hoakley July 18, 2021 Macs, Technology

Last Week on My Mac: The perils of M1 Ownership

In the next few days those using M1 Macs will be updating to Big Sur 11.5, blissfully ignorant of how, as an admin user, their Mac could refuse to update. Because now, in addition to regular users, admin users and root, there’s another class of admin user: the Owner. Let me explain.

According to the small print in Apple’s Platform Security Guide, when you set up a new M1 Mac, or set one up after restoring it in DFU mode, the primary admin account created is special: it’s the Owner account of that Mac. During that inital setup, the Mac sends a request to Apple for that Mac’s signed Owner Identity Certificate (OIC). This is based on a private key generated in the Secure Enclave known as the Owner Identity Key (OIK).

Each M1 Mac has just a single OIK, and access to that is confined to that primary admin user of the internal SSD, who is thus its Owner. If your M1 is configured with a single macOS boot volume group on its internal SSD, never boots from an external disk, and has no other admin users – a vanilla system – then that’s all transparent.

If you install a second operating system, on internal or external storage, the Owner needs to agree to hand over Ownership to users of that second system. And that’s where problems can occur, with a combination of puzzlement and frustration. Last week, when trying to perform a macOS update on a second operating system on my M1 Mac mini, I only succeeded at the third attempt, after a total of five hours.

On an Intel Mac, there’s little to the installation and use of second operating systems: format the disk, run the installer, and by the end of the process you can switch readily between the two, logging in as an appropriate user on the system of your choice. For the M1’s Secure Boot, each bootable volume group needs a signed LocalPolicy which defines security policy for that system, and an Install User authorised by the Owner. When you run a macOS installer from the Owner account on internal storage, you’re normally invited to copy that Owner account to the second system, to become its primary admin user. If you agree to that, you’re prompted to enter the Owner’s password so their OIK can be accessed from the Secure Enclave.

When this works properly, it’s almost transparent to the Owner, and Ownership is handed over securely to the primary admin user of the second system. What happens, though, when a second admin user is created on that second system?

Because that second admin user has full admin rights, you’d expect them to be able to download and install macOS updates. What should happen before they’re installed is that macOS should ask for the primary admin user’s password, and installation should proceed. But it doesn’t always work that way. Depending on the version of iBoot installed, and which way the wind’s blowing, one of two failures can occur:

macOS may be unable to identify the Owner or primary admin user for that second system, and display an error alert reporting that the system has no Owner, so refusing to even download the update.
macOS may proceed to download and install the update, apparently as normal, but at the final stage it gets cold feet and reverts to the previous version of macOS installed. In other words, the update proceeds right up to the last moments, then aborts.

Having experienced both of these several times now, I’ve been unable to find any information provided by Apple (or anyone else) which explains what’s going on, what the errors mean, or how to address them. It’s only by wading through Apple’s Platform Security Guide, guesswork and experiment that I think I’ve realised what’s going on, and even then I stand by to be corrected by someone who really does know what they’re doing.

If you want to try duplicating these problems, here’s what I suggest:

Take a standard M1 Mac with macOS 11.4 installed in vanilla form on its internal SSD.
Install Monterey Public Beta 3 on an external SSD, to update the Mac’s firmware to something more recent than that accompanying 11.4.
Connect (or create) an external SSD with macOS 11.3.1 installed on it, with just the primary admin user configured.
Boot from 11.3.1, create a second admin user, and restart, logging into 11.3.1 using the second admin account.
Try installing the waiting macOS update to 11.4 (or 11.5 when available).

These may seem elaborate and esoteric, but in the next few months we’re all expecting Apple to release more Apple Silicon Macs aimed well above the lower end of the market, where users often live more adventurous lives and have Macs which are far from vanilla. Yet as far as I can see, none of these subtleties are documented for those more advanced users. That’s something I’ll be trying to put right in the coming week.

