159 comments

[ 0.92 ms ] story [ 260 ms ] thread
Apple expects all Mac Pro uses to own multiple Mac computers in order to do routine maintenance. Outrageous.
They could star including a refurb macbook with each purchase. The cost would basically be a rounding error.
Yea, but who would want a second hand Big Mac, when you also got a fresh one?

Most would just leave It in the fridge or on the counter and eventually throw it away.

To help with the eventual SSD swaping.
A second hand Big Mac sounds indeed disgusting. Just the thought of it would make it hard to eat the fresh one.
It seems quite reasonable to presume that the target audience of Mac Pro users wouldn't treat SDD replacement as "routine maintenance" that would be done by the user, but have it done in a service center. And it's completely reasonable to assume that a Mac service center has other macs on hand. Disks on Macs are not really expected to be a user-serviceable part, if some weird techy wants to do that, they can (with some caveats like this one), but the process is designed with service professionals in mind, not DIY end-users.
No. You have two Mac Pros inside your MacPro. Guys, it has a left hemisphere and a right hemisphere! (Obviously not in shape, but roughly analogous). Yes, it's even got a "collosum" as a little piece of tape, which broke the ability to do battery charging completely when it fell off. (Yes, you need those damnable star-shaped screwdrivers to open the case, just go buy a kit). The tape is pretty obvious to find, and located fairly centrally. You'll notice it.

You know, you can "upgrade" your Mac Pro's firmware quite easily by first removing that tape, then taking the USB-c cable and wrapping it around your laptop, connected to both sides (either of the two ports on each side works).

Then just play with it a bit and see what changes. ;)

This is great, because the supported method involves Apple Configurator 2, which is only available via the App Store (which requires an Apple ID, which requires a phone number).

It will be nice to be able to service macs bought for cash without having to dox oneself to Apple.

Don't you know that computers are services now? :).

(Yes, this sucks.)

So basically if your SSD is faulty, you have to find a new mac to fix the one you already have. Oh well, Apple is being Apple indeed. Arguably you already needed a Mac given how hard it is to download a macOS image without a Mac already.
There's a whole bunch of scripts available online to create bootable macOS images, they're often used by the hackintosh scene. You do need another computer but it doesn't have to be a Mac.

Of course, that's in no way an official,. supported solution, but it'll work.

I believe those scripts require a mac to make a full bootable image, unless you want a network boot only image.
I've used them to install High Sierra on my Hackintosh and I don't own any Apple hardware. Apple may have restricted the availability of system images, but as far as I know, you can create fully-functional installer USB drives.
I just remember reading the fetch-macos script notes which said:

  Contributing Back

  This project can always use your help, time and attention.
  I am looking for help (pull-requests!) with the following
  work items:

  * Create *full* installation (ISO) image without requiring
    an existing macOS physical/virtual installation.

  ...
hmm... maybe they figured it out?
Until this free solution is intentionally broken by Apple.

Being able to do this for free is a bug, not a feature.

> find a new mac to fix the one you already have

I mean, you don’t need to be the owner of the Mac you run the restore from, so you can visit a Mac-owning friend, or an Apple Store.

We are talking about Mac Pro users here. The likelyhood of them having a second Mac already is extremely high - a laptop would not be out of the question.

And even if they didn't, the odds of them having a friends Mac they could borrow for the 10 minutes required to mate a new drive is pretty darn high too.

This is hardly a hardship.

Indeed, I'd wager FAR less effort will be spent globally to mate new SSDs to Mac Pro's over the entire lifetime of the global supply of all Mac Pros shipped vs. the level of effort already exerted to express consternation in this thread :p

And for a current iMac, it doesn’t matter how many computers you have, you’re not upgrading it.
You can still upgrade the RAM in the 27”...for now
This is a little misleading.

The T2 firmware needs to be restored after modifying the SSD amount.

This upgrade is typically reserved for an Apple Authorized Service Provider, but sure, if you have another Mac, you can do it all alone yourself.

(comment deleted)
I agree very misleading.

What is it with HN recently and all this childish Apple bashing ? If I want Apple bashing, I'll head on over to The Register where its a well known fact they hold a long-term grudge against Apple because of some decade's old fight they picked with Apple's PR department.

Back to the case in point, this HN post is disgustingly misleading.

What the Apple support article is actually saying is that if you have : (1) A spare mac with Apple Configurator 2 installed (2) A USB-C/USB-C cable or USB-C/USB-A cable

Then you can do the repair yourself.

This is not exactly a significant obstacle !

(1) Apple Configurator is a FREE download from the App Store (2) You can run Apple Configurator on any Apple machine, you DO NOT NEED another Mac Pro! (3) Any self-respecting tech will already have USB cables by the dozen

Yes, you need "another mac", but let's face it, if you use a Mac Pro at work or at home, then you most likely have "another mac" of some description around the place. And if you don't, you probably have one or more friends who have one !

> disgustingly misleading

That strikes me as rather emotive phrasing for an discussion about SSD upgrades.

Anyway - surely the point is that something that used to be simple (upgrading storage in a personal computer) now has a potentially large hurdle in it's way.

Does finding that to be a step backwards make one an anti-Apply fanboy?

It’s more like changing the BIOS/UEFI chip, as that’s stored there.

You can always plug in a second SSD via a PCIe slot too.

