Question about remote locking a MacBook and removing the SSD from said MacBook

jmariani
Contributor

If someone were to loose their Mac, and we issue the lock command. We know that device would be locked down and inaccessible.

The question is if someone were to physically remove the SSD from the locked machine and installed it into another machine. Would the EFI still be applied? Would the OS load?

Wondering if any has come across this before. Is there a way to programatically force the user to log in using a FileVault recovery key if they removed the SSD and installed it into a new machine rather than just being prompted for the FileVault password first?

The idea that all an "attacker" would need to do is phish the local account password from the user prior to stealing the machine, remove the SSD, install it into a new machine and they can access all the data doesn't seem too secure to me.

Thoughts? Ideas?

1 REPLY 1

rderewianko
Valued Contributor II

The question is if someone were to physically remove the SSD from the locked machine and installed it into another machine. Would the EFI still be applied? No Would the OS load? Yes it would boot to the OS or filevault if enabled

Newer machines, also have that memory soldered on to the board, which doesn't make it impossible to boot from but a bit harder.
They also include a T2 chip, which interacts with the encryption - https://support.apple.com/en-us/HT208344

Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the Apple T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the chip.

Duo has a great writeup of that encryption here.

That being said, we wipe lost machines, and then have DEP have a workflow to auto enroll with no login just for those machines, with info in the banners saying "THIS MACHINE IS LOST - Phone Number (in the number field)"