (and allow kexts if needed) but _after disabling stuff_. Avoid “full security” as it would roll everything back. That also implies not running `csrutil enable` as it might trigger “full security”. I’m not sure persistence is consistent, but currently it works for me. Always backup `/private/var/db/com.apple.xpc.launchd` before any update as it will wipe it. Might be more locations to backup if disabling for users other than 0 and 501 (find / grep it, I haven’t had chance to do it yet)~~

Please disregard this post; it was the "survivorship bias" of the thing working just on my machine, probably due to a bug in earlier versions of the OS.

@490398290

490398290 commented Jan 22, 2022

Could the script be adapted to use the new commands, like:

sudo launchctl bootout system/com.apple.spindump
sudo launchctl disable system/com.apple.spindump
sudo launchctl bootout system/com.apple.tailspind
sudo launchctl disable system/com.apple.tailspind

This way, services can be disabled even with SIP on.
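The adaptation asked for above, as an added example that is not the gist author's script: the same kind of disable list driven through `launchctl bootout` and `launchctl disable` instead of renaming plists. The service lists are a short constructed subset of the gist's lists; daemons are addressed in the system domain and agents in the logged-in user's gui/<uid> domain. Whether such an override survives a reboot is disputed earlier in this thread (see the b0gdanw and ink-splatters comments), so check `launchctl print-disabled system` (and `launchctl print-disabled gui/<uid>`) after rebooting.

```shell
#!/bin/bash
# Added example, not the gist author's script: disable launchd services via
# `launchctl bootout` + `launchctl disable` (macOS 10.11+ launchctl syntax).
# The lists below are a constructed subset of the gist's lists.
set -u

# Daemons belong to the system domain; agents to the logged-in user's gui/<uid> domain.
DAEMONS='com.apple.analyticsd com.apple.netbiosd'
AGENTS='com.apple.gamed com.apple.spindump_agent'

# Build the launchctl domain target for a service.
# $1 = daemon|agent, $2 = label, $3 = uid for agents (defaults to the current user).
service_target() {
  case "$1" in
    daemon) printf 'system/%s\n' "$2" ;;
    agent)  printf 'gui/%s/%s\n' "${3:-$(id -u)}" "$2" ;;
    *)      echo "unknown service kind: $1" >&2; return 1 ;;
  esac
}

# Stop a service now (bootout) and record a disable override so launchd skips it at next boot.
# With DRY_RUN=1 the commands are printed instead of run. The system domain needs root (sudo).
disable_service() {
  target=$(service_target "$@") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "launchctl bootout $target"
    echo "launchctl disable $target"
    return 0
  fi
  launchctl bootout "$target" 2>/dev/null || true   # a service that is not running is not an error
  launchctl disable "$target"
}

disable_all() {
  for d in $DAEMONS; do disable_service daemon "$d"; done
  for a in $AGENTS;  do disable_service agent  "$a"; done
}

# Print the plan by default; pass --apply to really change the system.
if [ "${1:-}" = "--apply" ]; then disable_all; else DRY_RUN=1 disable_all; fi
```

Re-enabling is the mirror image (`launchctl enable <target>` followed by `launchctl bootstrap` of the plist, or simply a reboot), so keep the list of what was disabled alongside the script.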

@elesto

elesto commented Jan 22, 2022

@kikieri

kikieri commented Apr 5, 2022

Anyone used this on Monterey?

@terry9873

terry9873 commented May 8, 2022

@johnstonenow It does look like the future is Linux for secure computing. I'm considering stopping at Mojave and using Mojave for another five years for AV work. Office work and portable work would be on Linux and probably not Canonical. Debian is hardcore but usable. Mint and Ubuntu are built on Debian

I am so sorry Alec, I didn't get a ping for this reply. I am at that point right now. Running Mojave, but when trying to upgrade to Catalina I notice my drive encryption password is DEMANDED by the Catalina OS. For YEARS now I have always formatted my drives and stored that complex password in ONE place (my head!). It doesn't exist anywhere else. How am I to believe:

  1. That it's more secure to let Catalina/FileVault FORCE my user password to be able to unlock my disk?
  2. That Apple isn't (maybe, just maybe) FORCING all of this for one reason - To get a copy of everyone's disk passwords so, should the need arise (secret warrant perhaps), they can unlock anyone's drive.

Am I being irrational in having such concerns?

I now fear it's time for Linux, although I have no choice re business work as I still have to use Mac for that. So do I stick to Mojave (unsupported = risks), or do I 'comply' with Catalina forcing me to allow the user password to unlock my drive? Would love your opinion on this!

@ink-splatters

ink-splatters commented Jul 2, 2022

DISCLAIMER: the info here should not be considered accurate; it's just my attempt to highlight how FileVault2 works based on my current understanding.

One could also easily Google it ~~so my real motivation behind this post is leaving here something that looks deceptively smart :)~~

The disk on modern machines (by that I mean Apple Silicon or Intel with T2) is always encrypted with XTS-AES (regardless of FileVault2 "enablement" status), using the Volume Encryption Key (VEK), which is related to the Hardware and xART (anti-replay system) keys.

"Enabling" FileVault2 has nothing to do with data, metadata or filesystem B-Tree encryption, for which the VEK is used.
The VEK stays intact but becomes wrapped by a newly generated KEK (Key Encryption Key).

KEK is stored:

  • wrapped with user password
  • wrapped with volume recovery key (if user password is lost, volume still can be decrypted using recovery key).

Additional wrapping with institutional recovery key can be done, either enforced by MDM enrolment
or via Provisioning Profiles using this payload

https://raw.githubusercontent.com/ProfileCreator/ProfileManifests/5b4d8f9a9e8498c0db55be6b042c355b83535d62/Manifests/ManifestsApple/com.apple.MCX.FileVault2.plist


So, thanks to the KEK and the hardware AES implementation, encryption / decryption is very fast, and re-encryption is not needed after enabling/disabling FileVault and/or adding a new user.

Complete data erasure is also very fast and easy and can be done by ditching xART (and the corresponding keys) using e.g. xartutil ~~(I haven't told you that)~~

There is a (quite technical) paper which covers the FV2 design on non-T2 Macs but is still relevant in many aspects: https://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf

Also, there are ultimately amazing write-ups, highlighting related topics, at Eclectic Light:

https://eclecticlight.co/2022/04/23/explainer-filevault
https://eclecticlight.co/2021/07/03/explainer-xart-and-nonces


Back to the original topic:

Why Catalina asks for the password I don't know exactly, but any operation that involves deriving the KEK (PBKDF / PBKDF2) does require entering the password.

Summarising when the user password is required for sure:

  1. For generating the KEK, which happens:
  • while upgrading to FileVault2, if you have a Fusion Drive (AFAIK, the macOS upgrade, either to Mojave or to Catalina, "kindly asks" - read "forces" you - to upgrade)
  • enabling / disabling FileVault for whatever reason and/or "adding" a user using fdeutil
  • [more examples]?
  2. For bootable volume auth (I presume some PBKDF / PBKDF2 derivation takes place as well, in order for the Secure Enclave to authenticate booting from the volume).

This step, BTW, requires macOS calling home to get some more cryptography material to be used for key derivation / wrapping, in the following cases:

  • full security enabled on Intel Macs
  • in any case on Apple Silicon, so it's just not possible to make volume bootable without pulling some related nonces from Apple servers. Well, who said that Apple machines belong to users?

On the other hand: the user password is never stored anywhere in plain text. It's stored (encrypted) in the user's Keychain, but only if the user requested it. The Keychain is also E2E encrypted, so no - there is no way for Apple to get your password.

A slightly different story is if the user chooses to reset the password using the iCloud account, so that a protected CloudKit entry is created to store the related key. Is it E2E encrypted? IDK. Technically it can be (later on - to be unwrapped with the user password).


As for Linux, I believe, if properly set up, both Linux (with LVM/LUKS enabled) and a modern Apple machine with FileVault2 are at least equally secure regarding protection from unauthorised data access.

If SELinux is enabled and, given there are no relevant 0-days for the Apple Sandbox, lol, which hasn't always been all that unbreakable, we could talk about a comparable level of protection in terms of containing damage.

The modern Apple Secure Enclave (on Apple Silicon and the latest iOS SoCs) seems to drastically reduce the chance of the machine getting fully compromised: in addition to the initially solid design of the Secure Enclave, more protections have been added quite recently.

E.g., Apple claims that compromising the "main part" of the Secure Enclave still doesn't give carte blanche to the attacker, as there is separate hardware key storage, accessed, as per Apple, via dedicated physical lines.


Maybe jailbreak fans have noticed that there is no such thing anymore for the latest iOS, mainly due to the SSV, which kills the persistence of modern jailbreaks.

A feature similar to the SSV in the Linux world is, AFAIK, implemented only in some flavour of Fedora which uses a r/o boot volume design, but IDK if some verification mechanism based on Merkle trees is implemented which would protect from a r/w re-mount and messing with the volume.

More cool things out there:

Apple Platform Security

Which I highly recommend reading; it has resolved lots of my questions.
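A toy model of the key hierarchy the comment above describes, as an added example that is neither Apple's code nor part of the gist: data is encrypted once under a volume key (VEK); the VEK is wrapped under a KEK derived from the user password and, separately, under a recovery key, so a password change rewraps the VEK and never re-encrypts the data, and discarding every wrapped copy erases the data. It uses the openssl command line (1.1.1 or newer); the PBKDF2 iteration count and the use of CBC mode are assumptions made for the CLI, not Apple's parameters (the real volume cipher is XTS-AES, per the comment).

```shell
#!/bin/sh
# Added example, not Apple's code and not from the gist: a toy FileVault2-style key hierarchy.
# Assumptions: openssl CLI >= 1.1.1; PBKDF2 with 100000 iterations; AES-256-CBC instead of XTS.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 256-bit random key as 64 hex chars (used for the VEK and for the recovery key).
new_key() { openssl rand -hex 32; }

# Encrypt stdin under a raw hex key; output file = 32 hex chars of IV followed by base64 ciphertext.
encrypt_data() {  # $1 = output file, $2 = hex key
  iv=$(openssl rand -hex 16)
  printf '%s' "$iv" > "$1"
  openssl enc -aes-256-cbc -K "$2" -iv "$iv" | openssl base64 -A >> "$1"
}
decrypt_data() {  # $1 = input file, $2 = hex key; plaintext on stdout
  iv=$(head -c 32 "$1")
  tail -c +33 "$1" | openssl base64 -d -A | openssl enc -d -aes-256-cbc -K "$2" -iv "$iv"
}

# Wrap the VEK: KEK = PBKDF2(secret, random salt); the VEK is encrypted under the KEK.
# (Passing the secret on the command line is acceptable for a toy, not for real tooling.)
wrap_vek() {    # $1 = hex VEK, $2 = secret (user password or recovery key); base64 blob on stdout
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass "pass:$2" -a -A
}
unwrap_vek() {  # $1 = wrapped blob, $2 = secret; prints the hex VEK (error or garbage if wrong)
  printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -pass "pass:$2" -a -A
}

# Walk through the lifecycle the comment describes.
demo() {
  vek=$(new_key); rk=$(new_key)
  printf 'secret document\n' | encrypt_data "$WORK/data.enc" "$vek"
  blob_pw=$(wrap_vek "$vek" 'hunter2')      # "enable FileVault": wrap the VEK under the password
  blob_rk=$(wrap_vek "$vek" "$rk")          # and, separately, under the recovery key
  # Password change: unwrap with the old password, rewrap with the new one; data.enc is untouched.
  blob_pw=$(wrap_vek "$(unwrap_vek "$blob_pw" 'hunter2')" 'correct horse')
  decrypt_data "$WORK/data.enc" "$(unwrap_vek "$blob_pw" 'correct horse')"   # new password works
  decrypt_data "$WORK/data.enc" "$(unwrap_vek "$blob_rk" "$rk")"             # recovery key works
  # Erase: discarding every wrapped copy of the VEK (cf. ditching the xART keys) leaves
  # data.enc unreadable without ever overwriting it.
  unset blob_pw blob_rk vek
}
demo
```

The point to take from the model is that the data ciphertext never changes across enable, disable, password change or adding a user: only the small wrapped copies of the VEK do, which is why those operations are fast and why losing both the password and the recovery key is unrecoverable.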