48Comments

Add yours

1

Bryan Christianson on July 18, 2021 at 7:39 am

Thanks for this Howard. So sorry you have had all these difficulties. I was running into similar problems a few months back and just gave up. I no longer have any bootable external media attached to the machine, and am making do with 3 boot volumes on the internal drive. These being 11.4, 11.5-beta and 12.0-beta. I’ll retry the external volumes at some point but for now the only external volumes I am using are for backups.

LikeLiked by 1 person
- 2
  
  hoakley on July 18, 2021 at 8:05 am
  
  Thank you, Bryan.
  I’m not sorry – it’s only through this type of testing that we discover what’s actually happening in Macs and macOS! I’m very happy with my external bootable disks, and getting happier still now that I’m starting to understand them and what appeared to bugs rather than features. These days, it’s so difficult to tell.
  Howard.
  
  LikeLike
3

hstriepe on July 18, 2021 at 12:03 pm

The Primary Owner also shows up during the Recovery Restore of an M1 system using Apple Configurator 2 for a complete wipe. Rebooting the Mac after the restore you will be presented with an Activation Dialog pointing to the AppleID of the owner. You have to log into iCloud or your Mac will remain locked from use!
I suspect to avoid this you have to sign out that Mac from “Find My Mac,” but I am not sure

LikeLiked by 1 person
- 4
  
  hoakley on July 18, 2021 at 10:34 pm
  
  Thank you. Yes, as I remarked above activation is part of the behaviour following a full restore in DFU mode (but not a refresh).
  I suspect that the Apple ID isn’t derived from the contents of the Secure Enclave, but is returned by Apple’s server, which in turn depends on the Find My status of that Mac.
  Howard.
  
  LikeLike
- 5
  
  Wil Nelson on July 18, 2021 at 11:12 pm
  
  Find my Mac instructions indicates that when Removing a device from Find My, Activation Lock is turned off immediately,
  
  LikeLiked by 1 person
  - 6
    
    hoakley on July 19, 2021 at 7:27 am
    
    Thank you.
    I don’t think this is Activation Lock, and the description in the Platform Security Guide doesn’t make that link. For example, if your boot disk is at reduced security, Activation Lock is disabled, yet the effects of a restore in DFU mode are, I believe, just the same. There’s some overlap, but they do appear distinct.
    Howard.
    
    LikeLike
    - 7
      
      Wil Nelson on July 19, 2021 at 9:05 pm
      
      Find my help says Activation lock is turned off.
      
      LikeLiked by 1 person
    - 8
      
      hoakley on July 19, 2021 at 10:38 pm
      
      Thank you.
      Howard.
      
      LikeLike
- 9
  
  hstriepe on July 20, 2021 at 11:26 pm
  
  An additional slight diversion from my Migration Restore: the credit cards in my Wallet were invalidated, but after deleting them the system would not let me set them up again. I did the usual circus routines like log out of iCloud, turn off Software Update Install system data files and security updates, rebooted, did a jig, and turned them back on. Same error.
  After some scratching in one of my dreams (I am not kidding here,) I hit on the only logical answer, part of the storage not in the Secure Enclave was likely in my keychain! I disconnected iCloud Keychain sync and deleted the chain using Keychaing Access. Make sure you use the same password also used for your account by the local system. Then linked up the chain again to iCloud.
  Voila, problem solved!
  I had “Googled” ferociously and not found this hint ANYWHERE including the Apple Support Boards.
  So here you go!
  
  LikeLiked by 1 person
  - 10
    
    hoakley on July 21, 2021 at 7:07 am
    
    Thank you.
    That’s another undocumented issue as far as I’m aware, and new to me too.
    Howard.
    
    LikeLike
11

Performa475 on July 18, 2021 at 1:47 pm

Apple do seem to be making life difficult for those wanting to run macOS on external drives plugged into M1 Macs. I’m still waiting for an update to this ASC thread now that Monterey Beta 3 is available.

https://developer.apple.com/forums/thread/681773

Will I really have to buy a Samsung X5 drive for instance?

