Monday, July 19, 2021

Owner Accounts on M1 Macs

Howard Oakley:

In the next few days those using M1 Macs will be updating to Big Sur 11.5, blissfully ignorant of how, as an admin user, their Mac could refuse to update. Because now, in addition to regular users, admin users and root, there’s another class of admin user: the Owner.


If you install a second operating system, on internal or external storage, the Owner needs to agree to hand over Ownership to users of that second system. And that’s where problems can occur, with a combination of puzzlement and frustration. Last week, when trying to perform a macOS update on a second operating system on my M1 Mac mini, I only succeeded at the third attempt, after a total of five hours.


Update (2021-07-26): Howard Oakley:

So during this creation of the default state, the OIK, the private half of a public-private key pair, is generated and stored in the Secure Enclave. Also created is a new User Identity Key (UIK) for Activation Lock. This is sent to Apple for certification, where it’s checked to see if it’s associated with a lost Mac using the Find My Mac service. If it is, then certification is refused and that attempt to set that Mac up fails. If the UIK is certificated successfully, then that User Identity Certificate (ucrt) is used to sign in RemotePolicies, which provide constraints for LocalPolicies.


Creating and maintaining LocalPolicies requires a user to have access to the private OIK in the Secure Enclave, making that user an Owner. Apple states: “Access to the Owner Identity Key (OIK) is referred to as “Ownership.” Ownership is required to allow users to resign the LocalPolicy after making policy or software changes.”


M1 Macs always start their boot process from their internal storage, even when they’re then going to boot from a second operating system stored elsewhere. To be able to boot from that second OS, it requires a LocalPolicy with an OIC attached, and Ownership has to be handed off to an Install User created when that OS is installed.


Handing off Ownership to the Install User is more of a problem, as users are only created once the installation is complete. To accommodate that, macOS offers to copy a user from the current boot system as the Install User, and the primary admin user, on the second OS.

He notes that the process doesn’t “always work as expected, particularly when using beta releases,” and that there is “no way to identify Owners or Install Users.”

1 Comment

This raises many questions in my mind.

Did anyone ask for this?

Was anyone outside of Apple actually unhappy with the way secondary installations and updates worked on Intel Macs?

What's the justification for not allowing an administrator account to update the Mac, given the frustration and complexity it brings?

Why does Apple need to keep making the Mac more locked down and difficult to use?
