From Smart to Smarter: Elevating Apple IQ Even More
If you haven’t read part 1, go back and read it first.
The next portion of Apple Intelligence is now shipping with macOS 15.2 and iOS/iPadOS 18.2. We now have Image Wand, Image Playground, Genmojis, ChatGPT integration, and a little more. To soothe all concerns quickly, Apple Intelligence is NOT powered by ChatGPT. It will never send data off to ChatGPT without first asking permission and that integration must also be enabled. Ok, now that that’s out of the way.
What’s great is that all of these features can be blocked. Apple has provided the following configuration profile keys for the preference domain com.apple.applicationaccess:
- allowImagePlayground
- allowImageWand
- allowGenmoji
And new as of the Dot 2 releases:
- allowExternalIntelligenceIntegrations
- allowExternalIntelligenceIntegrationsSignIn
The two new keys must be deployed to devices running the Dot 2 releases or later. They may not work if deployed before a system is upgraded to the new release. In contrast, the other keys have existed since the fall launch of the new OSes and can be deployed before a device updates.
The allowExternalIntelligenceIntegrations key blocks the ability to enable the ChatGPT integration. The allowExternalIntelligenceIntegrationsSignIn key blocks the ability for a user to sign into ChatGPT with their account. I recommend deploying both if disabling external intelligence integrations.
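Because the two Dot 2 keys should only reach devices already on the Dot 2 releases, one way to handle the rollout is to split the restrictions into two profiles and scope the second by OS version. The sketch below is an added example, not Apple's or the author's code; the `com.example.ai-restrictions` identifier prefix, the display names and the `build_profile`/`profiles_for` helpers are assumptions.

```python
import plistlib
import uuid

# Keys listed on this page, all in the com.apple.applicationaccess payload.
BASE_KEYS = ["allowImagePlayground", "allowImageWand", "allowGenmoji"]
DOT2_KEYS = ["allowExternalIntelligenceIntegrations",
             "allowExternalIntelligenceIntegrationsSignIn"]
# First OS version that understands DOT2_KEYS (the "Dot 2" releases).
DOT2_MINIMUM = {"macOS": (15, 2), "iOS": (18, 2), "iPadOS": (18, 2)}


def build_profile(name, keys, prefix="com.example.ai-restrictions"):
    """Return .mobileconfig bytes that set every key in `keys` to false."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.{name}.payload",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
    }
    payload.update({key: False for key in keys})
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Apple Intelligence restrictions ({name})",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profiles_for(platform, os_version):
    """Profiles to scope to a device: base always, Dot 2 keys only on Dot 2+."""
    version = tuple(int(part) for part in os_version.split(".")[:2])
    profiles = {"base": build_profile("base", BASE_KEYS)}
    if version >= DOT2_MINIMUM[platform]:
        profiles["dot2"] = build_profile("dot2", DOT2_KEYS)
    return profiles


if __name__ == "__main__":
    # Write both profiles for a Mac that is already on 15.2.
    for name, data in profiles_for("macOS", "15.2").items():
        with open(f"ai-restrictions-{name}.mobileconfig", "wb") as handle:
            handle.write(data)
```

In an MDM, the same split is usually expressed as two profiles with the Dot 2 one scoped to a group of devices on 15.2/18.2 or later.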
How can you determine if a user has enabled the ChatGPT integration? There’s already someone who has written a nice way to determine its status. Dr. K, Emily, the Modtitan herself, has written a nice Extension Attribute for Jamf to determine the status. (Go buy her stickers! https://ko-fi.com/modtitan)
Something interesting to me is the name of the configuration profile key: it is called allowExternalIntelligenceIntegrations, not something like allowChatGPTIntegration.
Federighi explains that Apple partnered with OpenAI because GPT-4o is currently the best LLM out there for broad world knowledge, and that Apple may partner with other LLM providers in the future, allowing users to bolt on the external LLM provider of their choice.
So you may see the ability to connect to other external intelligence integrations in the future.
What else has been learned since Apple Intelligence debuted?
The good news, to share, is that not much seems to actually get sent to Apple’s Private Cloud Compute service.
Now, how can you determine what is being sent? Go to Settings → Privacy & Security → Apple Intelligence Report. This report is exactly that: a JSON file that provides the information sent to Apple’s PCC server.
There are more ways to dig up when PCC is contacted. The process PrivateMLClientInferenceProviderService appears to do some heavy logging when you use Apple Intelligence and it requires contacting the PCC servers.
log stream --predicate 'process == "PrivateMLClientInferenceProviderService"'
You can also run:
log show --predicate 'process == "modelmanagerd" AND category == "ModelCatalog"'
You’ll see things like these in each log entry:
- com.apple.fm.language.instruct_3b.proofreading_review
- com.apple.fm.language.instruct_server_v1.text_summarizer
- com.apple.fm.language.instruct_3b.messages_reply
- com.apple.fm.language.safety_guardrail.base
- com.apple.fm.language.instruct_3b.urgency_classification
- com.apple.fm.language.instruct_3b.mail_reply
- com.apple.fm.language.instruct_server_v1.tables_transform
- com.apple.fm.language.instruct_server_v1.bullets_transform
- com.apple.fm.language.instruct_server_v1.takeaways_transform
- com.apple.fm.language.instruct_server_v1.open_ended_tone_query_response
Correlating this with the Apple Intelligence Report, the entries that have _server in the model name identify the times and features that require PCC.
Lastly, another easy way to determine if a feature is reaching out to PCC is to run this command in Terminal:
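The `_server` rule above can be applied mechanically to saved log output. The following is an added example, not code from the original post: the sample lines are constructed (only the model identifiers are taken from this page), and the `classify` helper and the log line layout are assumptions.

```python
import re
from collections import Counter

# Matches identifiers such as com.apple.fm.language.instruct_3b.mail_reply
# and captures the model family and the feature name.
MODEL_ID = re.compile(r"com\.apple\.fm\.language\.(\w+)\.(\w+)")

# Constructed sample; real `log show` lines carry more fields than this.
SAMPLE = """\
2024-12-12 10:01:02 modelmanagerd [ModelCatalog] com.apple.fm.language.instruct_3b.proofreading_review
2024-12-12 10:01:40 modelmanagerd [ModelCatalog] com.apple.fm.language.instruct_server_v1.text_summarizer
2024-12-12 10:01:41 modelmanagerd [ModelCatalog] com.apple.fm.language.safety_guardrail.base
2024-12-12 10:03:15 modelmanagerd [ModelCatalog] com.apple.fm.language.instruct_server_v1.bullets_transform
2024-12-12 10:04:09 modelmanagerd [ModelCatalog] com.apple.fm.language.instruct_3b.mail_reply
2024-12-12 10:05:30 modelmanagerd [ModelCatalog] com.apple.fm.language.instruct_server_v1.text_summarizer
"""


def classify(log_text):
    """Split model identifiers into PCC-backed (family contains '_server') and on-device."""
    pcc, on_device, pcc_lines = Counter(), Counter(), []
    for line in log_text.splitlines():
        for family, feature in MODEL_ID.findall(line):
            name = f"{family}.{feature}"
            if "_server" in family:
                pcc[name] += 1
                pcc_lines.append(line)  # keep the line so the timestamp survives
            else:
                on_device[name] += 1
    return {"pcc": dict(pcc), "on_device": dict(on_device), "pcc_lines": pcc_lines}


if __name__ == "__main__":
    result = classify(SAMPLE)
    print("Features that used PCC:")
    for name, count in sorted(result["pcc"].items()):
        print(f"  {name}: {count}")
    print("On-device only:")
    for name, count in sorted(result["on_device"].items()):
        print(f"  {name}: {count}")
```

To use it on a real machine, save the output of the `log show` command above to a file and pass its contents to `classify` in place of `SAMPLE`.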
nettop -p privatecloudcom
With nettop running, using the different features of Apple Intelligence will show you when the device reaches out to Private Cloud Compute servers.
Now what actually seems to reach out to PCC? Honestly, the list is small: whenever you summarize text (in any application), create key points, make a list, make a table, and on iOS create a memory movie, and of course ChatGPT requests.
These are the Apple Intelligence Features that DO reach out off device.
- Writing Tools — Summarize
- Writing Tools — Create Key Points
- Writing Tools — Make List
- Writing Tools — Make Tables
- Writing Tools — Describe Changes
- Create a Memory movie in Photos on iOS/iPadOS
Writing Tools — Summarize is kind of different because Apple Mail, Safari Reader Mode, and selected text in any application seem to behave slightly differently. Apple Mail’s summarize and Safari Reader Mode summarize are not controllable by the allowWritingTools setting.
These are the Apple Intelligence Features that do NOT reach out off device.
- Writing Tools — Proofread
- Writing Tools — Rewrite
- Writing Tools — Make Friendly
- Writing Tools — Make Professional
- Writing Tools — Make Concise
- Natural language search in Photos
- Notification summaries
- Reduce Interruptions Focus
- Intelligent Breakthrough & Silencing in Focus
- Priority messages in Mail
- Smart Reply in Mail and Messages
- Image Wand
- Genmoji
- Image Playground
- Visual Intelligence (Unless you tell it to)
Can I say without a shadow of a doubt that this will always be the case? No, not at all. This is simply what I’ve found so far, but in my testing this is what has reached out to PCC. Somewhat disappointingly, we cannot block parts of Writing Tools but allow others, since it’s the most useful part of Apple Intelligence in the business world, in my opinion. This is a place where Apple can really step up with additional granularity in these controls. Maybe if we file those Feedbacks, Apple will listen. Apple, if you ARE listening, pretty please with sugar on top! We all really want to use Apple Intelligence, and this is critical for many organizations to adopt these new features.
Something also to keep in mind, when you use the Summary feature of Writing Tools, the entire message is saved into your Apple Intelligence Report. On top of this, part of or potentially all of the contents that you summarize are in Unified Logs. However, the default behavior is that this data in Unified Logs is hidden behind Private Data. Luckily, the Apple Intelligence Report does not appear to have a way to be accessed other than pressing the button to Export and entering your Passcode to export.
Running the log command below while using one of the features that reach out off device will show you some of the content you selected (to summarize, for example), if you have configured your system to show private data.
log stream --predicate 'process == "PrivateMLClientInferenceProviderService" AND category == "provider"' --debug
Why is this a thing to be mindful of? It means that content selected for summarizing in messages encrypted with S/MIME, information on intranet pages, PII, or information marked with some level of sensitivity is now saved without that level of protection in the Apple Intelligence Report and in Unified Logs, and the data is sent off to the PCC servers. Is this much different than copying and pasting the information somewhere else? I’d say one is intentional and one is accidental. In the accidental case the data is still very protected, but potentially not at the same level. Do not freak out! Accessing your Apple Intelligence Report requires the user to enter their Passcode and export it. The private data in Unified Logs requires administrative privileges to access and unhide.
Can you use Apple Intelligence and block data from going to PCC on macOS? The answer is No! Even when you disable Writing Tools, you are still able to use the Summarize feature within Safari Reader Mode. Can you use Apple Intelligence and block all data from going to PCC on iOS/iPadOS? The answer is No! You cannot disable Create a Memory movie in Photos or Summarize within Safari Reader Mode. You could do something with a cloud DNS provider or your /etc/hosts file, as described in Part 1, to block the PCC servers. But those are messy approaches to solving the problem.
File those Feedbacks, be specific and maybe we can get more granular controls or the ability to restrict to on device only.
These views are my own and not the views of my employer. If you have any questions or want more information on this, feel free to contact me on the MacAdmins Slack (boberito), LinkedIn (linkedin.com/in/bob-gendler-8702014), GitHub (http://github.com/boberito/) or email (bobgendler@gmail.com).