LikeLiked by 1 person
- 12
  
  Jeremy on July 18, 2021 at 6:05 pm
  
  Admittedly the Samsung X5 is one of the fastest drives you can get, so at least there’s that going for it. That said, your linked thread mentioned getting a much cheaper T5 to work.
  
  LikeLiked by 1 person
- 13
  
  hoakley on July 18, 2021 at 10:43 pm
  
  No, you don’t need a TB3 SSD. What type of external SSD are you using, and which M1 Mac?
  Howard.
  
  LikeLike
  - 14
    
    Performa475 on July 19, 2021 at 8:27 am
    
    M1 MacBook Pro 16GB/1TB purchased late 2020. SandDisk Extreme Portable SSD Model SDSSDE60-250G connected via the USB-C cable that came with drive. I was able to install and run Monterey beta 1 from the SSD but trying to upgrade and install via a Beta 2 bootable USB stick, I was unable to boot from the device. SDErrorDomain error 108. I haven’t attempt to install the very latest beta to the drive yet.
    
    LikeLiked by 1 person
    - 15
      
      hoakley on July 19, 2021 at 3:15 pm
      
      Thank you. With beta 2, I had to download the full installer and run that from the internal SSD before I could get it to work. It’s a shame you haven’t got an M1 mini, because another potential solution is to connect the disk to one of its USB-A ports instead of USB-C/TB.
      Another trick which might be worth trying is booting into Recovery – which should be in beta 1, of course – and installing from there, either using the Recovery tool or at the command line from an installer in a DMG.
      Howard.
      
      LikeLike
16

Joey Jay on July 18, 2021 at 5:03 pm

You can tell who the pioneers are by the arrows in their backs.

Thank you for spending so much time on this. It is a welcome respite in a time of turbulent transition. But I couldn’t help but chuckle as you attempted to juggle a beta firmware update with beta software and two different versions of macOS 11 on an M1 machine. These stunts should not be attempted without an experienced guide and a safety harness.

LikeLiked by 1 person
- 17
  
  hoakley on July 18, 2021 at 10:47 pm
  
  Thank you. No arrows in my back – it’s a journey of discovery. It is good though once everything is working fine.
  Howard.
  
  LikeLike
18

David Byrum on July 19, 2021 at 3:36 am

Thank you Howard for taking the time to do these investigations and then to explain the outcomes to the rest of us. Your efforts are much appreciated.

LikeLiked by 1 person
- 19
  
  hoakley on July 19, 2021 at 7:27 am
  
  Thank you. There’s more to come later this week, hopefully after we get 11.5.
  Howard.
  
  LikeLike
20

Charles Kenney on July 19, 2021 at 7:17 am

Hmmm. What happens if you boot the machine to the internal SSD fresh out of the box, setup an admin user (tempadmin), make a new admin user, log into the new admin, then delete the first one (tempadmin). Does the 2nd admin become owner?

LikeLiked by 1 person
- 21
  
  hoakley on July 19, 2021 at 7:34 am
  
  Thank you.
  This isn’t something you should try: if macOS were to allow that, then you’d almost certainly render your Mac unbootable and have to restore it. It’s also a very very bad thing to do because of all the user 501 issues which arise whenever the primary admin user account is deleted.
  (Also a reminder for others: M1 Macs only ever boot to their internal SSDs, and can’t boot to anything else, except a second OS which they can only load after booting from the internal storage.)
  Howard.
  
  LikeLike
  - 22
    
    Chuck Kenney on July 19, 2021 at 11:13 pm
    
    It functions. I’ve setup 20+ M1 MacBook Pros this way over the last few months. Now I’m worried about this owner nonsense, though. Even booting to recovery shows the 2nd created admin in Startup Security Utility.
    
