274 comments

[ 3.0 ms ] story [ 316 ms ] thread
Well, this just about confirms the worst nightmares I've had about hardware-based TPM. This "Owner" concept in particular rubs me the wrong way, it just seems antithetical to the idea of general computing.
While there are perils, there are also benefits. Organised theft of iPhones basically stopped being a problem because features like these makes the device a mostly useless brick once it’s marked in Apple’s systems as stolen.

I like the idea that should anyone be foolish enough to steal my MacBook, not only will they not be able to get my data, they won’t even be able to get much useful value out of the purloined goods.

> Theft of iPhones basically stopped being a problem because features like these makes the device a mostly useless brick once it’s marked in Apple’s systems as stolen.

Uhh, got a citation on that?

Sure, how about https://www.lifewire.com/security-settings-iphone-thieves-ha...

There’s more to be found on this new-fangled internet search engine called Google. You should try it: https://www.google.com/

People are still routinely tricked to enter their iCloud credentials into fraudlent websites designed to look just like iCloud, allowing thieves to wipe the device.

I've had this happen to three people I know. Works like this: they contact you via your contacts, pretending to be apple care specialists, ship a link, then social engineer you into entering credentials, then they disappear.

(I don't really know how they get to contacts, but this was the case in all three instances)

Can confirm, had my XR stolen. Contacted on whatsapp via a number that I put as the lost message (displays when you turn the phone on).

Story was, this girl from Italy bought my phone on ebay but then saw my message and then took it to the Apple store. Someone from the apple store would contact me to arrange recovery of my stolen phone.

Couple hours later I got a message from another number asking for me to log in to my iCloud account and arrange an appointment using this link. Opened the link and about to type my details in then I saw the domain wasn't quite right. Looked into it, realised it was a phishing attempted and bailed on that.

I know they can't access the phone whilst it's still on my iCloud account so it will remain there, in lost mode, until the heat death of the universe.

It’s not really surprising that organised criminals are trying to get around the anti-theft measures (although crazy to hear that you know that many who’ve had their phones stolen). But as you can imagine, running such social engineering schemes takes time, and success is not guaranteed, so even in this case, the anti-theft measures are making it less attractive to steal iPhones.
> While there are perils, there are also benefits

Rarely are anti-features sold to unsuspecting users without having some positives to explain their existence.

Fringe use case of using multiple operating systems != peril.
> These may seem elaborate and esoteric, but in the next few months we’re all expecting Apple to release more Apple Silicon Macs aimed well above the lower end of the market, where users often live more adventurous lives and have Macs which are far from vanilla. Yet as far as I can see, none of these subtleties are documented for those more advanced users.

At the bottom of the article he seems to address this sentiment.

I don't think it's entirely odd.

I'm still using Catalina, because Big Sur broke Display Stream Compression completely, and it's still not fixed in any of those releases, let alone Monterey.

So until Apple pays attention to the hundreds or thousands of bug reports on a completely working piece of functionality they broke (although I'm sure they'd rather we all just bought Pro Display XDR monitors), I'll dutifully stick with Catalina and cross my fingers and test each new release from an SSD, so my 27" 4K HDR 144 Hz monitors aren't completely crippled.

The other peril is not being able to run a docker machine because it’s not available for M1. Which is disappointing because, you know, because you can’t tell customers that your software wasn’t tested in Oracle, and we invented VMs to be able to run any VM on any other machine…
Had to wait 6 months since launch for it to be stable.

That there tells me it was not production ready for M1 Macs at the time, which isn't good.

> at the time, which isn't good.

At what time?

Since the month the M1 Macs first launched; November 2020.
I see you’ve edited your earlier comment so it is clearer.

So your point was to complain about how Docker took a long time to update their code. I guess that’s not good.

> So your point was to complain about how Docker took a long time to update their code. I guess that’s not good.

Not exactly. The software was not stable for general use for M1 users at the time of its launch in November 2020. That is the point.

I don't know anyone who thinks or recommends using unstable preview tools for production use is a good idea or even waiting for the software to stabilise for months on a newly unsupported machine. Means you can't use it properly for months.

Might as well use an already existing computer that works well.

> The software was not stable for general use for M1 users at the time of its launch in November 2020.

That seems like a basic fact that nobody is contesting.

> I don't know anyone who thinks or recommends using unstable preview tools for production use is a good idea

Who is recommending that?

> Might as well use an already existing computer that works well.

It seems bizzare to suggest that the computer doesn’t work well when it obviously does.

I agree it’s better to use a computer on which the software you want to use is supported. I personally ruled out buying am M1 Mac until after Docker was supported.

Is that the point you are trying to make?

> It seems bizzare to suggest that the computer doesn’t work well when it obviously does.

Unfortunately, most of the frustrations were from users who went 'all in' since November 2020 and realised that the device did not work well for them.

Not only basic updates didn't work, recovery mode also failed to work. Then Apple prevented the majority of popular iOS apps from running on the M1. Making it only up to the developer.

> I personally ruled out buying am M1 Mac until after Docker was supported. Is that the point you are trying to make?

  yes.
It's better to wait until the software you need is available, officially supported and stable; and then switch rather than buying it and going all in and realising that the software you need doesn't work well and gets in the way.
None of this has anything to do with the computer not working well. All reports are that the M1 Macs work extremely well.

Implying that the device is at fault is dishonest.

> All reports are that the M1 Macs work extremely well.

For you to say 'All reports' is straight up dishonest, when people have reported SSD wearing issues, update and recovery issues and that WAS broken on M1 Macs on launch. You have to use/buy another Mac to recover it or go to the Apple Store since November 2020 on launch day.

Maybe if it was 'working extremely well' you wouldn't need to go there and those reporting dead M1 Macs as a result of this, well lost their data and have to buy another one.

System software also counts, and particularly for M1 Macs, it did 'not work extremely well' as soon as it released in November 2020.

Even the author of this article who also uses an M1 Mac since launch day does not hide or pretend about this.

> For you to say 'All reports' is straight up dishonest

No. We’re taking about how the computer works. Not the occasional faulty unit.

> when people have reported SSD wearing issues, update and recovery issues …

Consumer products are sometimes faulty. If you ship them in volume, some consumers will receive faulty units.

If you had evidence that M1 Macs have a greater failure rate than their competitors, you would have presented it.

> No. We’re taking about how the computer works. Not the occasional faulty unit.

And the computer needs system software to run properly to be usable, otherwise it is useless on its own and cannot boot anyway.

If the system software is causing issues, you update it. On launch day, that was broken and so was recovery when they launched.

> If you had evidence that M1 Macs have a greater failure rate than their competitors, you would have presented it.

So in November 2020, 'All reports are that the M1 Macs work extremely well?' Typically, that includes the default install of the system software upon purchase that can only be macOS for M1 Macs and for it to be "usable" it 'must be switched on' and the only way to control and update the hardware is via system software on the machine. Otherwise it is useless.

If 'All' reports were that M1 Macs worked extremely well, I would not be seeing such frequent issues or reports mentioned anywhere on launch day or a month after. That was not the case.

The author of this post has the evidence themselves and does not hide the issues that happened on launch day and for several months on end.

Docker on M1 can run x86_64 containers when aarch64 isn't available in the registry. I use it everyday.
It was only true for 1 month after m1 started shipping.. because the Docker Desktop Beta was released on Dec 16, 2020: https://www.docker.com/blog/download-and-try-the-tech-previe...

