Macos 12/13/14/15 system daemon minimization

UPDATED for Sequoia 15.7 and Sonoma 14.5, see last posts

This is not a new trick, but I just realized that this modification is reboot-resistant, easily removable and does not require to alter the read-only system partition:

Works on macos 12, too. For example, if you don’t want to use icloud at all, you can disable most of its services, except apple bird. Also heavily reduces write access to the internal SSD, and therefore increases lifetime (apple ssds are usually produced by the usual suspects, samsung, toshiba etc, and have the same lifespan).

You can also disable all the surveillance, tracking, online logging, submit-diag stuff by Apple. If you don’t use photos or apple music, you can disable those scanning services, too. Don’t want your keychain in the cloud available for any unknown body? Disable it.
If something does not work as intended, you just have to delete two files in the user space of the drive and reboot. You need to disable SIP (read script comment).

Of course you really need to know which services are what for and do research.

This is my current disabler script:

#!/bin/zsh
#Credit: Original idea and script disable.sh by pwnsdx https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3

#Disabling unwanted services on macOS 13 Ventura
#Disabling SIP is required  ("csrutil disable" from Terminal in Recovery)
#Modifications are written in /private/var/db/com.apple.xpc.launchd/ disabled.plist, disabled.501.plist
# To revert, delete /private/var/db/com.apple.xpc.launchd/ disabled.plist and disabled.501.plist and reboot


# user
TODISABLE=()

TODISABLE+=('com.apple.accessibility.MotionTrackingAgent' \
'com.apple.ReportCrash' \
'com.apple.SafariBookmarksSyncAgent' \
'com.apple.Safari.SafeBrowsing.Service' \
'com.apple.amsaccountsd' \
'com.apple.amsengagementd' \
'com.apple.transparencyd' \
# prevent filerequester warning 'com.apple.bird' \
'com.apple.EscrowSecurityAlert' \
#iphone/ipad sync 'com.apple.AMPArtworkAgent' \
#iphone/ipad sync 'com.apple.AMPDeviceDiscoveryAgent' \
#iphone/ipad sync 'com.apple.AMPLibraryAgent' \
'com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd' \
'com.apple.ap.promotedcontentd' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.avconferenced' \
'com.apple.BiomeAgent' \
'com.apple.biomesyncd' \
'com.apple.CallHistoryPluginHelper' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CloudSettingsSyncAgent' \
'com.apple.CommCenter-osx' \
'com.apple.CoreLocationAgent' \
'com.apple.dataaccess.dataaccessd' \
'com.apple.donotdisturbd' \
'com.apple.ensemble' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.financed' \
'com.apple.followupd' \
'com.apple.gamed' \
'com.apple.geod' \
'com.apple.homed' \
'com.apple.icloud.fmfd' \
'com.apple.iCloudNotificationAgent' \
'com.apple.iCloudUserNotifications' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imtransferagent' \
'com.apple.intelligenceplatformd' \
'com.apple.itunescloudd' \
'com.apple.knowledge-agent' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClientAgent.enrollagent' \
'com.apple.Maps.mapspushd' \
'com.apple.Maps.pushdaemon' \
'com.apple.mediaanalysisd' \
'com.apple.mediastream.mstreamd' \
'com.apple.newsd' \
'com.apple.nsurlsessiond' \
'com.apple.parsec-fbf' \
'com.apple.parsecd' \
'com.apple.passd' \
'com.apple.photoanalysisd' \
'com.apple.photolibraryd' \
'com.apple.progressd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.quicklook' \
'com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.rapportd-user' \
'com.apple.remindd' \
'com.apple.routined' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra' \
'com.apple.screensharing.MessagesAgent' \
'com.apple.ScreenTimeAgent' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.sharingd' \
'com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay' \
'com.apple.siri.context.service' \
'com.apple.macos.studentd' \
'com.apple.siriknowledged' \
'com.apple.suggestd' \
'com.apple.tipsd' \
'com.apple.telephonyutilities.callservicesd' \
'com.apple.TMHelperAgent' \
'com.apple.TMHelperAgent.SetupOffer' \
'com.apple.triald' \
'com.apple.universalaccessd' \
'com.apple.UsageTrackingAgent' \
'com.apple.videosubscriptionsd' \
'com.apple.WiFiVelocityAgent' \
'com.apple.weatherd')

for agent in "${TODISABLE[@]}"
do
	launchctl bootout gui/501/${agent}
	launchctl disable gui/501/${agent}
done

