Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.

  • lunacolon3@blahaj.zone

    @codemonkeymike@fosstodon.org this is fucking evil. like it's not just inconvenient and greedy, it is blatantly evil.

    codemonkeymike@fosstodon.org
    wrote last edited by
    #79

    @LunaCOLON3 I agree. There really is no excuse for this.

    Even enterprise Chromebooks can be unlocked remotely when they're decommissioned. Apple could do this too. But they won't

    • retrosponge@kind.social

      @codemonkeymike I had someone give me a used iPad last year and they hadn't reset it and the absolute nightmare I had getting it to work.

      They wound up having to trust me with their username and password to log into their account so I could physically deal with it on the device.

      Absolute fucking bullshit.

      codemonkeymike@fosstodon.org
      wrote last edited by
      #80

      @retrosponge yup. It's such crap. Apple... Good hardware killed by shit policy

      • nicolas17@social.treehouse.systems

        @LoneLocust @codemonkeymike in simple terms, to activate a Mac, the T2 chip requires approval from the Apple server, which may say "OK" or it may say "you need to login first".

        lonelocust@mastodon.social
        wrote last edited by
        #81

        @nicolas17 @codemonkeymike OK, that makes a little more sense. I’ve wiped and sold a couple T2 equipped Macs and not had problems, but I can see how that might go wrong (for example, if there was no Internet access while wiping the machine.)

        • codemonkeymike@fosstodon.org

          Another reason to hate #Apple We're seeing more 2018+ MacBook Pro/Air donations — but Apple's T2 chip means even after iCloud sign-out and reset, the firmware stays locked to the original account.

          Without donor contact, these machines are useless. 😞

          I've upcycled ~1,000 older Macs, but T2 era machines will end that. It's controlling, creates e-waste, and will only get worse. #righttorepair matters — Apple couldn't care less.

          richardazia@indieweb.social
          wrote last edited by
          #82

          @codemonkeymike With their growing market share the problem will get worse. I would wipe the drive and install Linux. The challenge is to get wifi to work correctly. I was experimenting but with Intel based Macs, rather than ARM based ones.

            codemonkeymike@fosstodon.org
            wrote last edited by
            #83

            @richardazia but you can't even boot to USB without unlocking it.

            That's the issue. I'd love to install Linux on it. But I can't

            • samuraisakura@mastodon.bsd.cafe

              @codemonkeymike You may need to dump it at the Apple Store for them to recycle it.

              codemonkeymike@fosstodon.org
              wrote last edited by
              #84

              @SamuraiSakura that's super wasteful

              • codemonkeymike@fosstodon.org

                @HitokiriEric @coldclimate but here's the rub for me. Even if a user logs into their iCloud account and removes the device from their account, it still won't release.

                That should be illegal.

                Even enterprise locked Chromebooks can be decommissioned remotely and unlocked.

                There is no reason this can't be done with Apple.

                hitokirieric@defcon.social
                wrote last edited by
                #85

                @codemonkeymike @coldclimate

                Hmm… for the hardware firmware I’d still want to have to unlock it on device rather than having an attack surface/backdoor from the internet to exploit. Apple had the issue a couple years ago with thieves exploiting the remote password change to work around the phone protections.

                But I get how it sucks for this use case.

                Like a lot of things, for 99% of users who don’t care they should default to a version that’s secure from most thieves but not totally secure from government and then let the users who really care opt in to the stronger lockdown mode.

                • miked1112@fosstodon.org

                  @codemonkeymike Suspect you are talking about two different things. For a machine owned by an end user, removing the iCloud account and performing a factory reset absolutely makes that Mac available for activation and use by a new user, T2 or no. However, if the device is owned by the end user’s school or employer and enrolled by that organization to their device management, they would have to unenroll it.

                  codemonkeymike@fosstodon.org
                  wrote last edited by
                  #86

                  @miked1112 nope. I've seen this personally too. Where I had a T2 Mac mini. I signed out of iCloud, deleted it from my account, and reformatted the machine.

                  I gave it to a friend, who wanted to open the boot security to install Linux but needed my Apple password to it.

                  I've had people donate to me with the same issues. It's crap.

                  If someone deletes the device from their iCloud account, you should be able to unlock the bootloader. Google does this easily with Chromebooks

                    ben@social.benjaminturner.me
                    wrote last edited by
                    #87

                    @codemonkeymike @SamuraiSakura Apple skips right over Reduce & Reuse. The order is important.

                    • aaron@social.aaroncrocco.com

                      @codemonkeymike @bigzaphod Doesn’t Apple have a program that will remove activation lock if you can prove provenance of the device?