It worked pretty well.. sometimes you had to use the x86 container instead of the arm version. And I had one container that hadnt been updated by the maintainer in a few years, so I had to update it myself so it would work. And sometimes qemu would crash... but those cases were all exceptions, and it generally worked well.

I'll just say my experience in early 2021 didn't match that, or I wasn't willing to invest enough to get unsupported, pre-release software working, when I had easy access to x86 macs.
That doesn't mean anything since at the time (November 2020) it explicitly says it is 'not stable' for general use. Like you said yourself 'sometimes qemu would crash' and one of the known issues in the preview and beta versions is that the kernel panics regularly.

At the time since November 2020:

> 'Docker Desktop on Apple M1 chip is still under development. We recommend that you do not use tech preview builds in production environments.'

My intention is not to 'test' this software, I am simply using it for general use and I do not suggest using beta or preview software to anyone if it is known to be that unstable. As soon as it was marked officially as a 'stable' release, then I would use it.

Those who bought the M1 would have waited 6 months for it to be stable.

I have with with docker on Mac about two years ago. Just got a dedicated server to run it and it’s made my development a lot less stressful. I’d suggest doing the same.
Not true. I use Docker every day on my Mac mini M1. Now Dropbox, on the other hand, barely does… it brings my Mac to a crawl.
This isn’t the right solution, but I’d be curious to know if these problems disappear in Permissive Security mode (aka Secure Boot off).
Right. I'm not sure we know whether the author is describing a bug or a feature.
Most likely a bug. If the instructions start with "Install Beta anything", with apple, this wouldn't garner support from them. Report the problem to apple on the beta channel. https://beta.apple.com/sp/betaprogram/ if you're a developer having an issue they have a support channel for that too
In other news, edge case use encounters edge case issues.
It’s almost as if Apple is building their Macs to be rogue nation-state resistant or something. Because otherwise is this almost actually security overkill? (Which does exist, we don’t want TSA Security to enter a grocery store, for example.)
TSA is theater, the hijackers that were stopped where stopped in the air.

But aside from that, looking at the threats of ransomware attacks, they probably do need to harden them that much.

What about device Ownership prevents an app with Full Disk Access from encrypting files as it pleases?

Ruining the OS install is not the objective of most ransomware because that makes it harder to show your demands and accept payment.

I assume the idea is to prevent rootkits.
Considering the recent ransomware epidemic I would not agree for this to be security overkill. Maybe this level of paranoia is the minimum required baseline in 5 years. It looks like after a decade of relatively few big and public security incidents we are starting to go downhill again.
I think rendering stolen devices useless is also on the feature list. iPhone theft has become super rare, because a stolen device is neigh-impossible to activate and thus has little to no resale value.
lol you give thieves too much credit. Literally two minutes ago I was watching a video of thieves trying to ram a car into an ATM in France.
Even the stupid thief will learn, once he tries to fence a stolen device and gets little-to-nothing for his efforts.
Presumably the ATM has money in it, rather than iPhones.
I think the point is that their technique is unlikely to work
(comment deleted)
I've heard stories of people getting their phone snatched from their hand by a thief on a moped, then seeing the thief checking if the phone is unlocked while driving away and throwing it away immediately if it is (probably smashing it to the ground)
Seems like it'd be mostly useless, though - everyone I know sets up the iPhone without messing with too many settings, which means enabling Find My iPhone (which is on by default). The only place I imagine it being worth it is outside of Apple Stores or cell carrier stores where there's a higher chance they haven't set up FMI yet.
Presumably when you snatch a phone, you don’t know if you’re getting a (worthless) iPhone until after the deed is done…
I don't have an iPhone so I don't really know what I'm talking about, but maybe there's ways to reset the phone as long as it's already unblocked? It would take a while for a victim to get to a computer and use Find My iPhone

Anyway, I assume they do something with these unblocked phones, but maybe only androids :shrug:

This has already been a thing for Macs as well for many, many years. If you boot into recovery mode, there is a menu option to add a Firmware Password. You cannot access recovery mode or enter the boot selection menu without providing that password, which means a thief cannot reinstall any operating system or boot from a Linux thumb drive.

When you add a Firmware Password to a Mac, you get a long recovery code as a fallback safety in case you lose/forget the password. Apple, if provided with proof of purchase for the serial number being inquired about, can create a bootable USB stick with a certificate generated using public/private key crypto for which Apple holds the private keys.

I suspect much of this newer functionality acts as a replacement for the Firmware Password, giving more options and making it a bit more well-known.

> iPhone theft has become super rare,

This is simply untrue. It may be hard to activate it, but it still has value for its screen, case, camera, and other parts.

https://cbslocal.com/2018/01/31/despite-anti-theft-features-...

The GP was incorrect to describe it as "super rare" but rates of phone theft did plummet and have not subsequently recovered. Exactly what you'd expect for an asset which had its fenced value drop from ~$500 (a fully working second hand device) to ~$100 (a bunch of used parts which require non-trivial labour to extract).
You think a junkie will stop stealing an easily grabbed item because he can only get $25 for it instead of $50?
There are no absolutes. Most all crime carries some risk—or perceived risk—of getting caught, even if that risk is low. If the value of the device changes, the risk/reward trade-off changes. Yes, even for a tripped out junkie.
It is less common these days thanks to activation lock, Find My Phone, etc. but it still happens a fair bit for parts. The system board is useless thanks to activation lock but the battery, screen, cameras, housing, etc. are all useful to any repair business. I think the only part they can't replace is the FaceID module as Apple require specific software to configure it only available to certified repair techs so a small repair store won't have access to it but a genuine battery or screen or camera on the cheap from a stolen phone is good money to smaller repair shops.
> but the battery, screen, cameras, housing, etc. are all useful

Wasnt there a video a while back where a famous repair guy from Australia could not use the camera of another exact same iphone. The original phone was not usable but when you put the orignal camera back it starts working.

Apple might start doing that for each and every component soon in the name of safety and security.

It's not a feature, it's an anti-feature. Preventing people from using a device they get second-hand is actively hurting poorer economies, because they can't benefit from all the hardware at disposal but have to dispose of it as part of global "recycling" trade (which has nothing to do with recycling and everything to do with piling up devices in areas where random folks will use dangerous chemicals to scrap parts or tiny bits of gold).

And then you they go even further with stories like that: https://www.vice.com/en/article/yp73jw/apple-recycling-iphon...

Apple is doing such policy not for security, as they still own the master key to everything they produce (!), but for making sure people keep on buying new products and destroying the planet ever more. Screw this crap.

EDIT: If you like to think of yourself as an eco-responsible or eco-worried person, consider how "right to repair" (or "apple/samsung locks" on the other hand of the spectrum) fit into that worldview.

You know that they will unlock devices if you bring them to an Apple store and have proof of purchase, right?
which requires effort, and requires proximity to the store, requires time, etc.

Why can't I, as an owner, choose to unlock the mac myself without having an external authority to "let" me?

I’m not sure what the situation for the M1 is, but as the parent comment referenced similarity to the iPhone to prevent theft, with the iPhone, the owner can unlock the device prior to resale. Is this really not possible with an M1 Mac?
Probably but many people forget to. Or sell the device once they haven't used it for years, and forgot the passphrase. Or give it away without leaving contact information and without thinking about the passphrase at all.

