Knowing now that on M1 Macs there are not only admin users but also Owners, this article looks in more detail at how Ownership works, particularly in setting the Mac up initially and when installing second operating systems, such as a copy of macOS on an external disk. Apple provides details in its Platform Security Guide, so here I’ll try to explain them, and their problems. There are two situations in which an M1 Mac needs to be set in its default state: when it’s brand new, and when it has been fully erased and restored in DFU mode using Apple Configurator 2.

As Apple explains: “When macOS is first installed in the factory, or when a tethered erase-install is performed, the Mac runs code from temporary restore RAM disk to initialize the default state. During this process, the restore environment creates a new pair of public and private keys which are held in the Secure Enclave. The private key is referred to as the Owner Identity Key (OIK). If any OIK already exists, it’s destroyed as part of this process.”

So during this creation of the default state, the OIK, the private half of a public-private key pair, is generated and stored in the Secure Enclave. Also created is a new User Identity Key (UIK) for Activation Lock. This is sent to Apple for certification, where it’s checked to see if it’s associated with a lost Mac using the Find My Mac service. If it is, then certification is refused and that attempt to set the Mac up fails. If the UIK is certified successfully, then that User Identity Certificate (ucrt) is used to sign RemotePolicies, which provide constraints for LocalPolicies.

The ucrt and OIK are then used to obtain an Owner Identity Certificate from Apple: “When an Activation Lock/ucrt is successfully retrieved, it’s stored in a database on the server side and also returned to the device. After the device has a ucrt, a certification request for the public key which corresponds to the OIK is sent to the Basic Attestation Authority (BAA) server. BAA verifies the OIK certification request using the public key from the ucrt stored in the BAA accessible database. If the BAA can verify the certification, it certifies the public key, returning the Owner Identity Certificate (OIC) which is signed by the BAA and contains the constraints stored in ucrt. The OIC is sent back to the Secure Enclave. From then on, whenever the Secure Enclave signs a new LocalPolicy, it attaches the OIC to the Image4.”

At the end of these processes, the Mac has an OIC, kept in the Secure Enclave, which is attached to all LocalPolicies for that Mac; a private OIK, also kept in the Secure Enclave; RemotePolicies, which are signed into the ucrt; and a UIK for Activation Lock.

Creating and maintaining LocalPolicies requires a user to have access to the private OIK in the Secure Enclave, making that user an Owner. Apple states: “Access to the Owner Identity Key (OIK) is referred to as “Ownership.” Ownership is required to allow users to resign the LocalPolicy after making policy or software changes.” Any user with access to the OIK is therefore an Owner.

Which is also available as a downloadable PDF: SettingM1Mac1