> That strikes me as rather emotive phrasing for an discussion about SSD upgrades.

Only emotive in the context of people using HN for clickbaity Apple bashing that is unsubstantiated by actual facts.

If you could be bothered to actually read the Apple Support document, you would see the reason access to Apple Configurator is required is because the SSD is tied to the T2 security chip. So you are not "just swapping out an SSD", there is a security element too. Frankly I think that is a good thing that changing hard drives is linked to the security chip.

> If you could be bothered

Again - please take the temperature down a notch. I'm significantly less invested in this topic than you seem to be.

And to respond to your specific point - I'm not clear on how a new blank drive would be a security concern. There might be a technical reason why it has to be this way - or it could just be poor design. At this stage I'm curious to know the thinking behind this.

> Frankly I think that is a good thing that changing hard drives is linked to the security chip.

I'm trying to think of an attack where "needing a second computer" is a major hurdle once you've got physical access.

> I'm trying to think of an attack where "needing a second computer" is a major hurdle once you've got physical access.

Yawn.

Two words.

Audit Trail.

Changing a hard drive goes from something you wouldn't know has happened, so something that has a trail associated with it, potentially in more than one place.

Anyone in IT will tell you "physical access = game over", but at least you'll know !

>And to respond to your specific point - I'm not clear on how a new blank drive would be a security concern. There might be a technical reason why it has to be this way - or it could just be poor design. At this stage I'm curious to know the thinking behind this.

The Apple security guide spells it out but I can hopefully summarize: the firmware for the T2 is stored on the the SSD, and it gets signed with hardware keys present in the T2 itself so the system can know if it's code is intact or has been modified.

If you remove the existing SSD and install a new one, there is no longer any T2 firmware present. Without it, the T2 can't start and since the T2 is the starting point for the entire boot process - well, hopefully it's obvious as to why this is an issue.

Why not embed the firmware on the motherboard? Well, being able to update it is a nice thing. Not having to worry about running out of storage in firmware memory embedded on a motherboard years before is also a good thing too; especially when the trade off is a pretty darn minor hassle - IF you ever upgrade your drive (which the vast majority of people never do).

If you think this is outrageous, then you must be pretty ignorant of more than a few really gross problems with Intel's TPM (analog to Apple's T2) - many of which can't be fixed without new hardware. At least with this approach issues can be addressed and aren't burned into silicon. Intel could have made parts of their firmware updatable but they punted since it's pretty hard to maintain a secure chain; especially if you are relying just on resources in the computer you are also mucking around with at a pretty low level to update pretty sensitive things.

I'd much rather be able to keep my machine secure even if it requires occasional simultaneous access to a 2nd Mac vs. being stuck forevermore with issues in hardware. And even if you use Linux, those TPM bits are still exposed :p

Ultimately, claiming access to a second Mac for a Mac Pro (!) owner is any kind of hardship is utterly ridiculous. Every single Mac Pro owner I know (and I have and still use a cheesegrater Mac Pro) also has a Mac laptop since, you know, Mac Pro's are far from portable. And even if I didn't, as a Mac user I have many Mac friends I could bum a laptop off of for the 10 minutes it would take to swap an SSD and install.

The previous US president used the word "disgust" frequently in tirades. This seemed to resonate with his supporters.

I must live in a bubble. I don't experience the emotion of disgust. I don't know people who experience the emotion of disgust. I'm honestly not sure how one defines the word, and I get the impression that many people who use the word don't really understand it either.

On the other hand there may be some "in the womb" biological tendency toward caution, aversion to change, that correlates with Republican affiliation. Experiencing disgust may just be one of those things, like how some people taste bitter as intolerable.

I don't experience the emotion of disgust. I don't know people who experience the emotion of disgust.

I'd describe the feeling I get when seeing my cat puke out a meal, followed by her starting to eat that slimy bloody pudding again, as disgust. Just to name an example. Have you really never experienced that? Lucky you I'd say :)

Apart from that, i.e. the very literal sense ('dis' is like a negative, 'gust' is taste), disgust also gets used in the sense of morally disliking something profoundly. Again not that uncommon.

But I get your point: these days it seems to get used often when it is not very close to the actual meaning. And as such gets hollowed out a bit.

>I must live in a bubble. I don't experience the emotion of disgust. I don't know people who experience the emotion of disgust.

And yet, you went ahead to perfectly describe (in all but the explicit term), how you are effectively disgusted by the supporters of the previous US President, the people who use the word disgust, and Republicans in general - and in a completely unrelated thread to boot.

One could very well ascribe this to virtue signalling and projection.

>That strikes me as rather emotive phrasing for an discussion about SSD upgrades.

I'd say implying that having access to a second Mac for 10 minutes to bless a drive in a $6,000+ computer as a "hardship" is not just emotive but bombastic.

Hell it wasn't too long ago that some computers required other computers in order to boot. Yes, I'm being a bit cheeky but we are talking about a procedure affecting a fraction of an already small pool of users - Mac Pro owners.

This is an overblown and sensationalized "story" purely because Apple is involved.

Why such a simple upgrade has to require AAS or another Mac?
Because it was simple in the time of lax security, not in the time of current security measures...
Why is it still simple for other manufacturers, even with added security measures?
Other manufacturers security models don't work in the same way. Good luck updating your Intel TPM firmware :p

Every approach has pro's and con's. Overall not a huge fan of secure enclave type solutions but I do think their benefits still outweigh the hassles.

