Mojave Clean Install (from Apple) Features “Lone Star College” Dialog Box During Setup !??

A re-engineered firmware issue?  Fabulous.  I am unfamiliar with EtreCheck or any diagnostic utilities that might be useful for firmware analysis, but I’m willing to try anything.

Thank you all for the informative replies.  I’m sorry I haven’t answered sooner but yesterday was a long day & today was another 3/4 day of work.

You are all correct — I am the 2nd owner of this mid-2012 MBP.  I bought it on eBay in 2017, soon after reading an article about how extraordinarily useful the 2012s still were— even at 5 years old— because they were the very last MBPs to have all those beautiful legacy ports plus the option to upgrade to a HUGE main hard drive plus replace the DVD with a HUGE 2nd HD.  (I don’t believe in using online storage — in fact, I think the switch to those faster but very tiny hard drives are all part of a CIA plot to make us all, um, never mind.)   Although I didn’t know it until it was delivered, the most beautiful part about this MBP is there was no indication it had ever been “used.”  There were no marks or smudges anywhere, no lint in between the keys, & the battery only had 2 cycles on it.  

As has been pointed out, this MBP must have been one of many sold or leased to Lone Star College for use by faculty members, apparently with an eye toward allowing administrators to keep a very tight rein on their intellectuals.  I looked through my 2017 emails & found my eBay seller, an IT company about 240 miles from LSJ called Global Asset, who work with educational institutions in Texas.  Their website is https://globalassetonline.com.  

This afternoon I did an experiment.  I just happened to have some spare empty external HDs laying around so I did yet another clean install of Mojave onto one of those.  This time, during the initial SETUP I took pictures of the usage agreement.  After typing in my network settings & clicking “Continue,” I was face to face with the text that made me decide to halt the first Mojave install 3 nights ago:  

REMOTE MANAGEMENT

Remote management enables the administrator of “Lone Star College” to set up email and network accounts, install and configure apps, and manage this computer’s settings.  

Underneath this was a large gear icon & then:

“Lone Star College” can automatically configure your computer.

I clicked Continue & got to a page with all this text on it:

Lone Star College

NH OTS

5000 Research Forest Drive

THE WOODLANDS 77381

USA

813-813-6600

Remote management enables the administrator of “Lone Star College” to manage this computer remotely.  

Remote management enables the administrator of “Lone Star College” to set up email and network accounts, install and configure apps, and manage this computer’s settings.

Using remote management the administrator of Lone Star College may disable features, install or remove apps, monitor and restrict your internet traffic and remotely erase this computer.

Learn how the administrator of Lone Star College will specifically manage this computer remotely by using the contact information above.

Are you kidding me?  This has gotta be the reason my MBP was so ridiculously pristine — nobody on the faculty at LSC would agree to touch the thing.  If you worked at Lone Star College would you really agree to all this just to avoid having to pay for your own computer?  Not scary at all.  But I was operating from an external HD so I agreed to those conditions by clicking “OK” & got this:

Contacting enrollment server and configuring your Mac.

After maybe 90 seconds with the clock icon spinning at the bottom this popup appeared:

Unable to connect to the MDM server for your organization.  

Try Again (button)

I clicked “Try Again” twice but got the same popup.

So what have I learned?  Does anyone know what an MDM server is?  

OK, the quick answer to this question is:  If, like me, you are getting frequent notifications telling you that some business or educational institution wants to configure your Mac for you, this means that your device does NOT contain the type of software that allows someone to remotely wipe all your data.  Just keep clicking “Dismiss” whenever that notification box appears, because it cannot hurt you unless you agree to download the installer.  The long answer follows below.

Apologies for being AWOL from my own thread, but I had family in town for 3 days during the 4th of July weekend & my weekdays don’t really belong to me.

Thanks for all of the input on my issue with Lone Star College claiming that it had the right to be in complete control of my 2nd hand (but somehow still virginal) mid-2012 MBP.  I’ve finally had enough time to explore that bold & baseless accusation & here is what I’ve found:

1.)  Laptop theft is a real issue that will always come up in this type of discussion thread.  My MBP was not stolen from Lone Star College or anyone else.  The eBay seller I purchased it from, Global Asset in Dallas, is a completely legitimate enterprise with a perfect reputation.  They have contracts with numerous Texas educational IT departments to (among other services) dispose or broker the resale of retired computers on behalf of the schools they service. 