# system
TODISABLE=()

TODISABLE+=('com.apple.bootpd' \
'com.apple.analyticsd' \
'com.apple.osanalytics.osanalyticshelper' \
'com.apple.locationd' \
'com.apple.SubmitDiagInfo' \
'com.apple.symptomsd-diag' \
'com.apple.symptomsd' \
'com.apple.memoryanalyticsd' \
'com.apple.rtcreportingd' \
'com.apple.systemstats.daily' \
'com.apple.systemstats.analysis' \
'com.apple.systemstats.microstackshot_periodic' \
'com.apple.backupd' \
'com.apple.backupd-helper' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CoreLocationAgent' \
'com.apple.coreduetd' \
'com.apple.dhcp6d' \
'com.apple.familycontrols' \
'com.apple.findmymacmessenger' \
'com.apple.followupd' \
'com.apple.FollowUpUI' \
'com.apple.ftp-proxy' \
'com.apple.ftpd' \
'com.apple.GameController.gamecontrollerd' \
'com.apple.geod' \
# prevent diskutility warning 'com.apple.icloud.findmydeviced' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.itunescloudd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.netbiosd' \
'com.apple.nsurlsessiond' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.rapportd' \
'com.apple.screensharing' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.siri.morphunassetsupdaterd' \
'com.apple.siriinferenced' \
'com.apple.triald.system' \
'com.apple.wifianalyticsd')

for daemon in "${TODISABLE[@]}"
do
	sudo launchctl bootout system/${daemon}
	sudo launchctl disable system/${daemon}
done

launchctl also seems to be able to disable services and XPCs from apps. Didn’t dive into that, but it seems to be a very powerful command now.

How much of a performance boost are you getting, or what other benefits are noticing with this? (or is it mostly just the peace of mind about apple not running funny business that you don’t know about?)

On the new M1 macbook I still have yet to break 60% cpu in renoise with like a million vsts and everything is still smooth as glass.

I think you will only notice a small difference in performance while extremely heavy load, like a huge final cut project or so. I never ever use 100% at all, so I think it doesnt matter. But the swapped/fixed memory usage is reduced, and the ssd writings. Yes, mostly for disabling internet talking with apple. Ah, and idle load should be lower, so less battery drain.

As a sidenote:

If you want to disable icloud, Apple Bird only needs to be activated to get rid of a warning requester, which appears all the time if you file requester your drive. Kind of annoying that Apple never tested how the system works if Bird is disabled. Because it’s completely useless then. Also seems to prove the low quality assurance in Apple macos and poor testing practice at Apple…

Same goes for com.apple.icloud.findmydeviced, only needs to stay activated, because otherwise the disk utility refuses to apply changes to your drives, due a crytic error “cannot access findmymac”. Even if you did not enable this.

Instead constantly adding more and more bloatware and surveillance services to macos just like Microsoft, they really should rethink their strategy and macos better again. I think not even Windows runs like 400 background services.

Also it is not at all respecting neither privacy nor constitution laws. Not a single average mac user knows that his movements are tracked and uploaded to icloud by default, most people do not realize that the whole keychain will be uploaded, too, with all your passwords. This is not only a very comfortable open gate for secret services like nsa, but also imagine if icloud was hacked. You probably would never know that your data was hacked and used. Do you know those Apple admins in person? Do you really want to trust unknown persons? This all makes no sense at all. This is really, really bad. EU and national laws do nothing against it, as always the biggest portemonnaie will make the laws instead. But go on with your lemming existence…

This is my advice, if you want to take your privacy seriously: Do not use cloud services by Apple, Microsoft or Google in any case. Those are completely insecure intentionally by design. You can instead install a little script on a cheap php hosting server and sync your contacts and dates with that (e.g. baikal). Syncing files into the cloud makes no sense at all, only for teams, but this is usually not the case with icloud. Sync it in your local area network instead automatically, if you come home. On an iphone or mobile device, always create a fake account as system account with fake data. This might lead into payment problems for apps. Well then jailbreak this shit. Remember what Snowden told us? This still is there, even stronger and even less respecting democracy.

Here is my updated “Disable-bloatware” script for Sonoma. Note that I mostly deactivated icloud and and also siri. You can always reenable everything again (after reboot). So it is completely reversable.

I also did these steps before also disabling the icloud and siri system services:

• Actually login in into icloud in the macos settings (some software won’t work if you didn’t at least login in once).
• Very quickly disable all the file and keychain(!) syncing under “icloud”, which all is enabled by default! Disable all the specific types of syncing.
• Then enable icloud drive again, but disable all detail options. Some games required icloud drive. If you do not plan to play recent macos games, you might leave this off.
• Disable siri in the settings.
• Login into recovery boot, go to terminal there from the menu. Disable SIP by entering “csrutil disable”. Reboot into macos.

Now put this script into your user directory, chmod +x it, so it is exectuable. Run it in the console. Don’t mind the error messages, these popup, if the service already is not running.

#!/bin/zsh
#Credit: Original idea and script disable.sh by pwnsdx https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3

#Disabling unwanted services on macOS 14.5 Sonoma
#Disabling SIP is required  ("csrutil disable" from Terminal in Recovery)
#Modifications are written in /private/var/db/com.apple.xpc.launchd/ disabled.plist, disabled.501.plist

# To revert, delete
# sudo rm /private/var/db/com.apple.xpc.launchd/disabled.plist
# sudo rm /private/var/db/com.apple.xpc.launchd/disabled.501.plist
# and reboot

# restart a agent/daemon:
# launchctl bootstrap system YZX
# launchctl kickstart -kp gui/501/YZX

# more references:
# bootup optimization https://github.com/Wyvern/macos/blob/master/macOS
# what is chronod https://discussions.apple.com/thread/255185176?sortBy=best
# disable sonoma bloatware https://gist.github.com/b0gdanw/812997a189f72f3953e0a1bb237f783d

