If network connections are now so important to Macs, what can a Mac running Ventura do without being connected to a network? Can it still run apps, and how does it cope with tasks like Gatekeeper checks? This article explains what does and doesn’t work when a Mac running Ventura has no network connection at all.
To investigate this, rather than trying to block network connections on a Mac, I built a new version of my lightweight virtualiser Viable with the option to run completely locked down in a sandbox, without any shared folders, and with no network device available. This is an update to the sandboxed version of that app, ViableS. If you want to try this out yourself, ViableS 1.0.8 (beta 8) is available from here: viables1b8
This simply adds a checkbox so you can run a VM with or without its NAT network connection device.
Setting up a macOS VM in ViableS is a two-step process. First, the VM has to be installed from an IPSW image into a new VM bundle. Once that’s done, you start that VM up for macOS to complete installation with personalisation and configuration, just as you would when your Mac first starts up into a new macOS boot volume group.
Early during that process, macOS 13.2 detected that no network was available, and offered to try connecting with Ethernet. The other option, admission of the sad fact that your Mac doesn’t connect to the internet, resulted in a dialog trying to persuade me that I really wanted to try again. But I persevered through its warnings, and the remaining configuration completed successfully.
Of course, without an internet connection, Software Update was unable to update the VM to 13.2.1, so for that I shut it down, enabled the network, opened that VM again and installed the macOS update. Once that was complete, I started the VM without the network, and it ran fine. Of course it had no Location Services, so didn’t have a clue which time zone it was in, so that and its clock had to be set manually.
There was a time when Apple provided standalone updater packages for macOS, but that came to an end with Big Sur, and its switch to this new update mechanism. If you have no option to enable a network connection, the only solution now is to use the full installer app. Many of us pointed this out to Apple early in Big Sur’s release cycle, but Apple has chosen not to provide standalone macOS updaters any more.
To be able to assess what effects the absence of a network has on macOS and apps, I then needed to copy across additional software including Ulbow and other utilities, Pages, and the Xcode 14.2 xip file. I did that by running the VM briefly in Viable, using a shared folder, before returning to my networkless VM. In other circumstances, that could easily be performed using a removable disk.
Running the VM in a sandbox, without any network connection or shared folders, thus completely isolated from the host Mac except through input devices (keyboard and trackpad) and its display device, I then performed the following tasks:
- ran several apps for the first time, without quarantine;
- ran one app with its quarantine flag set;
- ran Pages and created a new document;
- installed Xcode from its xip file;
- ran Xcode for the first time, and completed its installation;
- created a new project in Xcode, built and ran its Hello World demo app;
- booted into Recovery mode and accessed Startup Security Utility and other tools.
I encountered no difficulties or delays performing any of these tasks. Indeed, if anything, the first run of apps like Xcode was started with less delay than when an internet connection is available. Gatekeeper still asked me to confirm that I really did want to run the app that was in quarantine, but did so perfectly happily, and it was here that I first noticed the new com.apple.provenance extended attribute in action. Although WhatRoute had no network connection available, it too ran fine.
Log extracts covering Gatekeeper checks were obtained using Ulbow. Like most of my apps, Ulbow itself expects to be able to connect to the internet to check for its own updates, although it no longer checks its own security and integrity with a full signature check. Although neither of those connections was possible, those apps ran fine without a network.
During Gatekeeper checks, two internet connections are normally made, to api.apple-cloudkit.com for notarization checks, and ocsp2.apple.com for the validity of the code-signing certificate. The first of those was attempted once, failed, and was promptly abandoned. The OCSP check was attempted multiple times, but was also abandoned quickly.
Failure of those two online checks didn’t prevent or delay successful app launching.
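To look for the same pattern in your own log extract, this added example (not from the original article, and not part of Ulbow) tallies the entries that mention each of the two hosts and measures how long the retries lasted. It assumes the log was exported with `log show --style ndjson` and that the hostnames appear unredacted in `eventMessage`; the sample entries are constructed.

```python
import json
from datetime import datetime

# The two hosts the article names for Gatekeeper's online checks.
ENDPOINTS = {
    "api.apple-cloudkit.com": "notarization",
    "ocsp2.apple.com": "code-signing certificate (OCSP)",
}
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"

# Constructed sample shaped like `log show --style ndjson` output; the message
# texts and process paths are illustrative, not captured from a real Mac.
SAMPLE_LOG = "\n".join([
    '{"timestamp": "2023-02-20 10:15:01.100000+0000", "processImagePath": "/usr/libexec/syspolicyd", "eventMessage": "connection to api.apple-cloudkit.com:443 failed: network is down"}',
    '{"timestamp": "2023-02-20 10:15:01.200000+0000", "processImagePath": "/usr/libexec/trustd", "eventMessage": "OCSP request to ocsp2.apple.com failed"}',
    '{"timestamp": "2023-02-20 10:15:01.900000+0000", "processImagePath": "/usr/libexec/trustd", "eventMessage": "OCSP request to ocsp2.apple.com failed"}',
    '{"timestamp": "2023-02-20 10:15:02.700000+0000", "processImagePath": "/usr/libexec/trustd", "eventMessage": "OCSP request to ocsp2.apple.com failed"}',
    '{"timestamp": "2023-02-20 10:15:02.800000+0000", "processImagePath": "/usr/libexec/syspolicyd", "eventMessage": "assessment complete, launch allowed"}',
    "a non-JSON line, skipped by the parser",
])

def summarise_gatekeeper_checks(ndjson_text):
    """Count log entries mentioning each endpoint and time the retry window."""
    seen = {host: {"times": [], "processes": set()} for host in ENDPOINTS}
    for raw in ndjson_text.splitlines():
        try:
            entry = json.loads(raw)
            stamp = datetime.strptime(entry["timestamp"], TS_FORMAT)
        except (ValueError, KeyError, TypeError):
            continue  # skip non-JSON lines and entries without a usable timestamp
        message = entry.get("eventMessage") or ""
        for host, data in seen.items():
            if host in message:
                data["times"].append(stamp)
                path = entry.get("processImagePath") or "?"
                data["processes"].add(path.rsplit("/", 1)[-1])
    summary = {}
    for host, data in seen.items():
        times = sorted(data["times"])
        span = (times[-1] - times[0]).total_seconds() if times else 0.0
        summary[host] = {"check": ENDPOINTS[host], "attempts": len(times),
                         "span_seconds": span, "processes": sorted(data["processes"])}
    return summary

if __name__ == "__main__":
    for host, info in summarise_gatekeeper_checks(SAMPLE_LOG).items():
        print(host, info)
```

On a real export, replace `SAMPLE_LOG` with the text saved from `log show --last 10m --info --style ndjson`, taken just after launching the app under test.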
What doesn’t work
Lightweight VMs don’t support connecting with an Apple ID in any case, and that prevents access to all App Store apps apart from Apple’s free products Pages, Numbers and Keynote, which run without being signed in. This also prevents signing in to iCloud services.
Although not tested, any third-party app that relies on signing into an account or on remote licence-checking will also fail without a network connection, obviously. Those that perform checks for updates, such as apps using Sparkle, shouldn’t be affected, but merely report that they were unable to check for updates.
The most obvious limitation of a VM with no network connection is the loss of the network time services that normally correct system clocks, so they drift noticeably and lose synchronisation with other Macs and devices with internet connections. Other services and apps not available, such as Messages and FaceTime, should be easy to identify.
In the complete absence of a network connection:
- macOS Ventura installs and configures correctly;
- Gatekeeper first-run checks complete without delay, even when an app is in quarantine;
- apps that don’t require a network connection function normally;
- Pages, Numbers and Keynote function normally;
- Xcode installs and runs normally, but without access to online accounts;
- other App Store apps aren’t available;
- signing into iCloud isn’t available;
- Software Update, including macOS updates, isn’t available.
For those requiring absolute privacy, and researchers wanting a completely sealed macOS testing environment, ViableS 1.0.8 (beta 8) now provides that.