MacBook Air Installation of OS After Erase

Hi KSM012,

We understand you have questions about a prompt you encountered while re-installing Big Sur. Was the computer issued to you by, or is it associated with a school or business?

We know you mentioned you hadn't set up your Apple ID on the Mac, but do you have an Apple ID? If so, have you checked to ensure it wasn't unintentionally associated? Check your Apple ID device list to see where you're signed in

Are you the only user of the Mac? Might someone else have signed in from another user account?

Cheers!

Hi KSM012,

If your Mac has the T2 Security Chip or an Apple silicon chip (M1), it must be activated after you fully erase it. Activation is a system process, and is not linked to your Apple ID. The only exception to that is if Apple servers detect that Find My Mac is enabled, in which case you will need your Apple ID and password in order to prove ownership of the Mac.

For Macs with Apple silicon, activation is required in order to boot macOS. At activation time, your Mac generates two important system keys: the Owner Identity Key (used for Secure Boot), and the User Identity Key (used for Find My Mac and Activation Lock). In order to boot macOS, these keys need to be certified by Apple's signing servers. The process looks something like this:

1. You choose to erase your Mac.
2. Your Mac detects that macOS isn't installed, and generates a new Owner Identity Key (OIK) and User Identity Key (UIK).
3. Your Mac contacts Apple servers, and sends the public portion of the UIK (probably along with the serial number).
4. If the server detects that your Mac still has Find My Mac enabled, it will demand the Apple ID and password of the previous owner (to enforce Activation Lock). If Find My Mac is disabled, or if authentication succeeds, it signs the UIK and returns the User Identity Certificate (ucrt).
5. Your Mac then sends the public portion of the OIK (probably along with the serial number).
6. The server verifies that it already gave you a ucrt. If it did, it signs the OIK and returns the Owner Identity Certificate (OIC). This is critical for your Mac to boot macOS. Your Mac is now successfully activated.
7. When you install macOS, your Mac creates a secure boot policy (the LocalPolicy), and signs it using the OIK. It then attaches the OIC to the secure boot policy.

Once macOS is installed, the secure boot process looks something like this:

1. You power on or restart your Mac.
2. The CPU runs permanent code, known as the Boot ROM (read-only memory).
3. The Boot ROM verifies the Low-Level Bootloader (LLB), and then runs it.
4. LLB verifies and loads the firmware for all of the internal peripherals (trackpad, display, etc).
5. LLB checks the secure boot policy. LLB already trusts Apple's servers, so it can safely trust the Apple-signed OIC attached to the secure boot policy. The secure boot policy is signed using the OIK, which corresponds to the OIC, so LLB can safely trust the entire secure boot policy.
6. LLB verifies and runs iBoot, which boots macOS as specified by the secure boot policy.

If step 5 fails here, your Mac cannot boot macOS, and it has to go to the recoveryOS to diagnose and resolve the issue.

If you're interested in more details regarding the secure boot process, Apple has more info available here:

Boot process for a Mac with Apple silicon - Apple Support

LocalPolicy signing-key creation and management - Apple Support

Regarding Intel-based Macs with the T2 Security Chip, their secure boot process is different, and I'm not entirely sure how activation would correspond to the secure boot process. I think the activation process is mainly there to ensure that the Mac doesn't have Find My Mac enabled. (If it is enabled, Activation Lock would be enforced.)

TL;DR: Activation is required in order for your Mac to start up properly. It also ensures that a stolen Mac cannot be used by a thief.