Security/Convenience - always a tug of war.

The firmware is stored on the primary storage of the computer.

Which is absent if you are replacing it.

So when you put new primary storage in the machine, a new firmware that is cryptographically signed with the hardware keys that are unique to the T2 in each computer are used.

If they didn't use Apple Configurator running on a second Mac for this they would have to put all of that functionality in firmware on the machine somewhere. Driving up cost and complexity for an obscure task on a low volume machine in the first place. Yes, sounds like a valid use of engineering resources to overcome the "hardship" of having access to a second Mac for the 10 minutes (or less) the swap requires.

Well yeah you probably have a couple of them laying around anyway since you have to upgrade every 3 years.
I always get 3-5 times the life out of my Mac's than any Windows PC I have owned. You have that flipped a bit...
So you're saying you don't have a Mac laying around ?

All thinkpads that I own are still in use to this day. The newer one is over 5 years old and the rest are 10+ years old.

I don't get the outrage. Yes, the firmware thing is something you don't have to do with other computers.

But seriously, we expect people to have a second computer around when doing anything involved with their hardware. New computer? Need to create a bootable flash drive with an OS. WiFi not working on Linux? Need to download stuff and move it to your machine. Monitor/ethernet/mouse/GPU/anything not working? Plug it into a different machine. Network settings borked? Ping it from the second machine. We're used to this.

And Apple, surprisingly, expects your other machine to be a Mac. Because why wouldn't it be a Mac. They expect you to use a Mac or an iOS device to verify your identity, to contact their support comfortably, AND to restore firmware on your other devices. They expect you to use their ecosystem of devices and software. You may not like it, and that's why you probably don't have a Mac, but it's consistent and it makes sense in the context of their philosophy.

I have a USB stick that I can use to reload Windows at any time. I downloaded Windows and put it on the USB key using their utility and if I were to replace a drive, my OS eats itself, etc. I just grab that stick. It really should be that easy with macOS too.

Most people don't have multiple computers and most people that own a Mac are unlikely to have two of them.

"Most people don't have multiple computers and most people that own a Mac are unlikely to have two of them." - I would actually be interested on the stats for this for Mac Pro owners.
You can absolutely do that with macOS, you just have to download the OS and create the macOS-installer USB stick on a Mac.

The firmware thing is a separate, unfortunate, issue.

Honestly I would assume nearly all people with a Mac Pro also have a laptop of some sort, and they have a Mac Pro it's likely the laptop is also a Mac.
For reinstalling macOS it is that easy. You can create your own USB install media either using Apple's tool or a third party one.

Or the more common and easier method is to do an "eraseinstall" which does the same thing but without the need to make the USB media. It does some APFS volume stuff automatically to copy the installer, wipe all other volumes, install, then remove the installer volume.

The need for a second Mac is something most Mac users never encounter as it means something has gone seriously wrong or they are a power user doing something "not normal".

I'm not defending Apple's decision here, I see pros and cons for it. Just saying that for almost all users reinstalling macOS doesn't require a second Mac. I have been a Mac user (and developer so not a "normal" user fwtw) for almost two decades now and never once needed a second Mac for any restore tasks.

What does reloading an operating system have to do with swapping hardware that gets cryptographically mated to the machine it's being installed in?
Except I can make a bootable Linux disk on Windows, and a bootable Windows disk on Linux. I can download Linux wifi firmware on Windows and move it across on a flash drive. I can troubleshoot my mouse on any damn computer I want because it doesn't need third party drivers. We are not used to the requirement that the second computer be running a particular OS made by a particular company.
Although it's important to have that level of freedom, it hasn't always been the case in the PC world. Furthermore, there are OSes out there working on PC which don't have that level of interop. Finally, some people don't have 2 different OSes installed, and if their setup breaks, they'll surely need another box to fix it.

OTOH, needing a second machine for that sort of maintenance (installing a second drive iiuc) seems indeed quite a big requirement.

Love it how apple fans will contort themselves telling us how every new inconvenience is normal.
I always wondered what it is that makes some products enjoy customers with very high brand loyalty and others not so much.

Microsoft sits at the opposite side of the spectrum with most of it's clients being highly critical of it, and passionately angry at nonsense, except in the case of XBox, other gaming consoles also seem to enjoy very high brand loyalty; I also see it with GNOME.

Marketing/psychology tricks.

Apple has convinced people that wearing their products give them "uniqueness". Tesla has something similar, but with "change the world".

You will hear other excuses that are more tangible, but those are the brain listing features that have little to do with why someone bought it.

Apples poor record on privacy, security, performance, and ease of use should all be stark reminders that marketing sells products.

I was first thinking about the I'm a p.c..-advertisement campaign, but GNOME has never done such a thing, as far as I know, and enjoys similar levels of loyalty, and they are often compared as well in terms of visual design choices.
It's quite similar, you are a tinkerer, you are a nerd.
Hating on GNOME has been cool for a long time.
So has hating on Apple, Microsoft, and XBox, but two out of those three enjoy extensive brand loyalty, and one does not.

It's not typically the brand loyalists that do the hating.