2.)  I don’t have the option of returning this MBP because it has been laying around my house virtually unused since 2017 (while I waited in vain for my Late 2008 MBP, a gift from my mother, to stop working).  But even if this eBay sale had happened yesterday I’d still be keeping it, because I am not a Power User & this pristine mid-2012 MBP is the newest & best 15” Mac laptop that it is possible to install two 2TB SSDs into — and I’ve done it.

3.)  FYI, A Mac’s firmware is not altered by the kind of Mobile Device Management (MDM) software used by normal businesses or educational institutions to monitor the Macs it distributes to employees or students.  (T2 chip Macs might be different in this regard, but I didn’t investigate.)

4.)  During a clean MacOS Setup process on a used MBP which originally had MDM software installed — if you provide your network info when asked & then allow the MDM to re-download its software, within a few minutes it will have made changes at the root level of your clean new system that gives absolute control of that particular system to some organization’s MDM administrator.  

5.)  However, if you are doing a clean MacOS install on a used MBP which previously had MDM management software installed & you tell the Setup Assistant that you don’t have internet access and if the Setup Assistant accepts that answer, (which it did for me) you have just prevented the automatic install of MDM software.  Voilà!  From that point forward you can blatantly refuse to ever install MDM.  (Note that Apple does not involve itself with MDM software at any time other than during a clean System Setup.  MDM is a product provided to institutions by 3rd party MDM vendors.) 

5a.)  If you’ve been provided a Mac by a business or a school you really won’t have the option to block the install of MDM software — because even if you succeed they’ll immediately make you return the device.  This is referred to as leveraged compliance.

6.)  The main points to know about MDM:  It is not installed by people touching the device.  It is arranged & contracted for prior to anyone taking the shrink wrap off the box.  Using iPads as an example just because it's probably the most typical implementation of MDM software: A school would simply tell Apple “We will be enrolling every one of the 500 iPads on this Apple purchase order into MDM.”  Because Apple already has a record of those 500 iPad serial numbers, they would simply copy them into their Device Enrollment Program (DEP) database.  The MDM vendor would then send Apple an individualized DEP profile with specifications about how the MDM client (the school) wants the 500 iPads to behave when they boot up for the first time.  This DEP profile contains the address of the MDM vendor’s server, which the iPad is forced to contact within seconds of achieving internet access in order to download the specific payloads the school wants to install on the devices.  (“Payloads” mostly refers to apps & textbooks, but the very first payload is the MDM software, which then enables whatever specific behavioral limitations the school wants to impose on the students who use the devices.  i.e. No porn stashes on your school iPads you little twits.) 

---> continued

6a.)  It seems that Apple may have recently changed the name of this enrollment process from DEP to either “Apple School Manager” or “Apple Business Manager” & the processes may be slightly different than outlined here.  But I didn’t bother to nail this down because DEP is the process that would have been assigned to MBPs manufactured until at least 2018.

7.)  Apple does only one small thing that has any long term effect on MDM management:  Apple grants the MDM vendor an APNs certificate that authorizes the vendor to send push notifications to your MBP in perpetuity, based solely on its unique identifiers, which will survive all future MacOS updates or clean installs of the MacOS on your device.  Apple otherwise makes no attempt to supervise or enforce MDM.  If you have successfully prevented automatic MDM install at System Setup as described above, you’re in the clear & the MDM’s pushes are just proof of impotence.

8.)  Two weeks ago, if I had started doing google searches on my particular problem using more generalized search terms than I did at first (leaving out “Lone Star College” for example) I would have learned almost immediately that, other than in cases of actual iPad or laptop theft, the problem faced by the overwhelming majority of people in my situation boiled down to IT departments at businesses & schools neglecting to do their jobs.  When an electronic device ages out of service & is decommissioned, the IT department is supposed to remove its serial number from the list of managed devices on their own MDM databases.  When the ex-spurts fail to perform this basic task it will inevitably create headaches & potential paranoia for the next owner.

9.)  Conclusion.  If some school’s computer is sending you notifications every 3 hours telling you to enroll your MBP—>  feel free to dismiss it, because it’s just a harmless push from a spambot.  By definition, that notification means their software is not yet installed on your machine.  And there is no way they can make you install it (without leverage).  So don’t worry, nobody is going to be remotely wiping all your data.

Most of the technical details cited above are way over my pay grade.  However, this information comes from a very technical 47 minute YouTube video posted by the security firm Black Hat Briefings, who in 2018 announced that they had discovered a security flaw in Apple’s MDM enlistment code.  The video is called “A Deep Dive Into MacOS MDM yadda yadda.”

https://www.youtube.com/watch?v=ku8jZe-MHUU

Ignore the moronic YouTube comments, which are all spam.