Mac mini locked down by university

Discussion in 'Mac mini' started by fishdoc, May 13, 2019.

  1. fishdoc macrumors newbie

    Joined:
    Sep 5, 2002
    #1
So, I just got a new 2018 Mac mini through my university, and of course they always load computers up with their antivirus software, their own login, Alertus desktop, etc. And, as I always do, I promptly wipe the drive and reload it with my own software.

This one has given me no end of headaches, I suspect due to the T2 chip. For example, when I try to create a Mojave installer on a USB drive using this mini, I get a message that says "IT has not yet approved Mojave", and the installer gets killed (in the terminal, if I am using terminal commands, or it just tosses out that dialog and fails if using, say, DiskMaker X8).

    Any ideas how to take control of my machine? I tried booting in recovery mode and turning off the firmware restrictions; unplugging from the internet, and cloning the drive from another machine, but nothing seems to work.
     
  2. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #2
    That block on the Mojave installer has nothing to do with the T2.
     
  3. DeltaMac macrumors G3

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #3
    It appears that you have not been able to wipe the drive, and cannot even create a bootable installer for Mojave.
    Is that correct, so far?
     
  4. RyanXM macrumors 6502

    RyanXM

    Joined:
    Jul 7, 2012
    Location:
    DFW, TX
    #4
    Force boot to Internet Recovery...no need to create a USB installer.
     
  5. Boyd01, May 13, 2019
    Last edited: May 13, 2019

    Boyd01 macrumors 601

    Boyd01

    Joined:
    Feb 21, 2012
    Location:
    New Jersey Pine Barrens
    #5
    Sorry to ask the obvious. But if the university installs the software, why not ask them how to wipe the drive? When you say you "got" a new Mini, does that mean you purchased it and it is actually yours? Is there some restriction on what you can do with it?
     
  6. iluvmacs99 macrumors member

    Joined:
    Apr 9, 2019
    #6
I have talked to the Apple people a few weeks ago about security and the T2 chip and unfortunately, if there is a lockout password set, there is no way to unlock it aside from the IT department of your university who set it up. Even if you lose the password, Apple can not unlock it. So this means technically the Mac Mini isn't your personal property, I think. It may have been given to you by the university, but it remains the property of the university, which is sort of like the Samsung tablets that universities give out but which are locked out from being re-programmed or re-purposed unless the IT department unlocks them. So this demonstrates that the T2 security chip function is working and that is the purpose of it. So even if someone steals a Mac with the T2 chip that has the security lock set, they can't sell it to the public because you can't erase it. So if you can't take control of the machine, technically you don't own the machine. Only the original owner who bought the machine can. So it makes me wonder why you are asking this question here?
     
  7. fishdoc thread starter macrumors newbie

    Joined:
    Sep 5, 2002
    #7
OK, just to clarify, I was posting to ask about technical issues, not looking for ethical or administrative advice. If you must know, though, I am a professor who bought this computer with my own funds, but to be allowed permanently on the network the university has particular requirements, some of them procrustean (e.g., installing their antivirus suites, Alertus, having IT be administrators with remote access, etc). Removing IT as a user with remote login ability is, I admit, against their policy, but I am such a rebel I am willing to do so (and have for the almost 15 years I have been here).

    So far I have heard both yes and no, with respect to this being an issue with the T2. The reason I suspect it *is* is that, as I say, I have done this with every mac in my office and lab for 14 years with no problem, and this Mac Mini is being stubborn. DeltaMac, I DID wipe the drive completely (seemingly - erased and reformatted), but clearly there is some vestige of IT's handiwork there, because how else would it both stop me from creating a Mojave installer AND put up an "IT does not allow Mojave" dialog box?

    So take it as read that I know some of you don't approve of me wiping the drive, and feel free to think poorly of me if it bothers you. But if anyone has suggestions for how to get around it, I would also welcome input.
     
  8. RyanXM macrumors 6502

    RyanXM

    Joined:
    Jul 7, 2012
    Location:
    DFW, TX
    #8
If you force a boot to Internet Recovery, you will be able to completely wipe the SSD; you will need to use Terminal to get rid of the GUID partition map.

    diskutil unmountDisk disk1 (Number needs to be the APFS Container)
    diskutil unmountDisk disk0 (Number needs to be the Primary Volume, not the APFS container)
    gpt destroy disk0 (Same disk as the second step)

    Those steps above will wipe the SSD fully and the previous GUID Partition Map Table.
     