The only thing surprising about this whole ordeal is the "surprise". Its Apple. Its 2021. Who the fuck still thinks Apple is pro-consumer? The same person is probably surprised that smoking isnt as healthy as 1940s ads used to say. This also goes beyond that 3rd party repair dude out of New York on youtube. Apple making it a complete pain in the ass due to their highly gated ecosystem is... well... Apple. You buy into it knowing what your getting at this point. Or you can never claim with any honesty that you do any form of due diligence before buying a computer. At this point, it's being surprised that water is wet.
Apple supporting users upgrading their hardware with freely available tools is anti-consumer? A bit over the top, no?

We are speaking English and anti is the opposite of pro still, right?

Honestly, I think it's a dedication to competence and good engineering. Say what you like about Apple, but they try damn hard to make everything "just works" (often at the expense of interoperability and maintainability). People complain about all sorts of flaws, but the outrage comes from an underlying expectation that Apple products should be flawless. Apple users yell bloody murder when their phone loses signal when held a certain way; Windows users lose their work to a spontaneous reboot, and sigh and move on with their day.

When you can convince people that all they have to do is buy in to your system and everything will be fine, that gets you religious levels of dedication. And of course the people who buy in are deeply invested in their not-easily-reversed decision, so they market you for free!

> Windows users lose their work to a spontaneous reboot, and sigh and move on with their day.

I keep hearing about this, but except for BSODs (which are super rare these days), but I haven't ever had this happen to me. My guess is that the people complaining about this stuff are the ones abusing their systems, and not telling you that part (the kind that would postpone updates for <<years>> and then wonder why Sasser or whatever were a thing).

>BSODs

yup, save for overclocking (or undervolting, which is essentially the same) I have not seen BSODs for a decade plus. I have seen laptops overheat due to clogged/uncleaned air vents, but that's a hardware issue.

flip note: what's wrong w/ the parent's post to deserve the downvotes.

>flip note: what's wrong w/ the parent's post to deserve the downvotes.

Probably people are rattled at being told that the well-documented phenomenon of spontaneous Windows reboots are somehow their own fault for "abusing their systems".

Happened to me last week ¯\_(ツ)_/¯. Lost an overnight run's worth of CFD calculations.

There's a toggle switch in update settings to explicitly disallow rebooting without intervention. It was ignored. Checked the system log and everything.

I guess I'm just holding it wrong...

>disallow rebooting without intervention.

That one is a fair point. I bet it did have 'intervention', showed a message it would reboot in whatever minutes and proceeded later.

Personally I use windows offline updater, and ignore the built-in 'windows updater'. 'shutdown /a' aborts an initiated shutdown

Nope. Vanilla Windows 10 is set to download and update itself automatically, which it seems to do at the most inconvenient moments. It's absolutely infuriating.
>Honestly, I think it's a dedication to competence and good engineering.

Apple is fully form over function. Macs laptops are anything but good engineering (hardware wise)

Yup, there are aspects of Apple's offerings that are form over function (No, I do not need laptop parts in my desktop so you can make it thin just because). However, I'm a Mac user not because of the pro's/con's of just the hardware or just the software, but the overall experience - from using, maintaining, buying, servicing. It's frictionless. It feels better.

I prefer it. I have Windows and Linux boxes (gaming and tinkering respectively) but when I just want to do stuff I reflexively grab for my Macs.

If they don't have the same value to you - great. That's why it's awesome to have choice. But pretending there is no difference in value for everyone because there isn't any for you is silly (and more than a tad narcissistic).

This reads as the kind of brand loyalty of which I speak, frankness be.

> but the outrage comes from an underlying expectation that Apple products should be flawless.

This is particularly silly. Apple has a reputation for product tying and expecting one to buy other products, also made by Apple. We've all seen the MacBook Wheel parody that, though parodious and exaggerated, shows the reputation it has for form-over-function and consumers that are too loyal to see they are paying more for less.

If Microsoft were to require something such as this, no one would come to it's defence on the same level I've seen with Apple, except, as said, with XBox, but that seems to be a common thing with gaming consoles, but Nintendo seemingly enjoying even higher loyalty.

It's more like complaining that the software your mechanic uses to tune your McLaren F1 only runs on specific hardware. [1] In this case the required platform is a lot easier to come by - there might be one shop in the world whose fleet includes Mac Pros but no MBPs; I can't imagine there are two - but the point remains that exotic hardware tends to come with exotic support and tooling requirements more or less as a matter of course.

Why not complain instead about the totally needless complexity of the Mac Pro case and its spacecraft-grade CNC manufacture? Slow, wasteful, expensive - and for what? Nothing in the world I can see, save to satisfy Jony Ive's apparent thing for metal with lots of tiny regular holes in it. I'm not here to kinkshame, but I'm glad dude has finally found a different venue for it.

[1] https://jalopnik.com/this-ancient-laptop-is-the-only-key-to-...

I don't think it helps to conflate a common consumer hardware with purpose built professional racing cars.

At most, the kind of car we'd be looking at would be an Audi or BMW and they have pretty standard ports and desktop software for tuning the in car firmware. The reason it's standard and widely available is because while their cars are premium end, they're still widely bought and widely driven so those respective car manufacturers need to make maintenance accessible. Apple, on the other hand, are part of an increasing new trend where manufacturers intentionally remove the ability for 3rd parties to maintain their own hardware. So Apple (and others who pull the similar stunts) should absolutely be called up on this unethical practice.

