{"id":33171,"date":"2021-07-19T16:58:18","date_gmt":"2021-07-19T20:58:18","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33171"},"modified":"2021-07-26T15:13:40","modified_gmt":"2021-07-26T19:13:40","slug":"owner-accounts-on-m1-macs","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/07\/19\/owner-accounts-on-m1-macs\/","title":{"rendered":"Owner Accounts on M1 Macs"},"content":{"rendered":"<p><a href=\"https:\/\/eclecticlight.co\/2021\/07\/18\/last-week-on-my-mac-the-perils-of-m1-ownership\/\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2021\/07\/18\/last-week-on-my-mac-the-perils-of-m1-ownership\/\">\n<p>In the next few days those using M1 Macs will be updating to Big Sur 11.5, blissfully ignorant of how, as an admin user, their Mac could refuse to update. Because now, in addition to regular users, admin users and root, there&rsquo;s another class of admin user: the Owner.<\/p>\n<p>[&#8230;]<\/p>\n<p>If you install a second operating system, on internal or external storage, the Owner needs to agree to hand over Ownership to users of that second system. And that&rsquo;s where problems can occur, with a combination of puzzlement and frustration. 
Last week, when trying to perform a macOS update on a second operating system on my M1 Mac mini, I only succeeded at the third attempt, after a total of five hours.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/12\/22\/booting-an-m1-mac-from-an-external-disk\/\">Booting an M1 Mac From an External Disk<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/12\/08\/reviving-or-restoring-a-mac-with-apple-silicon\/\">Reviving or Restoring a Mac With Apple Silicon<\/a><\/li>\n<\/ul>\n\n<p id=\"owner-accounts-on-m1-macs-update-2021-07-26\">Update (2021-07-26): <a href=\"https:\/\/eclecticlight.co\/2021\/07\/21\/owners-and-users-primary-and-secondary-systems-on-m1-macs\/\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2021\/07\/21\/owners-and-users-primary-and-secondary-systems-on-m1-macs\/\">\n<p>So during this creation of the default state, the OIK, the private half of a public-private key pair, is generated and stored in the Secure Enclave. Also created is a new User Identity Key (UIK) for Activation Lock. This is sent to Apple for certification, where it&rsquo;s checked to see if it&rsquo;s associated with a lost Mac using the Find My Mac service. If it is, then certification is refused and that attempt to set that Mac up fails. If the UIK is certificated successfully, then that User Identity Certificate (ucrt) is used to sign in RemotePolicies, which provide constraints for LocalPolicies.<\/p>\n<p>[&#8230;]<\/p>\n<p>Creating and maintaining LocalPolicies requires a user to have access to the private OIK in the Secure Enclave, making that user an Owner. 
Apple states: &ldquo;Access to the Owner Identity Key (OIK) is referred to as &ldquo;Ownership.&rdquo; Ownership is required to allow users to resign the LocalPolicy after making policy or software changes.&rdquo;<\/p>\n<p>[&#8230;]<\/p>\n<p>M1 Macs always start their boot process from their internal storage, even when they&rsquo;re then going to boot from a second operating system stored elsewhere. To be able to boot from that second OS, it requires a LocalPolicy with an OIC attached, and Ownership has to be handed off to an Install User created when that OS is installed.<\/p>\n<p>[&#8230;]<\/p>\n<p>Handing off Ownership to the Install User is more of a problem, as users are only created once the installation is complete. To accommodate that, macOS offers to copy a user from the current boot system as the Install User, and the primary admin user, on the second OS.<\/p>\n<\/blockquote>\n<p>He notes that the process doesn&rsquo;t &ldquo;always work as expected, particularly when using beta releases,&rdquo; and that there is &ldquo;no way to identify Owners or Install Users.&rdquo;<\/p>","protected":false},"excerpt":{"rendered":"<p>Howard Oakley: In the next few days those using M1 Macs will be updating to Big Sur 11.5, blissfully ignorant of how, as an admin user, their Mac could refuse to update. Because now, in addition to regular users, admin users and root, there&rsquo;s another class of admin user: the Owner. 
[&#8230;] If you install [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-07-19T20:58:21Z","apple_news_api_id":"56e0315d-c96b-4a77-b9c0-e9f7359f3603","apple_news_api_modified_at":"2021-07-26T19:13:45Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/AVuAxXclrSne5wOn3NZ82Aw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2014,30,1891,1608,2087],"class_list":["post-33171","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-m1","tag-mac","tag-macos-11-0","tag-secure-boot","tag-software-update"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=33171"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33171\/revisions"}],"predecessor-version":[{"id":33225,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33171\/revisions\/33225"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=33171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=33171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=33171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}