# user
TODISABLE=()

TODISABLE+=('com.apple.accessibility.MotionTrackingAgent' \
'com.apple.ReportCrash' \
'com.apple.SafariBookmarksSyncAgent' \
'com.apple.Safari.SafeBrowsing.Service' \
'com.apple.amsaccountsd' \
'com.apple.amsengagementd' \
'com.apple.transparencyd' \
# prevent filerequester warning 'com.apple.bird' \
'com.apple.EscrowSecurityAlert' \
#iphone/ipad sync 'com.apple.AMPArtworkAgent' \
#iphone/ipad sync 'com.apple.AMPDeviceDiscoveryAgent' \
#iphone/ipad sync 'com.apple.AMPLibraryAgent' \
'com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd' \
'com.apple.ap.promotedcontentd' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.BiomeAgent' \
'com.apple.biomesyncd' \
'com.apple.CallHistoryPluginHelper' \
# calendar local database 'com.apple.calaccessd' \
# calendar sync 'com.apple.dataaccess.dataaccessd' \
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CloudSettingsSyncAgent' \
'com.apple.CommCenter-osx' \
'com.apple.CoreLocationAgent' \
'com.apple.donotdisturbd' \
'com.apple.ensemble' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.financed' \
'com.apple.followupd' \
#'com.apple.gamed' \
'com.apple.geod' \
'com.apple.geodMachServiceBridge' \
'com.apple.Siri.agent' \
'com.apple.homed' \
'com.apple.icloud.fmfd' \
# required for notes and some recent games 'com.apple.iCloudNotificationAgent' \
# required for notes and some recent games 'com.apple.iCloudUserNotifications' \
# required for notes and some recent games 'com.apple.icloud.searchpartyuseragent' \

# imessage / facetime
'com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced' \

'com.apple.intelligenceplatformd' \
'com.apple.itunescloudd' \
'com.apple.knowledge-agent' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClientAgent.enrollagent' \
'com.apple.Maps.mapspushd' \
'com.apple.Maps.pushdaemon' \
'com.apple.networkserviceproxy' \

'com.apple.networkserviceproxy-osx' \
'com.apple.mediaanalysisd' \
'com.apple.mediastream.mstreamd' \
'com.apple.newsd' \
'com.apple.nsurlsessiond' \
'com.apple.parsec-fbf' \
'com.apple.parsecd' \
'com.apple.passd' \
'com.apple.photoanalysisd' \
'com.apple.photolibraryd' \
'com.apple.progressd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.quicklook' \
'com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.rapportd-user' \
'com.apple.remindd' \
'com.apple.routined' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra' \
'com.apple.screensharing.MessagesAgent' \
'com.apple.ScreenTimeAgent' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.sharingd' \
'com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay' \
'com.apple.Siri.agent' \
'com.apple.siri.context.service' \
'com.apple.macos.studentd' \
'com.apple.siriknowledged' \
'com.apple.suggestd' \
'com.apple.tipsd' \
'com.apple.telephonyutilities.callservicesd' \
'com.apple.TMHelperAgent' \
'com.apple.TMHelperAgent.SetupOffer' \
'com.apple.triald' \
'com.apple.universalaccessd' \
#screentime
'com.apple.UsageTrackingAgent' \

'com.apple.videosubscriptionsd' \
'com.apple.WiFiVelocityAgent' \
'com.apple.SocialPushAgent' \
'com.apple.weatherd' \
# added for sonoma
# widget stuff, I don't use widgets
#'com.apple.chronod' \ # test notes
'com.apple.WeatherService' \

'com.apple.siriactionsd' \
'com.apple.SiriTTSTrainingAgent' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.betaenrollmentd' \
'com.apple.cmio.ContinuityCaptureAgent' \
# not required for mail
#'com.apple.email.maild' \ # test notes
#'com.apple.icloudmailagent' \
# for enabling two factor accounts like google mail? 'com.apple.MailServiceAgent' \
# for smarthome
'com.apple.homeenergyd' \

'com.apple.SafariHistoryServiceAgent' \
'com.apple.Safari.PasswordBreachAgent' \
'com.apple.SafariTechnologyPreview.SyncService' \
'com.apple.translationd' \
'com.apple.UserPictureSyncAgent' \
'com.apple.peopled' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.textunderstandingd' \
'com.apple.avatarsd' \
# business chat
'com.apple.businessservicesd' \

'com.apple.promotedcontentd' \

# siri
'com.apple.sirittsd'
# spotlight core service TEST for reducing spotlight write access, required by mail 'com.apple.corespotlightd'
)

echo "Your user id:"
id -u

for agent in "${TODISABLE[@]}"
do
    echo "disabling ${agent}"
	launchctl bootout gui/501/${agent}
	launchctl disable gui/501/${agent}
done

