
Yoms

Original poster
Hi,

I own a 2018 MBP with T2 chip (FileVault enabled) that I'm about to sell. I've read the "What to do before you sell, give away, or trade in your Mac" support article, but there's no mention about how to "reset" the T2 Secure Enclave. Is it done automatically when you erase the disk? Or should I perform an extra step to set my MBP to the exact same state it was when I first got it?

Thanks.
 
These are the Apple trade in instructions when you “sell” it back to them.

[Image: Apple trade-in instructions]
 
With a T2 Mac, before I sold it I would boot to the recovery partition and DISABLE startup security insofar as it can be disabled.

However, I would TELL the new owner that startup security WAS disabled, and how to re-enable it after he got it set up to his liking.

This might make it easier for the new owner to get up-and-running without stumbling over the T2 roadblocks.
 
This guide is really bad. The SSD should be wiped by secure erase, single-pass zeros; an HDD needs more advanced secure wiping.
 
Erasing your SSD clears the encryption key from the Secure Enclave.

https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
Thanks, that's what I wasn't sure of. Didn't want to brick the laptop. So, erasing the SSD does more than erasing, it also resets the Secure Enclave.

So, here is a recap:

1) Perform only steps 1 to 5 described in this support article
2) After step 5 and before step 6, disable FileVault
3) Clear all fingerprints
4) Disable Secure Boot and allow External Boot (for future macOS install from USB key)
5) Perform step 6, i.e. erase the SSD

Sounds about right. Any mistake or advice?
 
I'd skip step 2 of your list.
 
Can't find the link anymore, but I think I read that this could also cause issues when trying to format the SSD if FileVault is still enabled. Not sure though.
 
I’m very confused right now. I bought the new 16” MBP and used it for a little bit and then decided I wanted to do a clean install. I restarted my Mac and hit Command+R to boot into recovery mode. I then went into Disk Utility and erased the drive in APFS and I selected the main drive by clicking “show all drives” so the drive was completely erased. I then installed Catalina and everything worked fine. I didn't have to connect it to another Mac through Thunderbolt 3 and I entered in my name and what I wanted my username to be and put in what I wanted my password to be. Did Catalina change something? Why would I need to disable secure boot anyway? If I did a completely fresh install of Catalina and sold it, when that person gets the computer they put their name, password, fingerprint and sign into their iCloud account and it should work, right?
 
As I said, I can't really recall where I saw this. But, what would be the problem doing so?

No problem doing so, I just have never seen Apple recommend doing it, so it seems odd their trade-in partner would. May as well just do it.
 
But at some point during the reinstall procedure, you were asked to enter your password, right? If not, then I would be the one confused. By entering this password, you allowed the Secure Enclave to be reset. This is mandatory; otherwise your MBP will remain tied at a hardware level (T2 chip) to your password. Quite annoying if you want to sell it to someone else.

Also, in another thread (quoted above), it was mentioned that not disabling Secure Boot before erasing the SSD may brick the MBP. I can't say if this was an isolated case or not. Obviously you did not have this issue. Just in case, I will do it when I sell mine.
 
All you really need to do is:
disable find my Mac
sign out of iCloud
reboot into internet recovery and erase your Macintosh HD, this will destroy the encryption key/FileVault.
reinstall macOS from internet recovery. All done.
 
Not sure if this is new but when you boot into recovery mode and erase the HD it will ask you to enter your credentials to disable Find My Mac.
 
Correct, depending on the version of macOS. Though I'd always recommend doing as much as you can in the OS as well when it comes to personal data.
 
Run this command on the macOS Recovery Terminal:
Code:
xartutil --erase-all
This will delete the Touch ID data and the decryption keys for the SSD. Reboot and reinstall macOS with Cmd+R after this command.
 
I'm prepping my late 2016 13" for trade-in.

I've followed the instructions on Apple's website, and 'deauthorized' and signed out of iCloud (after turning off 'find my mac').

However, I still see the Mac listed on my iCloud account on my iPhone. Should it still be listed there?

Also, is it preferable to hand the Mac to the nearest Apple store as opposed to mailing it in? And is the process at a store simple? (Or does one need an appointment, to make an appointment to do it? etc.)

Cheers
 
I think it's not a problem. I remember having deleted my Mac from my account manually too.
 
Is the xartutil command mentioned above needed to fully erase the T2 chip in newer MacBooks like the 2019 and 2020 models, or is it even safe to use with them? I did not see that command listed in Apple's instructions for erasing a Mac before selling it.
Is there really anything else that needs to be done beyond what Apple mentions to safely erase everything before selling, and is there really no need to erase the Secure Enclave and stored fingerprints manually?
 
The xartutil command just erases the stored data in the T2 Secure Enclave; however, when you run Disk Utility from Internet Recovery it also performs this action.
 
So basically, following Apple's guide on how to erase the machine before selling is all you need?
Is it safe to use xartutil anyway with the T2? I saw some people mentioning it might brick the machine or at least complicate things to get it up and running again.
 
Yes, Apple's steps are preferred, or the ones I mentioned earlier work too:

• Sign out of iCloud
• De-authorize iTunes/Books/App Store
• You may manually turn off Fingerprint if you have any stored (but all encrypted items will be removed via erase)
• Restart using Recovery (Command R) or Internet Recovery (Option Command R)
• In Recovery, select Disk Utility, select Macintosh HD, select Erase, then in the erase window select Erase Volume Group.
That will run the same xartutil command via Disk Utility (since this process goes through the T2 chip and SSD)
• Reinstall macOS

If you run the xartutil command after you erase, I don't think it will cause any issues, but since the Secure Enclave will be erased anyway, I don't think it's necessary.
 