I don't have statistics at hand, and overall the M1 is pretty new so it's not a problem for this device YET, but it's a serious problem i notice several times a year in my close circle.

If a device ever enters the second hand market, it is nearly always sold soon after it is replaced. Phones contain ungodly sums of private and intimate data, most everyone knows to find the button which wipes it. If they press that button, they are prompted to disable activation lock.

Activation lock has nothing to do with the phone's pin or passphrase, by the way. It's tied to an iCloud account. In the exceedingly rare instance where someone has forgotten the pin they used to unlock a device continuously for two or three years, they can disown the device by signing into icloud.com from any web browser.

It's curious that you don't even know how the process works, which makes me begin to doubt that you've ever had to deal with it.

> most everyone knows to find the button which wipes it

Not talking about Apple hardware/software specifically here, but i don't see the same here. Most computers donated to associations i'm involved with was never wiped, even when coming from corporations/institutions. Sometimes though, we do receive computers without (EDIT:) harddrive, but it's still the minority. I can count on my two hands the times someone has donated to us fresh system installs (user data wiped), in over two decades.

> they can disown the device by signing into icloud.com from any web browser

That is, assuming you know these credentials. Most people who are not entirely locked inside the Apple walled garden create an account because they're forced to but don't care/remember actual credentials, then forget it. Same goes with other kinds of credentials, not just Apple... but only forgetting Apple (and a few others, like Samsung) credentials turns hardware into useless paperweights.

Or maybe the person has diseased, or moved to a foreign country. Or maybe they've just donated the old phone in a box full of random stuff and by the time you realize the phone is locked the person has already gone and you have no way to reach them. In my personal experience, even with hardware directly donated by friends, fishing for an old passphrase more often than not raises "uuuuuuugh i gotta have this password somewhere, let me check and i'll call you back in a few days" (<-- loop here for about 3 months before you give up).

> It's curious that you don't even know how the process works

I pretty much know about it, thanks. I was suggesting precisely that iCloud lock be entirely removed, and instead a recovery mechanism would wipe the entire device as a privacy-protecting measure.

Most people don’t think about the private data on their computer. Most people don’t know how to wipe a computer, and there’s no simple button like there on an iPhone, so they don’t.

You have no idea how much of the stuff you receive is dumped on you after being stolen (or otherwise misappropriated) and judged too worthless to fence.

But we certainly know that only the tiniest fraction of devices go to recycling centres like yours, and so of course you’re going to see mostly activation locked ones which have no market value—and not the other 99.9% of devices where activation lock didn’t preclude second hand sale, trade in, or commercial refurbishing/recycling.

If you have an Apple store nearby. If you have some "proof of purchase" they deem legit. I guess buying/acquiring from a second-hand shop isn't gonna cut it.

That's a lot of ifs to simply use a device. Most devices, including pencils, bikes and cars, do not come with such troubles. Hell, even most phones and computers do not come with that.

Are you seriously claiming that your "right" to use my stolen phone outweighs my right to own a device that is less attractive for thieves?

If you like to think of yourself as an eco-responsible or eco-worried person, consider how much conspicuous consumption occurs because stolen items tend to get replaced. Theft causes people to "...keep on buying new products and destroying the planet ever more. Screw this crap."

> Are you seriously claiming that your "right" to use my stolen phone outweighs my right to own a device that is less attractive for thieves?

If you wanna go all pedant on it, let's do... Are you seriously claiming that your "right" to own a device that cannot be used by anyone else without your explicit approval even after your death outweighs my presumption of innocence?

Going around and claiming everyone who hasn't got a specific passphrase is a thief isn't helping make your case credible. You're just ridiculing yourself to people who can't afford first-hand devices.

Yes. That's exactly what I'm saying. If you have my phone and it's still activation locked, then it was lost or stolen and should be returned to me or my next of kin.

My right to own a secure device massively outweighs any desires held by criminals, or downstream beneficiaries of criminal activity.

> If you have my phone and it's still activation locked, then it was lost or stolen and should be returned to me or my next of kin.

If i find your phone and it lets me know of a way to contact you, i'll probably return it to you whether there's an activation lock or not. It's a common courtesy that applies to wallets as well.

> My right to own a secure device massively outweighs any desires held by criminals

Your device is not in any case secure, as Apple has all the keys to break in. That's why there's an entire gray-market of icloud unlocking based on corrupting Apple workers.

Since you are so much in favor of private property, i suggest you invest in a self-destructing phone, wallet and car. If anyone who doesn't match your DNA even just touches it, they should get blown up along with the device. Because that's the only way to be sure you own stuff while making everyone else's life terrible for your little material comfort. /s

(comment deleted)
> Preventing people from using a device they get second-hand

The word "get" is doing a lot of heavy lifting there. Activation lock does NOT block the second-hand trade of non-stolen devices. It blocks the illegal second-hand trade of stolen devices.

You are essentially advocating in favour of crime.

Based on your logic, you should be demanding that vehicle immobilisers and anti-theft devices are also anti-features. We wouldn't want car thieves (ahem, sorry, "second-hand owners") to be inconvenienced either. Once your car is stolen (ahem, sorry, "sold"), anything which impedes the free use by the new "owner" is ecological vandalism.

While you're at it, perhaps we should require all security safes to be openable with a paperclip, just in case you lose your keys. Otherwise people will keep buying new safes.

> The word "get" is doing a lot of heavy lifting there. Activation lock does NOT block the second-hand trade of non-stolen devices. It blocks the illegal second-hand trade of stolen devices.

It also blocks the re-use of devices that were thrown away or given to a recycling center (because 95% of people who do this won't remember to turn off activation lock). I'm pretty sure that's what GP was referring to.

How's that Apple's fault, though?
Apple built a system that makes discarded devices unusable. Whether the trade-off is worthwhile is debatable, but the environmental cost is real.
The environmental cost is real either way. Without activation lock, more phones get stolen, then more phones are manufactured and sold to replace them.

There are already plenty of perfectly good phones in the world; putting stolen iPhone 12 Pro devices into the second hand market lowers the value of existing devices.

> Without activation lock, more phones get stolen, then more phones are manufactured and sold to replace them

Source?

> putting stolen iPhone 12 Pro devices into the second hand market lowers the value of existing devices

Funny argument. So would you be OK to remove iCloud lock from all devices except the newer line? That would be fine by my book for legit second-hand purposes. (Though i'm pretty sure Apple and its fanboys would be still pretty hostile to it)

> Source?

I don’t need one, it’s entirely deductive reasoning. Do you dispute that people generally acquire a replacement phone if theirs is stolen? Do you dispute that phones have the same environmental footprint whether they’re an upgrade or a replacement for a stolen device?

As for your last paragraph, I have no idea what you’re talking about. That doesn’t sound like a response to what I said. I don’t want activation lock removed from any device.

> Do you dispute that people generally acquire a replacement phone if theirs is stolen? Do you dispute that phones have the same environmental footprint whether they’re an upgrade or a replacement for a stolen device?

No, i dispute that locking phones reduces theft. Because as i've explained, unlocking phones is perfectly possible and there's an entire gray-market industry dedicated to that. But yes i dispute your last statement, because it is true on an individual level but false on a collective level. If you get your phone stolen, you will buy a new one, but on a global scale, stolen goods are still circulating and therefore do not lead to increase in production of devices, and therefore has ZERO environmental impact.

