The other peril of M1 ownership is the lack of alternative operating systems. The other day I reinstalled an older Macbook through "internet recovery" and it downloaded the version it was originally shipped with - macOS Mojave.
The UI was a breath of fresh air compared to Big Sur. Despite the screen being smaller than my M1 the information density was higher and it felt more like a tool than a toy. The lack of bullshit apps such as Apple TV, News & co and useless "widgets" was also good (for all of iTunes' flaws, it's still better than its modern successors), and it somehow felt faster despite being less than half the processing power of the M1.
I now wish I could run this on my M1 but alas I can't. At least with PCs and older Macs you could always switch to Windows or Linux, but with the M1 you're currently screwed - if Apple drops the ball or decides to take their OS in a direction you don't like you currently have no alternative (and all the "security" around locking out the user from their own machine doesn't bode well for alternative OSes).
You might be happy to hear about Linux running on M1 Macs already then (and Windows ARM version will run as soon as Microsoft gets around to it, I expect).
Asahi Linux hardly runs on M1. They're definitely spearheading research into the hardware and have done a ton. But the project is well into its infancy.
And it's doubtful Microsoft would ever go through the same effort to port Windows on ARM to the M1, instead probably relying on Apple's virtualization framework to allow it to run.
That's great news but how do users go about 'installing it' right now?
I think the comments in 9to5mac are just as bewildered as I and many users are. By the time a guide is written, they would have moved on to getting an M1X or M2 Macbook, still waiting.
It's only got kernel support, but is actually still not 'user ready'. Could take months for that to happen.
T2 Macs are still handicapped when it comes to Linux. It can run but with too many caveats. Needs special kernel versions with custom modules to have working keyboard/trackpad and at least last time I looked couldn't have both audio and sleep. Too big of a compromise on a laptop for me to use it. Wish I could. Seems like M1 Macs are going to have better Linux support than the T2 ones where BridgeOS throws a bunch of complications into the mix.
I'm glad I'm not the only one who truly loved Mojave! Once Apple cut off 32-bit support, it seemed like stuff really started going downhill. I still might pick up an M1 machine secondhand once Linux support is ironed out, it would be a fun little tinker-toy.
Well, in Apple’s defense, backporting old versions of MacOS makes no sense and would cause developers much headache, Linux already boots to a GUI on the M1 Mac mini (just no HW acceleration), and the list of available operating systems will grow each year there is a MacOS release. Just like you can’t run MacOS 10.6 Snow Leopard on the MacBook you restored.
All of your talking points are the reason why I can't devote myself to the Apple ecosystem anymore. On top of making it borderline impossible to retrieve any of your data as a file, they have been focusing way too much on Apple One and their SaaS models than they have their actual products. It wasn't until the M1 came around that I really looked upon them very disfavorably.
But now with Macbooks reaching $2k for a decent base model on the horizon, I'm really starting to just dip further into Linux every day. At least with ext4, btrfs, or zfs I can access those files on different operating systems. APFS? Have fun with recovering those backups without having to shell out for another Mac. Not to mention the OS is free. Had I still been an avid gamer Windows would hold its leash on me, but Windows 11 is not looking better either.
There are two open source FUSE drivers for APFS that, theoretically, should work on any system with userspace file system support. They don't support all APFS features, though, and I wouldn't rely on them for anything serious or that you care about.
A friend of mine runs Arch on his Samsung Chromebook Plus, and there's also the Pinebook Pro. Both ARM. Both happen to use the RK3399 SoC, I believe, but there are other supported machines like the Asus Chromebook C201 as well.
Wow I'm so happy I'm moving away from Mac administration. I currently manage a big userbase but we still don't have M1s in our environment as our antivirus solution (Cylance) is really slow in supporting it.
Apple is introducing more and more mechanisms in the name of security but they keep access and information very close to their heart. All us Mac admins have struggled with SecureToken in combination with AD accounts and it took two major releases for Apple to actually introduce a way for us to manage these properly through MDM. In the meantime most information had to be gathered through blogs such as this one.
Another issue is that more and more enterprise management features are becoming dependent on managed (federated) Apple IDs. But Apple requires that the email and identifying account address (UPN) are the same which will never happen in our 200k user environment. So we're stuck with more and more things to work around.