# system
TODISABLE=()

TODISABLE+=('com.apple.bootpd' \
# icloud
'com.apple.analyticsd' \

'com.apple.osanalytics.osanalyticshelper' \
'com.apple.locationd' \
'com.apple.SubmitDiagInfo' \
'com.apple.symptomsd-diag' \
'com.apple.symptomsd' \
'com.apple.memoryanalyticsd' \
'com.apple.rtcreportingd' \
'com.apple.systemstats.daily' \
'com.apple.systemstats.analysis' \
'com.apple.systemstats.microstackshot_periodic' \
'com.apple.backupd' \
'com.apple.backupd-helper' \
# to test 'com.apple.biomed' \
# to test 'com.apple.biometrickitd' \
'com.apple.cloudd' \

'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CoreLocationAgent' \
'com.apple.coreduetd' \
'com.apple.dhcp6d' \
'com.apple.familycontrols' \
'com.apple.findmymacmessenger' \
'com.apple.followupd' \
'com.apple.FollowUpUI' \
'com.apple.ftp-proxy' \
'com.apple.ftpd' \
# gaming 'com.apple.GameController.gamecontrollerd' \
'com.apple.geod' \
# prevent diskutility warning 'com.apple.icloud.findmydeviced' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.itunescloudd' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.netbiosd' \
'com.apple.nsurlsessiond' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.rapportd' \
'com.apple.screensharing' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.siri.morphunassetsupdaterd' \
'com.apple.siriinferenced' \
'com.apple.triald.system' \
'com.apple.wifianalyticsd' \
# added for sonoma
'com.apple.nearbyd' \
# collecting user data
'com.apple.dprivacyd' \
# apple pay
'com.apple.seld'
# TEST completely disable logd, since it writes tons of data
# 'com.apple.logd'
)

for daemon in "${TODISABLE[@]}"
do
    echo "disabling ${daemon}"
	sudo launchctl bootout system/${daemon}
	sudo launchctl disable system/${daemon}
done

To revert this, run in terminal:

sudo rm /private/var/db/com.apple.xpc.launchd/disabled.plist
sudo rm /private/var/db/com.apple.xpc.launchd/disabled.501.plist

And reboot.

References:
bootup optimization macos/macOS at master · Wyvern/macos · GitHub
what is chronod What is chronod, is it a part of Sonoma? - Apple Community
disable sonoma bloatware Disable-Sonoma-Bloatware.sh · GitHub
University paper about the introduction of dprivacyd https://arxiv.org/pdf/1709.02753

CHANGELOG

• Fixed Apple notes not responding and some AAA games like death stranding using icloud drive
• Added dprivacyd, read here iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment · GitHub
• Fixed calendar database and sync by reenabling these services

There seems to be a problem with above blacklist. Might be too many disabled. If you go to the system settings, while the above is enabled, and click into areas which cannot work anymore (e.g. icloud details), the settings will hang. Now it seems that even after force-quitting settings, it will produce some kind of memory leak over time.

The symptons then are over time:

• loosing bluetooth connections (this very early)
• actual reboot
• after reboot, you can’t open a lot of apps, and touch id doesnt work

If this happens, simply revert the blacklist and restart again. Then everything is back to normal. I then activated the blacklist again. I am still investigating, if a newly added entry is responsible for this. My list above, for Monterey/Ventura worked fine for over a year. So either the new system settings are really badly coded, or I added an essential daemon. By “essential” I mean a daemon which Apple is not expecting not to be available, disregarding its functionality.

TL;DR: Also the new sonoma blacklist works fine here, as long as I do not click any areas in the system settings which require internet, icloud, siri etc.

From this paper https://arxiv.org/pdf/1709.02753 :

The dprivacy (com.apple.dprivacyd) daemon runs the system re-
sponsible for implementation of differential privacy. Once a user
opts-in to differentially private data collection in the MacOS Secu-
rity & Privacy Settings (Figure 8), the dprivacy daemon is enabled
and the database that will be supporting relevant data storage and
management is created in /var/db/DifferentialPrivacy. Furthermore,
there’s a message visible on Console: “dprivacyd: accepting work
now".
Per Apple’s original announcement [1 , 21 , 23], the use of DP is
focused on four applications: new words, emojis, deeplinks, and
lookup hints in Notes, with iCloud data added as an additional
application in early 2017 [ 2], and further types of data collection
such as health data introduced in mid-2017 [24 ]. We observed how
to reliably trigger DP-related activity when entering new words
and emojis2; thus, our conclusions will be based on experiments
with those applications

So on initial launch, dprivacyd was disabled by default. I can tell you that this daemon in current macos is enabled, even if you didn’t opt-in to collect your personal data.

Fixed caldendar database and sync in the sonoma script above.

Do these steps to update it:

1. Enter in terminal:

sudo rm /private/var/db/com.apple.xpc.launchd/disabled.plist
sudo rm /private/var/db/com.apple.xpc.launchd/disabled.501.plist
sudo reboot

2. Reboot and login

3. Go to terminal, enter “cd” (if the new script is saved to your user dir), then run the new script.

THANKYOU!

i have been having the most irritating glitch related to mpv, (just playing music) and had been looking into stripping macOS of the intentional idiotware that they are obviously using against their average facebook users to force machine upgrades.

