[thepumpkin1979]

Can MacBook owners do something to disable or cripple Intel ME? Is Apple disabling it for us? I can’t find Apple responses to these issues.

[close04]

As far as I know while the Management Engine is in all chipsets that accompany Intel CPUs, Apple never shipped any AMT enabled firmware. This is the more exposed component.

[mrsteveman1]

I've seen some indication that the HECI (mailbox between the main OS and the ME) is disabled as well on most/all Apple machines.

I don't think they've ever used the Intel NIC hardware either, wired or wireless.

[yborg]

Apple is exposed to ME bugs.

https://support.apple.com/en-us/HT208465

See the "EFI" section.

[close04]

The ME is most definitely there but AMT is not. And AMT is the one with far more exposed security flaws that can be exploited over the network by virtue of AMT's purpose. Like the ones detailed in the article here. Otherwise without a shadow of doubt the ME is present in every Intel chipset since 2006.

Exploiting the ME is possible even without AMT but it definitely raises the bar in the sophistication of the attack.

The me_cleaner tool might do a good job in disabling the ME in most cases but since it's doing it by removing components from the ME FW it probably doesn't work with every OEM implementation.

[jerheinze]

You can't disable ME.

[inawarminister]

I thought you can in C2D (Nehalem?) era ThinkPads? https://libreboot.org/

and you can minimize ME in Sandy and Ivy Bridge, using ME_Cleaner?

edit: according to sounds' comment* in HN (2016), The ME is purportedly placed in "recovery" mode

[*] https://news.ycombinator.com/item?id=13056997

[ekianjo]

ME cleaner is not claiming to render ME completely ineffective, as far as I remember.

[Kliment]

me_cleaner removes most of the ME code (including the HTTP parser listed here) and then causes it to crash after bringing up the system, so it's impossible to communicate with the processor running ME. That's about as good as it gets.

[jerheinze]

Minimize != Disable.

[inawarminister]

You can disable the first generation ME

https://libreboot.org/docs/hardware/gm45_remove_me.html

after that it's impossible though.

[std_throwaway]

Is that an official tool supported by intel?

[inawarminister]

No, it's a reverse engineer by the open source community AFAIK.

But very stable, I am looking to flash my X220 soon for what it's worth.

[_emacsomancer_]

I did this about a year ago on my X230. Works fine.

[smolder]

I used me_cleaner to disable all the non-boot-essential ME stuff on my Sandybridge system

[glasz]

i have been told somewhere on the scary internet that the nature and architecture of a mac makes the ME dysfunctional because everything else is apple-made. custom chipsets and so on.