Securing unsupported Macs (OCLP) - What is your setup / Best practices?

[Omega Mac]

Apprently a growing portion of Mac users use OCLP to keep their Mac's in daily useful and usable service for a whole host of reasons.

Yet the crucial issue of the security trade off / proof and cons is discussed in this topic with some cautionary comments on being secure using an unsupported Mac when outside the normative parameters of Apple support, can not be ignored.

As a awareness raising exercise - I thought a topic like this where users primarily focus on supporting and sharing their general security setups tips, tricks and approaches for the greater benefit when using their unsupported Macs day to day would be a good idea, and address one of the concerns of @deeveedee

Posting in this topic means you understand that OCLP introduces some security vulnerabilities and this topic is not to discuss or debate that specifically, but rather support users who have decided on this path for their Mac in ignorance or full knowledge and therefore, the main aim is to showcase the best mitigations users can make in terms of hardware, software and user behaviours while being free to raise any facts that are totally within context of all round good spirited "awareness raising" contributions.

- This post will be updated with some more framing and maybe a summary guide as the topic matures -

 

[Happy_John]

Not connecting those machines onto the internet, and sited only have them connected to your internal network, and setting up your network to manage traffic to and from the OCLPed machines.

I know it sounds laborious, and not really a viable option for how people are using those machines, but, as you say, there's no way of using OCLP (which is a wonderful project for many reasons) without having the vulnerabilities, all you can do is mitigate them.

I'd also to OCLP users not to automatically update to the latest available macOS version on OCLP - choose a version of macOS that your hardware is most compatible with, even when your machine does not support that version for macOS. ( This reminds me of the debate with Mac Pro 5,1 and whether to use OCLP or Martin's Lo's OC config - there were pluses and minuses for both )

Mainly, as with many security issues, the responsibility is on the user to not do stupid things.

 

[Madhatter32]

One important best practice is to continue to use a browser that is supported and receives critical security patches like Firefox, or if it's a really old Mac, Firefox ESR.

 

[cynics]

Good topic I'm very interested.

I was about to update my 2013 iMac to Linux and saw OCLP for the first time and without doing any research I figured I would try it then do Linux. To my surprise it worked perfectly, no issues, everything works (at least at face value).

Now I'm half tempted to leave it since it's not my main computer, however being tied to my iCloud has me concerned.

 

[Omega Mac]

Nt connecting those machines onto the internet, and sited only have them connected to your internal network, and setting up your network to manage traffic to and from the OCLPed machines.

I know it sounds laborious, and not really a viable option for how people are using those machines, but, as you say, there's no way of using OCLP (which is a wonderful project for many reasons) without having the vulnerabilities, all you can do is mitigate them.

I'd also to OCLP users not to automatically update to the latest available macOS version on OCLP - choose a version of macOS that your hardware is most compatible with, even when your machine does not support that version for macOS. ( This reminds me of the debate with Mac Pro 5,1 and whether to use OCLP or Martin's Lo's OC config - there were pluses and minuses for both )

Mainly, as with many security issues, the responsibility is on the user to not do stupid things.

I suppose most will not want to isolate their OCLP machines for they become pointless. There is a bit of an analogy here for recent life and times, them lockdowns did not work out so well after all.

Regards your third point, if say your machine was tapped out by Apple at Monterey but Ventura works, then that is about as deep-end one should venture?

or, maybe a target of hitting as safe as optimally possible Safari since it is tied in with OS level updates. Getting to venture to get Safari 18 seems to be a target, so that means people want to Ventura onto the webtura asap with their unsupported Mac.

I wonder how you gauge "most compatible" trial and error and/or do research in the relevant "unsupported" topic on MR, lots of work / don't work feedback in there.

 

[bogdanw]

rather support users who have decided on this path for their Mac in ignorance or full knowledge

Most are utterly ignorant about what OCLP is or does. There should be a thread presenting alternatives to OCLP. Like installing Windows 10 or a Linux distribution on Intel Macs. Or installing and running for free a newer version of macOS in a virtual machine.

 

[Omega Mac]

One important best practice is to continue to use a browser that is supported and receives critical security patches like Firefox, or if it's a really old Mac, Firefox ESR.

A lot of OCLP users seem to need to get their Safari up to one within security updates zone and optimum web support, as per previous point hitting Safari 18 but not necessarily safari 26 since that OS might be a few degrees to out there for the machine.

I thought Firefox was reliant on the native macOS level web support (frameworks is it?) or am I thinking iOS?

 

[Omega Mac]

Most are utterly ignorant about what OCLP is or does. There should be a thread presenting alternatives to OCLP. Like installing Windows 10 or a Linux distribution on Intel Macs. Or installing and running for free a newer version of macOS in a virtual machine.

Feel free to setup that topic, with the exception that VM machine point is the one relevant to this topic, as a security mitigation right?

 

[Happy_John]

Regards your third point, if say your machine was tapped out by Apple at Monterey but Ventura works, then that is about as deep-end one should venture?

There’s no definitive answer to that, or, at least, I’m no way qualified to give such an answer. At best I’ll give to real examples from my own experience.

Officially, a Mac Pro 5,1 tops out at Mojave, and that’s with latest firmware and a non-stock Metal GPU installed ( you can’t get above High Sierra with a non-Metal card) In theory, you can use OCLP to successfully install more recent versions of macOS.

The problem is that Apple started depreciating hardware drivers in macOS after Big Sur. Relying on an implementation of OC that doesn’t start patching and replacing the code in macOS, you can run Monterey, but you will lose WiFi-fi and Bluetooth unless you physically upgrade the WiFi and Bluetooth card(s) to a more up to date Broadcom card.

After Monterey, the only way you can run a later version of MacOS is by applying patches to both the drivers and the kernel itself. At this point you’ve turned your Mac Pro into a hackintosh, which is not necessarily a bad thing in and of itself, but there are a huge amount of potential vulnerabilities and issues that can arise, because you are spoofing more and more aspects of the hardware.

The dilemma is that, while Mojave, as the last official release (and still able to run my legally purchased but non-subscription versions of Abode software) should be more secure than an OCLP-enabled 5,1, the fact that macOS no longer released security updates for older OSes is a concern, so the Mac Pro does not connect to the internet.

or, maybe a target of hitting as safe as optimally possible Safari since it is tied in with OS level updates. Getting to venture to get Safari 18 seems to be a target, so that means people want to Ventura onto the webtura asap with their unsupported Mac.

I just wouldn’t recommend running safari as a browser on OCLP, that said, if the machine is unsupported because of Apple’s “cut off” of support, rather than any significant hardware changes, then it’s probably OK.

I wonder how you gauge "most compatible" trial and error and/or do research in the relevant "unsupported" topic on MR, lots of work / don't work feedback in there.

I wouldn’t think MR is the best place for it, but I gave up on Facebook a few months ago, so I’m in exile :-(. There was just far too much slop on FB, but I miss the LEM and Mac Pro groups ( and Dull Men, of course). To answer your question, I don’t gauge, I’m purely a hobbyist who plays around with old Macs.

EDIT: My work Macs and my “hobby” Macs are very different machines. My work machines are not running either OCLP or any other flavour of OC. Paid work is done on currently supported AS Macs ( I’d love a Mac Pro 7,1, and I would use it as a “work machine”, but I don’t have one. )