This is really something that should have been considered from the start. And this owner key thing sounds worse. Security is good but the end user or corporate admin should have the keys to every lock. Not just the vendor. Now my successor can deal with this stuff.
I used to be a big fan of macOS personally too but I moved over to FreeBSD 2 years ago and I'm glad I did. I really want an OS that answers to me.
You could just set security to Permissive. It’s as secure as any Windows machine and disables this, even though the only time you’d ever run into this would be if you ran 2 Mac installs on the same machine, which surely a corporate deployment isn’t doing.
You'd be surprised. Macs for us are only half a percent of our userbase (yet still many hundreds), and are mainly used by app developers and graphical design roles.
Especially the app dev guys tend to have fairly nonstandard usecases. However most of it happens in labs firewalled off the company network.
Anyway, I'm glad I'm not the one having to figure out how to work around these things with very limited documentation from Apple, like I have before ;)
It seems like these changes have good intentions (i.e. improved security), but introduce a lot of complexity that can have unintended consequences for end-users. This reminds me somewhat of my process setting up UEFI Secure Boot on my Windows PC that wasn't originally configured for it. Not in the exact steps, but in that there is a ton going on behind the scenes and the UX is horrendously bad.
Unfortunately, vendors haven't really thought about how to explain these changes to end-users. They are trying to make them fairly transparent, which probably works at least 95% of the time, but for a small percentage of people, becomes a big PITA.
I wanted to try out Windows 11 on my desktop, and one of the requirements was that UEFI secure boot is turned on. Took me the better part of a day to figure out how to turn it on, which required deleting some random partitions that had been created on my drive when I had upgraded from Windows 8 to Windows 10 because the tool to enable UEFI requires a _very specific_ number of partitions in the drive that it's being set up on. The error messages to figure out that was the problem were incredibly frustrating. The BIOS UI to turn it on was also so confusing; everything seems to be named differently in different places.
The kicker was that the Windows 11 install was borked and I had to wipe everything and reinstall. Ha.
Something I found really handy for testing/retaining Windows installs was a $30 external USB SSD (not a flash drive, an "external drive" that is flagged as "non-removable").
You can install Windows directly on it and tell the UEFI to boot off of it with absolutely no fuss.
Agreed. I don't think Apple is intending to be malevolent here, but this is pain for people like myself who value the ability to create bootable clones on external media. This has always been an area where the Mac excelled, but it looks like those days are over.
This is worth knowing about, but it is really a distant edge case. Calling it a peril of M1 ownership is a bit dramatic when you consider how few people it will affect.
This blog is well known for both deep original knowledge, and extreme hyperbole. There was a post about MacOS update size that compared the size of the updates to beating the backs of Mac users raw and ignoring their pleas.
I am not sure which specific article you’re talking about, but MacOS update sizes were a massive issue.
The real problem wasn’t the update size itself. The real problem was the updating through the Mac store, which would invariably fail to properly download the update if you were on anything outside a several hundred Mbps connection, and even if you did successfully download it, would potentially fail to install and/or give really poor progress updates where it looked like it hadn’t installed.
All the while eating up many gigabytes of space for I don’t know what.
You don't buy a Mac (M1 or otherwise) to live an adventurous life. You get it because it has really well executed take on an opinionated computing platform that just works for normal people.
For a lot of normal people, Mac is what you buy if you want to work with your computer, but it is not what you buy if you want to work on your computer.
That's completely orthogonal to Apple's take. They talk about how much your development efforts will speed up, your creative production. So on, so forth.
Not "it's to be an unadventurous consumer of product".
Who they market their users are != who their users actually are.
Obviously all the marketing will focus on creative uses because it makes it a lot easier to sell people on a $1500 machine. The truth is 95 percent of people are using their computers as glorified web browsers and the computers are built to do that extremely well.
It’s almost as if Apple is building their Macs to be rogue nation-state resistant or something. Because otherwise is this almost actually security overkill? (Which does exist, we don’t want TSA Security to enter a grocery store, for example.)
I think rendering stolen devices useless is also on the feature list. iPhone theft has become super rare, because a stolen device is nigh-impossible to activate and thus has little to no resale value.
