An M1 Mac Can’t Boot from an External Drive If Its Internal Drive Is Dead

The linked article by Howard Oakley is a great place to start on that technical journey. I try not to wave my hands and whisper trust me, but I think it gets very technical very quickly, and most of our readers aren’t interested in quite low-level issues.

The basics: Past attacks on firmware through update mechanisms make it a feasible and commonly attempted pathway to bypass hardware and software protections on a Mac’s boot process. Even with signed updates and other secure mechanisms, Thunderbolt and other firmware has been maliciously rewritten in theoretical and in-the-wild cases.

Shifting some of the boot process into the Secure Enclave Processor OS (sepOS)'s Secure Boot system and having some elements on a volume that’s cryptographically locked and validated by the Secure Enclave means that it’s nearly impossible to use firmware as a path in.

The Secure Enclave’s firmware can be updated, and Apple’s revive/restore process described in the article is a way to repair or replace the sepOS and reinvigorate Secure Boot.

Using the SSD to store system security policies for startup volumes provides a secured, specific, and controllable place to store permission that’s volatile (can be rewritten) but isn’t connected to weak firmware. To my understanding of Secure Enclave, the policy can’t be stored in the Secure Enclave and retrieved. However, it can be stored on the internal SSD’s 1TR, and then the Secure Enclave used to validate its authenticity in a very strong, ostensibly unbreakable fashion. (That is, the crypto is good, but someone could find an exploit as always—it’s cryptographically strong.)

That may not sound like enough of a win to you, which is why I included a little speculation in the article. There’s clearly a combination of factors related to architecture, simplicity, security, and technical support cost that together made this new approach the right one for Apple, despite the historic change.

The computer for the rest of us, 1984 - 2020. RIP.

Whenever I have to make the transition to Apple silicon, I’ll miss a simple, reliable Thunderbolt, bootable clone that can boot the Mac even after its internal storage has failed.

3 Likes

I think people really need a reality check. These are SSDs we’re talking about, not hard drives. Unlike HDDs, SSDs have no mechanical parts and very rarely fail, especially not the quality stuff that Apple has been relying on lately.

If on a previous T2 Intel Mac you relied on firmware to provide you with Recovery Mode when something goes sideways, rest assured the M1-based Mac will just as well provide you with 1TR from its internal solid state memory. There is really no reason to panic here.

I’ve been an Apple user since 1978 and a ‘developer’ since 1984, having gone through every model, including 6 Lisas and 10 PB100s. Why? Because computers fail and parts could be swapped and I needed to keep going quickly and work from anywhere. My MBP is a 2010 that runs Catalina and I back up with bootable clones of 2TB disks (Apple has ‘stolen’ iTunes data so no cloud) so I can swap disks into duplicate backup hardware and keep going quickly. I need to upgrade for speed and multiple cores, but can/should I imagine 11 years of convenience and stability with a new machine?

1 Like

But we have read reports from people with dead SSDs. Mostly older SATA-based models that probably have older technology (both in the flash chips and in the wear-leveling algorithms), but there is one other concern - virtual memory.

When an app on a phone consumes all RAM, iOS kills background processes and, if that’s not enough, it kills the foreground app. When an app on a Mac consumes all RAM, it starts swapping. That produces far more writing to storage than occurs in any other scenario. If it happens on a regular basis (perhaps because the Mac doesn’t have enough RAM for the tasks it normally performs) then that could lead to premature SSD failure.

Whether such failure will result in a dead SSD or simply make it read-only is a question we don’t have an answer to yet. If the former, it may require a motherboard replacement. If the latter, then you may be able to switch to an external SSD.

Another question we don’t yet know the answer to is if the flash chips can be replaced by someone with the necessary soldering skills. If the chips are cryptographically linked to the M1 (much like how the flash modules in a Mac Pro are linked to its T2 chip), then dead chips are unreplaceable. If, on the other hand, you can replace them with new chips and run Configurator to re-create the iBoot and 1TR containers, then many independent repair shops will be able to get you back up and running for much less than the cost of a new motherboard. (Assuming, of course, that Apple didn’t design their board around proprietary flash chips that the manufacturer isn’t allowed to sell to anyone else.)

Honestly: would you react the same way if this were not Apple, e.g. let’s say this was Lenovo?

e.g. Lenovo notebooks would not boot from an external drive if the internal drive fails. Lenovo notebooks need to be restored from a 2nd Lenovo computer if a drive partition is overwritten. Albeit: they are more secure though.

I think it’s appropriate that there’d be some consternation about this. At least about how to adapt to future troubleshooting scenarios.

IMO this is a marked deviation from previously, in that, if I had a misadventure, I could boot a Mac from a floppy drive, or a CD-ROM drive. Then, Internet Recovery. My understanding is that Apple never really provided first party tools to easily make bootable clones, but we could install macOS onto an external drive e.g. a thumbdrive, which could at least lead to a computer that could start up.

Apple-provided no-moving-parts parts have failed before: e.g. graphics cards, crackly AirPods, ring-of-death HomePods. Firmware updates on Series 3 watches. I had a backlight failure on a 2017 MacBook Pro. After servicing, the Touch Bar didn’t work until serviced again. The MacBook Pro was out of action for 1.5–2 months, even with a local Apple Store. Although: during a pandemic.

Aside:

Just get another Mac hooked up and use Configurator to clean up the mess and restore the initial setup.

Just get… I’m afraid to ask: do people here use Apple Configurator?

Rebuilt from the ground up, Apple Configurator 2 features a flexible, device-centric design that enables you to configure one or dozens of devices quickly and easily. Simply select a single device or many at once and perform an action.