    LikeLiked by 1 person
    - 23
      
      hoakley on July 20, 2021 at 4:39 pm
      
      Thank you. All is revealed tomorrow morning. The bottom line is that what you’re doing should work fine, provided that there aren’t problems brought about by something like a beta version of macOS. Having fallen foul of those problems a couple of times now, I wouldn’t choose to do that, but then I tend to use betas, at least in the months prior to each major macOS release.
      Howard.
      
      LikeLike
  - 24
    
    the old green spoon on July 20, 2021 at 3:21 pm
    
    Hello there,
    
    I always create a second account with admin privileges, log-off, log-on with the admin account and set the first account to a non-admin type. System wants a reboot and that’s that. No hiccups.
    I’m doing this because I don’t want my day-to-day account to have admin privileges.
    
    But now, reading all that and understanding half of it, I wonder if what I do is OK or if my day-to-day account should just be admin…
    
    ta-ra
    J
    
    LikeLiked by 1 person
    - 25
      
      hoakley on July 20, 2021 at 4:47 pm
      
      Thank you.
      There’s an excellent ongoing debate as to whether you should create a second account as a regular user, and normally work in that. macOS does tend to assume the 501 primary account is the first admin user, but these days that shouldn’t cause problems. The snag with regular user accounts is that so many basic features, such as access to the log, are denied to them. I gave up long ago, and just work in the default configuration, for a simple life.
      Howard.
      
      LikeLike
26

Pico on July 19, 2021 at 4:31 pm

From my previous investigations, there can be mutliple Owner accounts (if this is the same as “Volume Owner”). From what I can tell, Secure Token holder accounts are 1:1 with Volume Owners. This can be seen when running “diskutil apfs listUsers /”.

I believe even non-admin can be Volume Owners the same way non-admins can be Secure Token olders. But some tasks (such as updates) are reseved only for Admins who are also Volume Owners (and Secure Token holders).

That being said, maybe there in another special layer to the very first user account beyond these “Volume Owners”. It’s hard to know since Apple is not specific and uses slightly different terminology in different places.

LikeLiked by 1 person
- 27
  
  hoakley on July 19, 2021 at 7:27 pm
  
  Thank you, Pico.
  I don’t think that these are the same thing, and APFS volume owners certainly exist on T2 Macs, and I suspect on pre-T2 Intel Macs too. This is about ownership of encryption keys to volumes. The Ownership described in the Platform Security Guide is about M1 Mac Ownership, Secure Boot, and LocalPolicy, which are separate from the file system, as far as I can see. That said, second operating systems are handed ‘local’ ownership by the M1 Owner. This kind of Ownership is independent of encryption too: my external OS are all on unencrypted volumes.
  It’s all terribly confusing when we’ve got a few separate fragments covering Secure Boot and APFS encryption, and nothing coherent to bring them all together.
  Howard.
  
  LikeLike
28

Michael Tsai - Blog - Owner Accounts on M1 Macs on July 19, 2021 at 8:58 pm

[…] Howard Oakley: […]

LikeLike
29

Robin K on July 19, 2021 at 11:54 pm

This may be an oddball question … to what extent might “ownership” affect selling a Mac with an Mx chip down the road? I always have an “admin” ID with admin privileges but wonder if others do. How does the ability to wipe a Mac without deleting the OS play in all of this?

LikeLiked by 1 person
- 30
  
  hoakley on July 20, 2021 at 4:42 pm
  
  Thank you.
  When I come to part with my M1 Macs, what I will do is disable their Find My Mac and Activation Lock, then restore them in DFU mode. They’ll then to all intents and purposes be brand new, with no trace of any of my keys, certificates, passwords, or data. This does require a second Mac, though. Maybe Apple stores will be able to do that as a free service.
  Howard.
  
  LikeLike
  - 31
    
    MattW on July 20, 2021 at 6:07 pm
    
    The mere fact that a 2nd Mac (device/browser) is required to remove activation lock *&* FMM, ensures that a large percentage will not be unlocked. The complexity of the existing system (honestly not all that complex) leaves many unusable devices in the reuse/recycling stream. When people don’t bother to clear a $600 iPhone 11, and haven’t bothered to remove 10 year-old devices from their AppleID account, why would they change behavior now? Historical inertia will continue.
    