This has already been a thing for Macs as well for many, many years. If you boot into recovery mode, there is a menu option to add a Firmware Password. You cannot access recovery mode or enter the boot selection menu without providing that password, which means a thief cannot reinstall any operating system or boot from a Linux thumb drive.
When you add a Firmware Password to a Mac, you get a long recovery code as a fallback safety in case you lose/forget the password. Apple, if provided with proof of purchase for the serial number being inquired about, can create a bootable USB stick with a certificate generated using public/private key crypto for which Apple holds the private keys.
I suspect much of this newer functionality acts as a replacement for the Firmware Password, giving more options and making it a bit more well-known.
It is less common these days thanks to activation lock, Find My Phone, etc. but it still happens a fair bit for parts. The system board is useless thanks to activation lock but the battery, screen, cameras, housing, etc. are all useful to any repair business. I think the only part they can't replace is the FaceID module as Apple require specific software to configure it only available to certified repair techs so a small repair store won't have access to it but a genuine battery or screen or camera on the cheap from a stolen phone is good money to smaller repair shops.
I've heard stories of people getting their phone snatched from their hand by a thief on a moped, then seeing the thief checking if the phone is unlocked while driving away and throwing it away immediately if it is (probably smashing it to the ground).
It's not a feature, it's an anti-feature. Preventing people from using a device they get second-hand is actively hurting poorer economies, because they can't benefit from all the hardware at disposal but have to dispose of it as part of global "recycling" trade (which has nothing to do with recycling and everything to do with piling up devices in areas where random folks will use dangerous chemicals to scrap parts or tiny bits of gold).
Apple is doing such policy not for security, as they still own the master key to everything they produce (!), but for making sure people keep on buying new products and destroying the planet ever more. Screw this crap.
EDIT: If you like to think of yourself as an eco-responsible or eco-worried person, consider how "right to repair" (or "apple/samsung locks" on the other hand of the spectrum) fit into that worldview.
The nice thing about the M1 Macs (as opposed to iOS devices or, uh, apparently Windows 11?) is that these systems can be turned off if you feel so inclined. More specifically, "Permissive Security Mode" can be enabled from the Terminal inside 1TR.
Apple recommends against this, of course, but it's your computer, so you can make your own choices!
To be clear, it's still not "your computer": Apple still controls the boot process and coprocessors, as well as all of the firmware that might be running on it.
> It’s almost as if Apple is building their Macs to be rogue nation-state resistant or something.
This claim feels a little weak when there are two other posts currently on the front page discussing a zero-click iMessage exploit in iOS 14.6, which has been abused by nation-states to spy on journalists and opposition leaders.
If this is truly their aim, then they are likely a long way from having adequate software security.
Considering the recent ransomware epidemic I would not agree for this to be security overkill. Maybe this level of paranoia is the minimum required baseline in 5 years. It looks like after a decade of relatively few big and public security incidents we are starting to go downhill again.
And yet Apple is cooperating with authoritarian governments[1].
For example, in Myanmar[2]:
> Most recently, there was a dispute with ProtonVPN (the company that also makes ProtonMail) over an update for its app in the App Store. Proton Technologies claimed that Apple was intentionally blocking the update amid the ongoing crackdown in Myanmar.
And in China[2]:
> "China appears to have received help on Saturday from an unlikely source in its fight against tools that help users evade its Great Firewall of internet censorship: Apple."
> "The Republic of China flag emoji has disappeared from Apple iPhone’s keyboard for Hong Kong and Macau users. The change happened for users who updated their phones to the latest operating system."
> September 2019 — Apple adopts a “SIM canary”. If you insert a Chinese carrier SIM, apps like TikTok & Apple News no longer function.
> May 2021 — Censorship, Surveillance and Profits: A Hard Bargain for Apple in China
And in Russia[2]:
> October 2020 — Apple forced Telegram to close channels run by Belarus protestors
And in Pakistan[2]:
> February 2021 — Apple Removes Apps for Pakistani Government
There are about a dozen more examples than those in this article here[2]. Here's its conclusion:
> So what does any of this have to do with app developers? Why should we care? When it comes to the iOS App Store, Apple controls where we are allowed to distribute our apps. More importantly, Apple has the unilateral power to remove our apps from any App Store region at any time to nurture its relationship with whatever unsavory government it is interested in pleasing in order to pursue its political motives or financial objectives.
