Taming Sierra for privacy, security, battery life, running cool and general sanity

Discussion in 'macOS Sierra (10.12)' started by MikeyN, Aug 16, 2017.

  1. MikeyN macrumors regular

    MikeyN

    Joined:
    Jul 26, 2017
    #1
The advent of SIP was another step into the walled garden that Apple wants its users to dwell in, doing not much more than pondering how to best spend more money on Apple products.
If Sierra had been a well-designed and well-developed OS, then SIP might actually have been a welcome hardening aspect towards a more secure OS.
    Unfortunately that does not seem to be the case. SIP seems to be more of a hassle for you to take control of your machine, your setup and the OS you have to use.
    Sierra keeps growing the list of background processes and 'cool features', introduces new bugs and rarely fixes old ones.
    There are numerous bugs and way too many processes that are having some of these bugs running all the time. They suck up CPU cycles, available RAM and battery. They phone home and cost you on your metered internet.
    Best of all, some of them do that on your hardware because they try to use 'cool' features of this OS despite your hardware being really not capable or simply blacklisted by Apple. Examples for that might be HandOff, Continuity, AirDrop, Airplay and the like.

    Fanboys keep telling us that Apple really tests their hardware and software so that they play so well together like no other.

    Since this customisation is only rarely possible to achieve with Sierra's own GUI tools I want to list several convenience options to make that OS behave itself and disable as much of the useless, the broken, the scary, the dangerous, the unwanted stuff that Apple deems cool to have on marketing check boxes.

This might/will break some things behind the scenes. But breakage should be kept to a minimum and is most of the time intentional. So do not apply any of these tools blindly but check every step along the way.


    What keeps missing is an up-to-date and live version of a thorough documentation of what all these processes are intended to do, like it used to be here (dead link):
    http : / / triviaware . com / macprocess /


    General guide, but for El Capitan, some advice still applies:
    https://github.com/ernw/hardening/b...m/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md


    Available tools, GUI editors for launchd:
    Lingon (non-free):
    https://www.peterborgapps.com/lingon/

    LaunchControl (non-free):
    http://www.soma-zone.com/LaunchControl/


    Available tools, pre-made scripts and guides to automate disabling certain aspects:

    Disable bunch of #$!@ in Sierra (Version 2.1):
    https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3
    ## The list of disabled services there is a nice starting point for the cautious to unload those daemons one by one with one of the above GUI tools


    A practical guide to securing macOS:
    https://github.com/drduh/macOS-Security-and-Privacy-Guide

    Up to date successor to osxlockdown:
    https://github.com/kristovatlas/osx-config-check

    Nicely commented "Simple shell script to fix macOS privacy issues and remove mostly useless macOS calls to cupertino":
    https://goo.gl/Mk19Lo


    Only small portions really applicable here but still some unique items:
    https://gist.github.com/brandonb927/3195465

If you have other suggestions to minimise the footprint of the Sierra juggernaut, please post below.
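One way to do the "check every step" audit this post asks for before unloading anything: an added example, not code from the thread or from the tools linked above, that joins each job's plist settings (KeepAlive, RunAtLoad, Program) with the state `launchctl list` reports and only then emits the unload commands for review. The listing text, the plist contents and the /tmp/example paths are constructed stand-ins; jobs under /System need the SIP discussion above before `launchctl unload -w` will take effect.

```python
import plistlib

# Constructed stand-in for `launchctl list` output (PID, last exit status, label), tab-separated.
SAMPLE_LIST = """PID\tStatus\tLabel
312\t0\tcom.apple.coreduetd
-\t78\tcom.example.flaky-helper
-\t0\tcom.example.ondemand
"""

def _plist(label, program, keep_alive, run_at_load):
    """Build plist bytes shaped like a LaunchDaemons file (program paths are placeholders)."""
    return plistlib.dumps({"Label": label, "Program": program,
                           "KeepAlive": keep_alive, "RunAtLoad": run_at_load})

SAMPLE_PLISTS = {  # constructed paths; real files live in the LaunchDaemons/LaunchAgents dirs
    "/tmp/example/com.apple.coreduetd.plist": _plist("com.apple.coreduetd", "/placeholder/coreduetd", True, True),
    "/tmp/example/com.example.flaky-helper.plist": _plist("com.example.flaky-helper", "/placeholder/flaky", True, True),
    "/tmp/example/com.example.ondemand.plist": _plist("com.example.ondemand", "/placeholder/ondemand", False, False),
    "/tmp/example/com.example.never-loaded.plist": _plist("com.example.never-loaded", "/placeholder/never", True, True),
}

def parse_launchctl_list(text):
    """Map label -> (pid or None, last exit status) from `launchctl list` text."""
    state = {}
    for line in text.splitlines()[1:]:  # first row is the header
        pid, status, label = line.split("\t")
        state[label] = (None if pid == "-" else int(pid), int(status))
    return state

def audit(plists, listing):
    """Join each plist's declared behaviour with its live state and flag what deserves a look."""
    state = parse_launchctl_list(listing)
    report = []
    for path, data in plists.items():
        job = plistlib.loads(data)
        pid, status = state.get(job["Label"], (None, None))  # (None, None): not loaded at all
        notes = []
        if job.get("KeepAlive") and status not in (None, 0):
            notes.append("KeepAlive job keeps exiting non-zero, so launchd respawns it")
        if job.get("RunAtLoad") and pid is None and status is not None:
            notes.append("RunAtLoad job is loaded but not running")
        report.append({"label": job["Label"], "path": path, "program": job["Program"],
                       "loaded": status is not None, "running": pid is not None,
                       "last_exit": status, "notes": notes})
    return report

def unload_commands(report, labels_to_disable):
    # -w persists the override across reboots; print these and review them before running any
    return [f"sudo launchctl unload -w {r['path']}" for r in report if r["label"] in labels_to_disable and r["loaded"]]
```

Run `audit(SAMPLE_PLISTS, SAMPLE_LIST)` against the constructed data to see the flaky helper flagged twice while the never-loaded job produces no unload command at all.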
     
  2. Trusteft macrumors 6502

    Trusteft

    Joined:
    Nov 5, 2014
    #2
    Not affected but I do have two questions for you if you don't mind.

    1. What is SIP and why is it pissing you off so much?
    2. You have your Mac on metered internet? Are you typing this from the mid 90s?
     
  3. MikeyN thread starter macrumors regular

    MikeyN

    Joined:
    Jul 26, 2017
    #3
    1. https://en.wikipedia.org/wiki/System_Integrity_Protection
As I wrote: I see Apple heading towards even more closure of the Mac. I do not want an OS out of my control that I have to jailbreak. Since only a fraction of the processes are easily disabled – let alone properly documented – SIP needs to be disabled for as long as it takes you to figure them all out. People will tell you that SIP is about hackers, Apple says it's about protecting hapless admin-only users breaking their own stuff. But hackers were not really hindered by it in the past and proper privilege separation is a small price to pay in educating admin users.

    2. Metered internet is the goal of ISPs everywhere. But you can time travel to the 90s if you like: just visit developing third world countries, like those in central Europe. But jokes aside: I want my machine to do my bidding. And this excludes constant uploads or syncs with the mothership. Every single bit not authorised or requested by me is to be avoided. It's also wasteful.
     
  4. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #5
SIP is fine for its intended users, otherwise it's really easy for a knowledgeable user to turn off.

New Zealand has shifted from wholly metered to almost universal unmetered internet so I'm not sure your logic holds up.

    But thanks for the list of links.
     
  5. MikeyN thread starter macrumors regular

    MikeyN

    Joined:
    Jul 26, 2017
    #6
    Points in favour of SIP accepted, for now. Moving towards a locked down OS or hardware provided by Apple is still a real threat. The user needs to be in control. And stay there. macOS is moving further away from that.
    If I want to write my own kernel extension then the requirements for that are tighter and tighter for every release. I do not want to pay for a signing certificate if I already bought the machine in question.

Metered internet access is just an example. And I've been to countries where the logic holds up pretty well.
    Even if unmetered net were the standard everywhere:
    – it is still wasteful to have programs chat behind your back all the time
– it might also be a privacy issue if they do so
    The first point being just the more wasteful if it is chat from 'features' Apple tries to stuff into your mouth even if they are genuinely senseless.

    Please reconsider just this one example:
    You have a Mac with an old WiFi/Bluetooth card in it. Anything that needs coreduetd (like those listed in the first post) is not supported on your machine. Yet coreduetd runs in the background, talks to the net, writes to the disk. And you cannot turn that off as an ordinary user.
    That is bad design. And I am looking for ways to mitigate this.
     
  6. Fishrrman macrumors G4

    Joined:
    Feb 20, 2009
    #7
    OP wrote:
    "Unfortunately that does not seem to be the case. SIP seems to be more of a hassle for you to take control of your machine, your setup and the OS you have to use."

    Then disable it. It's that simple.

    That's one of the first things I do. I want to be able to install whatever I want to install, and that's that. Sure, others are going to jump in and say "that's dangerous", but I will assume the risks. Things ran great for years without SIP and -- for me -- they still run great without it.
     
  7. MikeyN thread starter macrumors regular

    MikeyN

    Joined:
    Jul 26, 2017
    #8
    Yep. Of course. It was disabled to apply all those hacks in trying to control the juggernaut.
    SIP issues are not so much the point as the sheer number of potentially useless or unwanted things going on in the OS that Apple deems necessary for you to have running all the time and better dare not touch it.

    People were saying that with Mavericks or then Yosemite: "Apple optimised the system for SSDs so now it runs slow on spinning drives". I'd like to call this Stockholm-Syndrome like brainwashed sentence I heard way too often an end product of hairy and often unwashed four legged animals intended for human consumption. "But look at how much the systems do these days!" was the next four-letter worthy apology one has to endure. This is all a bunch of fanboy fantasies struggling with cognitive dissonance at the extreme. The systems were so badly organised and badly optimised that they now required an SSD to be bearable. And if you turned off all those things that the OS might be capable of but either your hardware didn't support or you simply didn't need or didn't want: then even magnetic spinners weren't so bad anymore. There were indeed some welcome under the hood changes. Memory management is not completely bonkers anymore. Memory compression and better kernel security were introduced without significant downgrades in overall performance.


    What I want and I think we all might need is far better documentation and better control over the system. It's still a computer in my eyes and not an appliance Apple so graciously lent me.

    The links given in the first post are an attempt to enable users where company policy would cripple them.
    I would like to consolidate them and expand on them.
    It's much more interesting to learn of all the unexpected consequences for e.g. turning Spotlight off completely than to praise the unworthy. It's far more efficient to run what you need and nothing else.
     
