Managing Metered Connections on OSX
TripMode
TripMode works on a whitelist system and blocks entire apps/processes from accessing the internet.
It is advertised with these relevant features:
When TripMode is ON, it prevents all your Mac apps from accessing the Internet but those that have been whitelisted by yourself. It typically stops automatic updates, online backups, Photos syncs, and various obscure apps from consuming precious data. Both uploads and downloads are blocked.
Track your data usage. See the data used per app, session, day, and month. Spot the data hungry apps.
New: You set the limit Set your data limit. All traffic stops when you reach it. Never go over your plan again!
Little Snitch
Little Snitch lets you restrict specific network traffic from apps and processes. You can configure it to switch profiles automatically depending on the network that it is connected through.
You can set up Little Snitch to prompt on new connections, or configure the connections before the access attempt.
Blocking with third party software
Apart from the excellent TripMode and LittleSnitch already mentioned the market has other contenders for this type of job on offer.
Blocking unwanted traffic is also possible with these application level firewalls:
RadioSilence
Advertised as:
The easiest network monitor and firewall for Mac. Radio Silence can stop any app from making network connections.
Powerful privacy for your Mac.
Radio Silence lets you keep a list of apps that aren't allowed to go online. Protect your privacy. Prevent apps from phoning home. Save on bandwidth and data charges. Radio Silence is completely invisible.
The firewall is invisible and always active. You don't have to keep any windows open. No annoying pop-ups. No clutter on your screen or dock. No effect on your Mac's performance.
HandsOff
Advertised as:
Hands Off! is an application to monitor and control the access of applications to your network and disks. Being able to monitor the normally unnoticeable activities enables you to make informed decisions regarding the transfer of your private information, hence avoiding confidential information leakage.
Vallum
Advertised as:
Vallum is a little tool that helps you monitoring applications connections. It is able to intercept apps connections and hold them while you decide whether to pass or block them. Vallum interface is very simple and based on icons. Its default configuration is not intrusive, it does not require any interaction or specific networking knowledge or skills. Just drag an app icon from the Finder into main Vallum window to block it. To change Vallum attitude and interaction level you just have to play with the very few options available. Vallum Configuration Strategies let you choose from a list of predefined firewall configurations ad attitudes. Vallum is not intrusive, it runs as a menulet in macOS menu bar, near the clock. It respects your privacy too: it does not connect home to verify the license, it does not need any online activation.
Blocking with onboard tools
Some other options are also already built into the operating system. But there is considerable effort involved to configure often limited possibilities.
Blocking the destination IPs with a hostfile via /etc/hosts
Blocking the ports used by those programs using your builtin pf firewall
Both have downsides of inflexibility and overreach. Sometimes benign and nefarious destinations share the same IP. The same ports are also used for way too many purposes at once as to be very effective to differentiate between allowed and unwanted traffic.
Monitoring the traffic with onboard tools
You can monitor the traffic with numerous applications and tools. One that is already installed is found on the command line:
/usr/bin/nettop
And in Activity Monitor there is of course the tab called "Network" where you can sort for "Sent Bytes" and "Received Bytes".
Advanced third party monitoring tools
Then there are advanced tools like tcpdump, wireshark, PeakHour and others that are usually a bit overkill in such a simple scenario.
Most important and practical is of course to just uninstall the offenders – if posssible.