    Taking a Mac to the Apple store for pre-sale clean-up will also not happen due to liability. Again, extra trip, proof of ownership…too complex. Garbage can.
    
    LikeLiked by 1 person
    - 32
      
      hoakley on July 20, 2021 at 8:40 pm
      
      Thank you.
      If people can’t even be bothered to do that with a recent Mac or iPhone, then they have money (and a planet) to burn.
      I’m also surprised to learn that in the USA (I presume) electrical and electronic items can’t be put in the “garbage can”. In the UK and much of Europe, they have to go for special recycling, and it’s actually easier and better sense to trade them in or recycle them through Apple.
      Howard.
      
      LikeLike
33

Tim R on July 20, 2021 at 1:15 pm

Just wanted to add my data point to the discussion. I created a new volume in the main/only container on my internal SSD, installed Monterey Beta 2 in that container, said “No” when asked to copy over my current/other user accounts but did set up the default admin account using the same Apple ID as my Big Sur install. I just successfully updated that container to Beta 3.

Now whether I’ll be able to update to Big Sur 11.5 or not is another question.

LikeLiked by 1 person
- 34
  
  hoakley on July 20, 2021 at 4:44 pm
  
  Thank you.
  Full detail comes tomorrow, but I think you should be OK. However, Apple advises that for best security you do copy the account over. But you don’t have to.
  Howard.
  
  LikeLike
35

Gilbert P. on July 20, 2021 at 9:33 pm

Does this happen as well;l on MDM managed M1’s?

LikeLiked by 1 person
- 36
  
  hoakley on July 20, 2021 at 10:35 pm
  
  I believe that it does to a certain extent. Further details will be in another article first thing tomorrow, although it doesn’t consider MDM specifically.
  Howard.
  
  LikeLike
37

hstriepe on July 20, 2021 at 11:29 pm

How are owner’s related to iCloud “Find My Mac” AppleIDs? Logically they tend to be the same, but is there a system link?

LikeLiked by 1 person
- 38
  
  hoakley on July 21, 2021 at 7:08 am
  
  Hopefully that becomes a little more clear in today’s more detailed account.
  Howard.
  
  LikeLike
39

Pico on August 13, 2021 at 5:40 am

I thought you may be interested in this good summary of Ownership on Apple Silicon in a new video about Deployment from Apple:

https://developer.apple.com/videos/play/tech-talks/10870/?time=1518

“Mac computers with Apple silicon introduce the concept of ownership.

Ownership can loosely be defined as the user who has first claimed the Mac for configuring it for their use and is not tied to true legal ownership or chain of custody. Ownership in this context defines who is authorized to make changes to the startup security policy for a specific install of macOS. The startup security policy defines the restrictions around which version of macOS can boot on Mac computers with Apple silicon as well as how and if third-party kernel extensions can be loaded and managed.

Ownership is backed by cryptography protected in the Secure Enclave and should really be more of an implementation detail versus a primary consideration for deployment operations.

However, because security policies are specific for each installation of macOS, before you can perform certain installation actions, such as installing an additional copy of macOS, you may be prompted for a current user’s credentials, and more specifically, a current owner’s credentials. You’ll also be prompted for an owner’s credentials before making any changes to the startup security policy for a specific macOS installation in recoveryOS. It’s possible to be an owner but not be an administrator, but certain tasks requiring ownership will check for both. For example, modifying startup security settings requires being both an administrator and an owner.

Installing software updates on Mac computers with Apple silicon also requires owner authentication before the installation can begin, but remember that managed devices also leverage the bootstrap token from MDM.”