They seem to be forcing a rapid upgrade model, My guess is they are either wanting to be the very first computing in the land of optronics, they believe the haters that without steve they are dead. Or they are on that same “know’s the future” schedule that amazon was/is still using. which is so incredibly fucked up to begin with. And should probably get the ol
“hammer on the sidewalk” method. -Placing enough mini-sledge hammers with the words “BREAK GLASS”, written on handles, will inevitably cause all windows to no longer exist.

Those upgrades with all those tons of idiotic daemons do be frying my poor otherwise perfectly capable 2020 Intel MacBook Pro. I wonder if Linux is a better OS for non-latest Macs…

EDIT: More recent version below

Neat scripts!

Couple of questions:

• Has anyone actually checked whether reenabling SIP afterwards will also reenable all (or some?) of the daemons? It’d be great if it was possible to disable the daemons & then reenable SIP.
• Will this disable the app store? This may be a problem because IIRC it’s tricky to get Xcode without it, and Xcode is required by a lot of dev stuff.

Regarding your questions:

1. Didn’t check it, I can’t really find SIP a good protection concept at all. More likely it protects Apple against the free will and privacy of their users. The much bigger security hole is Apple itself, its iCloud servers for example. Just recently those has been hacked, and hacked here means access to millions of very private and sensitive data. Apple won’t take responsibility for this. Their whole idea of security is flawed, by purpose. The only secure system is a system about which you have full control. SIP removes your own control. Imagine a hack manages to install a trojan into the protected system partition. Now you can’t even remove it. Maybe you should think deeper about the sense of SIP. Instead, install a proper third party firewall.

Also there was never any real life reason to introduce such layers of Apple vs user protections. I don’t know any active virus or trojan which actually infected macs. Except government’s surveilliance software maybe…

2. I don’t really remember, but I think it works. The script above might be too aggressive, disabling too many daemons for actual Apple online service usage. If the appstore doesn’t work you can temporarily reenable to system default, install via appstore and then reenable again. But it is more easy to only install software not via appstore. Which makes no sense for a real computer anyway.

If you’re like me, it’s very possible that malicious code will run at some point, even if no one targets you and even if you take the best measures.

How malicious code can run:

• Many of us need to run third-party software (could be a VST plugin, a game mod, some binary from somewhere, etc.). Some of it legit needs special permissions (apps using shortcuts need direct access to keyboard, etc.). Sadly, it can be infected. As a software engineer I’m following information security news and the problem of infected software is growing larger. Even if you trust the tool and whoever wrote it, it could be that that guy’s machine was infected, or some of the dependenceis were infected (supply chain attacks). Even if you read the entire source code, there’s no guarantee that the binary you downloaded was created from this source code. And so on.
• Like any software, macOS has vulnerabilities, and people find them from time to time. Vulnerabilities discovered previously (and we know about them because they were patched) could for example allow to run malicious code from a PDF.

macOS has other lines of defense, like checking what you run for known malware signatures, but it’s all not 100% perfect.

Once malicious code runs, its best first steps are to A) gain a foothold to persist even if you delete the app and B) hide itself and its Internet connections from the system (and this means also from any firewall app you run). Here’s where SIP comes in: because the system itself cannot be modified, A and B become very difficult or impossible. Even if you gave the app direct access to keyboard, because you thought it’s a safe shortcut manager, and it sniffed your root password or otherwise elevated to root, it will still have trouble hiding itself because system volume cannot be modified even from root. That’s basically all that SIP does.

If your machine is used just for music, you don’t use it for sensitive stuff like financials, and you have a solid backup system, then maybe you don’t care about SIP much, but sadly I can’t say the same.

The much bigger security hole is Apple itself, its iCloud servers for example. Just recently those has been hacked, and hacked here means access to millions of very private and sensitive data

I’m following information security news and don’t remember hearing this. The only case I found was in 2014 and that likely happened because someone could log into celebrity iCloud. I think it’d be more difficult today with 2FA.

That said, I hate most daemon bloatware as much as you do, and the work put into researching them and how to switch them off is always appreciated…

Disabling SIP and gatekeeper does not lower the security. You still then can leave checking and restrictions on. It just gives you options back you normally should already have.

Here is my almost final script to disable unneccessary system daemons/agents in macOS Sequoia 15.7. It will disable a lot of stuff, most certainly some spotlight functionality, too.

#!/bin/zsh
# Credit: Original idea and script disable.sh by pwnsdx https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3

# Disabling unwanted services on macOS 15.7 Sequoia
# Disabling SIP is required  ("csrutil disable" from Terminal in Recovery)
# Modifications are written in /private/var/db/com.apple.xpc.launchd/ disabled.plist, disabled.501.plist

# To revert, delete
# sudo rm /private/var/db/com.apple.xpc.launchd/disabled.plist
# sudo rm /private/var/db/com.apple.xpc.launchd/disabled.501.plist
# and reboot

# restart a agent/daemon:
# launchctl bootstrap system YZX
# launchctl kickstart -kp gui/501/YZX

# more references:
# bootup optimization https://github.com/Wyvern/macos/blob/master/macOS
# what is chronod https://discussions.apple.com/thread/255185176?sortBy=best
# disable sequoia bloatware https://gist.github.com/b0gdanw/b349f5f72097955cf18d6e7d8035c665