You don’t need a MacBook for this process to work, you can use a second Mac Pro just fine (the ergonomics of moving around a 18 kg box aside). But if you own only one Mac (and it doesn’t have to be the Pro tower, similar steps apply to other Macs when they get bricked [1]), you need to find somoene else with a recent(-ish) Mac or go to an Apple Store.

[1]: https://support.apple.com/guide/apple-configurator-2/revive-...

> I can make a bootable Linux disk on Windows, and a bootable Windows disk on Linux

Have you ever noticed how Apple considers Macs a separate platform from PCs? Not as in "Windows or Linux or macOS on a computer", but as in "macOS on a Mac, or anything you want on a PC".

They don't want you to make a bootable macOS disk on Linux, because Macs and PCs are not supposed to be friends. Like PlayStation and Xbox, their hardware is similar and from the outside they both look like general purpose computers, but they're different platforms and they're not friends.

You can run macOS on generic PC hardware (Hackintoshes) and you can run Windows or Linux on Mac hardware, but that's mostly a byproduct of the platforms being similar.

You can disagree with Mac not being a PC and not being an open general computing platform, you can choose not to buy them, use them or develop for them, but I don't think it's a difficult concept to understand that Apple doesn't sell, support or care about PCs.

Your original post said you didn't understand the outrage. You then explain how Apple goes out of their way to unnecessarily inconvenience the user by forcing them to have multiple Macs. I can't understand why you don't understand the outrage...
I can flash any iOS device using iTunes for Windows. I don't see this situation as fundamentally different.
"Apple considers Macs a separate platform from PCs?"

Apple might consider paying taxes optional, or the moon to be made of cheese. But why should any of us care or be bound by that?

"and PCs are not supposed to be friends."

Wtf does this even mean, how is it helpfull or provable?

Another important distinction is that most of the operating systems you mentioned are not bound to any particular hardware.
I don't think I ever managed to create a working bootable Windows disk on linux. The hardest part was to fetch the image (from Linux).
My constant struggle is some motherboards (mine!) refuse to boot the Windows installer from the UDF-formatted image Microsoft provides as a download; IIRC I have to copy all the files to a FAT32 partition on the disk instead. (I assume their installer-creation tool, which naturally requires an already-working Windows install, plays some games with creating a disk that's both FAT and UDF, and building all the right tables for files to show up in both? Never dug into it though, this is just conjecture.)
> But seriously, we expect people to have a second computer around when doing anything involved with their hardware.

Not in this particular case. If you are installing an OS on a new drive, all you need is the installation media. You can get that from someone else or prepare it ahead of time. You certainly don't need a second machine on hand at the time of the upgrade or repair. On Macs of a certain vintage, you did not even need that. The firmware has the ability to download the operating system itself over a network connection.

Even in the other cases, a second computer is not necessary. It may be convenient to test a component that you believe has failed before purchasing a replacement, but you certainly have the option to purchase a replacement without testing it. It is also relatively rare these days to require a computer from the same vendor to do testing. As for pinging a computer on the network, that implies that you have a second computer to network with. It does not have to be from the same vendor.

Even though it is likely an unintentional consequence of Apple's design decisions, this does make a relatively simple upgrade or repair less accessible. About the only thing I can say in Apple's favour is that Mac Pro owners probably have easy access to another Mac. (After all, it is quite an expense to accept without having prior experience with Apple hardware.)

Eh, to be honest, even simple Windows and Linux installations can go so wrong that I'll never do that without having second computer with internet access.
Methinks that's excessive. All one really needs is something such as SystemRescueCD on a u.s.b. drive on hand, which I always have with me.

If one's machine be sufficiently destroyed that it can no longer boot from that, I don't think another computer can fix it.

Second machine is usually for googling unexpected problems. I'd never attempt using something like SystemRescueCD without that possibility.
Usually a phone would be enough for that. Hell, with something like DriveDroid[0] you don't even need a separate computer to flash the rescue image.

[0]: https://www.drivedroid.io/

One can do that on SystemRescueCD; I don't understand your angle.

It comes with internet and a web browser.

So would you boot the CD, google the question you want to google, write answer down to paper notebook or make photo, and then restart to resume installation?
No, I fix my machine from SystemRescueCD if anything go awry.

I wasn't thinking of “resuming installation” so much as “accidentally made my machine inoperable”, which becomes apparent when rebooting after the installation.

If the machine were not made inoperable, I would simply use the web browser that comes with the live medium of the installer.

It's good to have an internet connected computer on hand, and I haven't been in a situation in decades where that wasn't the case (even if it was just a mobile device for looking up documentation). Yet there is a bit of a difference between it being a good idea and it being required. There is an even bigger difference between it being required and requiring equipment from a particular vendor.

Requiring specialized tooling should not be required for replacing a modular component. I understand that this case involves the security chip, but surely Apple would be able to implement a solution that is integrated into the system's firmware. Macs are already capable of connecting to a wireless access point to download and install the operating system via the Internet[1], so this seems like a reasonable approach.

[1] At least they had that capability when I purchased a 2012 MacBook. I'm not sure if things have changed since then.

All I need for that are bootable usb drives. Someone would have to lock down the boot order in bios and forget the password for that to go wrong.
ever hear of right to repair movement? I can buy a right to repair computer form system76 and always know that I can replace a SSD as SSD reach end-of-life faster than HDs despite Apple's claims that they should be non replaceable.
> But seriously, we expect people to have a second computer around when doing anything involved with their hardware.

