
activate mac

Hi I have forgotten my Mac Mini M1 password and the mac only boots to the recovery assistant where I can only choose the admin account for which I have forgotten the password. It says Activate Mac at the top of the monitor. I cannot get to any other menus. That is of course unless there are different keystrokes to bring up other menus. I am happy to reinstall but cannot get to any options for this. Selecting the HD from the options merely reboots back to the Activate Mac screen. I am limited by only having the one option which is to put in the password that I have forgotten. Anyone have any ideas?

Mac mini, macOS 11.1

Posted on Aug 3, 2021 1:32 PM


4 replies
Question marked as Best reply

Aug 7, 2021 10:30 AM in response to Encryptor5000

Hi thanks for the answer

If I do a long press to start it loads startup options and I get a screen that says Macintosh HD and Options. If I click the HD button it restarts and goes to the Activate Mac screen. It has my mac account in the middle and a restart button underneath. Top right it has uk keyboard and WiFi. Top left I have startup disk\restart\shutdown and also Erase Mac.

Nothing at the bottom of the screen

If I choose my account it shows the following:

No amount of entries in the password box will bring up any further options. The only option appears to be to put in the correct password or cancel, which goes back to picture 1.

Would the Erase Mac be a way out of this and if so can you link a help page?

Thanks in advance

Aug 8, 2021 5:40 PM in response to HeyTreasure

Hi HeyTreasure,


Thanks for the screenshots. I think I might know what's happening.


Short version:


I think the startup security policy for your Mac got messed up, and it needs your administrator password in order to repair the policy so that your Mac can start up normally.


If you don't know your administrator password, unfortunately you will need to erase your Mac. To do so, go to the top of the screen, and select Recovery Assistant -> Erase Mac. Follow the onscreen instructions to erase your Mac.


You will need an internet connection to reactivate your Mac and reinstall macOS.


These articles might be helpful:


If you can't reset your Mac login password - Apple Support (see the section to erase your Mac)


How to reinstall macOS - Apple Support (CA)



Long version (explanation)


Your Mac uses a special file, called the LocalPolicy, to set and determine the startup security options for when your Mac starts up. In order to modify the LocalPolicy and keep it in a valid state, a special signing key (the Owner Identity Key) must be used. This key can only be unlocked for usage when your administrator password is provided.


I think what happened is that the LocalPolicy got modified improperly, rendering your macOS environment unbootable. Your Mac needs your administrator password to unlock the signing key so that it can repair the LocalPolicy.


There are a couple of ways to render your macOS environment unbootable:


  • Your Mac stores nonces (one time values) inside the M1 chip and the LocalPolicy, to ensure that the current LocalPolicy can't be exploited by an attacker. If you lock your Mac using Find My Mac, the M1 chip removes the nonces, and the LocalPolicy can no longer be verified at startup, making macOS unbootable. To fix this, your Apple ID password is required to prove ownership, and your administrator password is required so that new nonces can be generated and recorded in the LocalPolicy.


  • When a software update occurs, the LocalPolicy must be updated in order to accommodate the new update. This is one reason why your administrator password is required during an update. If an update fails, that may damage the LocalPolicy. If your Mac cannot undo the update, the LocalPolicy will need to be repaired, and macOS will be unbootable.


For more details on the LocalPolicy and the security systems on your Mac, please see Apple's Platform Security document: Apple Platform Security - Apple Support


These particular pages may also be helpful:


Boot process for a Mac with Apple silicon - Apple Support

LocalPolicy signing-key creation and management - Apple Support

Contents of a LocalPolicy file for a Mac with Apple silicon - Apple Support


If you choose to erase your Mac, that will repair the issue, as described below:


M1 Macs have a separate security policy (LocalPolicy) for each copy of macOS installed. When you erase your Mac (which deletes all copies of macOS), the M1 chip destroys the existing LocalPolicy signing key (Owner Identity Key) and creates a new one. You will then be prompted to activate your Mac, so that Apple can provide you with a special certificate (the Owner Identity Certificate) to make any new LocalPolicies valid.


When you reinstall macOS after erasing your Mac, your Mac will use the new LocalPolicy signing key (Owner Identity Key) to create a new security policy on your Mac. By default, the security policy will be set to Full Security.
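An added illustration of the mechanism described in the reply above (not part of the original thread and not Apple's code): a toy Python model of a signed startup policy bound to a nonce held in the chip, showing why a policy cannot be repaired without the administrator password. `ToyChip`, its method names, the result strings and the sample password are all hypothetical, and an HMAC stands in for the real public-key signature made with the Owner Identity Key.

```python
import hashlib, hmac, json, os

def _mac(key: bytes, body: dict) -> str:
    # Assumption: HMAC stands in for the signature made with the Owner Identity Key.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ToyChip:
    """Hypothetical model of the chip-side state described in the reply."""
    def __init__(self, admin_password: str):
        self._salt = os.urandom(16)
        self._pw_hash = self._kdf(admin_password)
        self._owner_key = os.urandom(32)   # signing key, usable only after _unlock()
        self._nonce = None                 # one-time value held inside the chip

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def _unlock(self, password: str) -> bytes:
        if not hmac.compare_digest(self._kdf(password), self._pw_hash):
            raise PermissionError("administrator password needed to unlock the signing key")
        return self._owner_key

    def write_policy(self, settings: dict, password: str) -> dict:
        key = self._unlock(password)       # fails before any state changes
        self._nonce = os.urandom(16)       # fresh nonce replaces the old one
        body = {"settings": settings, "nonce_hash": hashlib.sha256(self._nonce).hexdigest()}
        return {"body": body, "sig": _mac(key, body)}

    def find_my_lock(self) -> None:
        self._nonce = None                 # the lock removes the nonce from the chip

    def check_at_startup(self, policy: dict) -> str:
        # Checking needs no password (a real chip would verify with the public half of the key).
        if not hmac.compare_digest(_mac(self._owner_key, policy["body"]), policy["sig"]):
            return "bad-signature"
        if self._nonce is None or hashlib.sha256(self._nonce).hexdigest() != policy["body"]["nonce_hash"]:
            return "nonce-mismatch"
        return "boot"

def walk_through() -> list:
    chip = ToyChip("correct horse")                      # constructed sample password
    policy = chip.write_policy({"security": "full"}, "correct horse")
    results = [chip.check_at_startup(policy)]            # valid policy
    tampered = {"body": {**policy["body"], "settings": {"security": "changed"}}, "sig": policy["sig"]}
    results.append(chip.check_at_startup(tampered))      # edited without the signing key
    chip.find_my_lock()
    results.append(chip.check_at_startup(policy))        # nonce no longer in the chip
    try:
        chip.write_policy({"security": "full"}, "guess") # repair attempt, wrong password
    except PermissionError:
        results.append("repair-refused")
    results.append(chip.check_at_startup(chip.write_policy({"security": "full"}, "correct horse")))
    return results
```

In this model the third and fourth results correspond to the situation in the thread: the stored policy no longer verifies, and writing a new one is refused until the correct administrator password is supplied.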