> I don’t want activation lock removed from any device.

Then you truly are an enemy of the planet and the people, because you wish to keep your owner's privileges just for yourself and don't care if you have to set the entire planet on fire and ruin lives for that. I hope in a few decades, when we are struggling for basic survival (eg. finding drinkable water that has not been polluted by silicon/lithium/oil refinement), you remember that it is your choices and your acceptance of this fucked-up society that took us there.

Wrong - Apple built a system where their devices need to be taken out of the cloud before selling them on. Which takes about three taps and less than minute, so I'm asking you again, why blame Apple here?
Preventing data theft through wiping the entire device is perfectly legit in case of passphrase recovery.

Simply preventing passphrase recovery apart from a trusted centralized third party (Apple) is wrong on many levels: it's an ecological disaster, it's a disappointment to good-faith second-hand buyers, it's incentives for corruption within Apple and a shady iCloud unlocker business...

In essence, it's fundamentally incompatible with right to repair and fuels an Apple-insider mafia that honest people have to bribe in order to use a device. That's pretty much Apple's fault no doubt.

You do understand that second-hand Apple devices are being sold and bought every day? Only those where the previous owner was too blasé to turn off the cloud lock can't be sold on.

Which is not Apple's fault.

Wow, are we recursing? Yes of course it's Apple's fault. Apple could allow to remove the phone locking mechanism on the condition to fully erase data on the phone. That would make their phones suitable for second-hand market and as a consequence more eco-friendly.

But they have decided to go against right to repair and against basic principles of ecology. Just as they have, in other fields, decided to go against basic principles of interoperability (Micro-USB/USB-C charger? Jack plug? Standard screws? who needs that, right?).

So yes Apple is harming users and is harming the environment. No amount of greenwashing can undo that.

Their phones are fully suitable for 2nd hand markets as-is. I sense a bit of a an Anti-Apple dogma here, so please excuse me not coming back to this.
Have you ever tried to send an iPhone to a recycling service? I have. They are extremely diligent about ensuring activation lock is disabled. If you can’t unlock it, the recycling centre will only pay you a small fraction of what they would otherwise.

The point is, this is a solved problem.

(This was five years ago, by the way.)

I don't know what kind of recycling service you're talking here, but here in France "recycling" electronics (huge emphasis on the quotation marks, as electronics are usually NEVER recycled) does not involve speaking to anyone.

You have cardboard boxes for electronics devices at the entrance of every supermarket of a certain size (by law) and you simply drop it there. Although admittedly most devices thrown in there do not end up on the second hand market (though i can't say i've never helped myself from these boxes in the past :D)

But the same goes for most ressourceries and other second-hand market: some people donate cardboard boxes full of stuff anonymously, the workers triage through it, then stumble upon devices to which they don't have a passphrase... and don't have any way of contacting the original owner.

Definitely not a solved problem in 99% of the world.

Like five seconds of googling and I don’t speak French.

https://comparecycle.com/

This is the kind of recycling service many people use. Very common here in Australia; companies pay a non trivial price for even a five year old iPhone or iPad.

> You have cardboard boxes for electronics devices at the entrance of every supermarket of a certain size (by law) and you simply drop it there.

It baffles me that on one hand you scorn me for my supposed affluence while inferring that people in your neighbourhood supposedly just dump perfectly good iPhones into a bin without wanting any money for them. If that’s not affluence, I don’t know what is.

That was my thought as well. I change my phone every couple of years. I have used HTC and Nokia in the past. It's way easier to recycle an Apple device and they're very diligent about ensuring it's unlocked. They pay a decent price for up-to 3 year old phones. It's also way way easier to get an iPhone fixed than the other ones I have owned.

People talk about Apple lock-in issues in general terms. No one seem to look at from a matter of practicality. I have fixed my iPhones every time there's an issue - because I actually can. My HTC camera had the purple glare issue. HTC refused to service it unless I pay $200 + shipping back and forth and be without a phone for 3 weeks!!! Same with my LG TV or Sony laptop.

I used to complain about the same things people in this thread too - about how draconian Apple is. Until I actually started using their products and realized they both last long and are repairable. The only downside is the cost - even that is not expensive in the long run (my Pro is now 7 years old and runs like a champ with just a battery replacement).

> https://comparecycle.com/

I can assure you noone uses that in France. When people want money from second-hand devices, they either go to Cash Converters (a chain of local stores) or sell them directly on LeBonCoin.fr (our craigslist equivalent). I don't know a single person who has ever sold a device apart from those avenues.

> It baffles me that on one hand you scorn me for my supposed affluence while inferring that people in your neighbourhood supposedly just dump perfectly good iPhones into a bin without wanting any money for them.

I don't intend to scorn anyone by pointing out material privileges. Owning a brand new iPhone is upper-class privilege, as it's over 1000$ which is about twice social support (RSA) in France (~500€/month) and is the same order of magnitude as french minimum wage for full-time (35h/week) work (~1100€ after taxes). In some corners of France, you can buy a house (though not the best/biggest one) with that kind of money. In Paris, you can rent a two-bedrooms apartment with that kind of money. Wherever you live in France, you can eat for more than a year (as a single person) with that kind of money. So yes it's a privilege to afford that kind of amount.

EDIT: Just to give you perspective, of all my relatives/acquaintances, the typical phone budget is between 50€ and 200€, which gets you a brand new super-crappy Samsung/Huawei phone (super crappy software wise because you're locked with the manufacturer's Android, hardware is a charm), or a decent second-hand Apple/Samsung phone. I know one or two geeks who put more because they want to acquire a FairPhone or a Librem, but they are the exception, not the norm. And to give more perspective, i live in one of the top10 richest countries on Earth, just imagine how the phone economy works in India or South Africa.

Now i'm not exactly saying most people in popular districts throw away their functioning phones in such bins. I'm saying if they're getting rid of anything electronics for recycling that's where they put it. More specifically, and in this order, folks would typically: donate it to a relative/acquaintance, sell it second hands via CashConverters/LeBonCoin or donate it to a local ressourcerie (donation-based second-hand hardware store), sell it for a few bucks on a flea market to a phone dealer, or as last resort throw it away with the old lightbulbs in supermarket "recycling" bins.

> Activation lock does NOT block the second-hand trade of non-stolen devices.

No, it just makes it harder and feeds a gray market of phone unlocking. You appear to be a person who mostly deals with first-hand hardware in a rich western country, where there are Apple stores nearby.

Most people who sell or give away their devices DO NOT change/reset passphrases. This is true for all devices, and i've often had to recontact sellers in order to obtain such credentials. Sometimes, such communication is impossible, or the owner has forgotten the passphrase after leaving the device for years in a cupboard.

With usual computers, i can usually do without even the BIOS password and just boot on USB to setup a new system. Or at least i can take the hard drive into another computer, set it up and move it back in order to boot. With Apple/Samsung devices i end up piling them in my own cupboard and/or throwing them away, which is OK because i didn't pay for them.

It's infuriating when friends/neighbors came to me with devices they acquired in good faith for a reasonable price (<= 100€ for second-hand phone), and can't get it to boot. They then have to go to a phone store and pay 30-50€ more to get the phone (whether Apple or Samsung) unlocked, through a shady mafia (there's articles online about that). All this because of these evil companies.

