Dukee130
Level 1 (0 points)

Q: how to secure boot sequence on the latest Mac (Mini)

questions:

1. How to prevent users from changing boot sequence on Mac OS? I assume it would be something like a firmware password.

2. How hard is it to bypass a solution to the first question.

 

thanks

Mac mini, iOS 9.2.1

Posted on Mar 1, 2016 6:39 PM

by lllaass,Apple recommended
lllaass lllaass
Level 10 (188,072 points)
Desktops
A:

This

If you lost or forgot your firmware password - Apple Support

says that on newer Mac (as specified in the article) includes

If you can't remember the firmware password for your Mac, schedule a service appointment with an Apple Retail Store or Apple Authorized Service Provider. Bring your proof of purchase (original receipt or invoice) with you. If you plan to visit an Apple Retail Store, make a reservation (available only in some countries).

Posted on Mar 3, 2016 8:30 PM

Close
Dukee130

Q: how to secure boot sequence on the latest Mac (Mini)

  • All replies
  • Helpful answers

  • by lllaass,Apple recommended

    lllaass lllaass Mar 3, 2016 8:30 PM in response to Dukee130
    Level 10 (188,072 points)
    Desktops
    Mar 3, 2016 8:30 PM in response to Dukee130

    This

    If you lost or forgot your firmware password - Apple Support

    says that on newer Mac (as specified in the article) includes

    If you can't remember the firmware password for your Mac, schedule a service appointment with an Apple Retail Store or Apple Authorized Service Provider. Bring your proof of purchase (original receipt or invoice) with you. If you plan to visit an Apple Retail Store, make a reservation (available only in some countries).

  • by LACAllen,

    LACAllen LACAllen Mar 2, 2016 1:13 AM in response to Dukee130
    Level 5 (4,633 points)
    iCloud
    Mar 2, 2016 1:13 AM in response to Dukee130

    Are you wanting to prevent a boot entirely, or to just limit which disk is used (boot sequence of sorts) to start up from?

     

    Macs don;t have a BIOS dialog that you access like on a non-Mac PC.

     

    Your regular Admin password should protect your mini from having its startup disk changed. If only your account appears on the startup screen, then a non account holder can't get past that screen.

  • by John Lockwood,Apple recommended

    John Lockwood John Lockwood Mar 3, 2016 4:07 PM in response to Dukee130
    Level 6 (9,255 points)
    Servers Enterprise
    Mar 3, 2016 4:07 PM in response to Dukee130

    While requiring a login password and also setting admin functions in System Preferences -> Security & Privacy -> Advanced… would prevent someone changing the boot drive setting it does not prevent someone holding down the Option key when turning on the Mac and then selecting an alternate boot drive.

     

    Open Firmware Password protection does lock the boot drive choice so even the Option key cannot be used to alter it.

     

    See Use a firmware password on your Mac - Apple Support

     

    It locks it to a single choice, it does not allow any alternate choices, it is therefore not like the BIOS setup on PCs where you can set the order of multiple devices and then lock that order.

  • by Dukee130,

    Dukee130 Dukee130 Mar 3, 2016 4:06 PM in response to John Lockwood
    Level 1 (0 points)
    Mar 3, 2016 4:06 PM in response to John Lockwood

    Thank you for your response.

    This answers my 1st question.

    How difficult is it to reset a Firmware password on a Mac?

    On a PC, for example, all one has to do to reset a BIOS password is to perform a BIOS reset which is a matter of opening a computer and pressing a button.

    I have been looking at a Mac alternative as I have an assumption that resetting a firmware password would be more difficult than that.

     

    ta

  • by John Lockwood,

    John Lockwood John Lockwood Mar 3, 2016 5:58 PM in response to Dukee130
    Level 6 (9,255 points)
    Servers Enterprise
    Mar 3, 2016 5:58 PM in response to Dukee130

    Dukee130 wrote:

     

    Thank you for your response.

    This answers my 1st question.

    How difficult is it to reset a Firmware password on a Mac?

    On a PC, for example, all one has to do to reset a BIOS password is to perform a BIOS reset which is a matter of opening a computer and pressing a button.

    I have been looking at a Mac alternative as I have an assumption that resetting a firmware password would be more difficult than that.

     

    ta

     

    Illaass had already replied with an answer on what to do if you forget the Firmware Password.

     

    As a reminder see If you lost or forgot your firmware password - Apple Support

  • by Dukee130,

    Dukee130 Dukee130 Mar 3, 2016 8:29 PM in response to John Lockwood
    Level 1 (0 points)
    Mar 3, 2016 8:29 PM in response to John Lockwood

    thanks, I saw Illaas' reply. My question was if there is a 'back door' password reset, like changing RAM three times or a button somewhere on the motherboard? Official Apple Support pages may not contain this info.

     

    ta

  • by lllaass,

    lllaass lllaass Mar 4, 2016 1:40 AM in response to Dukee130
    Level 10 (188,072 points)
    Desktops
    Mar 4, 2016 1:40 AM in response to Dukee130

    Not for the newer Macs. For the older ones removing a RAM stick did work but things like that for the newer ones do not work. Apple learned that the previous method of firmware password was not at all secure.

  • by John Lockwood,

    John Lockwood John Lockwood Mar 4, 2016 1:50 AM in response to Dukee130
    Level 6 (9,255 points)
    Servers Enterprise
    Mar 4, 2016 1:50 AM in response to Dukee130

    As an addendum to Illaass' reply about Firmware password backdoors, half the current models of Mac have soldered to the logic board memory so not only has this backdoor been closes previously but it is no longer physically possible to remove the memory in any case.