Screen Sharing / SSH after power fail reboot of Mac mini

I have several Mac mini's and desktop Mac's at work and we had to turn off FileVault and place them in a secure location. In our case, an onsite small data center. They have UPS filtered power and they are configured to Start up automatically after a power failure as well as disabling sleep. They have static IP addresses as well. We have no problems with SSH / ScreenSharing of those Macs. Only a major catastrophe would require physically needing to touch those Mac's in-person.

A drive encrypted with FileVault brings up a login screen but it's not really a login screen, it's a pre-boot authentication screen that looks just like a normal login screen. You have to manually enter the password to unlock the disk and continue booting. It then single signs on at the real login screen. Turning off FileVault gets rid of the pre-boot authentication screen and when rebooted the Mac comes up to the real login screen and the network is connected.

An M1 Mac mini will be a problem because any encrypted Mac will offer the pre-boot authentication. The Intel w/T2 Macs and the M1 Mac's are all encrypted at the factory and will do the pre-boot authentication wether or not you have turned on FileVault. They are always encrypted. When you do turn on FileVault it will merely create a recovery key and inject a new private key into the Secure Enclave. Giving you an extra method to unlock the disk in an emergency scenario using the Recovery Key. But no matter what, that pre-boot authentication is going to occur.

One possible solution for M1 / T2 equipped Macs would be to use a networked KVM. You connect to the KVM device which is attached to the Mac for KB/mouse and screen. There is a DIY RaspberryPI KVM (google it) and that would solve most scenarios except you can't get to the Recovery Mode as you can't hold the power button. You would have to custom wire the Mac to do that and that would void your warranty.

Another solution is MacStadium.com where you can rent Macs in their data center and that would be a better solution. It's what we might end up doing when we can no longer use older Mac mini's.

An Intel based Mac mini without the T2 Security Chip (2014 or prior) can be configured without FileVault encryption enabled. These you can easily SSH / ScreenShare as there won't be any pre-boot authentication login screen because the disk is not encrypted at all and the operating system boots immediately on power up.

Any Intel w/T2 or M1 Mac mini (2018 -> 2020+) will be encrypted at the hardware level with the Secure Enclave chip on the T2 / M1 SoC (System on Chip). The SSD is encrypted at time of manufacturing and the encryption cannot be turned off. When these Macs boot, they require physical access to unlock the disk to boot. There is no automatic login option either. If you enable FileVault you merely add a recovery key. When turning FileVault on or off there is no encryption nor decryption of the drive sectors. The sectors are always encrypted. FileVault gives you an extra recovery option if you forget your password you can still boot with the recovery key and reset your password. The recovery key is stored in iCloud by default.

If FileVault is enabled you can reboot with 'fdesetup authrestart' which is what happens when applying macOS updates, etc. But you need to remember to set that option before the next reboot. So planned reboots mostly. I suppose you might be able to automate setting 'fdesetup authrestart -delayminutes -1" meaning it shouldn't immediately reboot but wait indefinitely until the system does restart. This works, I just tested it out. You can also pass in an '-inputplist' which would be an XML file containing the user and password to use when authrestarting. You could script that and perhaps use Launchd to apply it at every boot. The setting for authrestart is one time only so you need to set it every time you boot to ensure it will work on the next reboot. Doing such a thing has its security risks as you are effectively bypassing the disk being locked at boot.

If you are losing power for upwards of 4 days you should be using a generator and a UPS. The UPS will maintain power until the automatic generator kicks in. If the UPS detects power loss, you can execute scripts to automatically shutdown before the battery runs out and perhaps again, insert the authrestart command for a one time bypass of the disk encryption pre-boot authentication. If the generator kicks in, the shutdown will not occur and the UPS recharges the battery. When / if the generator runs out of fuel and shuts off the UPS keeps things running as long as it can before safely shutting down the system. When power is restored, the authrestart should work if you set things up properly. Crisis management process is to test these things perhaps as often as once or twice a year. Generators require regular maintenance as well. The big ones need frequent oil changes, etc.

