What to do so that MacBook and macOS do not send data to Apple?

It is at the end of the way out of the Apple ecosystem.

One of the most difficult challenges for me is to find the MacBook Air M1 because in the area of 1000 EUR, I did not find a laptop with a good screen (≥ 2K), to be efficient (for example, a discrete graphics) and at this very quiet (the best suited), a good, well-made, and equipped with all of the Linux platforms.
At the moment, my favorite is the Framework Laptop 13 with the AMD Ryzen 7040 Series, but is still waiting for more users.

By the time the purchaser must use MacBook AIR M1 and wonder what I could do to eliminate any private data to Apple.

The first one was a discussion format and uses a laptop without login to iCloud. All Apple applications have already been replaced by other applications, so they do not use the nice and nice to do with their shop.

The idea was to install firewall and block all connections with Apple servers. Only if there are no problems. It is where the service list (as it does not find) that it can be blocked and they must be blocked.

What do you think?
What are your proposals and suggestions?

https://fedora-asahi-remix.org/ (not kidding, it’s really stable. I love macbook build quality, have been using this as my daily driver since a while)

4 Likes

It doesn’t really make much sense to use macOS when you don’t like Apple and don’t want to use the bundled apps (which are quite good for the most part) IMHO.

You could use Objective-See: LuLu as firewall to block any unwanted connections. Or just outright install Asahi Linux.

3 Likes

I forgot to write that I am familiar with the project but this solution does not appeal to me.
For me, a kind of Frankenstein is being created.

I have already tried LuLu and so cut out traffic that the internet did not work 🙂.
It’s a pity that there is no ready-made list of what can and cannot be blocked.

Because you have not tried it. It’s actually one of the best solutions around and nothing to do with Frankenstein. Apple makes a great Arm chip with a nice laptop around, good screen etc. and there is a very dedicated team/community that works on Linux compatibility just for these devices. That makes them in many regards better supported than many other “regular” laptops you could install Linux on. Even if someone wouldn’t be interested in a MacBook and just wanted a Linux laptop, I would probably recommend them to pick up an Apple Silicon machine and put Fedora Asahi on it, it’s that good. Also, Apple fully supports installing other OSes in their hardware and boot mechanism design, they’re not doing anything especially hacky, this is a regular Linux installation running directly on the hardware.

I love macOS, because that’s what I’ve been using for the last 20 years. But now it’s 2023, and after trying this out this has won me over. I don’t even care about the privacy aspects too much, I would be fine with stock macOS in that regard (it’s far better than Windows at least), but using this is a joy so I have maybe booted into macOS like twice in the last 6 months. Hey you don’t have to use it of course, but don’t call it Frankenstein. If this is Frankenstein, then macOS is an abomination I couldn’t even describe with my vocabulary.

Anyway, if you’re really on your macOS train, even though it’s proprietary software and I personally try to avoid that, Little Snitch is just far better than LuLu in every aspect. I have used both extensively. That being said, I don’t think these firewalls are always that effective, especially if you try to use them to stop the system itself from spying on you. Ultimately they rely on the tools that the system is providing and if you ever even slip up for a second and have them toggled off in the wrong moment, that might be the moment that some system daemon decides to upload all the log data of the last 6 months that you have been trying so hard to hide from Apple in one fell swoop. Might not happen to you, but there’s no real guarantee. Or you update macOS and the new version has some kind of “bug” which causes your firewall solution to not be able to see 100% of the traffic (like already happened multiple times with macOS updates).

You should also make sure you’re only ever connecting to DNS servers that block all the Apple tracking domains. You cannot outright block all connections to Apple servers, because that would include things like their OCSP server for checking validity of app code signing certificates and then you cannot start any applications. That’s just how the game goes. You use macOS, you gotta make some connections to Apple servers. That would serve as a weaker second layer in case your firewall ever has an issue (chances are it will). DNS of course cannot interfere with connections made directly to IP addresses, and the system might always decide to do name resolution in another way, but it’s a good part of defense in depth.

And because you asked for a list, there are many blocklists around, look at the Apple part of https://github.com/nextdns/gafam/blob/21c1d3a7ea533f3fdad79b944ac43776749daa73/gafam.json and here https://github.com/nextdns/native-tracking-domains/blob/6ede2ce38ecf58c56f460f1f084bb320ac3989e0/domains/apple etc. There are some services that are not completely clear-cut whether they are really a privacy concern or not, you would have to look into the respective functionality and decide by yourself.

1 Like
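The DNS layer described in the post above, as an added example that is not part of the original thread: a filter decision where a blocklist entry covers a domain and all its subdomains, a more specific allowlist entry (such as a certificate-validity endpoint) wins over it, and connections to IP literals never reach the filter at all. The `.example` names, the one-domain-per-line list format and all function names are assumptions made for this sketch.

```python
import ipaddress

# Constructed sample lists; the .example names are placeholders, not real hosts.
BLOCK_TEXT = """\
# tracking domains, one per line (assumed format)
metrics.vendor.example
services.vendor.example
"""
ALLOW_TEXT = """\
ocsp.services.vendor.example   # needed so apps can still be launched
"""

def parse_list(text):
    """Return the set of lowercase domains, ignoring blanks and # comments."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains

def match_depth(name, domains):
    """Label count of the longest entry equal to `name` or a parent of it (0 = none)."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return len(labels) - i
    return 0

def decide(target, block, allow):
    """Return 'block', 'allow', or 'bypass' for a connection target."""
    try:
        ipaddress.ip_address(target)
        return "bypass"  # IP literal: no lookup happens, DNS filtering cannot see it
    except ValueError:
        pass
    name = target.lower().rstrip(".")
    # The most specific rule wins; on a tie the allowlist wins.
    if match_depth(name, block) > match_depth(name, allow):
        return "block"
    return "allow"

BLOCK = parse_list(BLOCK_TEXT)
ALLOW = parse_list(ALLOW_TEXT)

if __name__ == "__main__":
    for t in ("xp.metrics.vendor.example", "ocsp.services.vendor.example",
              "notmetrics.vendor.example", "203.0.113.7"):
        print(f"{t:32} {decide(t, BLOCK, ALLOW)}")
```

Targets reported as `bypass` are the ones only a host firewall can stop, which is why the post treats DNS filtering as a second layer rather than a replacement.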

I don’t get it. You can’t find some Windows app even though you use Windows 11 with Parallels. Therefore, which apps are available if you install Fedora to arm machine?

2 Likes

What is that in reference to? As far as I can see neither me nor OP dabble with Windows or Parallels.

Thank you for your long and insightful reply. It is very interesting what you write and you have got me interested again in the Linux project on a laptop from Apple.

Which site do you recommend on Fedora Asahi where I can find the latest information?

1 Like

The point is you can’t even find apps for using Windows 11 with Parallels, which is supposed to support x64 apps on arm. That said, you can install the operating system such as Fedora, but you will hardly find apps.

https://fedora-asahi-remix.org/ has the newest install information. Asahi Linux - Fedora Discussion is a general discussion board with important announcements. For almost all purposes it’s enough if you just look at the announcements there from time to time.

If you want a bit more high-frequency notifications then this Mastodon account also is good to follow (you can also use RSS if you don’t use the Fediverse): Asahi Linux (@AsahiLinux@treehouse.systems) - Treehouse Mastodon. And for 24/7 talk or some help from the community if you need it there is the Matrix room https://matrix.to/#/#asahi:fedoraproject.org and IRC channel #asahi on OFTC network.

2 Likes

I haven’t used Windows since the early 2000s. I have heard about their Arm version and that it is bad. Ok. I don’t care. I don’t know what is up with Windows 11 and/or Parallels, and it’s completely unrelated.

Linux on Arm is completely fine. After all the userland is FOSS. For the most part, your distribution will compile and maintain your apps, and Fedora supports aarch64 the same way they support x86. If you need anything else, most open source projects also provide aarch64 binaries, but even if they don’t, it’s open source and someone else probably already compiled them for you or you can just do so yourself. Who cares what some little developer somewhere thinks is a relevant architecture? They provide the source code and then they shut up. Distro and repo maintainers take it from there.

I weep in the morning for everyone who is dependent on shitty proprietary software binary blobs like the Israelites waiting for manna falling from the sky, but after I have done so for 10 secs I forget about it and keep on using my awesome Arm-powered device with real software.

1 Like

Your use case is a complete outlier, you like it or not. But I don’t wanna continue an unnecessary discussion.

1 Like

This is OT but I found this simile super interesting. I am assuming the users are the Israelites, the manna is the proprietary blobs. Does that make Google (or insert big corporation who uses proprietary blobs of your choice) akin to God in this?

Yes, indeed that’s what I was going for. And the big corporation’s ecosystem is the desert. Now where this kinda falls apart I guess is that the Israelites ultimately succeed with their conquest of Canaan and God is overall the good guy.

My list:

Allow:

airportd
bridge
bridge-gui
captiveagent
com.apple.MobileSoftwareUpdate.UpdateBrainService
curl
git-remote-http
mDNSResponder (???)
mobileassetd
ndoagent
netbiosd
ping
pingsender
rtadvd
ShipIt (???)
softwareupdated
SoftwareUpdateNotificationManager
ssh

Block

AssetCacheLocatorService.xpc
adprivacyd
AirPlayXPCHelper
akd
AMPLibraryAgent
amsaccountsd
amsengagementd
appstoreagent
apsd
askpermissiond
avconferenced
callservicesd
cloudd
com.apple.geod
com.apple.Safari.SearchHelper
com.apple.WebKit.Networking.xpc ***
com.apple.WebPrivacy.Service
ControlCenter
CrashReporterSupportHelper
dataaccessd
familycircled
FindMyWidgetIntentsPeople
Freeform
gamed
Help Viewer
helpd
homed
iCloudNotificationAgent
identityservicesd
IMAutomaticHistoryDeletionAgent
itunescloudd
mobileactivationd
Music
nbagent
netstat
networkserviceproxy
Notes
nsurlsessiond
parsecd
passd
PasswordBreachAgent
PasswordsSettingsExtension
promotedcontentd
remindd
rtcreportingd
Safari
ScreenTimeWidgetExtension
searchpartyuseragent
SecurityAgent
Sharing (???)
Spotlight
StocksDetailIntents
StocksWidget
storekitagent
studentd
swcd
syspolicyd
taskgated-helper
timed
tipsd
translationd
transparencyd
trustd
Wallet & Apple Pay
weatherd
WeatherWidget
WifiAgent
wifivelocityd

3 Likes

Do you also block them and there is no problem with the system operation?
How do you block them?

I block them with Lulu. I think Little Snitch might have some preset lists to make your job easier.

I use MacOS but no Apple service whatsoever (Notes, Music, Message, etc).

System update works and nothing seems to break. I might block some additional urls via DNS, I’ll check that later.

Stuff today (everything, not just MacOS) check for updates every 15 seconds. Of course it’s a form of telemetry. So you might want to block those services too and allow them every X days. (I haven’t bothered yet to do this)

1 Like

Well done! I’m starting to block 🙂
Did you figure out what to block yourself or did you find it on the Internet?

A lot of trial and error at first. Then I used the MacOS guide from inteltechniques.com to make some adjustments.

Oh. One thing is still broken, but I’m not sure my Lulu rules are to blame. Couldn’t get file sharing to work with Mac VMs in UTM.

One last thing: as someone else said, blocking by firewall has unknown limitations. By the way, at one point Apple created a firewall backdoor for its own services. They backed down after a public outcry, but we’ll never know for sure. And DNS filtering might work for telemetry, but I bet by now the NSA uses some hard-coded IPs to circumvent that.

1 Like