> Apple’s centralized power over app distribution combined with its willingness to surrender to political pressures is incredibly concerning as ostensibly “democratic” governments across the globe (including the United States!) increasingly exhibit far-right, fascist behavior and implement fascist policies. What will happen when you need to build your own HKmap.live?
This again. In authoritarian regimes, it’s either you comply or you are gone. The regime can cut every one of your phones off their networks in seconds. Noncompliance is not an option. It’s not like the US where you can fight with the FBI in court.
The argument is whether you think their people should be able to use iPhones or not. If so, the rules are the rules. And the argument is that it would be better they had iPhones than domestic phones more likely to be compromised.
Nearly everything you list involves Apple blocking features and material which individual Governments consider illegal or objectionable. Apple is merely complying with the laws of each country it trades within, just as you would expect Xiaomi to comply with US laws when they sell their electronics in America.
If you don't like the laws of other countries, you should be angry with the Government which enacted them—not its citizens or corporate residents for complying with them.
It's the opposite. For this "security" you are handing control to a private corporation that when it comes down to it will pick money over democracy and freedom.
The lack of documentation is concerning, it makes me wonder why Apple are rushing the rollout since they could have provided a lot more technical info in advance to prepare users.
Aside from that, with all these security features I'd be quite content if there was a way to setup an endpoint at *.myco.com instead of *.apple.com for the 'calling home'.
I just don't want my hardware being so tied to the network services of one vendor. Is it too much to ask?
One question: can I finish the setup of an M1 Mac without giving it an internet connection? As in, could I get it from unboxing to desktop without it sending a single network packet to Apple?
> According to the small print in Apple’s Platform Security Guide, when you set up a new M1 Mac, or set one up after restoring it in DFU mode, the primary admin account created is special: it’s the Owner account of that Mac. During that initial setup, the Mac sends a request to Apple for that Mac’s signed Owner Identity Certificate (OIC). This is based on a private key generated in the Secure Enclave known as the Owner Identity Key (OIK).
I'm not trying to imply that you're wrong at all, but I'm curious how the Mac goes about obtaining the OIC without a network connection.
To clarify, Home will not. But Home is targeted to the non-techy layman. Pro/Enterprise will allow this. Comparing Windows Home to OS X is like complaining that my Honda Civic doesn't have the towing capacity that my F150 has. Different class and purpose.
Apple doesn't even have a comparable OS to be compared to Home, as it's a market they don't even target or develop for.
No, because of activation lock. Setup doesn’t differentiate whether it’s been wiped or not, and activation lock would be weak if a simple wipe could defeat it.
https://asahilinux.org/about/
https://9to5mac.com/2021/06/28/linux-kernel-5-13-officially-...
https://www.openbsd.org/69.html
I've successfully used Paragon's APFS filesystem driver to mount an encrypted APFS drive on Linux. The price was reasonable too: https://www.paragon-software.com/home/apfs-linux/
Your point still stands, though, with those soldered in SSDs needed for the boot process...
I really wish I could get Ubuntu on a Samsung Galaxy Book Go, but it seems it isn't possible (?)
And System76 are a pure-Linux operation building their own open source firmware in house to get the level of support and features they want.
I don't think x86 will die so quickly, and Linux has been getting a lot more support from OEMs recently than it has historically.
This is simply untrue. It may be hard to activate it, but it still has value for its screen, case, camera, and other parts.
https://cbslocal.com/2018/01/31/despite-anti-theft-features-...
And then they go even further with stories like that: https://www.vice.com/en/article/yp73jw/apple-recycling-iphon...
[1] https://news.ycombinator.com/item?id=26644216
[2] https://www.jessesquires.com/blog/2021/03/30/apple-cooperati...
https://en.wikipedia.org/wiki/Five_Eyes
But aside from that, looking at the threats of ransomware attacks, they probably do need to harden them that much.
Ruining the OS install is not the objective of most ransomware because that makes it harder to show your demands and accept payment.