The Apple T2 Security Chip is actually a repurposed A10 iPhone SoC processor running a specialized operating system called BridgeOS. It has the same Secure Enclave in all iPhones and iPads. All of these mobile device SoC processors have encrypted file systems that are always encrypted. The M1 is a larger scaled up version of the mobile chip designs. That is why mobile Apps can run on macOS, the processor is almost identical. There's just more cores, RAM and more bandwidth, etc. On Intel w/T2 Mac's the T2 boots first then passes control to the Intel CPU. On M1 Mac's it's all the same chip.

The hardware encryption is, I suppose, an artifact of using the same chip design as the mobile SoC designs. Most of Apple's sales are notebooks not desktops. They sell far more MacBooks than iMacs or Mini's or Mac Pro's.

You would be surprised how much personal information would be useful to malicious bad actors that can be found on any computer. Even if you don't have confidential company documents or defense contractor top secret data. Your keychain might contain sensitive passwords, your browser history can reveal a lot about you as a person. Your autofill data would be potentially useful. Your friends, family, and contacts can definitely be useful. Knowing details about your family and pets might be enough to get past security questions, etc. Having ones identity stolen is a horrible experience and results in a new full time job to combat debt collectors and rebuild your credit and never discarding all the documentation as the troubles can re-occur years later as debt collectors sell their records to others who start over with attempting to recover the debt.

This is a interesting thread as I have a Mac mini (2018) which uses the T2 security chip. If I understood correctly, the following setup might address your issue.

Set up an account that automatically logs in at startup:

Run an Automator application at login (by clicking "+" to add an app):

Use the Automator app to enable screen sharing (in my case this seems to stay enabled) and finally "lock the screen" using the equivalent AppleScript command:

Hope this helps.

The FileVault screen is firmware driven (or maybe a small unencrypted boot partition) and at that point in time you are not on the network, ssh daemon is not running, screen sharing server is not running. You just have enough code running to prompt for the FileVault password.

WinterGlen wrote:

The Mac requires a local user to log in which in the case of a Mac mini being used headless (no monitor), is a total pain! It means a monitor needs to be plugged in, a keyboard and mouse found and then someone to physically log in to an account to enable remote management.

None of this is required. This is how you've configured it.

This appears to be caused by FileVault being active, and there's a workaround to manually restart the machine using:

Then turn off FileVault. If this is a remote machine, then FileVault is fairly pointless anyway. What you need to do instead is better manage your risk of data loss. FileVault is designed for the vast majority of Apple's consumer users who are sitting in front of their devices. If you are doing something extra special, then you'll need extra special ways of doing it.

unplanned reboots.

I didn't mention it above, but you really should have this machine connected to a UPS with some kind of monitoring and notification service. Anything can always break, of course. Nothing is guaranteed. But you can effectively make the most painful of scenarios extremely rarer.

I can't find any information as to the "proper" fix, but the way I see it we currently have two options:

1. Turn off FileVault

2. Setup a dummy user on the machine that has no sensitive data, and set this user to auto-login at startup.

These are effectively the same thing.

Which is the best solution, or is there a better one?

Well that's a big question. What is this computer being used for? There are always lots of options depending on the level of utility required vs. acceptable risk.

It really seems like this should be fixed by Apple!

Apple hasn't broken anything.

In that case, how about using iCloud Drive as an alternative to FileVault?

When working remotely, iCloud Drive downloads can be removed from the machine with the exception of the particular folders needed for the task(s) at hand. Once done, the any downloaded folders could also be removed from the Mac (or saved as an encrypted disk image using the Disk Utility) for extra security. Should the machine be stolen, the AppleID password can be changed via another device to protect against potential data theft.

WinterGlen wrote:

For me, renting remote macs isn’t a viable solution.

