Disable anti-malware service xprotectservice on MacOS Catalina for CI - macos

We recently upgraded our macmini from MacOS High Sierra to MacOS Catalina in order to compile with the latest Xcode. The macmini is a buildslave for continuous integration.
After upgrading to Catalina I noticed the machine became very slow during git checkout of thousands of files due to Apple's built-in anti-malware service "XProtectService".
We don't need the anti-malware service for CI as it slows down the compile process and no user will use the machine to download harmful files.
How can the XProtectService be disabled?

As said in the comments, you can disable XProtectService by rebooting in Recovery mode (cmd-R during boot) and running:
csrutil disable
but beware that this will disable the whole System Integrity Protection. Here is an Apple article: Disabling and Enabling System Integrity Protection, describing this procedure and providing the following warning:
Warning
Disable SIP only temporarily to perform necessary tasks, and reenable it as soon as possible. Failure to reenable SIP when you are done testing leaves your computer vulnerable to malicious code.

Related

How to disable SIP on macOS VMs for macOS UI testing in CI/CD environment?

I have been trying to run my macOS UI tests on a remote machine (VM), and it does not work. On a local machine, it works after giving the permissions related to accessibility. After digging through, I realised that you need to have SIP disabled and add the relevant permission.
So, how can I disable SIP on a headless machine in a CI/CD?
Unfortunately, it is not possible to disable SIP on a remote machine. You have to boot in safe mode and disable it from the terminal. And that requires direct access to the machine.
You can ask your provider if they can disable SIP for a specific machine for you, or you can look for providers that do.
There are a few out there, with Codemagic being one of them.
We released SIP disabled macOS images with the latest and beta Xcode versions so you can run macOS UI tests without any extra configuration.
It was frustrating not being able to test the UI of a Mac app, but I’m happy with what we managed to release.
I also wrote a blog post if you are interested in getting started with macOS UI testing.
Full disclosure - I’m a DevRel at Codemagic CI/CD, focusing on helping the community build for Apple platforms.

Is bootable USB installer required to clean install MacOS Big Sur?

I would like to perform a clean installation of MacOS Big Sur on my MacBook Air 2017. I've read two articles on how to do this, one said I don't need a USB installer, the other one said it is required. I just want to make sure before I do anything, do I need USB installer or is it possible to download Big Sur from the internet when performing clean installation?
Thank you.
Internet recovery is my first choice for reinstalling OS X. From time to time there are problems with internet recovery. Corrupt recovery partitions, firmware passwords, and a lot of misc hardware problems are what will usually prevent you from using internet recovery.
If you don't have another machine to write your USB installer, I would just make one to be safe. You could also run Apple Diagnostics before running internet recovery to make sure hardware won't be an issue. Out of hundreds of OS X installations I've done, I've only had a handful fail in a way that prevented me from using the original OS afterward, and in those cases it was always a major hardware issue.

Is there a way to add the Network Extensions capability to a macOS app without joining the Apple Developer Program?

I want to build a macOS app that filters specific network requests so I need to add the NetworkExtensions capability. But after I add a NetworkExtensions capability, I get the following message:
Your development team, "Potato Dev2", does not support the Network Extensions capability.
Image of where the above message is from: https://i.stack.imgur.com/H46gE.png
From Apple's documentation on "Adding Capabilities to Your App":
The platform, and whether you're a member of the Apple Developer Program, may limit the capabilities available to your app
The documentation doesn't explicitly say which capabilities require being a part of the Apple Developer Program. I also don't see why I'd need to be a part of the Apple Developer Program to write software on and for my own computer. Note that, at least to my knowledge, the NetworkExtensions capability does not depend on any service from Apple (as opposed to HealthKit or Game Center).
So is there a way to add a Network Extensions capability to a macOS app without joining the Apple Developer Program?
You should be able to do it if you disable system integrity protection (SIP) on your Mac (csrutil disable in the Terminal in the macOS Recovery Environment), and disable amfid's entitlements check by adding amfi_get_out_of_my_way=1 to the kernel's command line arguments. (Again in the recovery environment, nvram boot-args='amfi_get_out_of_my_way=1')
You will need to bypass Xcode when code signing and use the codesign command directly because Xcode performs the provisioning profile entitlements check, as you noticed. codesign itself does not perform this check.
This works for basically allowing just about anything to do with DriverKit system extensions, so I'd expect it to work with Network System Extensions as well.
I figured out the answer to my question: to write macOS software that uses the NetworkExtension APIs, you must be a member of the Apple Developer Program ($100/year). See https://developer.apple.com/support/app-capabilities/ for details.
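A CI preflight for the machine state the answers above leave behind (SIP turned off with csrutil disable, or amfi_get_out_of_my_way=1 set in boot-args), so that a build host left in that state is flagged before jobs run. This is an added example, not code from any of the posts; the function names are hypothetical, and the sample status texts are constructed on the assumption that csrutil status prints a "System Integrity Protection status: ..." line.

```shell
#!/bin/sh
# Added example: flag build hosts where SIP or AMFI enforcement was left off.
# Function names are hypothetical; sample texts below are constructed.

# Print enabled | disabled | custom | unknown for `csrutil status` output.
classify_sip_status() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;   # partially disabled
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;  # unparseable: treat as failure
    esac
}

# Succeed if the boot-args text carries the AMFI override named in the answer.
has_amfi_bypass() {
    case "$1" in
        *amfi_get_out_of_my_way=1*) return 0 ;;
        *)                          return 1 ;;
    esac
}

# $1 = `csrutil status` text, $2 = `nvram boot-args` text. Non-zero on any finding.
sip_preflight() {
    state=$(classify_sip_status "$1")
    if [ "$state" != enabled ]; then
        echo "FAIL: SIP state is '$state'"
        return 1
    fi
    if has_amfi_bypass "$2"; then
        echo "FAIL: amfi_get_out_of_my_way=1 is set in boot-args"
        return 1
    fi
    echo "OK: SIP enabled, no AMFI override"
}

# Constructed samples, modelled on the status line csrutil prints.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Kext Signing: disabled'

# Live check on a Mac: sh sip_preflight.sh --live
if [ "${1:-}" = "--live" ] && command -v csrutil >/dev/null 2>&1; then
    sip_preflight "$(csrutil status 2>&1)" "$(nvram boot-args 2>/dev/null)" || exit 1
fi
```

Anything other than a plain "enabled" status is treated as a failure, so a partially disabled or unparseable state does not pass silently.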

Whitelisting an unsigned kext in macOS Catalina

I've recently bought an old Alesis io26 Firewire audio interface. The last driver release was only working on Mountain Lion and older. After some time I've managed to install said drivers on Catalina, by manually dragging the MIDI driver into /Library/Audio/MIDI drivers and installing the kernel extension into /System/Library/Extensions via KEXT droplet. The problem I have now is that my mbpro only recognises the interface if my SIP is disabled. I've heard that the driver is not signed and that this is the reason why the SIP is preventing it from working. So as a total noob, how can I somehow whitelist that kext so that I don't have to go to recovery mode and disable SIP every time I want to record some audio?
The 3 "correct" ways of doing this are probably unlikely:
Get the original developer to sign the kext
Somehow persuade Apple to add it to macOS's built-in whitelist
If you have a kext signing certificate yourself, you can sign it. (Apparently, Apple no longer issues these, however.)
The best you can do in practice is probably to only disable the kext signing part of SIP by using the command
csrutil enable --without kext
instead of
csrutil disable
Of course, this leaves your system open to being attacked via unsigned kexts, though I've not heard of any malware that specifically targets Macs with kext signing disabled.
Actually, the question is for Catalina. We cannot partially disable SIP by running with --without kext. From Mojave this option is disabled and one has to either enable or disable it from Recovery OS.

Deleting stock apps on OS X programmatically

Does anyone know if there’s a way to delete stock apps on 10.11 programmatically without disabling SIP and rebooting the machine? Or, is there a way to disable SIP without rebooting? Thanks!
If you have a kernel signing certificate, you can disable SIP without rebooting with Rootfool. You'll need to compile it yourself.
The Rootfool tool uses a kernel extension, which will only be loaded by the kernel if it's signed, or if SIP is turned off.
Without the signing certificate, no, you can't delete any of Apple's system files with SIP turned on. SIP is there to protect the operating system from being corrupted by malware or by accidental deletion, and Apple has included its own applications as being protected by SIP.
