Thursday, January 21, 2021

Notes on Activation Lock: Apple Silicon Management Challenges

Nathaniel Strauss:

EFI (Extensible Firmware Interface) no longer exists on Apple silicon and along with it has gone EFI passwords. In the past, EFI passwords secured recovery and prevented Macs from using most boot modifiers at startup. A user couldn’t enter recovery, do a PRAM reset, enter target disk mode or perform a whole host of other useful functions without first entering a password.

[…]

Minor differences until point number three. To emphasize, anyone with physical access can erase the disk, with or without FileVault. Sure, they can’t boot to recoveryOS without entering a FileVault user’s password first, but the erase option exists before authentication.

[…]

Activation Lock would work well as an enterprise alternative to EFI passwords except for the fact MDM can’t enable it on Mac.