Sometimes we even expect a second computer with a different operating system or even different architecture. I had a retail Seagate harddrive in my Mac that was going bad during the warranty period. Seagate expected me to run their diagnostic software to get an authorization code to return the drive--and at the time that authorization software only ran on DOS or Windows.

I had a Windows PC that I could move the disk to and run the diagnostics on, so just went ahead and did that. I don't know what they would have done if I had not had a PC available.

The box explicitly listed the Mac as being supported and said nothing about a PC being required for warranty replacement so I assume they could have been forced to honor the warranty without running the diagnostic, but don't know how much of a hassle that would be.

It could make sense to have an iphone and a mac. But who needs two Macs? Why are you sp eager to defend them?
> But who needs two Macs?

There are many reasons. I'm a developer, I like having computers around, so I have multiple computers, including two Macs. Some people just have multiple computers and I'd guess that people who own a Mac Pro will probably have a second, more portable machine.

> Why are you sp eager to defend them?

Because I believe the i3-Linux-Thinkpad crowd needs to be constantly reminded that there are other people using computers with different opinions who may be actually happy and productive on their Apple hardware and who prefer dealing with minor hiccups like these over running Windows or Linux on generic PC hardware.

>Because I believe the i3-Linux-Thinkpad crowd needs to be constantly reminded that there are other people using computers with different opinions who may be actually happy and productive on their Apple hardware and who prefer dealing with minor hiccups like these over running Windows or Linux on generic PC hardware.

Yup. When I just want to get work done and not feel like I'm having to spend more time tending to an active science fair project than getting stuff done I turn to my Macs. I have plenty of friends who prefer Windows and even a few masochists who prefer Linux on their desktops. I never feel the need to criticize them for their choices.

I'm not so curious about why someone would defend their choices, but why others who have no idea what someone else's wants or needs are feels that it's OK to pontificate as if their thoughts were relevant or even needed.

Mac Pro is an expensive desktop computer; people are saying it makes sense someone would also have a laptop for portability in that situation. A MacBook Air is 5-15% the price of a Mac Pro depending on the configuration, not exactly doubling the computing budget.

Pros are supposedly typically bought by businesses, too, which would have a fleet of devices.

Just explaining—hopefully it helped.

This will really blow your mind - I have three. And they all three have uses.

I also have two windows and three linux boxes. I guess I'm a windows and linux defender too? :p

In no case you need a second computer, except for convenience. I can have bootable usb w/ linux and even use my phone with an usb cable to transfer files, or even attach usb wifi with drivers I have already.

I can create bootable usb both on Windows and Linux. All of the statements are pretty much false.

I know. Especially when we are talking about Mac Pro (!) users. Even in the HIGHLY unlikely probability that they don't have a second Mac of their own already, they more than likely know someone with a Mac they could borrow for the 10 minutes (tops) it would take to perform this procedure.
(comment deleted)
Anyone with a Mac Pro has a Mac laptop or a friend with a Mac laptop.
Ssshh - don't spoil their faux outrage with logic and common sense :)
I get the outrage, but I also understand where the problem originates in terms of Apple's use of the T2 chip.

To maintain the security of the T2, which is tied to the encryption of the SSD, the SSD is bound to the T2 in a non-reversible way.

So when you change the SSD, you have to rebind it with the T2. This is not a "field supported" operation of the T2 standalone, so requires the use of a secure path via Apple Configurator, with, I assume, a tunnel back to Apple's RA equivalent.

Should they make this a function of the T2 that is available in the field standalone? Absolutely.

Why haven't they? I can think of any number of reasons, some nefarious (the "remove right to repair") side of things, but, more likely, you don't muck around with a security chip too often or without a real need.

I just heard Lenovo is locking server chips to the motherbord now which is a similar story: you know that major chips on the board are authentic but when somebody tries to recycle the cpu later it doesn't work.
It's really hard to design secure systems that do not harm convenience, serviceability, etc., since someone trying to compromise the system is... "servicing" it.
For such maintenance operations, you could support a mode where a barebones OS is copied into RAM. Then you can remove any SSD you want.
Do SSDs support hot plugging? Can you unplug them from a Mac Pro without removing power from the system?

Even if they do, I wouldn’t expect anybody to test that enough to make it absolutely reliable.

I don't know about the Mac hardware specifically, but SSDs can be hotplugged in linux boxes. If your sata controller doesn't support hotplugging, you will have to reboot for the block device to be accessible but that does not seem like an insurmountable problem in this case. Hotplugging is also a pretty basic feature for such an expensive computer.
The SSDs in this case are M.2 NVME which is a PCIe-based standard. I have no clue if the M.2 or NVME standards address hotplugging but PCIe based hotplug is almost never a thing on consumer hardware iirc.
Isn't Thunderbolt basically hotplug PCIe?

I wonder if hotplug M.2 NVMe requires any kind of special hardware or if it's pure software.

At minimum you need to have a special connector like USB in which data lines are disconnected before the power lines. Or a dedicaed pair of cables to detect the link state.

Both will of course require additional support at both software and hardware level. The DVI interface supported hot plugging in theory but I've seen many cases of monitors not working without a full restart.

Apple is assuming all supported repairs and replacements are being performed by an AASP, where external troubleshooting is the norm.

