Addendum to The Demise of Firmware Passwords on M1 Macs

Shortly after posting The Demise of Firmware Passwords on M1 Macs, in which I at least in part agreed with Apple’s assessment of FileVault being an equivalent level of security (so long as your users aren’t admins), someone commented on the fact that hidden in the menu bar of the Recovery Assistant is an Erase Mac option!

From there, all it takes is a couple of extra clicks to begin erasing the entire system, including the main OS.

From an admin standpoint, this is very, very bad… While your M1 Mac data may not be at risk of being exfiltrated or recovered, this means that Mac admins unequivocally do not have any greater control over the Mac hardware we purchase, deploy, and manage than anyone (literally anyone) who happens to be in physical possession of the hardware.

3 comments

  1. Rick Davis · April 1

    Does this mean that the AppleID or MDM/DEP then kicks in and only allows them to reinstall or reconfigure according to the prior AppleID MDM/DEP configuration? Or does the “possession is 9/10ths of the law” premise take over and they can do whatever they want?


    • apizz · April 1

      I haven’t gotten that far, but I have to imagine the AppleID or MDM/DEP kicks in (so long as it has an Internet connection)


  2. Pingback: The Return of the Firmware Password on M1 Macs in macOS Monterey | apizz