                      TBH it’s also poor educating of the donors on Apple’s part that this step must be done prior to donating.

                      codemonkeymike@fosstodon.org
                      wrote last edited by
                      #88

                      @Aaron @bigzaphod it was donated 3rd party. How am I to prove it?

                      Also, I'd bet you this device is absolutely removed from their iCloud account. Yet remains locked on device.

                      It's purposely confusing and hard to get around. They could make this better right now. But they won't

                        codemonkeymike@fosstodon.org
                        wrote last edited by
                        #89

                        @ben @SamuraiSakura exactly.

                          codemonkeymike@fosstodon.org
                          wrote last edited by
                          #90

                          @ben @SamuraiSakura and you know if you have Apple recycle it. All they're going to do is shred it and reclaim a bit of metal from it. Then do a victory lap about how awesome they are.

                          Meanwhile how much energy went into reclaiming that tiny bit of metal?

                          • amsomniac@mastodon.mit.edu

                            @codemonkeymike yikes. I was just reading about imjtool and fighting edl qualcomm and some of the tools might help with T2?? I hate this shit

                            ishaderdevicemgr@mastodon.social
                            wrote last edited by
                            #91

                            @amsomniac @codemonkeymike
                            Nah, those are specific to AOSP and Qualcomm devices respectively, T2 is a much different beast. There are some workarounds I've seen using checkm8 to trick bridgeOS into believing it's activated, but those are not truly permanent since machine identity and activation lock is tied to the ECID which is burned into the chip itself, and can't be changed.

                              ben@social.benjaminturner.me
                              wrote last edited by
                              #92

                              @codemonkeymike @SamuraiSakura gotta get ready for another Mother Earth keynote appearance

                                codemonkeymike@fosstodon.org
                                wrote last edited by
                                #93

                                @HitokiriEric @coldclimate yeah. I mean look. You can unsolder the T2 chip and reprogram it etc. Motivated thieves can still do it.

                                But was this when a problem? I really don't think it was.

                                Again. Look at Chromebooks. They have a firmware level lock too that can't be hacked. And yet it can be decommissioned remotely when the org releases it.

                                You're telling me Apple couldn't do this?! For regular users? It's a racket

                                • dalias@hachyderm.io

                                  @oscherler @codemonkeymike IME Android tablets don't even have serious bootloader locking, unlike phones. You can basically do whatever with them.

                                  ishaderdevicemgr@mastodon.social
                                  wrote last edited by
                                  #94

                                  @dalias @oscherler @codemonkeymike
                                  Well, you're still probably getting dropped in EL1, so you're not truly free. The freest device you can buy is a used Chromebook, as they use Coreboot, so you can just compile and flash your own firmware. Thanks to the weird CR50 TPM thingy, if you've got a SuzyQAble, you can even get RW access to the AP firmware and a serial console without having to open the device, provided you run a command and assert your presence (once) with timed power button presses

                                    hitokirieric@defcon.social
                                    wrote last edited by
                                    #95

                                    @codemonkeymike @coldclimate Well. When that generation of laptops was new, that was a big feature that Apple was selling hard on. They kept trying to lock them down more and more to attempt to be as secure as possible by default and were so proud of how hard it was to defeat.

                                    I’m not saying they couldn’t do better and better consider different choices to improve the balance for different types of users. Which they have done since then.

                                    I’m just saying that back then, the discussion was all about making them as secure as they could think to make them and that’s what they optimized for. It’s not a surprise they went too far back then when that was top of mind for them.

                                      ben@social.benjaminturner.me
                                      wrote last edited by
                                      #96

                                      @miked1112 @codemonkeymike you have to specifically remove the iCloud account using these steps, logging out of iCloud and resetting the device is not enough. it's a (purposely?) confusing end user experience. https://support.apple.com/en-us/102773

                                        hitokirieric@defcon.social
                                        wrote last edited by
                                        #97

                                        @codemonkeymike @coldclimate Keep in mind how proud they were of resisting government attempts to access devices and saying that they would design them so that Apple would have no ability to unlock them for governments.

                                        • csgraves@turtleisland.social

                                          @brandonscript @codemonkeymike while they could simply give, don’t know, a certain number of years out of production and, honestly, they call them unsupported, so why not nuke the T2 on these? You know how many Macs I’ve seen that ended up being trashed because of this? It’s entirely irresponsible and yes they ought to be forced to back down a bit. We’re not suggesting that delicate and precious Mac users have their data stolen, nor their computing devices.

                                          brandonscript@appdot.net
                                          wrote last edited by
                                          #98

                                          @csgraves yeah, resetting after a time limit without a claimant would be great. @codemonkeymike