Perhaps someone could tell us what the order would look like in GSX?

>Apple is assuming all supported repairs and replacements are being performed by an AASP, where external troubleshooting is the norm.

If that were the case they wouldn't have published the technote publicly using software they also freely make available (Apple Configurator). Having more than one Mac is hardly something novel, and even if you don't have a second of your own how many Mac owners don't know someone with a Mac they could borrow for 10 minutes to do the pairing?

Would it be nice if the firmware for the Mac Pro could do this without needing a second computer? Sure. Is it a hardship warranting this level of scrutiny? Seems a bit overblown to me.

This isn't apologism, but at least Apple provided a way for customers to fix this and a plethora of other issues without strictly needing an AASP.

We frequently have to revive T2 Macs whose batteries won't charge, and the only way to do that in the not too distant past was to ship it off for a logic board replacement.

Telling customers they can fix things themselves means the 10% of people who want to on their own now can, but it's already negated a turnaround of 1-3 months for Apple repairs sent to facilities that are being impacted by covid-19. It's safe to suspect myriad causes.

Security chips shouldn't be black boxes in the first place.
Agreed, what's going on should be completely transparent. The security of the system must only depend on the private keys and implementation correctness.
While security by obscurity is not ideal, it is an additional hurdle. Apple knows that security flaws in their stuff is very valuable for both nefarious and state hackers, so the chances of someone finding an issue and reporting it to them to resolve it are kinda low.
Not if the bounty is high enough and payable to an anonymous recipient (perhaps vis cryptocurrency).
I don't think state-affiliated hackers really care about money.
Good point, though I imagine a large bounty payable to an anonymous bitcoin address could encourage individuals within such an organization to divulge vuln info.
It being a black box seems to be a seperate unrelated issue?
Not really since it generated the requirement that is the topic of the article in the first place.

For example, if it wasn't a black box it could be re-configured with alternative firmware negating this requirement.

Not that I'm interested in such a thing, but I can see how it would have value to a non-trivial group of users.

I guess it depends how we're defining "black box".

T2 and its firmware could be completely open source - arguably its no longer a "black box" because its completely transparent now - but unless you have the keys you still can't reprogram it.

And you should have all the keys for a device you bought. It should be a legal requirement.
That isn't related to the issue at all. On Linux, you can have a TPM + Secure Boot + Full-Disk Encryption setup with the TPM schematics all open and you will have your SSD bound to your system similarly, which is good security practice.
So what happens if the SSD goes bad or refuses to mount....you have a mult-thousand dollar brick because of a hundred dollar part?

I assume you can recover from corruption...but what if its a hardware defect.

No, you can swap the SSD, you just have to have another Mac on hand to reset the security chip and encrypt and install into your new SSDs.
And if you don’t have one?

I have exactly one Mac in my house. I also have linux and windows in various forms. But only one Mac.

And the nearest “Genius Bar” is 200 miles away with only affiliate repairs (or whatever they call them) locally.

Then you have a machine that's unusable until you find one, but it's not bricked (which means that the hardware is irreversibly unusable).
>(which means that the hardware is irreversibly unusable).

In my case that would in effect be a distinction without a difference...

Apple is putting a lot of efforts into securing its hardware but I don't feel it's reflected in their marketing and I don't feel like people are buying Apple products for their secure hardware (people from HN and elsewhere excluded).

So why are they doing so much and not advertising it more ?

Probably because it allows them to extert control over their hardware even when users hold it in their hands. Given System Integrity Protection this allows them to enforce rules on the client and trust them on the server. For example shipping apps from the app store that can't be pirated and trusting that iMessage clients are actual hardware owners with unmodified clients.

It is basically a DRM system.

Because Apple only cares about keeping devices secure from their owners, not about security that benefits the device's owner.
Apple’s problems are multitude, and I’m no fanboy, but they do work pretty hard to keep their devices secure from government hacking. https://epic.org/amicus/crypto/apple/
Apple's unwillingness to implement e2e encryption of user iCloud data says otherwise.

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

Unwillingness? That's a big assumption.

Not that I'm defending it. And I also expect Apple to do better and not just pay lip service.

On the other hand, who is doing as much or more? Again, not saying that to excuse them but just point out there is likely far more going on than them just making an arbitrary decision here. Just saying...

> who is doing as much or more?

Google does end-to-end encryption for Android for free. Just saying...

There is a big difference between “doesn’t care at all” (which was what the GP said) and “hasn’t done everything” which is what you are arguing.

Has Apple done absolutely everything? No. Have they done a lot? Yes.

This is total speculation, but here’s one reason the strategy might be smart: You can be held legally responsible for your specific marketing claims, but not for your reputation.

Since security is difficult, aggressively marketing your products as secure is fraught with liability. Sooner or later, some oversight is likely to bite you, and if you’ve made promises, you’re now on the hook for those promises.

But if, instead, you just talk about what technical steps you’ve taken to improve security, and then let enough time pass, you can get a reputation for being secure without ever having made any guarantees. You just let people notice how you respond to security issues, and the relative frequency with which you have breaches. That strategy takes longer to work, but it’s harder to sue you for a public perception which you never actually endorsed.

Assuming this is the strategy, I don’t even think it’s particularly nefarious. It’s fairly incentive-aligned, since it only works if your track record is cleaner than your competitors, and it hacks around the fact that consumers aren’t willing to pay the price for actual security guarantees (which would probably involve SLAs, and Apple essentially acting as both a vendor and an insurance broker).