> We wouldn't want car thieves (ahem, sorry, "second-hand owners") to be inconvenienced either. (...) While you're at it, perhaps we should require all security safes to be openable with a paperclip

You're making a bad faith argument here. Inconvenience is not the problem. Having to follow procedures to reset a device, changing a car security system because you were sold the car without the keys, or changing a safe lock are all possible though inconvenient. Apple/Samsung make it deliberately IMPOSSIBLE to reuse their device without going through shady third parties.

> You are essentially advocating in favour of crime.

In some circumstances, yes. I'm generally advocating in favor of burning down these Silicon Valley companies destroying our lives and our planet and making billions of the backs of workers. However, in this case i'm merely advocating for the right to repair and the second-hand market, both of which are perfectly legal occupations, at least in my country of residence (France).

I'd like to emphasize that through locking devices to a single "owner", you are essentially advocating in favor of crime, by creating incentives for corruption within iCloud services, while at the same time placing the burden of POTENTIAL theft (which i suspect is just a tiny portion of second-hand devices, though making statistics would be complex as we're talking illegal stuff here) on the good-faith customer who bought the phone on craigslist (or local equivalent) or a second-hand market without knowing it was locked. Yes, most people are that gullible. I don't think placing the cost of unlocking on second-hand owners is fair in any way, or creating any kind of sane incentives on a global scale.

And yes, it's a complete ecological disaster: ask me, i have a drawer full of apple devices (donated to me over the years) to which i don't have passwords. They are essentially highly-polluting paperweights, though i keep hoping they can at least come in handy one day when someone needs a spare part. Speaking of which, locking devices does not prevent scavenging for parts and therefore does not disable theft incentives, contrary to your argument.

> I don't think placing the cost of unlocking on second-hand owners is fair in any way

> It's infuriating when friends/neighbors came to me with devices they acquired in good faith

If you don’t have the activation lock removed, you’re not the second-hand owner, you’re more than likely in possession of stolen property which has been dumped in your hands.

A stolen device doesn’t become ethically cleansed because someone bought it off the criminal “in good faith.” It’s still stolen goods.

All serious recycling services pay money for phones. Every single one I know of pays almost nothing if the device is activation locked, so it’s in the interest of the seller to deactivate it.

I have never bought a new laptop (desktops are another thing) for more than 30 years now. I just get old ones. Usually from clients or friends at bigger companies, that are replacing them at a Windows upgrade. Then I wipe the disks (even if I would hope they are already wiped) and install Linux. Works for me. And I have lost a few to theft, heavy rain, drops, bumpy bus rides, wine spilling, etc. So I was happy it was not new macbooks.

But I doubt that I could have gotten a firmware password for most of them. They would just have been thrown in the garbage.

I also got a couple of phones that could be used for testing web-apps. The last one was locked, and it would be pointless to try to get it unlocked.

Maybe the BIOS should give you full ownership if it can check that the device is not reported missing after one week. But I guess that would give robbers a motive to kill the owners.

Maybe devices should just unlock when they 5 years old.

> But I doubt that I could have gotten a firmware password for most of them. They would just have been thrown in the garbage.

Exactly! Thanks for confirming my personal experiences. I almost thought i was going crazy with all those Silicon Valley fanboys telling me my personal experience does not exist in the real world :)

> Maybe the BIOS should give you full ownership if it can check that the device is not reported missing after one week. But I guess that would give robbers a motive to kill the owners.

I don't think most people (even most thieves) would kill for a few hundred euros. But hey it's just my personal bet i don't have actual statistics :)

> Maybe devices should just unlock when they 5 years old.

Yeah maybe auto-timeout of BIOS lock could be nice to enforce for reusability of hardware. Something like you have to re-enable BIOS hardware (such as iCloud lock) every year or let it will auto-expire. This way the Apple cult can be happy with their brand new iCloud-locked iPhone which costs more than a second-hand car, while older devices could be reused instead of being thrown away or piled in a drawer.

The nice thing about the M1 Macs (as opposed to iOS devices or, uh, apparently Windows 11?) is that these systems can be turned off if you feel so inclined. More specifically, "Permissive Security Mode" can be enabled from the Terminal inside 1TR.

Apple recommends against this, of course, but it's your computer, so you can make your own choices!

Technically Windows 11 runs just fine without TPM, but that might change eventually.
The beta does, I was under the impression Microsoft was still saying the final release won’t?
Afaik they pulled those statements after two days of backlash and have yet to update their policy. I'd expect a more solid backtracking closer to release date.
It's a stretch to describe Windows 11 as "running fine" if you cannot run it at all without hacking the installer.
To be clear, it's still not "your computer": Apple still controls the boot process and coprocessors, as well as all of the firmware that might be running on it.
So does any other computer except for, like, Purism.
See the trending top story right now as to why they are doing so.
And yet Apple is cooperating with authoritarian governments[1].

For example, in Myanmar[2]:

> Most recently, there was a dispute with ProtonVPN (the company that also makes ProtonMail) over an update for its app in the App Store. Proton Technologies claimed that Apple was intentionally blocking the update amid the ongoing crackdown in Myanmar.

And in China[2]:

> "China appears to have received help on Saturday from an unlikely source in its fight against tools that help users evade its Great Firewall of internet censorship: Apple."

> "The Republic of China flag emoji has disappeared from Apple iPhone’s keyboard for Hong Kong and Macau users. The change happened for users who updated their phones to the latest operating system."

> September 2019 — Apple adopts a “SIM canary”. If you insert a Chinese carrier SIM, apps like TikTok & Apple News no longer function.

> May 2021 — Censorship, Surveillance and Profits: A Hard Bargain for Apple in China

And in Russia[2]:

> October 2020 — Apple forced Telegram to close channels run by Belarus protestors

And in Pakistan[2]:

> February 2021 — Apple Removes Apps for Pakistani Government

There are about a dozen more examples than those in this article here[2]. Here's its conclusion:

> So what does any of this have to do with app developers? Why should we care? When it comes to the iOS App Store, Apple controls where we are allowed to distribute our apps. More importantly, Apple has the unilateral power remove our apps from any App Store region at any time to nurture its relationship with whatever unsavory government it is interested in pleasing in order to pursue its political motives or financial objectives.

> Apple’s centralized power over app distribution combined with its willingness to surrender to political pressures is incredibly concerning as ostensibly “democratic” governments across the globe (including the United Sates!) increasingly exhibit far-right, fascist behavior and implement fascist policies. What will happen when you need to build your own HKmap.live?

[1] https://news.ycombinator.com/item?id=26644216

[2] https://www.jessesquires.com/blog/2021/03/30/apple-cooperati...

This again. In authoritarian regimes, it’s either you comply or you are gone. The regime can cut every one of your phones off their networks in seconds. Noncompliance is not an option. It’s not like the US where you can fight with the FBI in court.

The argument is whether you think their people should be able to use iPhones or not. If so, the rules are the rules. And the argument is that it would be better they had iPhones than domestic phones more likely to be compromised.

(comment deleted)
I mostly agree but I think it’s still a shame that American companies are forced to comply with draconian regulations like this. It’s probably more of a problem for diplomacy and state policy to solve than private actors though.
It's interesting that you don't see the military junta that performed a coup[1] in Myanmar and contributed a genocide[2][3] as a rogue nation-state, but see cooperating with them as just the cost of doing business.

