Author Topic: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare

Offline DieHard

  • Global Moderator
  • Platinum Member
  • *****
  • Posts: 2366
So our ancient hardware has an added benefit that we seldom focus on... and that benefit is that it will never "lock" you out of using it.
You will never have to throw out a G4/G5 desktop because you got it from a yard sale and don't know that person's iCloud info; just boot to USB or FW and enjoy.

OK, as many of you may know, or not know, I have been servicing Apple computers since 1997.  Over the last 2 years, it has become absolutely horrific.  I have had 3 repairs on T2-enabled iMacs in the last 6 months that have gone terribly wrong...

The basic story goes...
1) A user buys a working used Mac and chooses not to load an iCloud account, and the original user forgets to remove the device from their iCloud account; the new user simply enters the machine's account password and uses the Mac every day, Big Sur or newer installed...
2) Then months or even years later, they get a hardware issue... it is repaired, like an HD replacement
3) The Mac starts in "internet recovery mode" with a foreign iCloud email account and the user is baffled, hence activation locked
4) Call Apple and pray, but they usually tell you to track down the original owner... kinda hard since you don't even have a full email address
5) Throw it out or sell it for parts, or e-waste weight, bye bye good Mac desktop

The newer macOS versions will NOT even boot to a USB drive or external hard drive, so no luck there.

If this interests you... read on...
T2 security chip ‘a nightmare for Mac repairers’
https://www.macworld.com/article/674113/t2-security-chip-a-nightmare-for-mac-repairers.html
« Last Edit: December 27, 2022, 03:38:11 PM by DieHard »

Offline Syntho

  • Platinum Member
  • *****
  • Posts: 1325
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #1 on: December 27, 2022, 11:31:08 PM »
Yep. Modern operating systems are too bloated. That was the story 20 years ago too, and by now it's out of control.

Offline IIO

  • Platinum Member
  • *****
  • Posts: 4439
  • just a number
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #2 on: December 28, 2022, 12:02:23 AM »
paying for something which will not be fully in your possession. final stage of capitalism.

same with Tesla cars, they started this shit long ago.
insert arbitrary signature here

Offline FBz

  • Platinum Member
  • *****
  • Posts: 666
  • Fury-Fungus FdB/FBz
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #3 on: December 28, 2022, 06:33:16 PM »
Ahh progress. Always newer, faster, better, ehh? I think I can just barely envision IIO’s dystopian landscape (eyes squinting) and its grungy inhabitants scrounging ‘round for parts to build something other than what they can’t afford, for something that they can actually use… instead.

And what about ye olde Right-to-Repair movement? Didn’t the UK or the EU enact some new legislation covering kitchen appliances, etc.? The movement seems to have quite a long way to go and I believe that Apple is fighting tooth-and-nail against it.

But Apple is trying, right? Of course there’s Apple’s new “Expanding Access to Service and Repairs for Apple Devices” (April 2022). https://support.apple.com/content/dam/edam/applecare/images/en_US/otherassets/programs/Expanding_Access_to_Service_and_Repairs.pdf All should read this for the spin of it.

But have you seen the Apple kit for certain iPhones? https://www.youtube.com/watch?v=MGZZrYccvJc Or this - https://www.youtube.com/watch?v=pW1ZeStpqyw

DieHard, maybe Apple just wants you to become an IRP? [In grade school I remember quite a different definition for “urp”.] Which is sort of the feeling I have about newer Apple stuff and their Corporate behavior(s).

But, there is this (as if possibly helpful for someone with a used T2 machine). https://toolbox.iskysoft.com/mac-data-recovery/apple-m1-chip-vs-t2-security-chip.html I know, no real help there.

Just thinking about when the last time was, when I purchased any new software? Some hardware maybe recently, but that was all pre-owned.

No thanks. I’ll keep as many G4s running here as I can & for as long as I can. And I don’t see any T2s in my (dystopian) future. ::)

Uuuurp!
« Last Edit: December 28, 2022, 06:59:27 PM by FBz »

Offline IIO

  • Platinum Member
  • *****
  • Posts: 4439
  • just a number
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #4 on: December 28, 2022, 08:21:46 PM »
the EU is preparing to make such a law, but most likely there will be exceptions for situations where it is "unavoidable".

don't forget that a T2 chip gives you more "security" on the computer you don't really own, so you can more safely watch soap operas in ultra HD, or whatever the new generation of Apple "users" do with their status symbols.

Quote
DieHard, maybe Apple just wants you to become an IRP?

that.

Offline smilesdavis

  • Platinum Member
  • *****
  • Posts: 740
  • New Member
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #5 on: December 29, 2022, 07:03:54 AM »
Quote
the EU is preparing to make such a law, but most likely there will be exceptions for situations where it is "unavoidable".

don't forget that a T2 chip gives you more "security" on the computer you don't really own, so you can more safely watch soap operas in ultra HD, or whatever the new generation of Apple "users" do with their status symbols.

Quote
DieHard, maybe Apple just wants you to become an IRP?

that.

everything with Apple and any successful software company was always about creating a closed ecosystem to milk your cowstumers.
Looking for: Steinberg Cubase MAC Standard/Score v1-5 & Cubase Audio v1, Cubase Audio v2 for, Cubase Audio v3 for DAE/TDM => complete or in parts

Offline V.Yakob

  • Enthusiast Member
  • ***
  • Posts: 76
  • Mac User
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #6 on: December 30, 2022, 01:32:56 AM »
This is still normal, and these errors and locks are understandable.
At the very beginning there was an unpleasant bug: if an error occurred while restoring macOS on an iMac Pro from Time Machine, the user encountered a problem with a new OS installation.
On computers with the T2 chip, you must enter the local administrator password in the installed OS before erasing the disk in Recovery, but since Time Machine restored only part of macOS, it was no longer possible to enter the password. ;D

I also went down in history with my Mac mini on the M1 chip:

There are 2 accounts on this computer: a local administrator and an Active Directory domain user account.
For secure exchange of credentials, I set up encryption and signing of traffic with "dsconfigad -packetencrypt ssl -packetsign require", but since the domain certificate has an obsolete secure hash algorithm type, I had to add the domain controller certificates to the Keychain for authentication to work.
After updating the OS on the domain controllers, I forgot about this setting. As a result, authentication simply stopped working, and the login worked using a mobile account.
I didn't write down the password for my local administrator account, and of course I forgot it a year later. ::)
I thought I could easily reset the password from the local account in Recovery using "resetpassword". BUT it turned out that on new computers you can't reset the password for only one account; you have to reset it for all of them. And it is not possible to reset the password of a domain account in Recovery, which is understandable.
I was furious. >:(
I had to erase the disk and reinstall the OS.

But I'm glad I've gone this way and now I know about it.
PPC — PM 8100/80, PM 9600/300, PM G3 Minitower (Rev. C), PM G3 B&W (Rev. B), PM G4 Quicksilver (2002), PM G4 MDD (2003), PM G5 (Late 2005).
Intel — Mac mini (mid 2010), iMac 5k (2017), Mac mini (2018).
AppleSilicon — Mac mini (2020), Mac Studio M2 Max + Apple Studio Display.

Offline DieHard

  • Global Moderator
  • Platinum Member
  • *****
  • Posts: 2366
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #7 on: December 30, 2022, 09:36:20 AM »
Quote
There are 2 accounts on this computer: a local administrator and an Active Directory domain user account.
For secure exchange of credentials, I set up encryption and signing of traffic with "dsconfigad -packetencrypt ssl -packetsign require", but since the domain certificate has an obsolete secure hash algorithm type, I had to add the domain controller certificates to the Keychain for authentication to work.
After updating the OS on the domain controllers, I forgot about this setting. As a result, authentication simply stopped working, and the login worked using a mobile account.

Sounds like a nightmare. I will try my hardest not to connect M1 Macs to domain controllers and Active Directory. I have been having a lot of success using virtualization on the client side and using pre-configured drive images with various Windows OS versions on the latest Intel Macs; I know that really is not the best way to go as far as security, but if a client gets compromised the drive image is a single huge file, so a simple "nuke" does the trick.

Now that VirtualBox works with M1 and M2 Macs, I will be going that route if I have to network new Macs; but I greatly appreciate your post. I would definitely have been stumped for a while by what you described about having to add the certificate to the Mac's keychain, but it makes total sense and I may have to go that route someday :(

Offline V.Yakob

  • Enthusiast Member
  • ***
  • Posts: 76
  • Mac User
Re: Apple T2 (Terminator 2 Judgement Day) Desktop Activation Lock Nightmare
« Reply #8 on: December 30, 2022, 11:01:40 AM »
"dsconfigad -packetencrypt ssl -packetsign require" -- By default, when macOS joins Active Directory, this does not turn on automatically for some reason. Therefore, to improve network security, I do it manually.
Certificates of specific domain controllers should be added to the system keychain only if they are of an outdated type, such as SHA1. If the certificate is SHA2, it is enough to add the domain's certificate chain and everything will work fine.
I've been using macOS in AD for 5 years and it works! First there was a Mac mini 2012 (High Sierra - Catalina), and now a Mac mini 2020 (Monterey - Ventura).  8)
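A defender-side check for the binding settings V.Yakob describes (Reply #6 and #8), added here as an example and not code from the thread: it parses `dsconfigad -show` output and flags a Mac whose Active Directory join was left at the defaults instead of `-packetencrypt ssl -packetsign require`. It assumes the `Packet signing = ...` / `Packet encryption = ...` field layout of `dsconfigad -show`; the sample outputs below are constructed.

```shell
# Added example (not from the post). On a real Mac, run:
#   check_ad_hardening "$(dsconfigad -show)" && echo hardened || echo NOT hardened
# Field names follow dsconfigad -show's "Packet signing = ..." and
# "Packet encryption = ..." lines (assumed format).

# Constructed sample output: what a plain join leaves behind (defaults)...
SAMPLE_DEFAULT='Active Directory Domain          = example.corp
Computer Account                 = mac-mini-2020$
Packet signing                   = allow
Packet encryption                = allow'

# ...and after "dsconfigad -packetencrypt ssl -packetsign require".
SAMPLE_HARDENED='Active Directory Domain          = example.corp
Computer Account                 = mac-mini-2020$
Packet signing                   = require
Packet encryption                = ssl'

# ad_field NAME OUTPUT: print the value after "=" for the named field.
ad_field() {
    printf '%s\n' "$2" | sed -n "s/^$1 *= *//p" | head -n 1
}

# check_ad_hardening OUTPUT: succeed (exit 0) only when signing is
# mandatory and LDAP traffic is encrypted with SSL/TLS; fail otherwise,
# so it can drive a compliance script or a monitoring alert.
check_ad_hardening() {
    ad_sign=$(ad_field "Packet signing" "$1")
    ad_enc=$(ad_field "Packet encryption" "$1")
    [ "$ad_sign" = "require" ] && [ "$ad_enc" = "ssl" ]
}
```

If the check fails, re-run the bind options from the post and, for domain controllers still presenting SHA-1 certificates, add their certificates to the System keychain as V.Yakob describes.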