The 2016 MacBook Pro no longer receives the latest OS, and Apple officially restricts it to Monterey. My primary concern is security, and this end of support means the end of OS security updates (and the rarer firmware updates from Apple). I have a newer, supported machine that I use, but the 2016 MBP is still a capable machine that can be derisked and made more secure, both in macOS and in additional OS partitions (such as Ubuntu). The purpose of this guide is to address that.
- Known hardware vulnerabilities in Intel processors are an issue regardless of what OS you use (another reason to consider the whole machine "insecure" for sensitive tasks)
- firmware vulnerabilities. Apple packages firmware updates with their OS updates, but also stops publishing these over time. I need to do some more reading here; it's possible another OS, like Ubuntu, may work around or minimize some of these known firmware issues, but any firmware-specific packages from Apple vendors like Broadcom are probably not published publicly
- OS layer and above will be getting security updates, unlike macOS
- while it is unlikely any more will be released, any firmware updates Apple publishes are, off the top of my head, coupled with macOS updates. This could actually improve security in another OS partition (for instance, if firmware for a Broadcom Wi-Fi chip is updated), since the other OSes wouldn't be updating the firmware. I'm not sure where online I found it, but I think only Apple can update the firmware because of code signing
- it still works and can be used in a backup case
- keeping the recovery partition can also be useful if you brick your machine
My use case is as a backup machine I can take to study in the library. The benefit of this is that it isn't my primary machine, which has all my data and accounts, so the risk associated with loss, theft, or malware is minimal. Here are some tips I follow:
- consider the machine "insecure"
- Not connecting any Apple or other Internet accounts; no connection to email, messages, etc
- Not using the machine for any sensitive task like logging into sensitive accounts in the browser
- Use a VPN to protect against packet sniffing on public networks
- as much as possible stick to known/trusted websites
- use a different browser than Safari (I recommend Firefox) because Safari updates also will no longer be available
- block all incoming network connections
- disable signed software from being trusted automatically in network settings
- enable stealth mode
- set default DNS to provider of interest
- disable AirDrop
- Try and separate plugs used for this machine from other machines
- use a content blocker such as uBlock Origin
- lock down browser settings as much as possible (block access to camera, audio, etc. accordingly)
- use a firmware password to block an actor from booting from a different drive
- use FileVault disk encryption
- set a Lock Screen message with contact info if lost
- only install what you need
- HTTPS only browsing / secure DNS
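
A read-only way to confirm the firewall, FileVault and firmware-password items above are actually in effect. This is an added example, not part of the original guide; the loose text matching is an assumption, because the wording printed by `socketfilterfw`, `fdesetup` and `firmwarepasswd` differs between macOS releases.

```shell
#!/bin/sh
# Added example: read-only audit of the macOS settings listed in this guide.
# Assumption: the tools' wording differs between macOS releases, so matching is
# loose and any line that is not recognised is reported as CHECK, not PASS.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# state_of LINE -> on | off | unknown (negative wording is tested first so
# that "Password Enabled: No" is not read as enabled).
state_of() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *disabled*|*" off"|*" off."*|*": no"*) echo off ;;
        *enabled*|*" on"|*" on."*|*": yes"*)   echo on ;;
        *)                                     echo unknown ;;
    esac
}

# verdict WANT TEXT -> PASS only if every non-empty line of TEXT reports WANT;
# FAIL if any line reports the opposite; CHECK if output is empty or unclear.
verdict() {
    want=$1
    [ -n "$2" ] || { echo CHECK; return 0; }
    result=PASS
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        s=$(state_of "$line")
        if [ "$s" = unknown ]; then
            [ "$result" = FAIL ] || result=CHECK
        elif [ "$s" != "$want" ]; then
            result=FAIL
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

report() { printf '%-34s %s\n' "$1" "$(verdict "$2" "$3")"; }

audit() {
    report "Firewall enabled"               on  "$("$FW" --getglobalstate 2>&1)"
    report "Block all incoming connections" on  "$("$FW" --getblockall 2>&1)"
    report "Stealth mode"                   on  "$("$FW" --getstealthmode 2>&1)"
    report "Auto-trust signed software"     off "$("$FW" --getallowsigned 2>&1)"
    report "FileVault"                      on  "$(fdesetup status 2>&1)"
    report "Firmware password (run as root)" on "$(firmwarepasswd -check 2>&1)"
}

# Only query the system on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = Darwin ]; then audit; fi
```

Run it with `sudo` so the firmware password check can read its state; a CHECK result means the output was not recognised and the setting should be verified by hand in System Preferences.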
Good security resources may be found here
- unofficial / not supported by Apple
- I would be hesitant to install all of this from unknown sources. Even with the best of intentions, it probably doesn't have the scrutiny for security (nor all the security updates that Apple provides) that you would get from Ubuntu
- I don't know enough about how it works, so at this time I'm not comfortable, from a security perspective, with this, which is an unofficial way to run later versions of macOS on a Mac
Resources of interest
- https://security.stackexchange.com/questions/259177/how-secure-is-opencore-legacy-patcher
- long thread I haven't gone through: https://forums.macrumors.com/threads/security-for-oclp-opencore-legacy-patcher.2406586/
- Bootcamp is supported by Apple to install Windows 10.
- From some quick searches, it appears Windows 11 can be installed from Windows 10 (but not directly via Bootcamp), and both are updated for security.
- this can be appealing if you want to play some games
- however, Windows has a much larger user base and is a bigger target for malware
- if you're a lifelong Mac or Linux user, you probably don't want to use Windows anyway
- this guide may be updated in the future to include how to triple boot to Windows
- Long support, Linux, and experience using it
- clear support timelines and large community of support to vet it
TBD
I had to run some legacy software (Ubuntu 20.04, ROS Noetic, Gazebo classic) for a course. After wasting days on issues involving Apple Silicon support with VirtualBox and VMware, and a slow cloud VM, I decided to try to natively install this on my 2016 MBP to get better performance for Gazebo.
@TheOnly3aq I will keep this gist updated and get to it sometime later. Are you on Discord?