LikeLiked by 1 person
- 40
  
  hoakley on August 13, 2021 at 5:49 pm
  
  Thank you.
  That echoes the additional detail in the Platform Security Guide too. Unfortunately neither explains how problems occur, or, more usefully, how they can be overcome.
  Howard.
  
  LikeLike
  - 41
    
    Joey Jay on November 22, 2021 at 7:05 pm
    
    Does this have anything to do with my inability to change security settings on an external startup volume? I get the error “No administrator was found.”
    
    LikeLiked by 1 person
    - 42
      
      hoakley on November 22, 2021 at 7:31 pm
      
      I’m not sure exactly what that problem is. If you’d explain a bit more, I might recognise its cause.
      Assuming you’re using an M1, and you want to access the Startup Security Utility to change the security settings, the best way to do this is to boot from that external disk first, then shut down, and start up in Recovery. When you navigate through to the main menu, Startup Security Utility should then offer you that feature for the external disk.
      This has changed with Monterey, in that Monterey now runs its Recovery from the boot volume which you shut down from just before starting up in Recovery. However, Big Sur doesn’t have that local Recovery, only the Recovery container on the internal SSD. Whichever you’re running, shutting down from the boot disk whose security settings you want to change should bring the correct result.
      That does of course assume that the owner of the external disk has admin privileges, which are required to use Startup Security Utility, I think.
      Howard.
      
      LikeLiked by 1 person
43

Aprivate John for your convenience on October 18, 2021 at 3:15 am

I think Apple is being disengenuous. What has happened is Apple now Owns you device, and only grudgingly releases use rights to those who purchase and Admin Macs.
Apples authentication servers have been know too fail. leaving admins with little recourse.
this ‘security Poli y needs fixing so that on first launch of a new Mac the purchaser can have the legal ownerships rights they thought the were purchasing.
the reason I say this is that there are hundreds of thousands -perhaps millions – of Mac owners who barely remember their passwords, and are just as likely to use a unique day to day primary user (admin) password discrete from their setup password, and absolutely reliant on an apple authentication server in an entirely different country reliant on stable telecommunications to do prev piously simple tasks like doing a fresh install on external drives, 9my Mac Pro has 11 primary boot drives, each with a slightly different mix of operating system and dependant third party software. my M1 is faster, cooler, less power hungry but far my limited in its end use.

LikeLiked by 1 person
- 44
  
  hoakley on October 18, 2021 at 8:13 am
  
  “my Mac Pro has 11 primary boot drives”
  I think that may be a little unusual for a Mac user. Almost everyone I know who needs access to such a range of macOS does so using VMs rather than bootable disks. And you aren’t going to do that with Apple Silicon anyway, as it can’t boot any version of macOS earlier than Big Sur no matter what.
  Howard.
  
  LikeLike
45

Pico on October 27, 2021 at 10:18 pm

Today, Apple has finally added some human understandable information about Volume Ownership to this already existing page: https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web

LikeLiked by 1 person
- 46
  
  hoakley on October 28, 2021 at 11:17 am
  
  Thank you. That confirms what we’d gathered. Hopefully the Platform Security Guide is next in line for updating.
  Howard.
  
  LikeLike
47

A private John on December 9, 2021 at 12:58 pm

It would be extremely useful if Apple provided a pinhole, paper clip option to reset Apple silicon to factory fresh ownership.
Use paper clip when you want to nuke your drive, inclusive of all cryptographic boot keys.
The paper clip pinhole could be hidden from casual sight at the bottom of one of the ports.
This would be a nice and useful re-engineering of history, when a paper clip was all one needed to fix one’s Macintosh.

LikeLiked by 1 person
- 48
  
  hoakley on December 9, 2021 at 6:28 pm
  
  I presume you’re being humorous?
  If you open System Preferences in Monterey, you’ll see a new menu item in the app menu which lets you Erase All Content and Settings, which does exactly what you want, without any need of a paperclip.
  If that’s your idea of “fixing” your Mac, I’m not letting you near any of mine!
  Howard.
  
  LikeLike