# If you want to reenable single agents/daemons for testing purposes and finetuning, you can do so.
# For agents:
# launchctl enable gui/501/com.apple.AGENTNAME && \
# launchctl bootstrap gui/501 /System/Library/LaunchAgents/com.apple.AGENTNAME.plist && \
# launchctl kickstart -kp gui/501/com.apple.AGENTNAME
#
# For daemons:
# z.B. nsurlsessiond (System-Daemon)
# sudo launchctl enable system/com.apple.DAEMONNAME && \
# sudo launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.DAEMONNAME.plist && \
# sudo launchctl kickstart -kp system/com.apple.DAEMONNAME


# user launchagents
TODISABLE=()

TODISABLE+=(
'com.apple.accessibility.MotionTrackingAgent' \
'com.apple.ReportCrash' \

# required for appstore app installation / icloud appstore login
#'com.apple.amsaccountsd' \

'com.apple.amsengagementd' \
'com.apple.transparencyd' \
# prevent filerequester warning 'com.apple.bird' \
'com.apple.EscrowSecurityAlert' \
#iphone/ipad sync 'com.apple.AMPArtworkAgent' \
#iphone/ipad sync 'com.apple.AMPDeviceDiscoveryAgent' \
#iphone/ipad sync 'com.apple.AMPLibraryAgent' \
'com.apple.ap.adprivacyd' \
'com.apple.ap.adservicesd' \
'com.apple.ap.promotedcontentd' \
'com.apple.assistant_service' \
'com.apple.assistantd' \
'com.apple.CallHistoryPluginHelper' \
# calendar local database 'com.apple.calaccessd' \
# calendar sync 'com.apple.dataaccess.dataaccessd' \

# icloud
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.CloudSettingsSyncAgent' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.icloud.searchpartyuseragent' \
'com.apple.SafariCloudHistoryPushAgent' \
'com.apple.icloud.fmfd' \
# required for notes and some recent games 'com.apple.iCloudNotificationAgent' \
# required for notes and some recent games 'com.apple.iCloudUserNotifications' \
# required for notes and some recent games 'com.apple.icloud.searchpartyuseragent' \
# syncs user settings between all devices, neu
'com.apple.syncdefaultsd' \

'com.apple.CommCenter-osx' \
'com.apple.CoreLocationAgent' \
'com.apple.donotdisturbd' \
'com.apple.ensemble' \
'com.apple.familycircled' \
'com.apple.familycontrols.useragent' \
'com.apple.familynotificationd' \
'com.apple.financed' \
'com.apple.followupd' \
#'com.apple.gamed' \
'com.apple.geod' \
'com.apple.geodMachServiceBridge' \
'com.apple.Siri.agent' \
'com.apple.homed' \

# imessage / facetime
'com.apple.imagent' \
'com.apple.imautomatichistorydeletionagent' \
'com.apple.imtransferagent' \
'com.apple.avconferenced' \

'com.apple.intelligenceplatformd' \

'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient.mechanism' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.ManagedClientAgent.enrollagent' \
'com.apple.ManagedClientAgent.agent' \
'com.apple.mdmclient.daemon' \
'com.apple.mdmclient' \
'com.apple.devicemanagementclient.teslad' \

# maps
'com.apple.Maps.mapspushd' \
'com.apple.Maps.pushdgaemon' \
'com.apple.maps.destinationd' \

'com.apple.networkserviceproxy' \
'com.apple.networkserviceproxy-osx' \
'com.apple.newsd' \
'com.apple.nsurlsessiond' \
'com.apple.parsec-fbf' \
'com.apple.parsecd' \
'com.apple.passd' \

# photos, media, itunes
'com.apple.photolibraryd' \
'com.apple.mediaanalysisd' \
'com.apple.photoanalysisd' \
'com.apple.itunescloudd' \
'com.apple.mediastream.mstreamd' \
# remote
'com.apple.mediaremoteagent' \

'com.apple.progressd' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.quicklook' \
'com.apple.quicklook.ui.helper' \
'com.apple.quicklook.ThumbnailsAgent' \
'com.apple.rapportd-user' \
'com.apple.remindd' \
'com.apple.routined' \
'com.apple.screensharing.agent' \
'com.apple.screensharing.menuextra' \
'com.apple.screensharing.MessagesAgent' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.sharingd' \
'com.apple.sidecar-hid-relay' \
'com.apple.sidecar-relay' \
'com.apple.Siri.agent' \
'com.apple.macos.studentd' \
'com.apple.studentd' \
'com.apple.suggestd' \
'com.apple.tipsd' \
'com.apple.telephonyutilities.callservicesd' \
#'com.apple.TMHelperAgent' \
#'com.apple.TMHelperAgent.SetupOffer' \
'com.apple.triald' \
'com.apple.universalaccessd' \

#screentime
'com.apple.ScreenTimeAgent' \
'com.apple.UsageTrackingAgent' \

'com.apple.videosubscriptionsd' \
'com.apple.WiFiVelocityAgent' \
'com.apple.SocialPushAgent' \
'com.apple.weatherd' \

# added for sonoma
# widget stuff, I don't use widgets
'com.apple.chronod' \ # test notes
'com.apple.WeatherService' \

'com.apple.siriactionsd' \
'com.apple.SiriTTSTrainingAgent' \
'com.apple.betaenrollmentd' \
'com.apple.cmio.ContinuityCaptureAgent' \

