by GekkePrutser 1878 days ago
I agree about notarisation, I think it's the wrong solution. It gives Apple too much insight into what applications are used on Macs. This is my business and mine alone. I don't want my Mac calling home with everything I open. Despite there being a way to turn it off.

I think simply spreading signatures of known malware for a local check would be a much better option.

However, as a Mac enterprise admin I don't think the process is particularly difficult. When it came in I scripted it all once and that worked fine. The only issue is that sometimes it doesn't like it if I make a PKG with a package from another supplier embedded in it. The problem is that I have to do that because some solutions have several packages that need to be installed in a particular order, and my MDM (MS Intune) does not provide a means by which to specify installation order. It just blasts all packages in a random order at the machines. So I re-package those. But anyway, even that is not all that tough to get around.


> Despite there being a way to turn it off.

There isn't; the OCSP checks happen on launch automatically.

I got Apple to encrypt it next year and delete their logs, though, thanks in part to the publicity afforded by HN to my yelling about it. They also committed to adding an off switch.

Hopefully they'll do it in a clever, privacy-preserving way using a bloom filter or something, instead of just sending the developer cert hash up to Apple as soon as you double-click an app.
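The "local check" idea raised in this thread (a locally distributed list of bad signatures in the top comment, and the Bloom-filter suggestion directly above) can be shown concretely. The following is an added example, not code from the thread, from Apple, or from any real notarisation/OCSP implementation: the client fetches a compact Bloom filter of revoked developer-certificate fingerprints once, then decides at launch time without sending the certificate hash anywhere. A Bloom filter has no false negatives, so a revoked certificate is always flagged; it can have false positives, so the only time a client would need to ask a server is when the local answer is "maybe". The certificate bytes and revocation list are constructed stand-ins, and `launch_decision`, `build_revocation_filter` and the sizing parameters are this example's own assumptions.

```python
"""Local, privacy-preserving revocation check with a Bloom filter.

Added example for the HN thread above; not Apple's design and not the
thread author's code.  Certificates and the revocation list are constructed
stand-ins, not real DER data.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_expected: int, fp_rate: float):
        # Standard Bloom sizing: m bits and k hash functions for n elements
        # at the target false-positive rate.
        self.m = max(8, math.ceil(-n_expected * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Double hashing (Kirsch-Mitzenmacher): derive k bit positions from
        # two 64-bit halves of a single SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step so it does not collapse
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        # True means "possibly present"; False means "definitely absent".
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        # What the client would actually download.
        return len(self.bits)


def cert_fingerprint(cert_der: bytes) -> bytes:
    # SHA-256 over the certificate bytes; this value is what a networked
    # check would otherwise have to send to a server.
    return hashlib.sha256(cert_der).digest()


def build_revocation_filter(revoked_certs, fp_rate: float = 1e-4) -> BloomFilter:
    """Server side (hypothetical): pack all revoked fingerprints into one filter."""
    bf = BloomFilter(max(1, len(revoked_certs)), fp_rate)
    for cert in revoked_certs:
        bf.add(cert_fingerprint(cert))
    return bf


def launch_decision(bf: BloomFilter, cert_der: bytes) -> str:
    """Client side (hypothetical): purely local, no network traffic.

    'verify' = fingerprint possibly revoked, a second check would be needed;
    'allow'  = fingerprint definitely not in the revocation list.
    """
    return "verify" if cert_fingerprint(cert_der) in bf else "allow"


def measured_false_positive_rate(bf: BloomFilter, trials: int) -> float:
    # Probe with certificates that are certainly not revoked and count how
    # often the filter still says "maybe".
    hits = sum(
        1 for i in range(trials)
        if cert_fingerprint(b"constructed-unrelated-cert-%d" % i) in bf
    )
    return hits / trials


# Constructed sample data (not real certificates).
SAMPLE_REVOKED_CERTS = [b"constructed-revoked-developer-cert-%d" % i for i in range(100)]
SAMPLE_CLEAN_CERT = b"constructed-clean-developer-cert"

if __name__ == "__main__":
    bf = build_revocation_filter(SAMPLE_REVOKED_CERTS)
    print("filter size:", bf.size_bytes(), "bytes for", len(SAMPLE_REVOKED_CERTS), "revocations")
    print("revoked cert:", launch_decision(bf, SAMPLE_REVOKED_CERTS[0]))
    print("clean cert:", launch_decision(bf, SAMPLE_CLEAN_CERT))
    print("measured FP rate:", measured_false_positive_rate(bf, 10000))
```

The trade-off this makes visible: at a 1e-4 false-positive target the filter costs roughly 19 bits per revoked certificate (about 240 bytes for 100 entries, on the order of a couple of megabytes for a million), so the whole list fits in a periodic download and the launch path never has to name the developer to anyone. The false-positive case is the one to think through: a "verify" answer must fail open or trigger a query the user has agreed to, otherwise the filter quietly reintroduces the phone-home behaviour for a small fraction of launches.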

Well, by turning it off I mean blocking ocsp.apple.com in my firewall. I do this personally, not at work, by the way. But yes, they should really provide a way to properly turn it off in the OS itself.

By the way, another issue I have with the developer cert thing is that this way they will block all your apps if they have an issue with just one thing you've uploaded. And we all know Apple tends to blur the line between plain old malware and "against our T&C/commercial interests". They already have a say in what apps I can use on my iPad. Like the ban on emulators, etc. It's my device, it should be a recommendation at most. This is why I fear they are moving Mac in this direction as well.

PS: I didn't realise you were the one who raised this issue a couple months ago. Thanks for your work!!

There are a lot of other host names that need blocking, too, pancake.apple.com and xp.apple.com and *.push.apple.com among them.

The amount of spyware in macOS these days is absolutely astounding:

https://sneak.berlin/20210202/macos-11.2-network-privacy/

Thanks, again something I wasn't aware of. The problem with the push one is that blocking it will also block some legitimate stuff unfortunately :(

I'll keep an eye on your blog! Excellent info.

Like what?

Well, push messages :)

The problem is, if the Mac can't reach APNS, it won't get informed when there's an update to things like MDM profiles. If I push a new MDM profile it happens immediately on a Mac that receives push notifications. On a Mac that doesn't, it can take more than a day!

This is something I'm fighting with our network team about because they're not allowing that traffic right now. Understandable, but for proper management it's necessary to make changes quickly sometimes, when a user needs to get an exception applied. It's also necessary for things like iMessage, but we don't allow that at work anyway (at least not for work purposes).

We're running an internal proxy, but APNS doesn't work through a proxy; they need to make an exception for it so it can go out direct.