Hi,
so in regards to Macs I’m a bit of a newbie but now I have an advanced question.
I’m using a 16” M2 MBP from my employer which is integrated into an MDM. I have administrative privileges in order to install software etc.
Now I would like to install a second Ventura on the same hard drive for private use. I want them to be fully separate. Now when I boot from a bootable installer (USB) before I can install anything it asks for the password of my account in the existing installation.
This is confusing me (coming from the Windows world). Why do I need to enter the password of that account? As mentioned I want them to be fully separate installations so that the employer doesn’t have access to the private installation and the private installation should not have access to the corporate installation.
How can I achieve that and what am I doing wrong? Do I need to create partitions instead of volumes? I’m a bit lost here.
Thanks for any advice.
Apple Silicon Macs (so, anything with any form of M1 or M2, be it standard, Pro, Max, or Ultra) introduce the concept of "Volume Ownership". Basically the first user account (or an account blessed by your company's MDM solution) is granted a special privilege that applies across the entire system (even if the account originated on just one of the multiple volumes you intend to have). I'll be honest; Volume Ownership is still a concept that confuses me. Similarly, Bootstrap tokens, which are related to this (but also apply in Catalina and newer on the Intel side of things too). Actually those are slightly more confusing to me, but Volume Ownership, when compared to any other traditional UNIX-based operating system [including all Intel Mac-compatible versions of Mac OS X/OS X/macOS], is new and funky and still confuses me.
This article is the one to go to for explanations on this concept and why/how you are encountering it on an Apple Silicon Mac such as the one you are referring to:
https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web
That all having been said, and speaking of MDM solutions; if your Mac is in your company's Apple Business Manager instance, it will try to enroll into your MDM upon hitting the setup assistant on that second installation. It's possible that it will hit an error (due to already being enrolled on a different OS) and stop you, but I'd still be mindful of it. I'd honestly consult your IT department to see what they say about it (I don't know which MDM you have, so I can't directly speak to its behavior). As others have said, if you're just looking for a test environment (and you have enough RAM to accommodate whatever needs you have for this second environment), making a VM is probably the less problematic way to go about this. Though, be warned, anything requiring an Apple ID will not work. However, you CAN enroll an Apple Silicon macOS VM into your MDM provider and get Mac App Store apps distributed to that device via MDM (by way of the Volume Purchase Program side of Apple Business Manager).
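Added example (not from any post in this thread): a small shell helper that parses a report in the style of `diskutil apfs listUsers <volume>` and lists which cryptographic users, local accounts or the MDM bootstrap token key, are Volume Owners, i.e. the identities that can authorize a change such as installing a second macOS. The sample report is constructed and the exact layout of diskutil's output is an assumption.

```shell
#!/bin/sh
# Added example, not from this thread. Parses a `diskutil apfs listUsers`
# style report and lists the Volume Owners. SAMPLE_REPORT is constructed;
# diskutil's exact output layout is an assumption and may vary by version.

SAMPLE_REPORT='Cryptographic users for disk3s1 (3 found)
|
+-- 2457D2A2-0F3B-4A1C-9E12-ABCDEF012345
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: MDM Bootstrap Token External Key
|   Volume Owner: Yes
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
    Type: iCloud Recovery User
    Volume Owner: No'

# volume_owners: read a report on stdin, print "UUID<TAB>Type" for each
# entry whose "Volume Owner" field is Yes.
volume_owners() {
    awk '
        /^\+-- /            { uuid = $2; type = "" }
        /Type:/             { sub(/.*Type: */, ""); type = $0 }
        /Volume Owner: Yes/ { print uuid "\t" type }
    '
}

# count_owners: number of Volume Owners in the report on stdin.
count_owners() {
    volume_owners | wc -l | tr -d ' '
}

# is_owner UUID: exit 0 if that cryptographic user is a Volume Owner.
is_owner() {
    volume_owners | awk -v want="$1" \
        'index($0, want) == 1 { found = 1 } END { exit found ? 0 : 1 }'
}

# report: the live listing when diskutil exists (macOS), else the sample.
report() {
    if command -v diskutil >/dev/null 2>&1; then
        diskutil apfs listUsers /
    else
        printf '%s\n' "$SAMPLE_REPORT"
    fi
}
report | volume_owners
```

On a managed Apple Silicon Mac, an "MDM Bootstrap Token External Key" entry marked as a Volume Owner is the sign that the MDM, not only your local account, can authorize ownership-gated changes.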
If your employer is using MDM then most likely the MBP has a firmware password set by your employer and your SSD is FileVault encrypted with a key your employer has supplied and recorded. The firmware password unlocks the internal storage as part of the boot process. You may have admin privileges but your employer does as well. Even if you were to partition the internal storage such that you could install two separate installs of macOS, it would not surprise me if your corporate policy prohibits you from doing what you propose.
Apple Silicon Macs do not have firmware passwords. That convention dies with the Intel Macs. A passcode CAN be set by an MDM provider to prevent a user from booting into the "Options" menu when pressing and holding the power button at startup, but this is not the same thing and it cannot be set by any other means (i.e. outside of a corporate environment or test environment complete with Apple Business Manager and an MDM provider).