This is a user-to-user support forum. In addition to your unique issues, there are any number of people who will find this thread via web searches. We also have a responsibility to those people. For what you have described, renting a remote Mac is absolutely the best solution for the vast majority of people.

I use a single (actually two on separate locations) M1 Mac mini’s for home and light business use usually using chrome Remote Desktop.

Apple has a wide range of great mobile devices that would be ideal for this use case.

UPS’s aren’t a solution either. For example, two weeks ago we were without power for four days so a reboot would have occurred anyway.

James Brickley has already gone into great detail about how UPSes are designed to work. Perhaps the only thing he missed that would be appropriate for the environment you describe are heavily-armed hired henchmen that would regularly strap jerrycans to their backs for the 3 hour off-road motorcycle trip across the dune sea to the black-market fuel depot.

The issue is I work away for weeks at a time, and I use the remote macs to make use of the decent internet at home for doing the tasks I do. It’s more useable to Remote Desktop than try to ftp files on my MacBook!

Perhaps you should start a new thread for your FTP problems. The networking and bandwidth requirements for remote computing far exceed those of even heavy FTP usage. Modern cellular technology exceeds the speed of most home internet services.

You say apple hasn’t broken anything, but it seems ridiculous that neither SSH nor Screen sharing is available at boot!

I guess the only thing one could respond to that point is the obligatory link to Apple Feedback so that hopefully one day in the future, new Macs will come with remote access already enabled and running at boot. I can’t imagine any downside to that.

I take issue with you’re statement of “this is how you’ve configured it”. In actual fact this is how Apple have configured it. Brand new Mac, turn on remote login or screen sharing and this is the behaviour. This is my point.

Apple designs computers for wealthy urban and suburban consumers. If you want to use Apple’s products as secure, encrypted servers for a Mad Max-style Thunderdome, it is your responsibility to cut a deal with the mad genius who runs the power grid so that you have a more reliable power source and/or hire someone to enter a cryptic code on the keyboard within 47 seconds of reboot to prevent automatic release of the neuro-toxin.

I have asked the question about how to be able to do a screen share from boot because apple doesn’t mention this. I don’t see that I’m doing anything particularly “special” really, other than using a headless Mac mini at home. Yes I sometimes screen share remotely but this is via VPN so effectively is as if I’m on the home network.

Let me assure you that what you describe is flat-out unheard-of. The very few people who truly need any setup even remotely (no pun intended) like this use data centres and/or professionally configured setups. Only a tiny fraction of those people use Macs at all.

I guess then the question is, what does FileVault do for us, and what’s the alternative?

Apple doesn’t seem to have a decent marketing page for FileVault. This page is the best I could find. I’m not sure what you mean about an alternative. I’m sure there are plenty of professional and non-Mac alternative data encryption solutions. Nobody ever claimed that Apple devices are the best for all users. People who have unique requirements are not going to be well-served by the mass-market, one-size fits most solutions that Apple specializes in.

It’s a Mac mini or two in a home / office. It has a chance of being stolen yes, but most likely for the value of the machine and not for the “value” of the data on it. The data on it isn’t particularly sensitive but it’s personal just like most peoples computers. Photos for example. It’s “managed” by iCloud so in theory could be remote wiped but this is a fairly pointless feature as it would need to be on a network to do this.

And that brings me back to my first question. So why are you running File Vault at all then? Just turn FileVault off. Turn Automatic Login on, and be done with it. You’ll have to find a local source for jerrycan-bearing henchmen, or as you suggest, maybe ask your wife to turn the power strip back on.

James Brickley wrote:

Another solution is MacStadium.com where you can rent Macs in their data center and that would be a better solution. It's what we might end up doing when we can no longer use older Mac mini's.

Just so you know, MacStadium isn't the only Mac remote server service available.

I confess that I don't see a need to use FileVault myself since macOS provides other methods for encryption. I may be influenced by stories of rightful owners being unable to access their encrypted data.

Of course, I wouldn't want anyone to have access to my financial/tax information or any data which could be used for identity theft.