Syspolicyd, Periodically High CPU Load, Reading Huge Amounts of Data, on Mac Big Sur (and likely Catalina as well)

Putting Computer Errors in Perspective:
Two men were examining the output of the new computer in their department. Eventually one of them remarked: «Do you realize it would take 400 men 250 years to make a mistake this big?»
Unknown

After installing Mac OS 11 — Big Sur — my MacBook Pro started to spin the fans at maximum every 7-8 minutes or so. Periodically. Although I think only when it was connected to the internet. After some digging around (Activity Monitor => CPU => sort by load) it turned out that syspolicyd was to blame. Unfortunately, this is a core security feature of macOS 11.

Looking online did not lead to any solutions. It appears to have started happening with Catalina, and continues now on Big Sur. After a few days of trying to ignore it, it turned out that syspolicyd also read a lot of data — in the TB range. And within a short timeframe. Likely not that good for the hard disk drive, even though it’s an SSD.

I tried preventing syspolicyd from accessing the Internet, even though Little Snitch (Mac firewall app) did not recommend it. But it had no effect.

Finally, another search led me to a website recommending looking at which files syspolicyd has open during high CPU activity (thank you dr1zzzt on Reddit!). And it (rather: dr1zzzt) provided the Terminal command to do so:

sudo lsof -c syspolicyd

Timing the CPU spike by having Activity Monitor and Terminal open, and executing the line in Terminal (you have to enter your password, as you act as superuser), revealed the files that were the problem.

And yeah, it turned out to scan some .pkg files at that moment. Large .pkg files (one 25 GB, another around 6 GB, then a few smaller ones, or just one multiple times?):

syspolicyd being hard at work scanning a pkg file, not sure whether only this one multiple times (as shown), or all pkg files in that directory (capturing was limited).

Apparently, syspolicyd did not like the files, and did not stop scanning them. So, let’s assume 32 GB of files, read every 8 minutes, results in (if I calculated correctly) 240 GB per hour or 5.76 TB per day.

Yikes, but makes sense considering the amount of data that was read.
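An added example, not code from the original post: a small shell script that automates the check described above (poll syspolicyd’s CPU share and, during a spike, run lsof against its PID and keep only the open .pkg files) and carries the 32 GB every 8 minutes arithmetic. It assumes macOS with pgrep, ps and lsof available; the lsof output embedded in it is a constructed sample, not a real capture.

```shell
# Added example (not from the original post): poll syspolicyd's CPU share and,
# during a spike, list the .pkg files it has open, automating the post's manual
# `sudo lsof -c syspolicyd`. Assumes macOS with pgrep, ps and lsof on the PATH.

# Parse lsof field output (`lsof -F tsn`: one field per line, prefixed by
# t=type, s=size in bytes, n=name) from stdin; print "<bytes>\t<path>" for each
# regular file whose path ends in .pkg. Field output survives paths with spaces.
pkg_files_from_lsof() {
    awk '
        /^f/ { type = ""; size = 0 }   # each file record starts with its fd field
        /^t/ { type = substr($0, 2) }
        /^s/ { size = substr($0, 2) }
        /^n/ { if (type == "REG" && $0 ~ /\.pkg$/) printf "%s\t%s\n", size, substr($0, 2) }
    '
}

# Sum the byte column of pkg_files_from_lsof output read from stdin.
pkg_total_bytes() {
    awk '{ total += $1 } END { printf "%.0f\n", total }'
}

# The post's arithmetic: <GB read per pass> every <minutes> -> GB read per day.
projected_daily_read_gb() {
    awk -v gb="$1" -v minutes="$2" 'BEGIN { printf "%.2f\n", gb * (60 / minutes) * 24 }'
}

# Constructed sample in `lsof -F tsn` format (not real output): two large
# installers and a small plist that must be ignored.
sample_lsof_output() {
    printf '%s\n' 'p123' 'fcwd' 'tDIR' 'n/private/var/db/SystemPolicy' \
        'f5' 'tREG' 's26843545600' 'n/Users/example/Installers/big_game_installer.pkg' \
        'f6' 'tREG' 's6442450944' 'n/Users/example/Installers/Other Game Installer.pkg' \
        'f7' 'tREG' 's4096' 'n/Library/Preferences/com.example.plist'
}

# Poll every 5 s; when syspolicyd exceeds the CPU threshold (percent), dump its open .pkg files.
watch_syspolicyd() {
    threshold="${1:-50}"
    while :; do
        pid=$(pgrep -x syspolicyd | head -n 1)
        [ -n "$pid" ] || { echo "syspolicyd is not running" >&2; return 1; }
        cpu=$(ps -o %cpu= -p "$pid" | tr -d ' ')
        if [ "$(awk -v c="$cpu" -v t="$threshold" 'BEGIN { print (c + 0 >= t + 0) }')" -eq 1 ]; then
            echo "$(date '+%H:%M:%S') syspolicyd at ${cpu}% CPU, open .pkg files (bytes, path):"
            sudo lsof -p "$pid" -F tsn 2>/dev/null | pkg_files_from_lsof
        fi
        sleep 5
    done
}

# Live monitoring only on request, so the functions can be sourced or tested alone.
if [ "${1:-}" = "--watch" ]; then watch_syspolicyd "${2:-50}"; fi
```

Run it as `sh watch_syspolicyd.sh --watch 50` next to Activity Monitor; it needs sudo for lsof, exactly as the manual command does.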

Deleting them had an immediate effect — or rather, something changed at the same time. syspolicyd only went up to 40% CPU load. And after deleting the package files in another directory (in which I did store all apps I had installed) it is now … not a significant contributor of CPU load. Not even periodically.

I can’t guarantee that these pkg files were the cause. After all, the games installed from these files did run. After manually allowing their execution, and access to the install directory, for each freaking app and DLC, and Stellaris has a lot of DLCs. And Pathfinder: Kingmaker’s 25 GB file took ages to even start installing (some kind of security check pre install, I guess). Apparently, gog.com, or the game developers, need to update the files to provide them with a valid signature.

Although — hey, Apple, who owns this computer? Why does the security process work against me installing something on my computer? Bad move, Apple, bad move.

But it looks like it worked — and now, it’s quiet. As a computer should be.

Of course, I don’t have any games installed anymore (not sure if they would make the same problems), but that’s likely a feature, not a bug.