How to safeguard and secure your retina MacBook Pro! (Instructions and explanation)

Discussion in 'MacBook Pro' started by WolfSnap, Dec 17, 2013.

  1. WolfSnap macrumors 6502a

    Sep 18, 2012
    Here's how to make your MacBook Pro retina into a brick if someone steals it, and how to hopefully get it back!

    There are four things to do:

    1. Enable the computer's EFI password.
    2. Enable and set a lock message.
    3. Encrypt your HDD using FileVault 2 (No, this will not noticeably slow your computer.)
    4. Enable guest mode.

    Here's how to do it:

    1. Enable your computer's EFI password by rebooting your computer while holding down CMD-R.

    Once in the recovery console, go to the Utilities menu and choose "Firmware Password Utility". Set a password. DO NOT FORGET THIS EVER!!! Also, when you sell your computer, ENSURE YOU REMOVE IT (or give the password to the new owner).

    2. Open up System Preferences and go to "Security & Privacy". Then, go to "General" and click the lock icon at the bottom left. Then, turn on the 'Show a message when the screen is locked' option and click 'Set Lock Message...'.

    Enter something meaningful here, like this: Property of WolfSnap. If found, please call 999-555-1212. Reward offered!

    3. Go to the FileVault tab and turn ON FileVault. Follow the prompts and ensure you make a copy of the decryption key. Make a few copies of it, and store it in a sealed envelope at a friend's home/parents' home.

    4. Go to System Preferences, Users & Groups, and click the padlock icon. Click the 'Guest User' account and ENABLE the 'Allow guests to log in to this computer' option.

    Now that you've enabled all of this, you've essentially made it impossible for a thief to use your computer (except for the very limited guest mode), which ALSO allows you to use the Find my Mac feature in iCloud. Also, there's no way for a thief to reformat your computer and make it usable. It's literally a brick.

    BUT, since we've set the lock message, there's a (now) permanent way to mark your computer for easy return. After all, a thief wants some money; a reward is still better than nothing.

    Hope this helps!
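
A way to confirm the four settings from the first post from Terminal, as an added example that is not part of the original post. It assumes an Intel Mac whose macOS release ships `fdesetup` and `firmwarepasswd` (the latter needs root); the `check_*` function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit the four settings from the post above.
# Each check_* function takes a tool's output as text, so it can be tested offline.

LW=/Library/Preferences/com.apple.loginwindow   # loginwindow preference domain

# 1. firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No".
check_firmware() {
    case "$1" in
        *"Password Enabled: Yes"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# 2. The lock message must contain something other than whitespace.
check_lock_message() {
    trimmed=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ -n "$trimmed" ]; then echo PASS; else echo FAIL; fi
}

# 3. fdesetup status prints "FileVault is On." once enabled, plus a progress
#    line while the volume is still being encrypted or decrypted.
check_filevault() {
    case "$1" in
        *"Decryption in progress"*) echo FAIL ;;     # FileVault is being turned off
        *"Encryption in progress"*) echo PENDING ;;  # not fully protected yet
        *"FileVault is On"*)        echo PASS ;;
        *) echo FAIL ;;
    esac
}

# 4. GuestEnabled reads 1 when "Allow guests to log in" is ticked.
check_guest() {
    if [ "$1" = "1" ]; then echo PASS; else echo FAIL; fi
}

audit() {
    echo "1 firmware password: $(check_firmware "$(firmwarepasswd -check 2>/dev/null)")"
    echo "2 lock message:      $(check_lock_message "$(defaults read "$LW" LoginwindowText 2>/dev/null)")"
    echo "3 FileVault 2:       $(check_filevault "$(fdesetup status 2>/dev/null)")"
    echo "4 guest login:       $(check_guest "$(defaults read "$LW" GuestEnabled 2>/dev/null)")"
}

# Only query the system when actually running on a Mac.
if [ "$(uname -s)" = "Darwin" ]; then
    audit
fi
```

Run it with `sudo sh` so the firmware check can read its setting; a FAIL on line 1 without root only means the tool could not be queried.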
  2. WildCard^ macrumors regular

    Oct 11, 2013
    Great hints, glad there's a way to protect my hardware. Do these steps only protect newer versions of hardware or OS version? Or is it universal among the MacBook family?
  3. laurihoefs macrumors 6502a


    Mar 1, 2013
    FileVault 2, which encrypts the full disk, was introduced in Mac OS X 10.7. The older FileVault (1), which was available from 10.3 on, only encrypted the user's home folder.

    FileVault 2 also requires a CPU that supports AES instructions, so Core 2 or older are not supported, but all i5 and i7 CPUs since Sandy Bridge are.

    Guest mode was introduced with 10.7 too, and is not to be confused with a normal Guest user account. It's a workaround to give guests a possibility to use the computer without gaining access to the FileVault 2 encrypted volumes, and it also gives a way to track the computer with Find My Mac even with FileVault 2 enabled.

    EFI passwords were possible to bypass in pre-2011(? or 2010, correct me if I'm wrong) MacBook Pros by changing the memory configuration, e.g. taking out a memory module, but currently it's not possible to (easily) bypass.

    To sum it up: Any MacBook Pro with an i5/i7 CPU and OS X 10.7 or newer can use these methods.
  4. WildCard^ macrumors regular

    Oct 11, 2013
    Thanks Lauri. I just have Core2Duo MBs so I will do what I can.

  5. laurihoefs macrumors 6502a


    Mar 1, 2013
    To be a bit more specific: FileVault 2 works with Core2Duo CPUs, you'll just see a larger performance decrease and higher CPU utilization than you would with a newer CPU.

    I tried googling for benchmark data, but could not find much. If I remember correctly, with a Core 2 CPU you might see a >20% drop in disk performance with FileVault 2 enabled, when according to some benchmarks the performance drop on current MacBook Pros is almost negligible. I'm getting a <5% disk I/O hit on a 2012 rMBP, without noticing any rise in CPU utilization.

    Whether this performance hit becomes noticeable depends largely on what you use the computer for. Final Cut Pro, Logic Pro, Premiere and ProTools would be examples of software that would suffer both from the slower I/O and the increased overhead, but in most tasks the difference would go unnoticed. YMMV.
  6. WolfSnap thread starter macrumors 6502a

    Sep 18, 2012
    This works best on a retina due to the hard drive not being (easily) swappable, and dedicated decryption hardware.

    But, this will work on any newer MBP.
  7. everfangomanga, Dec 20, 2013
    Last edited: Dec 20, 2013

    everfangomanga macrumors member

    Jul 12, 2008
    Osaka, Japan
    I've looked around but haven't found a clear answer. What would the process be if you wanted to use Boot Camp as well? First encrypt, then partition for Boot Camp?

    EDIT: I just turned FileVault on, tried installing Windows but during the installation process, it said, "Can't install on partition" due to it not being NTFS format, or something along those lines. Then I had to exit out of the installation. When I restarted my computer, I got to the gray splash screen (with no Apple logo) and it hung for a few seconds and went to a black DOS type screen telling me, "No bootable device." I then had to restart while pressing Option to select which drive to boot from (it only gave me one option) and I was able to log in just fine.

    I have now deleted my Boot Camp partition through the Boot Camp utility and am turning off FileVault as I type this. I'm going to give it another go once it's done decrypting.
  8. Silon macrumors member

    Dec 1, 2013
    Is my understanding correct that with any MacBook that uses a regular HDD one can just take the HDD out, wipe it, put it back in and reinstall OS X? In that case this all does not make a whole lot of sense apart from securing your personal files. The thief will still be perfectly able to use the machine.
  9. WolfSnap thread starter macrumors 6502a

    Sep 18, 2012
    You can't change the boot device without the firmware password. You also can't open the recovery console without it either.

    So, I guess you could swap drives, but I doubt that's a big risk.

    Admittedly, this works better on a retina, but it's still reasonable to do on a non-retina MBP.
  10. laurihoefs macrumors 6502a


    Mar 1, 2013
    Changing the hard drive won't bypass the firmware password. You can't boot from any other partition, even on an internal HDD/SSD, without having to enter the password.

    Partitions get unique identifiers when created, and disks have their own unique identifiers too, so I doubt if even an identically partitioned new disk, or an exact clone of the old disk, would work.
  11. dastinger macrumors 6502a


    Mar 18, 2012
  12. Velin macrumors 65816


    Jul 23, 2008
    Hearst Castle
    Just did these steps with my new retina MacBook Pro. Took less than a half hour, feel much more confident now putting sensitive material on the portable.

    In addition, recently purchased 1Password and have encrypted all the logins/passwords. Necessary steps in today's world.

    Thanks for this list, every single new MacBook Pro owner should do this.
