Using a Mac without a network connection

If network connections are now so important to Macs, what can a Mac running Ventura do without being connected to a network? Can it still run apps, and how does it cope with tasks like Gatekeeper checks? This article explains what does and doesn’t work when a Mac running Ventura has no network connection at all.

To investigate this, rather than trying to block network connections on a Mac, I built a new version of my lightweight virtualiser Viable with the option to run completely locked down in a sandbox, without any shared folders, and with no network device available. This is an update to the sandboxed version of that app, ViableS. If you want to try this out yourself, ViableS 1.0.8 (beta 8) is available from here: viables1b8

This simply adds a checkbox so you can run a VM with or without its NAT network connection device.

Installing macOS

Setting up a macOS VM in ViableS is a two-step process. First, the VM has to be installed from an IPSW image into a new VM bundle. Once that’s done, you start that VM up for macOS to complete installation with personalisation and configuration, just as you would when your Mac first starts up into a new macOS boot volume group.

Early during that process, macOS 13.2 detected that no network was available, and offered to try connecting with Ethernet. The other option, admission of the sad fact that your Mac doesn’t connect to the internet, resulted in a dialog trying to persuade me that I really wanted to try again. But I persevered through its warnings, and the remaining configuration completed successfully.

Of course, without an internet connection, Software Update was unable to update the VM to 13.2.1, so for that I shut it down, enabled the network, opened that VM again and installed the macOS update. Once that was complete, I started the VM without the network, and it ran fine. Of course it had no Location Services, so didn’t have a clue which time zone it was in, so that and its clock had to be set manually.

There was a time when Apple provided standalone updater packages for macOS, but that came to an end with Big Sur, and its switch to this new update mechanism. If you had no option to enable a network connection, the only solution now is to use the full installer app. Many of us pointed this out to Apple early in Big Sur’s release cycle, but Apple has chosen not to provide standalone macOS updaters any more.

Running apps

To be able to assess what effects the absence of a network have on macOS and apps, I then needed to copy across additional software including Ulbow and other utilities, Pages, and the Xcode 14.2 xip file. I did that by running the VM briefly in Viable, using a shared folder, before returning to my networkless VM. In other circumstances, that could easily be performed using a removable disk.

Running the VM in a sandbox, without any network connection or shared folders, thus completely isolated from the host Mac except through input devices (keyboard and trackpad) and its display device, I then performed the following tasks:

ran several apps for the first time, without quarantine;
ran one app with its quarantine flag set;
ran Pages and created a new document;
installed Xcode from its xip file;
ran Xcode for the first time, and completed its installation;
created a new project in Xcode, built and ran its Hello World demo app;
booted into Recovery mode and accessed Startup Security Utility and other tools.

I encountered no difficulties or delays performing any of these tasks. Indeed, if anything, the first run of apps like Xcode was started with less delay than when an internet connection is available. Gatekeeper still asked me to confirm that I really did want to run the app that was in quarantine, but did so perfectly happily, and it was here that I first noticed the new com.apple.provenance extended attribute in action. Although WhatRoute had no network connection available, it too ran fine.

Gatekeeper checks

Log extracts covering Gatekeeper checks were obtained using Ulbow. Like most of my apps, Ulbow itself expects to be able to connect to the internet to check for its own updates, although it no longer checks its own security and integrity with a full signature check. Although neither of those connections was possible, those apps ran fine without a network.

During Gatekeeper checks, two internet connections are normally made, to api.apple-cloudkit.com for notarization checks, and ocsp2.apple.com for the validity of the code-signing certificate. The first of those was attempted once, failed, and was promptly abandoned. The OCSP check was attempted multiple times, but was also abandoned quickly.

Failure of those two online checks didn’t prevent or delay successful app launching.

What doesn’t work

Lightweight VMs don’t support connecting with an Apple ID in any case, and that prevents access to all App Store apps apart from Apple’s free products Pages, Numbers and Keynote, which run without being signed in. This also prevents signing in to iCloud services.

Although not tested, any third-party app that relies on signing into an account or on remote licence-checking will also fail without a network connection, obviously. Those that perform checks for updates, such as apps using Sparkle, shouldn’t be affected, but merely report that they were unable to check for updates.

The most obvious limitation of a VM with no network connection is reliance on network time services to correct system clocks, which drift noticeably and lose synchronisation with other Macs and devices with internet connections. Other services and apps not available, such as Messages and FaceTime, should be easy to identify.

Summary

In the complete absence of a network connection:

macOS Ventura installs and configures correctly;
Gatekeeper first-run checks complete without delay, even when an app is in quarantine;
apps that don’t require a network connection function normally;
Pages, Numbers and Keynote function normally;
Xcode installs and runs normally, but without access to online accounts;
other App Store apps aren’t available;
signing into iCloud isn’t available;
Software Update, including macOS updates, isn’t available.

For those requiring absolute privacy, and researchers wanting a completely sealed macOS testing environment, ViableS 1.0.8 (beta 8) now provides that.

