Last Week on My Mac: Why is Apple so reluctant for the offline Mac?

A great deal has happened in the two years since Apple promised that it would provide an option to stop online checking of certificate validity using OCSP, and that of notarization. Instead, it has introduced two quite different enhanced security modes: Lockdown Mode, and iCloud Advanced Data Protection. Although they’re both valuable, it’s surprising that Apple has put great engineering effort into those, but still can’t see its way to let Macs run without repeatedly connecting to its servers.

I’m no believer in conspiracy theories here. Unlike some, I still trust Apple; if I didn’t then I’d have stopped using Macs long ago. Like it or not, when you buy Apple hardware built with Apple’s own chips and running Apple’s own operating system and apps, you have to trust Apple, just as you have to trust a car-maker that your vehicle’s brakes won’t randomly fail, or its steering wheel come off in your hands. Once that trust is broken you can’t rationally continue to use their products.

Lockdown mode was introduced in macOS Ventura, and is intended to reduce the attack surface for the small number of users who might be targeted by the sort of sophisticated attacks mounted by government-related organisations. While it imposes sweeping restrictions on apps like Safari and Messages, it doesn’t appear interested in controlling the behaviour of third-party apps, and isn’t intended to promote anonymity.

Advanced Data Protection for iCloud extends end-to-end encryption of data stored in iCloud to cover backups, iCloud Drive, Photos, and some other features. It doesn’t set out to provide any anonymity, nor to conceal iCloud connections in any way, nor does it apply to external connections other than those to iCloud.

Each time that you open an app in Ventura, even if you use it frequently, macOS may perform two online checks, one to assess its notarization, and the other to check the validity of the certificate used to sign that app. As I have shown, these are made respectively to api.apple-cloudkit.com for the notarization ticket, and to ocsp2.apple.com for Apple’s OCSP (Online Certificate Status Protocol) service to validate the signing certificate. While both are now made over connections secured by TLS, that preserves the privacy of the exchanges, not their anonymity.

xprotectnote

But if Apple is prepared to invest in improving macOS security protections, even for “the very few individuals who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats”, why hasn’t it fulfilled its promise to introduce a “new preference for users to opt out of these security protections”?

I don’t think that Apple’s promise to provide an option to disable notarization and OCSP checks was made with the support of a full engineering assessment of its feasibility, but was more of a commitment in principle, maybe even a knee-jerk response. From all that I see, those checks are cast in code that Apple’s engineers don’t want to disturb, least of all to open the possibility of abuse. If the user could disable them, what could ensure that malicious code couldn’t too?

There’s also an acceptance that, if you use a Mac or one of Apple’s devices, it will connect to Apple for a whole load of good reasons. And what could possibly be wrong with that? For a great many of us, including myself, there’s no downside, but that’s by no means a universal opinion. There’s a small but strong body of users who, for a variety of reasons, really don’t want their Macs when they’re in use repeatedly connecting to Apple. To get a feel for how extensive the problem is, this article lists all the connections that Macs and devices require. I count 75 for regular macOS, excluding MDM and enterprise/education/business.

Some now see these external connections as an essential part of the way that software operates. With so many products sold on subscription, it’s increasingly difficult to use any third-party software without it needing to connect to remote servers, and products have come to rely on being able to check that user is in good standing as far as their subscription goes.

There’s now serious doubt that you can do anything useful in macOS without access to the internet. What was once an enhancement seems to have become a tie that macOS and apps simply can’t do without.

10Comments

Add yours

1

Duncan on March 12, 2023 at 5:22 pm

This is one reason that I hold onto old Macs, which run older versions of MacOS without all the online dependencies. They are generally used for single-purpose tasks (such as running a security camera system, on a private network) and in theory can run indefinitely in their frozen state of OS development.

Meanwhile, the Macs and iPads and other devices that do have a real reason to connect online are all becoming insufferable nags. Every morning they ask me to sign into iCloud (which I don’t use), or FaceTime (ditto), or any number of online services that I have no interest in, and that’s when they aren’t constantly demanding software updates of one sort or another.

I’m trying to understand the end-game here. How soon will it be when I buy an Apple device and it will no longer function offline? If not completely then in a practical sense where the constant intrusions cancel its purported benefits?

I thought computers were supposed to work for us, not against us. That assumption seems to be coming more and more tenuous with each new software upgrade.

LikeLiked by 1 person
- 2
  
  DiZi on March 12, 2023 at 5:56 pm
  
  Since what version of MacOS Apple has gather telemetry?
  
  LikeLiked by 1 person
  - 3
    
    hoakley on March 12, 2023 at 7:08 pm
    
    It depends what you mean by ‘telemetry’, but I think you’ll have to go back quite a few years, well before El Capitan even, before you’ll find OS X not trying to connect to Apple.
    Howard.
    
    LikeLike
- 4
  
  hoakley on March 12, 2023 at 7:06 pm
  
  Thank you.
  You’ll be surprised when I look at an offline Mac in more detail in a couple of days time.
  I’m puzzled as to why you get all those nags to sign in, though.
  Howard.
  
  LikeLike
5

F.P. on March 12, 2023 at 8:13 pm

Your privacy is never safe while using propietary garbage software. Throw your Mac and buy a good Linux machine.

LikeLike
- 6
  
  hoakley on March 13, 2023 at 9:15 am
  
  You might like to look at the top of this page before posting invective here. Maybe it’s the wrong place to be abusive?
  Howard.
  
  LikeLike
7

Yuzguy on March 12, 2023 at 8:41 pm

Thanks to SilentKnight, I discovered XProtect was not updating on my MacBook. The culprit was my dns filtering which was blocking xp.Apple.com. Otherwise, I wouldn’t have ever known connections to xp.apple.com were important and useful.

LikeLiked by 1 person
- 8
  
  hoakley on March 13, 2023 at 9:14 am
  
  Thank you.
  You might find that link to Apple’s required network connections useful.
  Howard.
  
  LikeLike
9

Ric C on March 12, 2023 at 11:43 pm

A few days ago, Bloomberg BusinessWeek described how the Russians shut down ViaSat satellite to ground connections in Ukraine early in the war. This also disconnected parts of UK and Europe from the internet for several days. Does that mean Macs would not work offline then? Iphones and iPads?

LikeLiked by 1 person
- 10
  
  hoakley on March 13, 2023 at 9:19 am
  
  Thank you. Although I live in the UK, I don’t recall any significant problem here at the time. There are some remote parts that still rely on satellite (as we used to here), but I’m not sure how many rely on ViaSat.
  I will go some way to answering your question here tomorrow, although not with Apple devices, which in general are more dependent on mobile connections, of course.
  Howard.
  
  LikeLike