# not required for mail
#'com.apple.email.maild' \ # test notes
'com.apple.icloudmailagent' \

# for enabling two factor accounts like google mail? 'com.apple.MailServiceAgent' \
# for smarthome
'com.apple.homeenergyd' \

# safari
'com.apple.SafariHistoryServiceAgent' \
'com.apple.Safari.PasswordBreachAgent' \
'com.apple.SafariTechnologyPreview.SyncService' \
'com.apple.SafariBookmarksSyncAgent' \
'com.apple.Safari.SafeBrowsing.Service' \

'com.apple.translationd' \
'com.apple.UserPictureSyncAgent' \
'com.apple.peopled' \
'com.apple.textunderstandingd' \
'com.apple.avatarsd' \
# business chat
'com.apple.businessservicesd' \

'com.apple.promotedcontentd' \

# siri
'com.apple.sirittsd' \
'com.apple.siriinferenced' \
'com.apple.SiriAUSP' \
# spotlight core service TEST for reducing spotlight write access, required by mail 'com.apple.corespotlightd'
'com.apple.webprivacyd' \
'com.apple.geod' \
'com.apple.proactiveeventtrackerd' \
'com.apple.proactived' \
'com.apple.sociallayerd' \

# sequoia
'com.apple.MENotificationAgent' \
'com.apple.companiond' \
'com.apple.dprivacy' \
'com.apple.feedbackd' \
'com.apple.generativeexperiencesd' \

# neu
'com.apple.intelligenceplatformd' \

'com.apple.intelligenceflowd' \
'com.apple.managedcorespotlightd' \
'com.apple.privatecloudcomputed' \
#'com.apple.swtransparencyd' \
'com.apple.Maps.mapssyncd' \

'com.apple.cmio.ContinuityCaptureAgent' \
'com.apple.diagnosticspushd' \
'com.apple.diagnostics_agent' \
'com.apple.diagnosticextensionsd' \
'com.apple.betaenrollmentagent' \

# apple data collection
'com.apple.analyticsagent' \
'com.apple.geoanalyticsd' \
'com.apple.inputanalyticsd' \

# user activity, handoff/continuity ios, universal clipboard ios, siri suggestions, browser-restore ios
'com.apple.coreservices.useractivityd' \

# apple experience knowledge / user erlebnis / context database
'com.apple.ContextStoreAgent' \
'com.apple.BiomeAgent' \
'com.apple.biomesyncd' \
'com.apple.intelligencecontextd' \
'com.apple.knowledge-agent' \
'com.apple.spotlightknowledged' \
'com.apple.spotlightknowledged.updater' \
'com.apple.spotlightknowledged.importer' \
'com.apple.siriknowledged' \
'com.apple.knowledgeconstructiond' \
'com.apple.siri.context.service' \
# coreduet, logs app usage for battery optimization, also part of knowledge db, handoff, continuity
'com.apple.duetexpertd' \

# personal voice training, reading
'com.apple.voicebankingd' \

# remote desktop
'com.apple.RemoteManagementAgent' \
'com.apple.RemoteDesktop.agent' \

# find my
'com.apple.findmy.findmylocateagent' \

# not required accesibility
'com.apple.accessibility.AXVisualSupportAgent'
)


USER_ID=$(id -u)
echo "Your user id: ${USER_ID}"

for agent in "${TODISABLE[@]}"
do
    echo "disabling ${agent} for user id ${USER_ID}"
	launchctl bootout gui/${USER_ID}/${agent}
	launchctl disable gui/${USER_ID}/${agent}
done

# system launchdaemons
TODISABLE=()

TODISABLE+=(
'com.apple.bootpd' \

# apple data collection
'com.apple.analyticsd' \
'com.apple.osanalytics.osanalyticshelper' \
'com.apple.memoryanalyticsd' \
'com.apple.systemstats.analysis' \
'com.apple.systemstats.daily' \
'com.apple.systemstats.microstackshot_periodic' \
'com.apple.wifianalyticsd' \
'com.apple.audioanalyticsd' \
'com.apple.ecosystemanalyticsd' \
# coreduet, logs app usage for battery optimization, also part of knowledge db, handoff, continuity
'com.apple.coreduetd' \

'com.apple.locationd' \
'com.apple.SubmitDiagInfo' \
'com.apple.symptomsd-diag' \
'com.apple.symptomsd' \
'com.apple.rtcreportingd' \

# timemachine, will also periodically create apfs snapshots on the system drive, which might be annoying for proper free space calculation.
# however, timemachine is fully integrated in Apple's device restore process, so it makes a lot of sense to also do a timemachine backup.
'com.apple.backupd' \
'com.apple.backupd-helper' \

# icloud
'com.apple.cloudd' \
'com.apple.cloudpaird' \
'com.apple.cloudphotod' \
'com.apple.CloudPhotosConfiguration' \
'com.apple.icloud.fmfd' \
'com.apple.icloud.searchpartyd' \
'com.apple.ManagedClient.cloudconfigurationd' \