  9. s15119 macrumors 68000

    s15119

    Joined:
    Nov 20, 2010
    #9
    Simple, obey the rules the University has put forth.
     
  10. seble macrumors 6502a

    Joined:
    Sep 6, 2010
    #10
    I disagree, if he's paid for the machine let him do what he wants.
     
  11. netdudeuk macrumors 6502

    Joined:
    Nov 27, 2012
    #11
    Yes, on his own network :) I’m guessing that most large establishments don’t want systems that don’t belong to them on their networks under any circumstances. It does seem a bit much to want admin access to his machine though.
     
  12. iluvmacs99, May 14, 2019
    Last edited: May 14, 2019

    iluvmacs99 macrumors member

    Joined:
    Apr 9, 2019
    #12
The T2 chip is really stubborn, which is a huge turnoff to a number of people. Namely, down the road Apple can easily turn it into unsupported status sooner, and the T2 chip can lock out any patches, special kexts, etc., so you can't hack the machine and load a newer OS like you could with machines without a security chip, as told to me by an Apple technician who works for a third party repair depot. His advice to me was to stay away from that chip, and now with your experience it's evident that they can stop me or anyone from loading an OS that's not on the supported list, thus forcing people to buy a machine every few years rather than keep stretching the machine past its prime.

    Here's the article about Apple confirming the T2 security chip and how it will limit third party repairs and installations.
    https://www.engadget.com/2018/11/12/apple-t2-chip-can-limit-repairs-for-recent-macs/
     
  13. seble macrumors 6502a

    Joined:
    Sep 6, 2010
    #13
I also work in a university and have never had such issues. University devices are kept on a separate 'network' and personal devices on their own one too, unable to access the main network. In practice this causes little issue.
     
  14. Lee_Bo macrumors regular

    Lee_Bo

    Joined:
    Mar 26, 2017
    Location:
    Greenville, SC
    #14
    More power to you. Unfortunately I'm one of the network admins at my company and I've had to be involved with the dismissal of employees for that very reason.

    We also have that same policy that if you bring in your own machine and want to connect it to our network, even though you paid for it, it becomes company "property" while it's in use. It gets imaged with our image, added to our domain with all required software. While I don't agree with this, I have to follow the rules.

    While this post has nothing to do with what you are looking for, my hat off to you for being a rebel and I hope you stay under the radar.
     
  15. iluvmacs99, May 14, 2019
    Last edited: May 14, 2019

    iluvmacs99 macrumors member

    Joined:
    Apr 9, 2019
    #15
Here is the Apple T2 security policy, which you can download from Apple. Below is the recovery protocol, which means only your university IT department can perform the policy change.

    Authentication in Recovery

    Critical policy changes now require authentication, even in Recovery mode. This feature is available only on Mac computers containing the T2 chip or later. When Startup Security Utility is first opened, it prompts the user to enter an administrator password from the primary macOS installation associated with the currently booted macOS Recovery. If no administrator exists, one must be created before the policy can be changed. The chip requires that the Mac computer is currently booted into macOS Recovery and that an authentication with a Secure Enclave–backed credential has occurred before such a policy change can be made.

    Full Security is the default configuration on a Mac with the T2 chip. When an operating system is being installed, the system communicates to an Apple Signing Server and requests a personalized signature that includes the ECID— a unique ID specific to the chip—as part of the signing request. The signature is unique and usable only by the operating system with that T2 chip installed. Therefore, when Full Security is configured, the T2 chip ensures the operating system is uniquely signed for each computer.

Full Security and external media. A copy of macOS on an external drive won’t necessarily already be personalized for a Mac the first time it is booted. In this case, the first time a user attempts to boot from the external drive, the Mac boots into Recovery, and Boot Recovery Assistant makes the signing request to Apple so it can obtain the necessary personalized signature. This is automatic, and looks like a longer boot process with a progress bar. Subsequent boots proceed normally.
     
