There comes a time when all good Macs get passed on to a new owner, who could be a close relative or someone you’ve never even met before. How then should you prepare that Mac before parting with it? Even if it’s for one of your children, once it’s someone else’s Mac it passes out of your control. The last thing you want to do is hand over sensitive material, or give someone else access to your iCloud files or tax returns. This article outlines what I recommend for Macs which have seen normal use. If yours has stored classified information or regulated databases, then it may well have stringent legal requirements which override my suggestions – in some cases, these could require total destruction of its internal storage.
Disable Find My Mac and Activation Lock
The first thing I like to do is to turn off Find My Mac, which also removes Activation Lock, and check that the Mac is no longer using that service. This is particularly important for M1 Macs, where that service could prevent the Mac from setting up properly for a new user. Of course these should be disabled when you log the Mac out of iCloud, but I like to check this carefully first.
Apple details the process here.
Back up, migrate or copy files
This is your last chance to recover anything you want from your old Mac: use it wisely. Depending on what is stored on it, you might want to make a clone of its internal storage, run one last backup, migrate from it to another Mac, or just check that you’ve got copies of important files like your old emails.
Although I gather you don’t have to do this any more, I always open one of the iTunes substitutes and deauthorise that Mac. Then I sign out of iCloud, and out of iMessage in the Messages app.
Disable any firmware password
On Intel Macs which have their firmware password set, enter Recovery and disable that. M1 Macs don’t have this feature.
On many Macs, NVRAM can retain private content. Now’s the time to reset it by starting up with the Command, Option, P and R keys held until the Mac restarts a second time. If you’ve got the startup chime enabled, just listen for the second chime, then release the keys and let it start up normally again. Currently, there doesn’t seem to be any way of doing this on an M1 Mac, though.
Unpair any Bluetooth devices you’re not getting rid of
If you’re keeping any paired Bluetooth devices, open the Bluetooth pane and unpair them. If the keyboard and mouse are going with the Mac, then leave them paired for the next user. If you do unpair those, you’ll need to connect them using their charging leads, so they connect through USB.
Apple summarises most of these steps in this article.
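Two of the steps above can be checked from Terminal before you erase the Mac. The script below is an added example, not part of the original article or Apple's instructions: it parses the output of `nvram -p` and `firmwarepasswd -check` and reports anything still set. It assumes that Find My Mac leaves a variable named `fmm-mobileme-token-FMM` in NVRAM; the function names, the `--live` switch and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Pre-handover checks (added example). The parsers read command output on
# stdin, so they work on captured text as well as on the Mac itself.

# Succeeds if `nvram -p` output still holds the Find My Mac token.
# Assumption: the token variable is named fmm-mobileme-token-FMM.
find_my_enabled() {
    grep -q '^fmm-mobileme-token-FMM'
}

# Succeeds if `firmwarepasswd -check` output reports a password (Intel only).
firmware_password_set() {
    grep -q '^Password Enabled:[[:space:]]*Yes'
}

# Prints one line per blocker found in the two captured outputs and
# returns the number of blockers (0 means both checks pass).
handover_blockers() {
    nvram_out=$1
    fw_out=$2
    blockers=0
    if printf '%s\n' "$nvram_out" | find_my_enabled; then
        echo "BLOCKER: Find My Mac token still in NVRAM"
        blockers=$((blockers + 1))
    fi
    if printf '%s\n' "$fw_out" | firmware_password_set; then
        echo "BLOCKER: firmware password still enabled"
        blockers=$((blockers + 1))
    fi
    return "$blockers"
}

# Constructed sample output, not captured from a real Mac.
SAMPLE_NVRAM_ON=$(printf 'SystemAudioVolume\t%%80\nfmm-mobileme-token-FMM\tbplist00%%d1')
SAMPLE_NVRAM_OFF=$(printf 'SystemAudioVolume\t%%80')
SAMPLE_FW_ON='Password Enabled: Yes'
SAMPLE_FW_OFF='Password Enabled: No'

# Live run on the Mac: firmwarepasswd needs root and exists only on Intel Macs.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    fw=""
    command -v firmwarepasswd >/dev/null 2>&1 && fw=$(sudo firmwarepasswd -check)
    handover_blockers "$(nvram -p)" "$fw" && echo "No blockers found"
fi
```

A clean result here covers only these two settings; signing out of iCloud and iMessage and unpairing Bluetooth devices still have to be checked by hand.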
Erase the Mac and install macOS
The last step is the most controversial: wiping the Mac’s internal storage and installing a fresh copy of macOS ready for the next user. Apple’s descriptions are here for Intel Macs, and here for M1 Macs.
The simplest case is dealing with an Intel Mac with an internal hard disk (thus without a T1 or T2 chip). You should start up from another disk – either in remote Recovery if you can spare the time, or by booting from an external disk (not in Recovery) – open Disk Utility, and erase the internal storage completely. If you want peace of mind, you can use one of the secure options to overwrite the disk and make any recovery of its contents even less feasible. Once you’ve done that, install an appropriate version of macOS, and just as that starts the personalisation phase, shut the Mac down. When the new user starts it up, they’ll then resume with personalising macOS for their own use.
When your Mac’s internal storage is an SSD, you don’t want to repeatedly write to it, as that will reduce its working life. So a secure erase isn’t recommended. As most internal SSDs – such as those in Macs with T1 or T2 chips, or M1 Macs – are encrypted, throwing away the encryption key effectively renders their contents inaccessible. Apple’s recommended solution is simply to erase the boot Volume Group (System and Data volumes) using Disk Utility, which should have the same effect. As the internal SSD of Macs with T1 or T2 chips, and M1 Macs, is soldered in and uses Apple Silicon as its disk controller, there is no way for anyone to gain access to your old data, unless they’re a well-funded security agency, perhaps, and even then they’d have a long struggle.
The remaining question is whether it’s worth putting an M1 Mac into DFU mode and restoring its entire internal SSD from an IPSW image, to make it factory fresh for the new user. That would wipe the other two containers, including the whole of recoveryOS, and its iBoot ‘firmware’, in addition to macOS and the Data volume. The only advantage is the security of knowing that everything on that Mac will have been returned to factory defaults. If you have a second Mac with Apple Configurator 2 installed, there’s no harm in doing that for a new user. But it’s hard to see what benefits it really brings, so that’s a matter of personal choice.