Apple Silicon arm64 Macs (M1) cannot be locked from being reset

pnbahry
New Contributor III

As most of you are aware, the new Apple Silicon arm64 Macs no longer support a Firmware password, and it looks like Apple suggests we use one or both of the following:

• FileVault (encrypts the user's data)
• Recovery password (stops the machine entering recovery mode)

However, setting any of these still allows users to put an M1 into DFU mode, and once in DFU mode the machine can be factory reset. During setup the client can then select "I don't have an internet connection"; the machine will prompt that you need one, but doing this four times bypasses all DEP enrolment.

Has anyone else come across this, and do you have any suggestions for a solution?

At the moment, the only solution I can think of will be for Apple to set:

• Activation Lock, which is only available for iOS
• Stop a DEP-enrolled Silicon device from skipping the internet connection, which is how it is for iOS

I understand that under standard employment, if you alter the security settings on your work-issued device this can result in termination of your employment contract. This area is harder to enforce with students at a school, and maybe a short-term solution for us might be to replace the laptops of students who change security settings on a school-issued laptop with second-hand Intel laptops.


chrisB
Contributor II

There's a new (MDM only) feature called "Recovery Lock".

https://developer.apple.com/documentation/devicemanagement/set_recovery_lock_command


pnbahry
New Contributor III

This can be bypassed if you use DFU to restore the machine.

mainelysteve
Valued Contributor II

"Activation Lock which is only available for iOS"

Not quite. Macs with the T2 chip can utilize activation lock.

I will grant you that the ability to skip ADE is still an issue. Perhaps in its absence you need to use a carrot-and-stick model. Dangle things like learning content access or a less restrictive network policy if you're enrolled versus not. Implement the Recovery Lock that @chrisB mentions in the meantime.

pnbahry
New Contributor III

Activation Lock: I should have mentioned that Activation Lock cannot be set in a PreStage like it can on iOS.

pkleiber
Contributor

Hi @pnbahry,

Can you check out these two articles please:
https://docs.jamf.com/technical-articles/Leveraging_Apples_Activation_Lock_Feature_with_Jamf_Pro.htm...
https://support.apple.com/en-us/HT208987

So, as Apple states in its support article, this should work, or am I missing something?

Also check out this video:
https://www.youtube.com/watch?v=C_JLkLqbpv4

So the idea would be to create an Apple ID for your school and put this account in for the Activation Lock. Not sure if you can script that.

pnbahry
New Contributor III

I have looked into this, and we are unable to set Activation Lock using Jamf Pro (MDM) on a Mac like you can with iOS.

On iOS, in the PreStage you can stop users from setting an Activation Lock, then "Enable Activation Lock on the device (Apple School Manager, Apple Business Manager)".

At the moment Jamf can prevent someone from enabling Activation Lock when they sign in with an Apple ID. MDM can't enable Activation Lock itself.

If you wipe the drive and reinstall using startosinstall with eraseinstall, the Activation Lock screen never comes into play. The Mac boots back to Setup Assistant after reinstalling the OS. Activation Lock stays enabled, as the Mac either didn't need to go through activation again, or activation was treated differently as a result of using startosinstall.

It turns out startosinstall is the exception to the rule. When using startosinstall, the Mac returned directly to Setup Assistant and was able to continue on without prompting for activation.
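Added example, not code from the thread or from Jamf: a small sh inventory check, in the shape of an extension attribute, that reports whether a Mac has Activation Lock enabled and was enrolled through ADE/DEP, so the machines where neither of the controls discussed in this thread applies can be spotted from inventory. It assumes the macOS tools `system_profiler` and `profiles`; the parsing functions take text as an argument so they can be exercised on constructed output.

```shell
#!/bin/sh
# Inventory check for the two controls discussed above (added example, not from the
# thread). Reports whether a Mac has Activation Lock enabled and whether it was
# enrolled via ADE/DEP; exit status 0 only when both are in place.
# Assumptions: macOS, where `system_profiler SPHardwareDataType` prints an
# "Activation Lock Status:" line on T2 and Apple silicon Macs and
# `profiles status -type enrollment` prints an "Enrolled via DEP:" line.

# Pull the value after "Activation Lock Status:" out of system_profiler text.
parse_activation_lock() {
    printf '%s\n' "$1" | awk -F': *' '/Activation Lock Status/ { print $2; exit }'
}

# Pull the value after "Enrolled via DEP:" out of `profiles status` text.
parse_dep_enrollment() {
    printf '%s\n' "$1" | awk -F': *' '/Enrolled via DEP/ { print $2; exit }'
}

# Classify a Mac from the two values; returns 0 only when both controls are present.
# Missing or unrecognised values are reported as Unknown and count as a gap.
evaluate() {
    al="${1:-Unknown}"
    dep="${2:-Unknown}"
    if [ "$al" = "Enabled" ] && [ "$dep" = "Yes" ]; then
        echo "COMPLIANT activation_lock=$al dep_enrolled=$dep"
        return 0
    fi
    echo "GAP activation_lock=$al dep_enrolled=$dep"
    return 1
}

# Live check, run only where the macOS tools exist; elsewhere the parsers can
# still be exercised on constructed text.
if command -v system_profiler >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
    hw="$(system_profiler SPHardwareDataType 2>/dev/null)"
    enr="$(profiles status -type enrollment 2>/dev/null)"
    evaluate "$(parse_activation_lock "$hw")" "$(parse_dep_enrollment "$enr")"
fi
```

A GAP line for a Mac that is neither Activation Locked nor DEP enrolled is exactly the case the thread worries about: nothing would bring it back under management after a DFU restore.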