12Comments

Add yours

1

Kaustav Sarkar on March 14, 2023 at 9:54 am

If the apps are installed within the data storage of the devices, then there are still chances they can run without a network connection. However, this statement may be comprised in exceptional cases.

LikeLiked by 1 person
- 2
  
  hoakley on March 14, 2023 at 12:24 pm
  
  No third-party App Store app, even free products, will run without you signing in with your Apple ID, as I explain above.
  Also no non-App-Store app will run if it needs to connect to check licence or subscription details.
  However, apps which don’t require internet connections should run perfectly normally, as in the examples above.
  Although this might appear obvious to some folk, it needs spelling out, particularly the point about App Store apps. There is no chance that they will run without signing in with your Apple ID.
  Howard.
  
  LikeLike
3

Duncan on March 14, 2023 at 2:03 pm

Howard, thank you for putting in the time and effort to test all this. I’ll probably be looking back at this article at some point in the future if/when I have secondary hardware that I want to deploy without a connection.

I’m curious if MacOS might now have a built-in timer that allows a certain number of days runtime in isolation but then inserts its itself later with more persistent pop-up notices and/or software shutdowns. This is complete speculation on my part but what happens after, say, 30 days? Any new behavior?

Also, as a reality check, have you tried your tests with *no* Ethernet or Wifi connection on the host Mac (ie. a hard air-gap)? That should prove that nothing is ‘slipping by’ the virtual-machine barrier.

LikeLiked by 1 person
- 4
  
  hoakley on March 14, 2023 at 2:15 pm
  
  Thank you.
  No, there’s no timer. macOS works fine, apart from being unable to connect to online services. The only nag you get is when configuring a new macOS, when it just can’t believe that you really don’t want a network connection, that doesn’t exist anyway.
  I think this is a better reality check than trying with a Mac. It’s easy to not plug in an ethernet cable, but removing the Wi-Fi chip from Macs is quite destructive. With lightweight virtualisation, there is no way of the VM making any form of network connection, as the driver simply isn’t available. On a real Mac, Apple could still (hypothetically) sneak through a turned-off Wi-Fi connection, as the drivers are still there and loaded, and might only be blocking the connections you try to make. I don’t believe that, and it’s easy to check in the log, but when the drivers aren’t even there in the VM that’s more robust. Except for hardware surgery, of course.
  I suppose the other way is to take my MBP to the top of the Downs one day, but I think I’ll leave that until the weather’s more conducive.
  Howard.
  
  LikeLike
  - 5
    
    Duncan on March 14, 2023 at 3:23 pm
    
    Thank you for the clarification, and all your extensive testing.
    
    LikeLiked by 1 person
6

shiningtime95 on March 14, 2023 at 2:07 pm

I’d be surprised if Final Cut Pro wouldn’t run without an internet connection, even though it’s an App Store app that you have to pay for. I previously experimented with running the app on a Hackintosh laptop which had an Intel graphics card that supported accelerated graphics but didn’t meet FCP’s system requirements. I downloaded the app through the App Store on a supported Mac and transferred the app bundle to the Hackintosh through an external drive. To my surprise, the app opened right up. Though it was a bit slow, I was able to work in and export a simple timeline. Granted, I was signed in to my Apple ID and was connected to the Internet on the Hackintosh. I don’t know if you’re VM app supports accelerated graphics, but I don’t believe that the lack of Internet would stop Final Cut Pro from running.

LikeLiked by 1 person
- 7
  
  hoakley on March 14, 2023 at 2:18 pm
  
  Maybe – I didn’t try it.
  But no third-party App Store apps, even free ones, can run without being signed in with an Apple ID. This is a well-known limitation with lightweight virtualisation, as even with network support it can’t support an Apple ID, so breaking all those apps we have come to rely on.
  Howard.
  
  LikeLike
8

Michael Tsai - Blog - Using a Mac Without Phoning Home on March 14, 2023 at 7:47 pm

[…] Howard Oakley (Hacker News): […]

LikeLike
9

Paul on June 23, 2023 at 2:02 pm

There are people all over the world with spotty internet service. This is an argument for them to avoid app store apps for anything important.

LikeLiked by 1 person
- 10
  
  hoakley on June 23, 2023 at 7:14 pm
  
  I’m not sure this is suitable evidence, as this is without any Apple ID access, rather than intermittent access. I don’t know how that would affect the ability to launch App Store apps.
  Howard.
  
  LikeLike
11

John on June 30, 2023 at 5:37 pm

curious if you’ve tried this with later Ventura builds. When I try to install 13.4.1 on a Mac that does not have any internet connection at all, I get an error message that says “an internet connection is required to install MacOS.”

LikeLiked by 1 person
- 12
  
  hoakley on June 30, 2023 at 7:10 pm
  
  I don’t have an IPSW for 13.4.1 to hand, but just repeated this successful with 13.4, which is all but identical. This is in a VM, though.
  Howard.
  
  LikeLike