They're saying something like "We're doing everything we can to eliminate the hackintosh, now please do not google the phrase or do badthink of even merely thinking about the concept of a hackintosh."
More people do than you think. Apple doesn’t have a significant historical presence in Washington DC for the weather and easy traffic situation.
They may have chosen to let the annual 150-200 page PDF security technical reports speak for themselves, especially if their research suggests that the average United States consumer doesn't care about any of this. One recent time they went to the press to say "we defend against state-sponsored attackers", the United States FBI sued them for defending against the state-sponsored attacker Cellebrite. These prior posts may offer more context:

https://news.ycombinator.com/item?id=26184793

https://news.ycombinator.com/item?id=11135201

At least it isn't second MacPro ;- )
I get using the T2 to encrypt the drives, as I understand it makes for very good hardware security, but what I do not get is why the machine cannot either: A. Wipe and then 'claim' an SSD, adding it the T2 by itself without another machine, or B. Give you a big fat warning when reinstalling macOS that your drive will not be encrypted.

Maybe Apple figures it's not a big deal to require another Mac simply because these machines are priced such and targeted at professionals and corporations.. having an old Macbook or something around isn't unlikely.. this is the kind of thing that would be a deal breaker for me but that's moot since I don't think anyone like me would ever buy one.

(comment deleted)
(comment deleted)
Part of the problem is that swapping the SSD at all was originally not a thing. T2 drive encryption started off on laptops with soldered-on SSDs where I would imagine Apple had zero intent of supporting any attempt by a user (or, more likely, Louis Rossman) to swap chips out. When they shipped the Mac Pro with socketed SSD modules they needed to hack together a way to actually pair the T2 and new SSDs, so they released Apple Configurator to let that happen.

The main problem I could see with a field-pairing mechanism is properly messaging it to the user while the SSD is in an unusable state. Remember: once you change the SSD pairing, the data on the old drive is unreadable by anyone and the new drive will be wiped accordingly. So it absolutely should not be an automatic process - what if someone swaps the SSD modules without knowing about the drive encryption? At the very least, you need to flash a warning up on screen and accept a user acknowledgement, which means you need display drivers, USB, and so on all working in the boot ROM. It's not insurmountable, but it is a technical challenge.

> At the very least, you need to flash a warning up on screen and accept a user acknowledgement, which means you need display drivers, USB, and so on all working in the boot ROM.

Pretty sure Apple has some form of this. On Intel Macs, the boot picker [0] supports displaying text and graphics, accepting keyboard and mouse input, and even connecting to Wi-Fi. There’s also the FileVault password screen, which does not live in the firmware, but it’s a full-screen UEFI app resembling macOS’ login UI.

It’s also a thing in the PC world these days. The UEFI setup menu on modern machines is a bitmap-graphics GUI with mouse and keyboard support, for example [1] (a random YouTube video).

[0]: https://www.ninjastik.com/support/how-to-choose-a-startup-di... [1]: https://www.youtube.com/watch?v=Q1NDjD2RuGM

> T2 drive encryption started off on laptops with soldered-on SSDs

Deliberately unrepairable products should be against the law. The consequences of that first unethical decision just cascade.

No, I don't buy the argument that people would choose to make their laptop 5 grams lighter or whatever and give up repairability, and to be honest, they shouldn't have that choice. It's simply irresponsible to buy an expensive machine full of unrecyclable parts produced at great cost to the planet, and expect to throw the whole thing out when any part goes bad.

I suspect the code to do the pairing is fairly complex, and putting it into firmware that can work on a computer with NO storage while also not bricking the rest of the machine is more trouble than just requiring a second computer to do all the grunt work.

I think I have swapped hard drives three times in over 10 years on my Mac Pro (that I still use!) Also acting like it's extreme hardship for a Mac Pro (!) user to have access to more than one Mac is a bit bombastic.

TL;dr - this whole thing is a hell of a lot of fuss for a non-issue for what I would wager is an utterly minuscule number of people.

And if you are upgrading a Mac Pro SSD drive, even if you had to buy a Mac Mini, use it once to bless the drive and toss it, it would probably be a fraction of the cost of the SSD you are putting in your Mac Pro and still cheaper than buying a similar sized drive from Apple (even if Apple offered a larger SSD - which is the main reason I would suspect someone would be wanting to upgrade the SSD in the first place).

The good thing is I dont use mac
Now that the iPad has USB-C, I wonder why they don’t build a version of Apple Configurator for it. Since they’re Apple, they can use whatever private APIs they want to use the USB port, and most people with a Apple Silicon (or T2) Mac may not have an old Mac but probably have an iPad.
If they were willing to do that then why not just embed the functionality into the firmware of the Mac Pro?

I think it's far simpler than that - this is such an infrequent issue it doesn't warrant engineering time beyond what they already support - using Apple Configurator on a second Mac to sign the drive to install it.

This is likely a dictionary definition of "edge case" after all. Mac Pro's aren't exactly high volume computers (something that is normally touted with great enthusiasm on this site).

Replacing a hard drive is an "edge case"? Something that has literally taken just a couple of minutes on virtually any consumer desktop (and laptop) for _decades_?

What sort of twisted Stockholm Syndrome has afflicted you?