
Garenorfeed

macrumors newbie
Original poster
Jul 19, 2022
So I have been reading about the horror stories of people buying these used Mac products, and have had friends personally fall victim to having a laptop be iCloud locked after purchasing on FB Marketplace.

My question is if you receive an iMac from a site like eBay, and are able to get in and use the machine, is there anything that can go wrong with iCloud or MDM after a lengthy amount of time? Or are all barriers to entry known upon trying to set up the new Mac?

Lots of listings offer 1 year warranties, and even the option for 3 years warranty. Could you be locked out even after using the Mac, and be unable to get help/return/be protected by the warranty?
 
If activation lock is enabled, you'll know immediately when you try to set up the machine. If it's not, you're good. The machine will be tied to your Apple Account when you set it up. There is nothing the previous owner can do to lock you out of your machine.
 
I'm not so sure about MDM. I think it survives activation lock. But it's easy to see if any MDM profiles are installed by looking in System Settings.

Screenshot 2025-04-15 at 5.46.06 PM.png
 
Thank you for the answer guys. Even the MDM issue will only be apparent upon full wipe and setup?
macOS Sequoia (maybe this was added to Sonoma) can more aggressively prompt an already set up computer to enroll into an MDM and will eventually lock you out unless you complete the enrollment.
 
But if I check the device management in the system settings (shown above) I should be good to go? Or is this a phantom mechanic?
 
Buy from a "known good" source (like Apple).
Then you know what you're getting.

Hmmm...
Do you already have a Mac that is giving you MDM problems...?
 
Fortunately I do not, I was just looking at Macs with these Security chips like the 2020 or iMac Pro (I want a larger screen than the M1/M3/M4). May just end up getting a 2017.
 
There is a possibility that it will not show anything in system settings if the initial enrollment was bypassed or if MDM was temporarily disabled by the computer's actual owner.
With an internet connection and while signed into an admin account you can run this in Terminal:
Code:
sudo profiles show -type enrollment
If the computer is not currently enrolled in an MDM you'll get an error message that says that the "Client is not DEP enabled." This is not a 100% certain answer as to whether the computer is managed. That can only be determined with certainty by looking the computer up in Apple's GSX service tool which is not publicly available.
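
An added example (not part of the original post): a shell function that classifies the output of the command above together with `profiles status -type enrollment`. The verdict names and the embedded sample outputs are constructed for illustration, and a "no record" result stays inconclusive, as the post says.

```shell
#!/bin/sh
# Added example: classify `profiles` enrollment output on a second-hand Mac.
# Verdict names (ENROLLED, ASSIGNED, NO_RECORD, UNKNOWN) are made up here.

# Constructed sample outputs; the URL is a placeholder, not a real server.
SAMPLE_SHOW_ASSIGNED='Device Enrollment configuration:
{
    ConfigurationURL = "https://mdm.example.org/enroll";
}'
SAMPLE_SHOW_NONE='Error fetching Device Enrollment configuration: Client is not DEP enabled.'
SAMPLE_STATUS_NO='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_STATUS_YES='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# classify_enrollment SHOW_OUTPUT STATUS_OUTPUT
# Prints one verdict word; checks the strongest evidence first.
classify_enrollment() {
    ce_show=$1
    ce_status=$2
    case $ce_status in
        *"MDM enrollment: Yes"*|*"Enrolled via DEP: Yes"*)
            echo ENROLLED; return 0 ;;   # managed right now
    esac
    case $ce_show in
        *"Client is not DEP enabled"*)
            echo NO_RECORD; return 0 ;;  # nothing found; not proof of a clean device
        *ConfigurationURL*)
            echo ASSIGNED; return 0 ;;   # an org still claims this serial number
    esac
    echo UNKNOWN                         # offline, not admin, or unexpected output
}

# Live check on macOS, only when asked for: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_show=$(sudo profiles show -type enrollment 2>&1) || true
    live_status=$(sudo profiles status -type enrollment 2>&1) || true
    classify_enrollment "$live_show" "$live_status"
fi
```

ASSIGNED with nothing listed in System Settings means the Mac will ask to enroll at the next setup or check-in.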
 
If you are buying on FB Marketplace, don't pay till the Mac is clear of activation lock and you can set it up. On eBay, stay away from sponsored listings which are not covered by eBay guarantee, though some claim 1 year warranty. If something is too good to be true, it most likely is a con.
 
To add some context, from experience with the EDU org I work for (using Jamf):

Apple enables the MDM connection for the organization via ASM or ABM. Once enrolled in ASM or ABM, the device is linked to the organization's MDM. This is back-end Apple stuff that cannot be removed or bypassed on the device.

So, to fully remove org management, 2 things have to happen:

1. The device needs to be removed from ASM/ABM (org account with Apple)
2. The device needs to be removed from MDM (org system)

If the org forgets to remove the device from ASM/ABM, and removes it from their MDM to sell/donate it...when the new user hits the internet, it will re-enroll in the MDM automatically.
 
I should add (it can get complicated) that there are at least two ways that I am aware of that an org can configure an MDM to add/enroll devices:

1. Automatically (happens immediately with an internet connection)
2. Opt in, where the user initiates joining

I am only familiar with the automatic adoption/enrollment, as that is all we use.

If a device is wiped and unenrolled/removed from both org MDM and the Apple ASM/ABM systems, the device does not technically unenroll until the next OS install, when the OS checks in for updates.

So...a device will continue to act as though it is still enrolled until it can check in with the mother ship (Apple). If a device is restored from the local recovery partition with no internet connection, it will still prompt and behave as a managed device. Restoring from Internet Recovery is the resolution.

This scenario can happen if the org wipes the device, and then unenrolls properly, but does NOT re-install an OS.
 
Horrific.. maybe I will just go directly to Apple
 
Last I heard, one needs proof of purchase to get a device released (original new purchase, not used purchase).

It really is the whole point in making the device secure...no entry without the proper rights or the key. Like selling someone a used safe, without the key. Essentially useless.

If a device is still managed by an org, contact them and they can release it remotely. All they should need is the serial number.

Depending on the org, configuration, and MDM, they may have the encryption key to unlock FileVault, although one can get around that with some options in Recovery mode (no key needed to wipe and restore).

All of this is true for MDM-managed devices...no help for devices linked to iCloud.
 
If you buy an Apple product on eBay, ya spins the wheel and ya takes yer chances. But if you're just looking for false reassurance - ¯\_(ツ)_/¯

Sure, it'll all be fine. Take my word for it 🙄
 