[1] https://en.wikipedia.org/wiki/Myanmar#2020_elections_and_202...

[2] https://www.npr.org/2021/02/11/966923582/what-myanmars-coup-...

[3] https://www.mei.edu/publications/myanmar-february-coup-and-r...

I’m not disputing what Myanmar did. I’m saying that let’s say Apple didn’t comply:

1. Within minutes, every iPhone is disabled from accessing the state owned cellular systems.

2. Any employees or executives in Myanmar risk arrest and, possibly, torture or death for allowing free speech and disobeying the government.

3. The average Myanmar citizen gets free speech for an hour or so, then gets informed they must buy a new phone, possibly made by a state owned enterprise, that is much more invasive to their privacy.

So what, exactly, did making a stand accomplish? Absolutely nothing, and everyone is worse off.

This is what would happen in China. Myanmar is not capable of it.

> Within minutes, every iPhone is disabled from accessing the state owned cellular systems.

Ludicrous. Myanmar has multiple private telcos. During the coup the military controlled internet access by the highly sophisticated means of cutting wires in data centers. It would take them days or weeks to individually block iPhones.

> Any employees or executives in Myanmar risk arrest and, possibly, torture or death

Some of those employees are US citizens. They all represent America's premier megacorporation. Killing them would not be a good move, especially as the US military finishes opening a spot on its "developing countries to demolish" list.

> they must buy a new phone, possibly made by a state owned enterprise, that is much more invasive to their privacy.

The junta can't make phones.

Apple has no power in China but China and Myanmar are very, very different places. If they wanted to, they could exercise significant influence.

That was when the military was trying to take over an already established government. No reason why, now that they are in charge, things might be different.

In nations considered authoritarian, “private” should be taken with a grain of salt. In China, all businesses with over 50 employees must have a dedicated CCP representative.

Finally, it doesn’t matter if they can’t make phones. They’ll call a Chinese company in Shenzhen and they’ll rush in a pile of branded phones in weeks.

Nearly everything you list involves Apple blocking features and material which individual Governments consider illegal or objectionable. Apple is merely complying with the laws of each country it trades within, just as you would expect Xiaomi to comply with US laws when they sell their electronics in America.

If you don't like the laws of other countries, you should be angry with the Government which enacted them—not its citizens or corporate residents for complying with them.

The issue here is that Apple makes phones (the iOS App Store is the subject of much if these articles) where they are the gatekeepers to the only method of software installation, making this compliance more problematic.
I’d rather Apple be the ultimate technical gatekeeper than to have a device which, for all I know, comes pre-rooted by my dystopian government. Or where apps are distributed openly and are thus potentially loaded with spyware.
It's the opposite. For this "security" you are handing control to a private corporation that when it comes down to it will pick money over democracy and freedom.
>It’s almost as if Apple is building their Macs to be rogue nation-state resistant or something.

This claim feels a little weak when there are two other posts currently on the front page discussing a zero-click iMessage exploit in iOS 14.6, which has been abused by nation-states to spy on journalists and opposition leaders.

If this is truly their aim, then they are likely a long way from having adequate software security.

To be fair security is often a car and mouse game. You beef up where you can and try to stay ahead as you go.
One question: can I finish the setup of an M1 Mac without giving it an internet connection? As in, could I get it from unboxing to desktop without it sending a single network packet to Apple?
Yes, right now you can on M1. Windows 11 Home will not support that in the final release, but there are workarounds in the beta period.
From the article:

>According to the small print in Apple’s Platform Security Guide, when you set up a new M1 Mac, or set one up after restoring it in DFU mode, the primary admin account created is special: it’s the Owner account of that Mac. During that inital setup, the Mac sends a request to Apple for that Mac’s signed Owner Identity Certificate (OIC). This is based on a private key generated in the Secure Enclave known as the Owner Identity Key (OIK).

I'm not trying to imply that you're wrong at all, but I'm curious how the Mac goes about obtaining the OIC without a network connection.

The OIC, if I understand correctly, is an Apple vetted OIK which is created on-device.

This mainly would come into play, as the article says, if you install another operating system. By default, the OS is in Full Security mode, so it would contact Apple when installing the other OS and the OIC may come into play.

But if you aren’t installing another OS, or you set your Mac to permissive security which needs no internet, perhaps the OIC is not required because you’ve downgraded the security?

Im just speculating.

Still, somehow, the fact remains you can fully set up an M1 Mac without internet. The technicals of how it does this while reconciling that with the security guide is unknown.

Can you disable secure boot without Apple having a say in the process? I trust myself much more than I trust Apple.
There are three levels of M1 security, Full, Reduced, and Permissive. You can downgrade at any time without internet, but you cannot re-enter Full without contacting Apple over the internet.
No, you cannot downgrade before creating a user account in setup.
Technically true, but no internet is required to make that account, so it’s a minor inconvenience.
Wait, really? What mechanism makes a user account required? Since the change has to be made from 1TR, I’d have thought you’d never need to log in...
You need to log into 1TR with a local admin account, which is used to prevent thieves from wiping the drive and reselling. This process apparently works even if macOS is damaged, meaning your account credentials are likely stored in the enclave which is persistent and has storage inside the chip.
1TR?
"One True Recovery". It's a special recovery environment that the user enters when they hold down the power button on an M1 Mac. It looks identical to a standard recovery environment, but it allows you to do things turn off secure boot.
Yes, it's after reading this that I'm asking. I really don't like my own hardware phoning home without my explicit consent. Ideally I'd install a firewall before I first connect it to the internet, and I'd block *.apple.com by default.
It is currently unknown how it reconciles with the security guide, but the fact remains that you can set up a M1 Mac without any internet.
To clarify, Home will not. But home is targeted to the non techy layman. pro / Enterprise will allow this. comparing window home to oax is like complaining that my Honda civic doesn't have the towing capacity that my f150 has. different class and purpose.

apple doesn't even have a comparable os to be compared to home, as it's a market they don't even target or develop for.

> But home is targeted to the non techy layman.

Yet it will be sold on laptops to anyone that buys them, even if the customer is a 'pro'. It's their prerogative, but I would rather see 'Want to set up with an offline account? Upgrade to pro now for $80'.

> omparing window home to oax is like complaining that my Honda civic doesn't have the towing capacity that my f150 has. different class and purpose.

Microsoft puts garbage into Pro/Enterprise too, surely you know.

(comment deleted)
No, because of activation lock. Setup doesn’t differentiate whether it’s been wiped or not, and activation lock would be weak if a simple wipe could defeat it.
False. Setup is actually quite aware of whether it’s been wiped or not, because of the Secure Enclave.
Trying to ship software for OSX *in general* drives me crazy, and this seems like more.

This quote: "I’ve been unable to find any information provided by Apple (or anyone else) which explains what’s going on, what the errors mean, or how to address them."

That's my experience constantly.

My development build had weird behavior when I explicitly launch it? Oops, Apple launched a cached version of the app inside a private temp directory (thanks Gatekeeper!) associated with the protocol handler.

But no way to tell until I casually check the process working directory. No documentation indicating how to troubleshoot this.

Countless issues like this.

