
Apple security and privacy

Alas, length has other drawbacks, first practical and then social. Yes, a passphrase such as the example you gave is fairly easy to remember, but it's now much more difficult to type accurately (and impossible on an iPhone). There's also now more scope for mis-remembering parts of it.
I was about to say that myself. I would add that length can be especially problematic for older people whose hands shake or who have vision problems.
 


When I last needed to update my Synology because it lost sync with time.google.com, I tried the "five random word" type password. While it was apparently accepted, when I looped back to verify it worked, it didn't. Apparently it was simply too long. Fie on those places which have specific password requirements/limitations, and aren't clear about what will and won't work.
 


When I last needed to update my Synology because it lost sync with time.google.com, I tried the "five random word" type password. While it was apparently accepted, when I looped back to verify it worked, it didn't. Apparently it was simply too long. Fie on those places which have specific password requirements/limitations, and aren't clear about what will and won't work.
Or worse yet, don't tell you the restrictions until after your first attempt!
 


I couldn't find the maximum length Apple allows, despite several searches of Apple's support lists. Presumably it's at least 64 characters and perhaps as high as 256.
Depending on how they store passwords, there may be no limit.

The typical Unix way of storing a password is to combine it with some kind of "salt" value and run it all through a one-way hash algorithm. The hash string is stored. For authentication, it takes what you type in and re-runs the hash, comparing the result.

Here's an article that shows how modern Linux systems do it:
Slashroot.in said:
How are passwords stored in Linux
(Understanding hashing with shadow utils)
With a system like this, there is no actual limit to the length of a password. The size of the hash will remain the same whether your password is one or a million characters. The only practical limit is how much memory the UI itself has allocated to hold the string you type in.

Some older algorithms (like the DES encryption mechanism used by old Unix systems) work by encrypting a well-known block of data (and possibly a salt value) using your password as the key. These systems limit your password to the maximum key length (which is 56 bits, or eight 7-bit ASCII characters for DES). Algorithms like this should not be used because they are far too easy to crack using modern hardware, but they are still configurable options on many platforms in order to support backward compatibility (e.g. a shared password file that some old computers use for authentication).
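The two storage models described in the post above, as an added example that is not code from this thread or from the linked Slashroot article. The one-way function is PBKDF2-HMAC-SHA256 from the Python standard library; the "$pbkdf2$" record tag, salt size and iteration count are this example's own assumptions rather than the parameters of any particular Linux distribution, and the "$legacy8$" scheme only emulates the eight-character truncation of DES crypt(3) by cutting the password before hashing, so no DES library is needed.

```python
"""Shadow-style salted password storage, plus the truncating legacy failure mode.

Added example, not code from this thread or the Slashroot article it links.
The one-way function is PBKDF2-HMAC-SHA256 from the standard library; the
"$pbkdf2$" tag, salt size and iteration count are this example's own choices
(assumptions), not the parameters of any particular Linux distribution.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # assumption: work factor for the demo
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a crypt(3)-style record: $pbkdf2$<salt hex>$<digest hex>.

    The digest is always 32 bytes whether the password is 1 or 1,000,000
    characters long; only the salt and digest are stored, never the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    _, scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest_size(record: str) -> int:
    """Size in bytes of the digest part of a record (constant for this scheme)."""
    return len(bytes.fromhex(record.split("$")[3]))


# Legacy illustration: old DES-based crypt(3) keyed the cipher with only the
# first eight characters, so anything typed after them was silently ignored.
# Emulated here by truncating before hashing; the "$legacy8$" tag is invented
# for this example and the scheme is not real DES crypt.
LEGACY_KEY_CHARS = 8


def legacy_hash(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(2)
    truncated = password[:LEGACY_KEY_CHARS].encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", truncated, salt, 1_000)
    return f"$legacy8${salt.hex()}${digest.hex()}"


def legacy_verify(password: str, record: str) -> bool:
    _, scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "legacy8":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password[:LEGACY_KEY_CHARS].encode("utf-8"),
        bytes.fromhex(salt_hex), 1_000,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    short = hash_password("a")
    long_ = hash_password("correct horse battery staple " * 40)
    print(stored_digest_size(short), stored_digest_size(long_))      # 32 32
    print(verify_password("a", short), verify_password("b", short))  # True False
    rec = legacy_hash("hunter2x")
    # The truncating scheme cannot tell "hunter2x" from "hunter2xAnythingElse".
    print(legacy_verify("hunter2xAnythingElse", rec))                # True
```

The check a practitioner wants from this is the last one: with a truncating scheme, a user who "sets" a 20-character password is really protected by 8 of them, and a login with the right prefix and any suffix succeeds. The salted scheme has no such edge; its cost is one fixed-size digest per record regardless of input length.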
 


I'm trying to repurpose an iPhone from a family member. I have its passcode. Apple won't let me erase it, demanding the Apple ID/iCloud password. I then had the previous owner (who is not in my location) do this:
Apple said:
Turn off Find My iPhone Activation Lock
If the previous owner isn't with you
If the previous owner isn't present, contact them and ask them to follow these steps:
  1. Sign in to iCloud.com with their Apple ID.
  2. Go to Find My iPhone.
  3. Click All Devices at the top of the screen.
  4. Select the device that you want to remove from iCloud.
  5. If necessary, click Erase [device].
  6. Click Remove from Account.
After the previous owner removes the device from their account, turn off the device and then turn it back on to begin the setup process.
This simply didn't work....
Have you thought of restoring the iPhone to factory setting? This erases everything as if it was a new cell phone. Maybe that's the way that will bypass the passcode.
 


Ric Ford

MacInTouch
Have you thought of restoring the iPhone to factory setting? This erases everything as if it was a new cell phone. Maybe that's the way that will bypass the passcode.
Yes, I thought of that. And I remembered perhaps the worst experience I've ever had with an Apple product when I tried that approach... and failed after many, many hours. I'm not looking to repeat that experience.
 


Yes, I thought of that. And I remembered perhaps the worst experience I've ever had with an Apple product when I tried that approach... and failed after many, many hours. I'm not looking to repeat that experience.
And if it works, but the records in Apple's servers aren't cleared, isn't the phone effectively bricked?
 



I'm trying to repurpose an iPhone from a family member. I have its passcode. Apple won't let me erase it, demanding the Apple ID/iCloud password. I then had the previous owner (who is not in my location) do this:
Apple said:
Turn off Find My iPhone Activation Lock
If the previous owner isn't with you
If the previous owner isn't present, contact them and ask them to follow these steps:
  1. Sign in to iCloud.com with their Apple ID.
  2. Go to Find My iPhone.
  3. Click All Devices at the top of the screen.
  4. Select the device that you want to remove from iCloud.
  5. If necessary, click Erase [device].
  6. Click Remove from Account.
After the previous owner removes the device from their account, turn off the device and then turn it back on to begin the setup process.
This simply didn't work. The iPhone continues to demand the previous owner's Apple ID (over and over and over ad infinitum), no matter what I try.
The steps outlined included "If necessary, click Erase [device]". If transferring ownership, that isn't really optional.... The only time Step 5 isn't necessary is when the previous owner has previously already done an erase. If you go to Step 6 before 5, then Apple probably sends the device into some kind of 'limbo' state. The order of the steps matters.

Apple doesn't mention it in the Activation Lock article, but in the "stolen" article:
Apple said:
If your iPhone, iPad, or iPod touch is lost or stolen
What if your device is off or offline?
If your missing device is off or offline, you can still put it in Lost Mode, lock it, or remotely erase it. The next time your device is online, these actions will take effect. If you remove the device from your account while it's offline, any pending actions for the device are canceled.
So again, deleting the device from the Apple ID account before you have finished off the erasure is a problem state. That erase pragmatically needs to be left pending until it is complete. Getting connected to be erased is also trapped in a loop if you have detached the iOS device from any possible way to get online to get to the "erase" web services.

There's a similar issue when the person is wiping the device clean. It should be connected to web services at the time of the clean wipe (full erase). Don't pull the SIM card and disconnect from all Wi-Fi before cleaning the device for sale/transfer. Pulling the SIM card would be one of the very last steps, if appropriate.
This just illustrates how, when someone buys an iPhone, Apple ultimately continues to control it, not the purchaser, who doesn't have the cryptographic codes that Apple holds internally and through which it exerts that control.
There isn't much of a material difference between stolen and a device that has been decoupled from the owner who has the Apple ID/password for the device. Apple doesn't have control if the device is properly erased before being exchanged. The responsibility to erase it is assigned to the owner.

A clear best practice in handing over a device to a new owner should include removing all data from the previous owner from the device before transfer. All Apple is doing is setting that up as standard operating procedure. The notion that there is something fundamentally wrong here runs exactly backward from solid security practice.

... Most modern operating systems (Android, iOS, Windows, etc. ) can erase back to clean/factory state. macOS needs a more protracted erase/install process to go clean.
 


Have you thought of restoring the iPhone to factory setting? This erases everything as if it was a new cell phone. Maybe that's the way that will bypass the passcode.
From the same Activation Lock Knowledge Base page.
Apple said:
If you don't sign out of iCloud before you put your device in recovery mode and restore through iTunes, it might remain in Activation Lock. That means you need to enter the same Apple ID and password that you used when you previously set up the device.
Basically it is a theft deterrence issue/feature. For devices with a secure enclave and secure boot process, even recovery mode would include an authentication. Even if the iOS gets corrupted, the basic boot system would still be functional. If the basic boot process is secured, it can also run an authentication. If the 'master' boot image isn't presented to the mounted system, it is relatively easy to prevent the overwhelming majority of possible corruption.

Turning on "Find My Phone" seriously means "protect my device no matter what". If never turned on, then the older methods of reset by random anybody tend to work. That really isn't the default setup path these days, though.
 


Ric Ford

MacInTouch
... I do not know, and it is unlikely but possible that my friend did not know, there was another four-digit code that set in motion the reset program. Knowing him like I did, I tried several times to guess the sequence before I neared the dreaded “N more tries and it’s toast" note....
Not having small children around, I've never encountered this myself, but I believe that the 4-digit code you've been asked for is part of the Parental Restrictions setting, which is normally used to prevent little fingers from wandering where they shouldn't in your iPhone or iPad. As far as I know, this code can't be overridden other than by restoring the device from a pre-restriction backup, so that's out for you.
I don't know if this is related or not, but I cannot disable Screen Time on my iPhone running iOS 12.1.1 - my own iPhone I've owned since the beginning and for which I have all the passwords, etc.... except... the iPhone demands a 4-digit passcode in order to disable Screen Time, and nothing I've tried works. I have no idea what it wants (or why), and I can't disable Screen Time.

(In the distant past, I may have enabled Parental Controls on my own iPhone as a hack to improve some behavior, and if I did, I don't recall the passcode I used for that, which may or may not be related to this frustrating conundrum.)
 


I may have enabled Parental Controls on my own iPhone as a hack to improve some behavior, and if I did, I don't recall the passcode I used for that, which may or may not be related to this frustrating conundrum.
See my previous post on this subject. There are ways to recover your Parental Controls and Screen Time passcodes.

Make an encrypted backup of the phone. Then point a cracking utility (e.g. Pinfinder) at the backup (using the backup's password to decrypt the contents) and it should be able to extract the code.

This can't recover the phone's screen-lock code, but it can recover the parental controls and screen time codes (I'm not sure if they are the same code or not). It's a brute-force attack on the one-way hash (try every combination until one hits), but with only a 4 digit code, it takes only a few seconds for even a slow (by modern standards) computer to find a hit. Even with a 6-digit numeric code, it doesn't take very long.
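The brute-force search the post above describes, as an added example that is neither Pinfinder's code nor the layout of an iOS backup. It assumes the passcode was stored as PBKDF2-HMAC-SHA1 over the code with a salt and a fixed iteration count (an assumption for the demo), and constructs such a target inline; a real tool first decrypts the backup and reads the salt and hash out of the stored property list. The attempt counter makes the point about search-space size concrete.

```python
"""Recovering a short numeric passcode by brute-forcing its salted one-way hash.

Added example, not Pinfinder's code and not the layout of an iOS backup.
It assumes the passcode was stored as PBKDF2-HMAC-SHA1(passcode, salt) with
a fixed iteration count and builds such a target inline; a real tool first
decrypts the backup and reads salt and hash out of the stored property list.
"""
import hashlib
import itertools
import os
from typing import Optional, Tuple

ITERATIONS = 1_000   # assumption: a low work factor for the demo target
KEY_LEN = 20         # SHA-1 output size


def derive(passcode: str, salt: bytes) -> bytes:
    """The assumed one-way function: PBKDF2-HMAC-SHA1 of the ASCII digits."""
    return hashlib.pbkdf2_hmac("sha1", passcode.encode("ascii"), salt, ITERATIONS, KEY_LEN)


def make_target(passcode: str) -> Tuple[bytes, bytes]:
    """Constructed stand-in for the (salt, hash) pair a backup would hold."""
    salt = os.urandom(8)
    return salt, derive(passcode, salt)


def crack_numeric(salt: bytes, target: bytes, digits: int) -> Tuple[Optional[str], int]:
    """Try every `digits`-long numeric code in order; return (code or None, attempts).

    The search space is 10**digits: 10,000 for a 4-digit code and 1,000,000
    for 6 digits. Offline, nothing throttles the guesses, which is why such
    codes fall in seconds even though the device itself rate-limits entry.
    """
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        candidate = "".join(combo)
        if derive(candidate, salt) == target:
            return candidate, attempts
    return None, attempts


def crack(salt: bytes, target: bytes, lengths=(4, 6)) -> Tuple[Optional[str], int]:
    """Try the common passcode lengths in turn, shortest first."""
    total = 0
    for n in lengths:
        hit, tried = crack_numeric(salt, target, n)
        total += tried
        if hit is not None:
            return hit, total
    return None, total


if __name__ == "__main__":
    # Constructed secret; the cracker only ever sees salt and hash.
    salt, target = make_target("0412")
    print(crack(salt, target))   # ('0412', 413)
```

Note that the screen-lock passcode is out of reach of this approach for the reason the post gives: it is not a plain hash sitting in a backup but is entangled with device-bound keys, so there is nothing offline to iterate over.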
 


Ric Ford

MacInTouch
I'm trying to repurpose an iPhone from a family member. I have its passcode. Apple won't let me erase it, demanding the Apple ID/iCloud password. I then had the previous owner (who is not in my location) do this:
Apple said:
Turn off Find My iPhone Activation Lock
If the previous owner isn't with you
If the previous owner isn't present, contact them and ask them to follow these steps:
  1. Sign in to iCloud.com with their Apple ID.
  2. Go to Find My iPhone.
  3. Click All Devices at the top of the screen.
  4. Select the device that you want to remove from iCloud.
  5. If necessary, click Erase [device].
  6. Click Remove from Account.
After the previous owner removes the device from their account, turn off the device and then turn it back on to begin the setup process.
This simply didn't work. The iPhone continues to demand the previous owner's Apple ID (over and over and over ad infinitum), no matter what I try.
The owner didn't see an "Erase" option after logging into iCloud. When I checked my own iCloud account later, I found no Erase option under Settings > My Devices, but it turns out that there is an Erase iPhone button under Find My iPhone after it brings up a map showing the device's location.

In any case, the owner changed the Apple ID/iCloud password, and I was able to use the new password to reset the iPhone, after I finally found General > Reset (at the bottom of the scrolling page), but, it turns out, we had to jump through one more hoop, because 2FA was set up, so I then also had to get a 6-digit authentication code that was sent to the owner's new iPhone and enter that before I could reset the older iPhone and finally get it back to a startup state.

That's a whole lot of Apple hoops to jump through, and past bad experience with an iPhone I purchased for myself and accidentally bricked showed that missing any steps in Apple's script can deactivate the phone completely.
 


This blog post mentions and links to Parted Magic, which provides a GUI interface for both SATA and NVMe SSD Secure Erase, as well as Secure Erase for hard disk drives.
As noted previously, I've been able to boot Linux on the new Mac Mini but not access its internal drive at all from Linux, let alone any APFS (or other) partitions on it.
That's a great tip about Parted Magic. System Rescue CD has parted, but not the Magic.

I've been struggling to come to terms with the T2's apparent destruction (very effective hiding?) of the ability to take a "never-booted" snapshot of a just-out-of-the-box Mac. I've done this with nearly every system I've ever acquired, mainly to ensure the ability to revert to how it was before I got my mitts on it.

It seems logical that Apple must be using asr or some other imaging tool internally to prepare a Mac for shipment, with the final steps being to delete the Secure Boot administrator password, enable Secure Boot, and step away from a now un-imageable (un-imaginable?) machine. Perhaps someone will manage to figure out how they do it, and/or how we can create a Secure Boot administrator password and disable Secure Boot without first having to sully the pristine state of the system. Maybe it's a bit fussy of me to want it this way, but it's hard to have Apple take away a tool I've used successfully for years.

Wait, don't we say that a lot about Apple?
 


....Perhaps someone will manage to figure out how they do it, and/or how we can create a Secure Boot administrator password and disable Secure Boot without first having to sully the pristine state of the system. Maybe it's a bit fussy of me to want it this way, but it's hard to have Apple take away a tool I've used successfully for years.

Wait, don't we say that a lot about Apple?
... I imagine how Apple does it is through the same mechanisms they outline for cleaning up a Mac before sale.
I presume Apple has some 'secret sauce' when invoking 'Erase Disk' from the recovery mode Disk Utility that resets more than just the disk, in the context of a T2 system. The MDM tools allow remote wipe of a Mac, so that doesn't have to be 100% user-click(s)-driven.

The change in context now with the T2 (and after) systems is that there is no "back to the factory state" until the T2 security enclave is reset back to factory settings. So that "image" on the disk is pragmatically incomplete, if you want to get back into the initialized system.

A 'tool' to get a clean macOS image is there in recovery: "Reinstall macOS". (There is an "expense" for that in that Apple's factory images are remote and would need to be downloaded.) What Apple could add would be a variation of that tool which would create an installer on a drive of the user's choice later.... With APFS, all they need is a snapshot of the macOS subset of the container, so something like

0. new Mac
1. Boot into recovery first.
2. Tell recovery to make a local snapshot of this image.
3. Reboot.
4. Configure MacOS
5. Run a utility to put that local snapshot on USB drive (if snapshot needs something more than the minimal recovery version of OS utilities).
Folks on 'skinny' Internet pipes could leverage that. However, the nominal operating context for macOS imaging/updates/security isn't really skinny pipes. When these 'old' tools were created, Apple wouldn't ship people a "factory macOS" image on demand. Now they do (a variety, in fact: original model issue, latest appropriate one, etc.).
 


Ric Ford

MacInTouch
I presume Apple has some 'secret sauce' when invoking 'Erase Disk' from the recovery mode Disk Utility that resets more than just the disk, in the context of a T2 system.
This is the critical question. As I understand it, when you buy a new T2-based Mac, you have to supply an initial password ('admin' password) in the earliest part of system setup, before you can do anything with the computer, and this is used to encrypt that "secure enclave" and the internal SSD contents.

How do you reset that? How do you change that password (e.g. if it was a poor one to start, or you thought it would be a temporary one). This is completely unclear.

Meanwhile, if you buy a new iPhone, it's an unusable, pretty brick - not even functional at the level of an iPod Touch - until it's "activated" with Apple, another extremely opaque, confusing system/process. What is this mysterious "activation" exactly?
 


This is the critical question. As I understand it, when you buy a new T2-based Mac, you have to supply an initial password ('admin' password) in the earliest part of system setup, before you can do anything with the computer, and this is used to encrypt that "secure enclave" and the internal SSD contents.

How do you reset that? How do you change that password (e.g. if it was a poor one to start, or you thought it would be a temporary one). This is completely unclear.

Meanwhile, if you buy a new iPhone, it's an unusable, pretty brick - not even functional at the level of an iPod Touch - until it's "activated" with Apple, another extremely opaque, confusing system/process. What is this mysterious "activation" exactly?
The admin account you use to change anything in Secure Boot is the account you create during Setup and log in to first. Once you have set up your Mac, you can easily reboot to Recovery and change your Security settings.

If you need to change the password for any reason, you do it in the OS. There is not any super-secret account necessary. (In fact, any admin account that has been granted a Secure Token by the OS should be able to make changes to the security settings. You just need to grant access.)
 


Please forgive my repeating myself, but for me, the sticking point is that unlike in the past, when, having taken a sector-copied image of the internal storage device of a new machine, I could, and occasionally did, restore it to just-out-of-the-box condition, it now seems (as Ric said) that we cannot use a T2 machine before tracking our indelible (?) digital mud all over its nice clean floor.

Can this really, truly be impossible, going forward?

It's my (or my family member's/friend's/client's) machine. I want to be able to keep it that way.
 


Ric Ford

MacInTouch
Please forgive my repeating myself, but for me, the sticking point is that unlike in the past, when, having taken a sector-copied image of the internal storage device of a new machine, I could, and occasionally did, restore it to just-out-of-the-box condition, it now seems (as Ric said) that we cannot use a T2 machine before tracking our indelible (?) digital mud all over its nice clean floor.
Can this really, truly be impossible, going forward?
It's my (or my family member's/friend's/client's) machine. I want to be able to keep it that way.
It seems to me that Apple has now moved Mac computers (via the T2 system) to the iPhone model, where each device is unusably crippled until it is cryptographically identified/associated with an individual customer, typically via their Apple ID/iCloud ID.

Apple also controls what software may be installed and run on the device in the standard scenario/setup procedure - what OS version, what cryptographically-signed third-party software is permitted, what software is not blocked by invisible anti-malware mechanisms (generally a good thing), etc.

What's confusing:
  • How do you reset a device to original "factory" condition and completely clear it from all Apple associations with your individual identity (if it's even possible)? (Yes, we've linked some Apple support documents related to that.)
  • What are all the mechanisms and data storage locations that associate and control an individual's identity elements (fingerprints, Apple ID, username/password, security questions, credit card, ApplePay wallet, etc.) and devices (hardware IDs, UUIDs, encryption keys, Secure Enclaves etc.)?
 


It seems to me that Apple has now moved Mac computers (via the T2 system) to the iPhone model, where each device is unusably crippled until it is cryptographically identified/associated with an individual customer, typically via their Apple ID/iCloud ID.
Apple also controls what software may be installed and run on the device in the standard scenario/setup procedure - what OS version, what cryptographically-signed third-party software is permitted, what software is not blocked by invisible anti-malware mechanisms (generally a good thing), etc.
What's confusing:
  • How do you reset a device to original "factory" condition and completely clear it from all Apple associations with your individual identity (if it's even possible)? (Yes, we've linked some Apple support documents related to that.)
  • What are all the mechanisms and data storage locations that associate and control an individual's identity elements (fingerprints, Apple ID, username/password, security questions, credit card, ApplePay wallet, etc.) and devices (hardware IDs, UUIDs, encryption keys, Secure Enclaves etc.)?
I think you are confusing a few different items here and not all are correct.
  1. The T2 chip has no association with your iCloud account. They are completely separate. There is nothing on the macOS side (yet) that is the equivalent of the iOS Activation Lock. There is nothing stopping a thief from reinstalling an OS (via USB, if previously enabled, or Internet Recovery, which is always available.) (DEP locked machines are close, but not the same.)
  2. The cryptographic signature of the O/S is, once again, not associated with the user, but with the machine. When the macOS is first installed, the T2 machine will reach out to Apple servers and validate the signature of the O/S installed and validate that it is a valid O/S (depending on the security settings.) Once that is complete, the on-board O/S is signed (I believe using the hardware IDs embedded in the T2 chip). This is only a software signature to ensure that that O/S has not been tampered with since its original installation.
  3. From reading the Apple T2 security white papers, the T2 chip only handles the encryption keys for the APFS volumes, TouchID, and the microphone. Other items (Apple ID, ApplePay numbers, etc.) are stored in the O/S and will be deleted when the O/S is cleared.
  4. FYI, deleting an APFS volume also deletes the volume encryption key in the Secure Enclave. This makes any data on the drive unreadable.
  5. While I can't find any reference on Apple's website anymore, it appears that Apple has previously posted that using the
    Code:
    xartutil --erase-all
    command in Terminal while in the Recovery partition will erase all elements of the Secure Chip. I am not willing to try that, as it will almost certainly make your drive unreadable and require a complete reinstall of the O/S.
For those concerned, deleting the O/S partition (formatting the complete SSD) and a complete reinstall of the O/S (via Recovery Partition or Internet Recovery) should be more than sufficient before selling the computer.

If you haven't seen it, here is Apple's T2 Security overview:
 


Ric Ford

MacInTouch
To my knowledge, you cannot boot into Recovery mode to disable the boot level - if you could, I would consider it to be a major security bug. So, you have to boot to internal drive and set up an admin user account before changing options to allow external booting. In my experience with an iMac Pro (came with macOS 10.13.3, special version), I had to set up a test user account before I could get to the System Preferences to change the Secure Boot (it's all due to T2 chip) options. I had an up-to-date macOS 10.13.3 system on a drive and still could not get it to boot the iMac Pro - had to clone (thanks to Carbon Copy Cloner) the system on the iMac Pro, and then I was successful.
I held down the Option key on power up to no effect, so I went ahead and set up a new user account (without a network and without doing any migration). ... Reconfigured a bunch of stuff. Saw a Target Disk Mode option in Startup Disk, so I rebooted into that, and the usual TDM icon appeared on the monitor. I plugged the Apple Thunderbolt 3-Thunderbolt 2 adapter into the Mini and ran a Thunderbolt 2 cable from that to the MacBook Pro. The Mac Mini internal drive appeared - and was not encrypted.
I tried Option-booting off the Mac Mini drive in Target Disk Mode from two different computers, and it kept telling me my password was wrong, no matter how many times I typed it correctly. I powered off the Mini and rebooted it into macOS, and it accepted that same password just fine. So the Mini will let you look at its unencrypted-by-default internal drive from another Mac (in Target Disk Mode), but it won't let you boot that Mini drive from another Mac.
The admin account you use to change anything in Secure Boot is the account you create during Setup and log in to first. Once you have set up your Mac, you can easily reboot to Recovery and change your Security settings. If you need to change the password for any reason, you do it in the OS. There is not any super-secret account necessary. (In fact, any admin account that has been granted a Secure Token by the OS should be able to make changes to the security settings. You just need to grant access.)
  • The T2 chip has no association with your iCloud account. They are completely separate. There is nothing on the macOS side (yet) that is the equivalent of the iOS Activation Lock. There is nothing stopping a thief from reinstalling an OS (via USB, if previously enabled, or Internet Recovery, which is always available.) (DEP locked machines are close, but not the same.)
  • The cryptographic signature of the O/S is, once again, not associated with the user, but with the machine. When the macOS is first installed, the T2 machine will reach out to Apple servers and validate the signature of the O/S installed and validate that it is a valid O/S (depending on the security settings.) Once that is complete, the on-board O/S is signed (I believe using the hardware IDs embedded in the T2 chip). This is only a software signature to ensure that that O/S has not been tampered with since its original installation.
  • From reading the Apple T2 security white papers, the T2 chip only handles the encryption keys for the APFS volumes, TouchID, and the microphone. Other items (Apple ID, ApplePay numbers, etc,) are stored in the O/S and will be deleted when the O/S is cleared....
... deleting the O/S partition (formatting the complete SSD) and a complete reinstall of the O/S (via Recovery Partition or Internet Recovery) should be more than sufficient before selling the computer.
Thanks for the notes, Rob. If I understand correctly, you're saying that a customer who purchases a new Mac with a T2 chip can (with some effort) avoid entering an Apple ID/iCloud ID but still needs to enter an 'admin' username and password before the computer is usable (since it cannot be booted from an external drive prior to this process), but is otherwise not associated with a particular individual or any of their credentials.

And, if I'm understanding correctly, you're saying that Recovery mode will allow you to erase the internal Apple SSD completely, which will erase the admin username and password from the Secure Enclave and leave no trace of the customer's identity or credentials - is that correct?

Lastly, since setting up a T2-based MacBook Pro also involves entering fingerprints, are those also erased by reformatting the drive in Recovery Mode?
 


cryptographically identified/associated with an individual customer
Will a T2 Mac boot into macOS Recovery (access to the internal(s) via Internet Recovery?) before being "blessed" in that way?
What's confusing...
The two points of confusion were confusing enough before the T2 Apple came along (and spoiled the whole bunch?)!

I'm going to have to mull this over (perhaps over some non-Apple cider) over the weekend.
 


Ric Ford

MacInTouch
For those concerned, deleting the O/S partition (formatting the complete SSD) and a complete reinstall of the O/S (via Recovery Partition or Internet Recovery) should be more than sufficient before selling the computer.
Does that also force a motherboard replacement?
MIT Information Systems & Technology (kb.mit.edu) said:
Imaging 2018 Macbooks with the T2 chip
If reinstalling the operating system on a T2 mac, it is absolutely necessary to disable the “Secure Boot” feature. If secure boot is enabled when the drive is erased, there will be no way to install a new OS and the system will be entirely unusable until the logic board is replaced.
 


Thanks for the notes. If I understand correctly, you're saying that a customer who purchases a new Mac with a T2 chip can (with some effort) avoid entering an Apple ID/iCloud ID but still needs to enter an 'admin' username and password before the computer is usable (since it cannot be booted from an external drive prior to this process), but is otherwise not associated with a particular individual or any of their credentials.
Yes, and sort of. From a user standpoint, very little has changed about how you set up a Mac, even with the T2 chip. Apple IDs/iCloud are solely an OS function. As far as the "admin" account, there is no T2 embedded admin account or password. That is why, if you boot directly to the Recovery Partition before setting up the O/S, you can't change any of the secure boot settings. What happens is that the first user created during macOS setup is granted something called a Secure Token. This Secure Token grants that specific user two special authorities:
(1) the ability to unlock a FileVault-enabled drive, and
(2) the ability to change the Secure Boot settings.
Users that have a Secure Token are stored in a special "pre-boot" partition on the SSD. That is why they can log in to a FileVault-enabled computer (the pre-boot login screen). (FYI, the first user set up always gets a Secure Token, even if FileVault is not enabled.) When you boot to Recovery, the Secure Boot application is reading this pre-boot environment to determine which users can manipulate Secure Boot settings.

In summary, setting up a T2 Mac will look no different than a non-T2 Mac. There is no special admin to setup. The same first user created in the setup screens is the user that would be used to change any Secure Boot settings.
And, if I'm understanding correctly, you're saying that Recovery mode will allow you to erase the internal Apple SSD completely, which will erase the admin username and password from the Secure Enclave and leave no trace of the customer's identity or credentials - is that correct?
Correct, the "admin" users are stored in the pre-boot volume and would be erased.
Lastly, since setting up a T2-based MacBook Pro also involves entering fingerprints, are those also erased by reformatting the drive in Recovery Mode?
I am not 100% sure on that, but I don't think that is necessary. It is important to remember that the fingerprints are stored as irreversible mathematical data. Also, this data is not readable by the O/S. At the very core level, Touch ID works by comparing the mathematical representation of the current fingerprint to what is stored in the enclave, then TouchID only sends "Approved"/"Denied" back to the O/S.
 



I don't know where that document was developed, but that is wrong. If you completely erase the O/S by erasing the SSD, Internet Recovery works just fine. I have done this several times.
I interpret the mit.edu article as meaning a fully (including the recovery partition) erased SSD. I'm not quite sure how to do that except through an externally booted drive, however.
 


Ric Ford

MacInTouch
I interpret the mit.edu article as meaning a fully (including the recovery partition) erased SSD. I'm not quite sure how to do that except through an externally booted drive, however.
After enabling external booting, that seems easy to do... and a very dangerous trap, if it does require motherboard replacement as a result.
 


I interpret the mit.edu article as meaning a fully (including the recovery partition) erased SSD. I'm not quite sure how to do that except through an externally booted drive, however.
After enabling external booting, that seems easy to do... and a very dangerous trap, if it does require motherboard replacement as a result.
Yes, it is possible to erase the Recovery Partition by booting the Recovery Partition. The Recovery partition actually contains a bootable DMG (basesystem.dmg) that is loaded into RAM and booted. But, even if you erase the Recovery Partition, you can still boot to Internet Recovery (even with max security settings) and run the macOS installer from there. Trust me, I have done it several times, including just last week on my brand new 2018 MacBook Pro.
 