'com.apple.ManagedClient.enroll' \
'com.apple.ManagedClient.mechanism' \
'com.apple.ManagedClient' \
'com.apple.ManagedClient.startup' \
'com.apple.ManagedClientAgent.enrollagent' \
'com.apple.mdmclient.daemon' \
'com.apple.mdmclient' \
'com.apple.devicemanagementclient.teslad' \

# photos, media, itunes
'com.apple.itunescloudd' \

'com.apple.CoreLocationAgent' \

'com.apple.dhcp6d' \
'com.apple.familycontrols' \
'com.apple.followupd' \
'com.apple.FollowUpUI' \
'com.apple.ftp-proxy' \
'com.apple.ftpd' \
# gaming 'com.apple.GameController.gamecontrollerd' \
'com.apple.geod' \
'com.apple.ManagedClient.cloudconfigurationd' \
'com.apple.netbiosd' \
'com.apple.nsurlsessiond' \
'com.apple.protectedcloudstorage.protectedcloudkeysyncing' \
'com.apple.rapportd' \
'com.apple.screensharing' \
'com.apple.security.cloudkeychainproxy3' \
'com.apple.siri.morphunassetsupdaterd' \
'com.apple.siriinferenced' \
'com.apple.SiriAUSP' \
'com.apple.triald.system' \

# added for sonoma
'com.apple.nearbyd' \
# collecting user data
'com.apple.dprivacyd' \
# apple pay
'com.apple.seld' \
# TEST completely disable logd, since it writes tons of data
# 'com.apple.logd'

# apple experience knowledge / user erlebnis
'com.apple.biomed' \
'com.apple.contextstored' \

# sequoia

# memory report, might be debugging / development
'com.apple.ReportSystemMemory' \

# keychain, hardware integrity, Secure Enclave, encryption
#'com.apple.applekeystored' \

'com.apple.attentionawarenessd' \
#'com.apple.devicemanagementclient.managedeventsd' \
#'com.apple.powerexperienced' \

# mesh wlan, smart home
'com.apple.threadradiod' \

# TEST ENABLE 24.10., usb sleep? YES, seems to fix it
#'com.apple.usbctelemetryd' \

'com.apple.betaenrollmentd' \

#'com.apple.wallpaper.export' \

# remote
'com.apple.mediaremoted' \
'com.apple.remotemanagementd' \
'com.apple.remoted' \

# find my mac
# to prevent diskutility warning, leave this: 'com.apple.icloud.findmydeviced' \
'com.apple.findmymacd' \
'com.apple.findmy.findmybeaconingd' \
'com.apple.findmymacmessenger'

# rosetta
#'com.apple.oahd'

)

for daemon in "${TODISABLE[@]}"
do
    echo "disabling ${daemon}"
	sudo launchctl bootout system/${daemon}
	sudo launchctl disable system/${daemon}
done


# remove cloud personalized data
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound


#block mdm connect
#0.0.0.0 iprofiles.apple.com
#0.0.0.0 mdmenrollment.apple.com
#0.0.0.0 deviceenrollment.apple.com
#0.0.0.0 gdmf.apple.com
#0.0.0.0 acmdm.apple.com
#0.0.0.0 albert.apple.com

If you also want to completely disable Spotlight and use a replacement like Quicksilver, also execute this script once and reboot. You will then most likely have to use another email client, since Apple Mail’s search relies on Spotlight:

#!/bin/zsh

# Disable-Spotlight.sh
# Script to disable spotlight in Sonoma completely.
# Some search functionality in Apple apps depend on Spotlight and will loose search ability, e.g. Apple Mail

# To revert, delete
# sudo rm /private/var/db/com.apple.xpc.launchd/disabled.plist
# sudo rm /private/var/db/com.apple.xpc.launchd/disabled.501.plist
# and reboot

# user id 501 might be wrong in some cases
echo "Your user id:"
id -u

# user
TODISABLE=()

TODISABLE+=(
'com.apple.corespotlightd' \
'com.apple.Spotlight' \
'com.apple.spotlightknowledged' \
'com.apple.corespotlightservice' \
'com.apple.mdworker.mail' \
'com.apple.mdworker.shared' \
'com.apple.mdworker.single.arm64' \
'com.apple.mdworker.single.x86_64' \
'com.apple.mdworker.sizing' \
'com.apple.metadata.mdbulkimport' \
'com.apple.metadata.mdflagwriter' \
'com.apple.metadata.mdwrite'
)


for agent in "${TODISABLE[@]}"
do
    echo "disabling ${agent}"
	launchctl bootout gui/501/${agent}
	launchctl disable gui/501/${agent}
done

# system
TODISABLE=()

TODISABLE+=(
'com.apple.diagnosticextensions.osx.spotlight.helper' \
'com.apple.metadata.mds' \
'com.apple.metadata.mds.index' \
'com.apple.metadata.mds.scan' \
'com.apple.metadata.mdbulkimport' \
'com.apple.metadata.mds.spindump'
)

for daemon in "${TODISABLE[@]}"
do
    echo "disabling ${daemon}"
	sudo launchctl bootout system/${daemon}
	sudo launchctl disable system/${daemon}
done