Whenever I develop for JavaScript, if I find a module that just has weird undefined and undocumented behavior, I get rid of it no matter how powerful. I wish I could do that with the Mac developer ecosystem. It's closed and Apple will say that gives them a premier experience but it's the little snags that cost me 90% of my time and are impossible to troubleshoot other than grunting through it.

Could the same not be said for Windows developers, or Linux developers? Or, heck, almost any developer?
Nope.

Have been a developer for windows applications for 20 and some years. Software I build back then still runs fine.

Have been a developer for macOS since 2013, since around 2019 I need to bring out patches for changes in the core OS multiple times per year. macOS is not a pleasant OS for a developer. Documentation is pretty shitty and the rugs that get pulled from under you all the time are frustrating.

At least you aren’t paying for this sub par environment… oh wait.
Actually, I'm fine with that part :)

For Windows you nowadays need EV code sign certificates in order to be able to distribute without any troubles and -while you don't pay that directly to Microsoft- these certs are significantly more expensive than the "macOS developer tax".

Yes, you can also distribute to the Windows App store, which is cheaper (a one time tax). But I'm not really a fan of "App Store's" be it from Apple/Google or Microsoft.

Glad to know it isn't just me. Same general developer history, same experience.

Windows has its quirks and bad decisions they made over the years but the developer experience is consistent, even when bad.

Apple's experience is like being in an Arabian desert: sometimes you see a mysterious oasis that wasn't there before, but mostly it is shifting dunes that cost days or months.

There was an article talking about how we train ourselves to our tools to not do the things that cause problems.

This works a lot better when the set of "things that cause problems" stays relatively constant.

I think this is one of the reason Microsoft leadership was historically so rabid about reminding their employees that developer experience was core (because it's the indirect upstream of user experience).

Third party developers are an example of "out of sight, out of mind." It's easy to forget how a feature impacts them. And it's easy to say "We still have apps coming into the platform."

But what you don't see is the frustration, resentment, or apps that were never written because developers found something better to do with their time.

Mac and iOS development isn't there yet, but it sure feels like they aren't trying very hard to steer the ship in any other direction.

Oh and if you have an older Mac Mini, you need to upgrade the OS to run a newer Safari? (that's the first platform I've ever seen that needed an OS update to install the OS's own browser).

So the kids are now using Brave.

> that's the first platform I've ever seen that needed an OS update to install the OS's own browser

Used to be the case for Windows as well with Internet Explorer.

And Microsoft Edge right after that for a few years.
You can install Microsoft Edge right now still on Windows 2008 R2 as well as on Windows 7. [1]

They even support this for WebView2, the embedded version of MS Edge that you can use in your applications. [2]

Both of those operating systems have been retired for a while.

Microsoft has its flaws as well, but at least in this part they are doing quite well.

I just happen to be working on a WebView2 ActiveX control and this is one of those areas that really did surprise me.

[1] https://docs.microsoft.com/en-us/deployedge/microsoft-edge-s...

[2] https://docs.microsoft.com/en-us/microsoft-edge/webview2/#su...

My mistake then, I guess I never hit that despite using Windows way more than IOS (Windows has a lot better at backward compatibility, at least in my experience).

Personal experience with trying to switch to Mac has been...well, both expensive and unpleasant. Single data point, but new hardware that fails every 4 minutes after power on and the fix being an upsell has really put me off.

Windows is much better documented and mostly stable. The main downside from a developer perspective is framework churn.
> framework churn

Aka "never trust Microsoft's pronouncements and stick with legacy frameworks forever, because it's the least risky option."

(comment deleted)
Windows? No fscking way. Backwards compatibility is Windows strength.

Linux? Sometimes. Trying to run DXX-Rebirth in a modern Linux is an exercise in frustration.

The Windows version still runs flawlessly in Windows 10.

DXX-Rebirth is under active development[0], it shouldn't have backwards compatibility issues on Linux. Are you trying some older version?

Personally a few years ago i tried some older game demos from early 2000s from publishers like LinuxGamePublishing and TuxGames and they pretty much all worked fine after some tinkering (usually removing bundled libraries like SDL so that the binary will use the system provided libs that are more up to date and/or installing OSS support for audio). A few required some missing libraries but those were available either on the repository (Debian) or from older distros (i grabbed some RPMs and extracted the .so files manually). Two games i couldn't get run because they relied on Gtk1 though - it shouldn't be impossible to run, but lost interest (Slackware contains Gtk1 so i could have copied it from there).

[0] https://github.com/dxx-rebirth/dxx-rebirth/

> Whenever I develop for JavaScript, if I find a module that just has weird undefined and undocumented behavior, I get rid of it no matter how powerful.

`rm -rf Chrome.app`

The equivalent between native development and web is not the quirks of a library, it's the quirks of browsers. That's the metal you're running on.

> I wish I could do that with the Mac developer ecosystem. It's closed and Apple will say that gives them a premier experience but it's the little snags that cost me 90% of my time and are impossible to troubleshoot other than grunting through it.

Might be worth reading the entire post and commenting on it in its entirety, not cherry picking.

I'm not sure what you mean by cherry-picking, I'm directly addressing their comment. The kinds of struggles `xrd` mentions (Gatekeeper, protocol handlers) are not library level dependencies, they are the platform their code is running on. Comparing that to a js library is just the wrong equivalence. If their beef was with AppKit, or NSWindow or something at the dependency level then yeah it's fair to compare that to an npm package.

The bulk of my experience has been with native development, so I find these struggles familiar and un-threatening. However, when I do browser-based development and I'm faced with one of those massive "Browser compatibility" tables on Mozilla.org explaining how this "standard" is implemented in wildly different ways across the major browsers, and then the reality turns out to be different from what the table suggested, I get as frustrated as `xrd` is.

> The equivalent between native development and web is not the quirks of a library, it's the quirks of browsers. That's the metal you're running on.

Unfortunately, the one browser causing the most miserability for web developers these days is Safari itself, not Chrome as you implied. It is the only web browser engine that's allowed to be used on iOS devices, and many people use it on Macs since it is able to use all the undocumented quirks and nooks in OS X to smash Chrome/FF in battery usage.

The problem is that it has so much stuff that's outright broken (IndexedDB), is outdated (its developer tools) or just plain sucks (it won't play <video> elements if the server doesn't serve Range HTTP headers, for example - painful if you're streaming from inside a CMS). And that's been the case for years.

Safari is the new IE. Apple should be forced, just like Microsoft, to de-bundle it from the OS and open up and document their private APIs to allow Chrome and Firefox to be competitive!

If they did that, you’d risk Chrome taking over and extending it’s browser engine monopoly to be even bigger.

And Firefox, remember, laid off most of the engineering team. The only real people benefiting would be Chrome based browsers, with their ability to spread Chrome to even more places.

> Unfortunately, the one browser causing the most miserability for web developers these days is Safari itself

I think it's a bit of a straw man to say that the only reason web development is hard is safari. Browser support is irreducibly difficult as long as we live in a world with more than one browser. Safari may stand out as the odd duck, but I for one don't want to stream video on my 3gb a month data connection if it has to load the full content in order to jump ahead 2min.

The Apple security feature I hate the most is notarization. I get the point of it, but Apple’s execution of it is poor. Sometimes it takes 10+ mins to notarize an app and the service regularly returns random failures.