Ooh, I like. But then… it’s terrible to use. This app is ripe for a replacement with something with more features and that is easier to use. Maybe even soon. Maybe even with Family Sharing ± Screen Time support. Because basic management of multiple Apple devices quickly gets tedious (e.g. system updates).

2 Likes

One thing I’m wondering about.

This seems to imply that in order to give my machine in for service I will need to give them my login password so that the service people can unlock the drive and do any testing needed. Is this the case?

On an Intel machine with filevault activated I can be satisfied that the service tech is unable to access my data (or even know my login password) and doesn’t need it in order to do their work since they can test the machine by booting from an external volume.

But going forward it seems I need to give them the keys to the kingdom. I work in an industry where I have fairly sensitive client data on my laptop and I like being able to keep that data safe from service techs.

Am I misunderstanding the situation? Are there any strategies to mitigate this going forward for when I inevitably do all my work on an Apple Silicon machine?

1 Like

Set up a Guest user account that is visible on boot up that service can log into without a password. I have one set up on my MBA for just such an occasion.

I’m not sure about M1 Macs, but my 2020 MBP requires an administrator account in order to boot into recovery mode.

That’s an interesting question, but I would be shocked if Apple would ever ask for your login password—it would be a huge privacy breach and legal liability. Apple tells users to enable FileVault and make a backup, and that it isn’t liable for lost data. And, of course, Apple never asks for your iPhone or iPad passcode when you send those devices in for repair.

I have to assume that Apple can tell if a device—Mac, iPhone, or iPad—is functional after repair with respect to the problem it came in for without any access to the user’s account and data.

Well… it’s not just Apple that does service. I’ve had keyboard and screen service done locally (at an Apple authorised repair center). But given the need for them to be able to boot the machine and… say… test the keyboard or something… I’m not sure how they could do that without my login credentials (again, assuming I’m not misunderstanding the issue).

I can think of a number of ways to mitigate the access to sensitive data… but the sheer fact of needing to give admin privileges to a service tech. That seems Very Not Good ™ to me.

That said. I can count on one hand the number of times I’ve actually needed to send one of my macbooks in for service over the years. But it does happen and it would be good to understand the situation fully so I can prepare before a problem occurs.

1 Like

If Apple needs to test the keyboard or trackpad, they can just boot what you’ve got and click/type on the authentication screen.

As @ace wrote, Apple doesn’t try to preserve your data. If they feel that a motherboard swap or (back when they were replaceable parts) an SSD swap is necessary, they’ll just do it and return you a computer with a clean macOS installation, telling you to restore/migrate from a backup.

If your problem is something where they need to log in (maybe in order to run software diagnostics), my experience has been that the Genius you talk with will work with you to run some tests, and will probably recommend a motherboard swap if he can’t fix it while you’re there.

I have, on the other hand, seen some third-party repair shops ask for login credentials so they can properly test the results of their repairs. Which is important if you’re repairing a board, since booting to the login screen really won’t be enough to prove that it has been properly fixed.

I would like to think that any reputable shop will be able to work with you if this is not acceptable for some reason (maybe tell you to enable booting from USB so they can boot a shop-disk for testing purposes, while leaving your internal SSD encrypted). But, of course, this will all depend on the policies of the shop and the nature of any required repairs.

Of course, if you require data recovery, then you’re going to have to give them login credentials because they won’t have any other way of getting your data off of the device. But again, a shop may be able to work with you if the data is sensitive (e.g. invite you to the shop to supervise the data recovery process).

1 Like

I wasn’t referencing booting into recovery mode…if hardware needed to be checked or OS reinstalled, service should be able to do that via network boot in store. They definitely could with Intel Macs.

Again, a Guest User account set up in advance by you requires no password entry on the part of service. And when they log out, it’s like they weren’t even there, everything gets restored to as it was before.

The article talks about needing to set the boot device from recoveryOS which is why I went down that route. It would be interesting to see if you can network boot an M1 machine in this situation or if the same security policy applies.

Re: the guest account. I totally see what you’re saying now. Yes, this would definitely work and I’ve activated it on my machine (though it’s not, strictly speaking, needed at this point in time).

Thanks!

Sensitive client (or personal) data should never be stored in cleartext on your machine. One solution in the OS X and macOS space which has served well over many OS versions is use of an encrypted volume to store sensitive data. A simple encrypted volume or FileVault encrypted volume would do the job. The non-FV volume has the advantage of not needing special backup procedures and can reside on internal or external drives. This is what applications such as 1Password do to securely store passwords and other sensitive data.

Note that segregating sensitive data to external drives isolates that data from Apple or other service technicians. This makes Intel/Apple CPU differences moot in most cases. And thus, either macOS boot in a storm will do.

I don’t think Apple does it now, but they have in the past. I took a computer into the Apple Store for a hardware problem, and I was a bit surprised when the Genius asked for a password. If I recall correctly, he did suggest just setting up a test account if I was uncomfortable with providing a password. It didn’t really matter in my case because I had just wiped the drive and reinstalled the OS, so I just gave it to him.

Oh yes, definitely. My volumes are always FileVault encrypted – it’s the only way I would ever let this thing out of my direct eyesight, never mind sent to a repair center.

External drives are also definitely a possibility but it makes working in some of the locations I find myself a bit more difficult (sometimes I need to work on my lap sitting on a stool, for example) so I tend to keep things onboard if at all possible.

1 Like

Exactly my experience as well. This was about 3 years ago, here at the Apple Store in Berkeley.

I’d be fine giving them a guest account or even a fresh admin account. But I would never give them my account. If that were to become necessary, I’d wipe the drive first.

A few weeks ago I went to an Apple Store to have my iPhone battery replaced. The Genius, who was sitting across from me, asked me to type in my password and then change it to one he gave me. I reset it to a new password when I got it back.