  16. Fishrrman macrumors P6

    Fishrrman

    Joined:
    Feb 20, 2009
    #16
    OP, try this and let us know what your results are.

    1. Boot to the recovery partition. If you can't get there, try internet recovery, but I don't know if what follows will work via internet recovery.

    2. When you get to the recovery partition, open the Startup Security Utility.

    3. Choose "no security" and "allow booting from external media".

    Can you choose these options?
    Now, reboot.

    Can you now install a copy of the OS from external sources?
     
  17. fishdoc thread starter macrumors newbie

    Joined:
    Sep 5, 2002
    #17
Thanks Lee for your input. I am always torn between recognizing that IT needs to do their job, but also recognizing that at universities they often don't know enough to enact effective or reasonable rules, and sometimes their inabilities interfere with my ability to DO my job. When I was at UC Davis, our IT guy refused to allow ANY Macs on the network, ever, because they were "too dangerous". I had to spend my postdoc working on a Windows machine, asking for permission every time I installed software (even ArcGIS or MS Office).

So far I have been under the radar for 15 years - hoping to keep it that way! Will work on these suggestions this week...
     
  18. pl1984 macrumors 68020

    Joined:
    Oct 31, 2017
    #18
    Is this even possible? From what I've read he's unable to do any administration he wants to his system.
     
  19. netdudeuk macrumors 6502

    Joined:
    Nov 27, 2012
    #19
    They wanted admin access to his machine. That's what I wouldn't like.
     
  20. Boyd01 macrumors 601

    Boyd01

    Joined:
    Feb 21, 2012
    Location:
    New Jersey Pine Barrens
    #20
    Then maybe just be like the rest of us, who buy our own macs from a store all by ourselves and don't give them access to it? ;)
     
  21. fishdoc thread starter macrumors newbie

    Joined:
    Sep 5, 2002
    #21
    Right, which is what I did - I bought it with my own money, to use to do my work while in my office at work, but IT wants it locked down AND to have admin access to it for it to stay on the network.

    Of course, that won't happen - I have to let them set it up, but then they don't follow up afterwards, so I find a way to delete them as users. Just trying to get advice, but I am mostly there now (they are no longer admins, as with every other computer in my lab and office, but there are still some oddities, like the dialog box WRT Mojave).
     
  22. richmlow macrumors regular

    Joined:
    Jul 17, 2002
    #22
Hi fishdoc,

I know exactly where you're coming from!

At my university, IT attempts to lock everything down in the name of "security."

Is it possible for you to physically bring your 2018 Mac Mini to an Apple Store?

If so, you can explain to the "Apple Genius" that your computer used to be at the university and now will reside at your house. Then, have them completely wipe the SSD and restore to "factory-new" condition and have them install the latest macOS. Then, physically bring your Mac Mini back to campus and discreetly plug into the Ethernet landline. Obviously, do not tell your university's IT department of your plans/actions.

Good luck!

All the best,
richmlow
     
  23. obiit macrumors newbie

    Joined:
    Jan 26, 2019
    #23
    Why would you buy your own computer with your own money to use at your place of work? Just seems a bit odd to me that's all.

    If the University paid for the device then it belongs to the University and they have control over it as they own it - that would be correct.

I do understand the need to make networks secure, so I would have thought that they would have blocked you from using your own device and bought you one, as after all the end objective is your job role and the work you carry out for the University?
     
  24. pl1984 macrumors 68020

    Joined:
    Oct 31, 2017
    #24
If I were you I would have demanded that they remove all of their stuff from the system. If having it is a requirement then I would tell them I will no longer be using it on the network and they will need to provide one for me.
     
  25. dwfaust macrumors 601

    dwfaust

    Joined:
    Jul 3, 2011
    #25
    Sorry, but I cannot get past the part where you think your computer is special and should not have to follow the rules. I get it that it's "your" computer. You paid for it. But you want to use it "discreetly" on THEIR network, using THEIR resources, and are bent on flying "under the radar". My guess is that there are provisions in their code of conduct or policy manual about violating their security protocols. In many universities and corporations, doing what you have done and want to continue doing would constitute grounds for discipline up to and including termination.
     