Why is my Mac trying to force me to enroll with Expedia Group upon installation? (apple.stackexchange.com)
114 points by josephcsible on Dec 21, 2023 | hide | past | favorite | 73 comments



We have some poor soul in Puerto Rico who has a MacBook Pro that is tied to our MDM system and, for whatever reason, it cannot be removed.

The closest we can tell is that he sent his MBP off to Apple for repair and they swapped the logic board with a refurb unit that was swapped from one of our machines. There is some internal tool that rewrites the serial number and apparently nobody ever overwrote the serial number on the removed unit.

So anyway, there are two legitimate MBPs out there with the same serial number, although ours is probably decommissioned by now (I believe it was a 2015).

Was a funny journey figuring out what the hell was going on, though.


> There is some internal tool that rewrites the serial number and apparently nobody ever overwrote the serial number on the removed unit.

How could that be possible?

Apple's internal systems won't allow a second motherboard/computer with the same serial to even pass the post-repair diagnosis.


Yeah, I disagree with that as well. Here is a much simpler story:

When you install a blank motherboard, you need to key in the desired serial number. If you make a mistake, you are supposed to ask Apple to re-ship a blank and you take an oopsie on your record.

Someone did the oopsie, but it validated so they either never noticed or didn't feel the need to call it in.


> When you install a blank motherboard, you need to key in the desired serial number. If you make a mistake, you are supposed to ask apple to re-ship a blank

Why is "you made a typo entering a serial number, so we're going to hard brick an expensive component" legal, especially in an age where politicians say they care about the environment?


Probably because it's write once memory? (and tied into Apple validating the serial on activation for theft prevention).

It's a repair process presumably done by a certified professional who should know there is no margin for error. I really can't imagine this kind of error causing more damage than, for example, users throwing full cups of coffee over their expensive laptops. Should we ban drinking coffee close to expensive laptops too then?


My complaint is that Apple went out of their way to make the process have no margin of error. Making it rewritable would have been less effort and less costly.


And the tech used the part during a repair, did system configuration with the board, realized that wasn't the issue, and then removed it and sent it back to Apple. I've had a tech do it once.

I'm not sure how the "Diag" board would have ended up in the hands of a customer. We note that the part was opened and used.


Maybe the second computer hasn't been manufactured yet


Why would the factory assign, to a second computer, a number that's already been assigned to a computer which has been manufactured some time ago?


It wasn't assigned to a computer manufactured some time ago, it was assigned by a tech in some repair depot, and for all we know it happened a moment before.


The factory's serial assignment systems are connected to Apple's internal systems that would also have recorded the 'tech in some repair depot' assigning that number?

It doesn't literally have to be from the same factory, as it could be any one of the dozens of factories or hundreds of repair depots.


Can’t you remotely deprovision the machine?


That sounds like something that might also wipe the laptop...and all of the new owner's data with it.


That's Apple's problem. For all this company knows, someone is using a laptop with their data on it.


Can't see how that would go well if two devices have the same serial number.


I had this happen with an iPad that I received as an exchange when I sent one in for a repair. I booted the new unit up and was prompted to enroll the device in MDM for a school district in Florida. Kind of a frustrating experience, but Apple support was eventually able to get it unenrolled after enough escalations ("yes, I bought it from you", "no, I'm not going to sign in to an MDM-enrolled device with my personal Apple ID", "no, I've never heard of this school district and don't know anyone in IT there who could unenroll the device", "yes, I'm quite sure I didn't buy it off a truck").

I never learned what caused the issue.


I'm curious how that happened in the first place. Telling Apple that you want a mac to be autoenrolled in MDM after purchase requires you giving them the same proof of purchase you would need to get it unenrolled. (At least, it used to. I know now definitely for iOS devices you can get them set up in Automated Enrollment via Configurator)

Someone at Expedia would've needed the receipt for this laptop to get it enrolled, or someone at Apple fat fingered the serial number and accidentally enrolled that person's laptop?


Probably a return/cancelled order from Apple Managed side, then ended up in general inventory. Evidently there are two completely separate customer relationship systems, which makes sense given the amount of power given to managed accounts (truthfully still boggles my mind the dev and managed aren’t the same system with the amount of similar power). I would have thought inventory would be separated though, but stranger things happen.


If that is the case, either Expedia didn't release the device before sending it back to Apple, or Apple didn't release the device from ASM before re-selling it.


Yep. Had a friend ironically get an Apple Demo Management configured Apple TV from an Apple Store. That was a quick trip back...


I imagine it was a fat fingering. I’ve purchased MBPs for my org in person at an Apple Store because I needed them urgently and I had to call my Apple rep to manually assign the serials to our company in ABM.


You can manually assign MacBooks to your Apple Business account.

Just install Apple Configurator on an iPhone and hold the phone close to the laptop at initial boot. It will show a sort of QR code and when you scan it it’s attached.

The initial detection will only trigger when it is in the “choose locale” screen, just after the very first “choose language” screen.

If you go beyond “choose locale” it will not work, even if you go back a step, and even if you reboot.

Then in ABM change the MDM platform to whatever you want (your Jamf instance) and Bob's your uncle.


That is simultaneously (a) so freaking cool and (b) the most nonobvious, undiscoverable UI/UX I've ever heard of.

"How do you do this sort-of complex business process to a new apple device?"

"Oh just install this app on your phone, then hold the phone next to the computer when you turn it on. No, don't open the app. No, don't lock the phone. No, don't click anything on the computer, lest you go too far."


It’s documented. I assure you I didn’t find that by accident =)


When companies purchase Macs, the serial numbers of those Macs could be associated with the respective purchasing company for enrollment purposes. Mistakes could happen, but also new (or, for that purpose, even used) Macs could end up being sold before their serial numbers are disassociated from the company that purchased them.


That makes a lot of sense. Expedia used Macs heavily when I worked there.


We are currently in the process of trying to return a MacBook to Apple and avoid them dinging our return allotment. My store sold it to a customer who later called us and said it was making them enroll into a PA university's MDM. This was a device that Apple sold to us directly.


Interesting, I recently got an MBP for a new job that was supposed to have some enrollment pre-configured, but didn't.

Weeks into my new job, the IT folks contacted me and asked "Uh, did you ever get your laptop?"


I had no idea this feature exists; do PCs have this "feature" too?

Are we now saying a central authority can simply brick or forcefully install software on any mac at any time given only the serial number? What the actual fuck!?

Is this an OS feature or part of the "secure enclave" (Are macs entirely useless now or can you install Linux and still trust the device)?


This is a corporate device management facility. It exists for both Windows and Macs.

With Macs, it’s more closely tied to the hardware because of course they’re integrated.

With PCs, Intune and Autopilot are Windows features that depend on hardware, but hardware alone isn’t sufficient. You can install and run Linux or DOS all you want on an Autopilot enrolled device, but every time you boot Windows it will want to phone home.

It’s fairly carefully controlled. With a PC, the serial number is not sufficient. You need a device-specific hash that is not generated, and that you can’t get, until you turn on the computer at least once, so you need physical possession at some point in the workflow.

With Macs, Apple more completely manages those first stages of enrollment. Devices are enrolled when sold through a B2B channel, or when manually enrolled through Business Manager.

Either way, it would be difficult for an adversary to assume control of a device without authorization. Not impossible, surely, but it’s definitely a scenario these vendors have anticipated and worked to prevent.

The good news for device owners is that it adds complexity to resale of a stolen device.

The bad news is things like OP’s situation occur.


Physical possession is a good enough high bar. But remotely enabling this feature with just a serial number sounds incredibly invasive, and a very serious breach of trust.

Even if Apple are "the good guys" (now), we know they can be compelled by governments to do things quietly (see the push notifications thing that came up recently). So simply having the ability to remotely push software or configuration changes to any machine targeted by just a serial number is a big security hole.

This is very disappointing...


Is it a remote push? Or is it that the MBP "phones home" on first boot, and gets the signal that it belongs to the Expedia MDM group?

Naturally, that's not great either, but it's not quite the same kind of "not great".


Second one. It’s also not secret - you are greeted with a prompt, which you must accept, to complete enrolment (although granted you can’t use the device without accepting).

Essentially, the device phones home during setup, and asks Apple whether it’s in Apple Business/School Manager. If it is, and it’s assigned to an MDM, Apple will let it know the host name of that server to try and prompt the user to enroll into.
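Added example, not from the thread: a small POSIX shell check for the state the comment above describes. It parses the output of macOS's `profiles status -type enrollment`, which reports whether the Mac was claimed via Automated Device Enrollment (DEP) and whether an MDM profile is installed; the sample output below is constructed to match that command's format so the script runs offline.

```shell
#!/bin/sh
# Decide whether a Mac is tied to an organisation via DEP and/or MDM by
# parsing the two lines printed by `profiles status -type enrollment`.
# Constructed sample output (same shape as the real command prints):
SAMPLE_OUTPUT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Prints one of: dep+mdm, dep-only, mdm-only, none.
# Exit status 1 means the device is claimed by an organisation, i.e. the
# situation where a buyer gets the unexpected enrollment prompt.
enrollment_status() {
  out="$1"
  dep=$(printf '%s\n' "$out" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$out" | sed -n 's/^MDM enrollment: *//p')
  # The MDM line may carry a suffix such as "(User Approved)", so match a prefix.
  case "$dep" in Yes*) dep=yes ;; *) dep=no ;; esac
  case "$mdm" in Yes*) mdm=yes ;; *) mdm=no ;; esac
  if [ "$dep" = yes ] && [ "$mdm" = yes ]; then echo dep+mdm; return 1; fi
  if [ "$dep" = yes ]; then echo dep-only; return 1; fi
  if [ "$mdm" = yes ]; then echo mdm-only; return 1; fi
  echo none
  return 0
}

# On a real Mac, feed the live command instead of the sample:
#   enrollment_status "$(profiles status -type enrollment)"
enrollment_status "$SAMPLE_OUTPUT" || echo "device is organisation-managed"
```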


Would you prefer the company that owns the device burn something like this into UEFI to handle MDM instead?


Yes. That significantly raises the barrier, and reduces the risk of accidental enrollment.

And once that's burned into the UEFI, I'd like it plastered all over; maybe as part of the boot logo: "This device belongs to Expedia". Then there will be no risk of someone buying the device (perhaps on the used market) and not realizing they don't own it.

Of course, there should also be an un-enrollment option for when companies decommission devices so they can be reused instead of just trashed, but that's an environmental concern not a security one.


They can. Surfacebooks can be enrolled into Autopilot. Any OEM device running Windows 11 can be preenrolled. It’s actually a pretty good feature for managing laptop fleets.


A similar issue on Windows will be a license key stored in UEFI that is tied to a company. A clean install will find that key and ask you to login with your company email and password. You can get around it by not being online during setup, but you're out of luck if you don't know that trick.


>Are we now saying a central authority can simply brick or forcefully install software on any mac at any time given only the serial number?

Apple can brick or install an update to your computer even without MDM. For MDM, you cannot be spontaneously enrolled. In the article the user didn't notice this had been done until he reformatted his device.


1) Some do. It requires mechanisms to enforce it, which aren't present on most laptops yet: Intel ME, motherboard firmware, Secure Boot, et cetera, et cetera. Some Android phones have it too.

2) YES.

3) Part of ... not specifically the Secure Enclave but the whole system. Hardware, firmware and software. You cannot bypass it.


"Contact Apple support with your purchase details and ask them to fix the enrollment of the serial number on the affected Mac. It sounds like there was a clerical mixup on the record keeping as part of automated device enrollment."

Funny how these "mixups" always seem to benefit the company trying to control the user.


The mixups go in both directions https://news.ycombinator.com/item?id=38724253

Also I'm not really sure what benefit you're saying Apple even gets here. They have to waste time confirming all sorts of details so they don't unenroll a stolen device from MDM. Just seems like it's nothing but a pain for everyone involved.


Out of interest, what would happen if you didn't have proof of purchase or if, somehow, one day in the future Apple ceased to exist and enrollment became impossible?

Would the computer be "bricked" by this or could you wipe it and install a fresh copy of MacOS?


You can wipe it and reinstall. This happened to me by accident. The software for enrollment at my company didn't work correctly when I got my new MBP during my hardware refresh. Not knowing any better, I figured the MBP to MBP transfer process messed up my new MBP. So I just wiped my new MBP and reinstalled the OS. Of course, this also meant my new MBP was no longer enrolled and was unable to get all the software distributed by the enrollment agent. Once IT figured out what happened, I had to wipe it a second time and do the enrollment process again using some company specific image that was somehow accessible from my home -- maybe from a backup partition?

(Edited: the comments indicate this is no longer possible)


No you can't. You can wipe & reinstall, but once the Mac reboots and connects to the internet, it re-installs whatever it is that the "owner" (through device enrollment) wants installed. The only way is to get the "owner" (or Apple) to release it.


You're correct that that is the only permanent solution, but it can be bypassed until the next reinstall or major OS upgrade on Macs like this one as long as (1) you're able to change the boot device and (2) there is not a firmware password set.

I did it a couple years ago on a last generation Intel-based MBP to troubleshoot a problem caused by a particular piece of software installed by our IT team who, for various reasons, were unable to assist.

Caveat: I don't know if this is possible anymore on Apple silicon-based Macs because they apparently "require an internet connection to get firmware and other information specific to the Mac model."[^1]

The trick was to:

1. Use a freshly created bootable installer volume.[^1] (If previously setup, management software will often inject itself into the existing Recovery volume).

2. Prevent it from connecting to the internet, including any previously connected WiFi network it might remember.

3. Get it through the installation and initial user creation without being able to connect to the internet.

After that, it didn't pester me until the next reinstall.

[^1]: https://support.apple.com/en-us/101578


> Caveat: I don't know if this is possible anymore on Apple silicon-based Macs because they apparently "require an internet connection to get firmware and other information specific to the Mac model."[^1]

On an Apple Silicon Mac you may have to install Monterey first, which doesn't require internet, do some incantations, and then you can upgrade to Sonoma with no issue, and DEP/MDM bypassed.


That’s not true anymore. Now if enrollment is required because the computer was bought for a company, you cannot bypass it anymore (just like for iPhones).


This was not my experience when I installed Sonoma on an M2 MBP a few months ago. Enrollment was easily skipped by blocking connection to the enrollment server.


I realize this may be straightforward for an IT admin with creds, but does this hold for the avg user? How about the avg engineer?

> Easily skipped... by blocking connection to enrollment server


I don't have any special MDM creds, but I do have an admin account on my OS.

Probably not the avg user or engineer (though giving engineers admin account on their local OS is common). But that's hard to predict because usually you'd want to enroll, so I don't often see people trying to avoid it. Usually it's because of a bug. In my experience if the MDM process is buggy then it's more likely to be bypassable.

Setting a firmware password and blocking boot to external drives makes it harder, but a lot of orgs don't do it.


Even a relatively non-technical user could do so.

Last instructions I saw and tested said "install Monterey with no internet connection, open terminal, sudo nano /etc/hosts, add these three entries, save, close, upgrade to Sonoma".

That fully disabled MDM/DEP on an M2 MBP. Not sure if it would periodically ping after install/upgrade, but is about as clean as it gets, and for now survives OS upgrades.


I'm wondering, does the machine only check enrollment once? What if a future OS update institutes regular checks?


It checks again unless the user cripples the service (which requires access to disable System Integrity Protection), and even if they do it will be undone after an update. But it requires the user to accept the enrollment (just a couple of clicks on a pop-up). I don't know that that can be changed.

During OS install the enrollment will just happen; the user's acceptance is not required.


You can zero route a few DNS entries at your router, and be fine, and then if you want, edit /etc/hosts. I've seen this work with Sonoma through multiple upgrades.


Now, this is speculation on my part, but...

I think if Apple went out of business the service that's causing this problem wouldn't even function anymore, because I believe it relies on the MBP phoning home during the setup process and being informed that it belongs to the Expedia MDM group.

This would then be why fixing it requires a call to Apple, rather than being something you can do simply by wiping settings on the device itself. (However, I don't know whether this means that booting it in a Faraday cage, or just with the internet disabled, after wiping device settings would allow bypassing it.)


Expedia would need to release the device from their ASM/DEP portal. Or Apple needs to.


I’d hope it would be bricked, since that’s the point of this feature.

(I wouldn’t want a laptop with this feature, but I can imagine the sort of people that administer MDM asking for it.)


> I’d hope it would be bricked, since that’s the point of this feature.

I wouldn't. A previous owner or manufacturer should never be able to brick hardware against the current owner's wishes.


Yes, but in Apple's eyes, who is the owner?


In this situation, the current owner opted into the feature.

I’d agree if it applied to normal consumer laptops (even if opt-out) but that doesn’t seem to be the case here.


This could easily have been Expedia’s VAR submitting the serials to Apple Business Manager and having one of them off by a character.

I would assume Expedia buys in bulk so it’s possible all the serials that were scanned in could have had one or several serials entered wrong.

Generally when you buy a batch/bulk order, the last four will be different than the initial 8 for several dozen machines in that batch.


The used Mac market is too risky; it's too easy for the seller to remotely disable it, or for it to be locked into bullshit like this. I'm surprised anyone still dares to buy used.


You make it sound like that's an unintended consequence, but I think that was Apple's goal all along.


I hear a ton of stories about managed devices ending up in the hands of general consumers with Apple machines specifically... I wonder why? Is Apple particularly sloppy in this regard or is this just a matter of Apple computers being extremely popular for deployment with MDM?


The school I work for once had a student who had left the school sell a MacBook to an unsuspecting member of the public. It hadn’t been unenrolled.

We wrote it off and removed it from DEP for the poor guy. The student was long since gone and we had depreciated it anyway, so it wasn’t a huge loss. We realised not doing so was also potentially a reputation issue for the school.

We’ve since tightened up leaving processes so this is unlikely to happen again.


The latter. MDM is way ahead on Macs, imho. Intune and Autopilot with Windows 10/11 and Azure are only just now catching up to what MDM and Jamf can do on Macs, or even what Group Policy can do on local devices.

The decommissioning process should generally catch these situations, but it’s not foolproof, and not all organizations have robust decom procedures. A lot of Macs are managed by like a University IT dept, but procured and released by individual departments, for example. The school of business might not bother to notify central IT that they’ve let go of a bunch of old equipment, for example, and if they do it’s in some outdated spreadsheet, so the machines don’t get released properly. Things like that.


Funny thing is that Intune/Autopilot aren't infallible either to this regard.

I acquired one of those weird lil' mini PCs that are all the rage, from Minisforum. The BIOS UUID was, essentially, 1-2-3-4-5, if we omit all the zeros. That UUID somehow tripped a fresh Windows install into Autopilot mode on the box to some random company that enrolled a similarly "blank" UUID in. I was absolutely befuddled and laughing my ass off once I figured out what happened... after the shock wore off of sitting at a Miratech Azure AD login.

... then dug out an AMI utility to go re-roll the RNG on the UUID since the OEM didn't do it and reinstalled Windows again and all was well in the world.

You'll also find this happens when you get a Mini PC with a sticker telling you "if you cannot log into your personal account, please turn off WiFi and LAN, select the skip option, and then log in"...

All they need to do is boot a damn flash drive. `AMIDEWINx64 /su auto` for the win... also thanks to Lenovo for accidentally leaving that executable in some BIOS updates.


> The BIOS UUID was, essentially, 1-2-3-4-5, if we omit all the zeros.

What a coincidence! That's the same combination I have on my luggage.


I had this happen with a Samsung phone once that had the Knox registered to Rent-A-Center. I called up RAC and they said they had no record of the phone.


Most of the time they’re stolen and resold to unsuspecting buyers on secondhand markets


GNU/Linux doesn't have this problem.


It's in the hardware.


Enrolling into accounts is in the hardware?