My software has a feature where you can package certain files into a basic no-frills installer. This is a minor feature that pre-dates notarization in a much bigger suite of tools and it causes a lot of issues because users contact tech support every time Apple’s notarization service goes down (which is often). At this point I’m considering just removing the whole feature from the suite.

Apple did a talk recently about how notarization will be easier with MacOS 12. Might help.
> users contact tech support every time Apple’s notarization service goes down (which is often).

Isn't notarization stapling supposed to prevent this? Or does it do a OSCP/"is this signature still good" check on every launch?

Sounds like OPs app is calling the notarization APIs directly to notarize user created installers
Yes, it notarizes using the end-user’s Apple ID.
Same for iOS. It's just 10x harder than Linux or android for no good reason.
It seems like these changes have good intentions (i.e. improved security), but introduce a lot of complexity that can have unintended consequences for end-users. This reminds me somewhat of my process setting up UEFI Secure Boot on my Windows PC that wasn't originally configured for it. Not in the exact steps, but in that there is a ton going on behind the scenes and the UX is horrendously bad.

Unfortunately, vendors haven't really thought about how to explain these changes to end-users. They are trying to make them fairly transparent, which probably works at least 95% of the time, but for a small percentage of people, becomes a big PITA.

I wanted to try out Windows 11 on my desktop, and one of the requirements was that UEFI secure boot is turned on. Took me the better part of a day to figure out how to turn it on, which required deleting some random partitions that had been created on my drive when I had upgraded from Windows 8 to Windows 10 because the tool to enable UEFI requires a _very specific_ number of partitions in the drive that it's being set up on. The error messages to figure out that was the problem were incredibly frustrating. The BIOS UI to turn it on was also so confusing; everything seems to be named differently in different places.

The kicker was that the Windows 11 install was borked and I had to wipe everything and reinstall. Ha.

something I found really handy for testing/retaining windows installs was a $30 external USB SSD (not a flash drive, a "external drive" that is flagged as "non-removable")

you can install windows directly on it and tell the UEFI to boot off of it with absolutely no fuss

How do I flag a drive as non removable?

This is from years back, but my experience is that running Windows from an external drive isn't really easy. I hardly use the OS any longer, but I'd like to keep it around on an external drive if possible.

I bought a disk that was already flagged!

apparently some USB flash drives have a bit you can toggle with some vendor specific tool, but I've not tried that

for a non-removable device installing Windows is exactly the same as for a normal hard drive (no fuss with Windows To Go or other rubbish)

Agreed. I don't think Apple is intending to be malevolent here, but this is pain for people like myself who value the ability to create bootable clones on external media. This has always been an area where the Mac excelled, but it looks like those days are over.
You don't buy a Mac (M1 or otherwise) to live an adventurous life. You get it because it has really well executed take on an opinionated computing platform that just works for normal people.
For a lot of normal people, Mac is what you buy if you want to work with your computer, but it is not what you buy if you want to work on your computer.
Do you work with your screwdriver or on your screwdriver?
With my screwdriver.

Unless you're a blacksmith who makes his own drivers or a wordworker who makes her own handles, the same is true for you.

I have a custom wrench in my toolbox. I forget what the issue was, but 15 years ago I think I was working on someones skis or something? Anyway, I had to cut the handle in half and welded it back together at a different angle.

Quick and easy hack job. I'm not a machinist, mechanic, or metal working professional of any sort. But I had access to a shop at the time, so I was able to take my tools that were almost what I needed and turned them into exactly what I needed.

Literally no biggie. I feel like I'm hanging out in the kind of crowd that unironically asks "why do you change your oil yourself?"

That's completely orthogonal to Apple's take. They talk about how much your development efforts will speed up, your creative production. So on, so forth.

Not "it's to be an unadventurous consumer of product".

Who they market their users are != who their users actually are.

Obviously all the marketing will focus on creative uses because it makes it a lot easier to sell to people on a 1500$ machine. The truth is 95% percent of people are using their computers as glorified web browsers and the computers are built to do that extremely well.

apple doesn’t care about technical users, they sell a product designed to be of use to the most people who can pay. They are trying to move towards an IOS security model while preserving most of the features of a general purpose computer. we’ll see where it’s headed. in my use case, I dual boot and am the only user of my machine. If this ever becomes untenable I’ll switch mainly linux and dual boot windows, until and unless windows stops letting me dual boot, at which point I’ll have to reevaluate.
Interesting. I just bought an M1 Mac mini. I added a nvme m.2 ssd (Samsung PM9A1 + Orico SCM2T3-G40) over thunderbolt 3 and moved the admin user over. Unfortunately I had to send back the ssd and adaptor since it was reading at only 75MB/s for some reason. Anyway I created a new admin on the internal ssd before deleting the external ssd. If I understand this article correctly it’s saying that I will no longer be able to update since I now only have a secondary admin user. Is that correct?
Were you getting those speeds with random reads or sequential? I have one of the Orico enclosures and it works great.
I used initially 'Blackmagic disk speed test'. This tool seems to only have an option for 1-5GB. I did not find a random or sequential option. I've definitely seen screenshots of this tool giving high read speeds using the Orico.

Then I tried 'ATTO disk benchmark'. This tool tries a variety of read and write I/O size ranges. The results I got here were strange. As expected as the I/O size range grows, the read bytes/s increase. Then it hits 1MB I/O size and the throughput drops to almost 0. Write was consistent across the range, perhaps since it simply hits a buffer on the SSD to be processed later.

With dd I achieved good performance transferring a 5GB file, after a reboot to ensure the file cache was definitely flushed.

Perhaps it was an issue with the firmware version for the Orico or the SSD itself. Unfortunately I was unable to update the latter since the 'Samsung Magician' software is windows only. On my windows devices I have no thunderbolt ports.

Bizarre. I'm on Linux and only really ever tested it with dd (use it for backups/installing Windows on metal so I don't have to deal with PCIe pass-throughs with a VM), but the results have been great for me.
Update: The Big Sur 11.5 update with the second admin user, and no primary admin home directory, worked without issue.
Wow I'm so happy I'm moving away from Mac administration. I currently manage a big userbase but we still don't have M1s in our environment as our antivirus solution (Cylance) is really slow in supporting it.

Apple is introducing more and more mechanisms in the name of security but they keep access and information very close to their heart. All us Mac admins have struggled with SecureToken in combination with AD accounts and it took two major releases for Apple to actually introduce a way for us to manage these properly through MDM. In the mean time most information had to be gathered through blogs such as this one.

Another issue is that more and more enterprise management features are becoming dependent on managed (federated) Apple IDs. But Apple requires that the email and identifying account address (UPN) are the same which will never happen in our 200k user environment. So we're stuck with more and more things to work around.

This is really something that should have been considered from the start. And this owner key thing sounds worse. Security is good but the end user or corporate admin should have the keys to every lock. Not just the vendor. Now my successor can deal with this stuff.

I used to be a big fan of macOS personally too but I moved over to FreeBSD 2 years ago and I'm glad I did. I really want an OS that answers to me.

You could just set security to Permissive. It’s as secure as any Windows machine and disables this, even though the only time you’d ever run into this would be if you ran 2 Mac installs on the same machine, which surely a corporate deployment isn’t doing.
You'd be surprised. Macs for us are only half a percent of our userbase (yet still many hundreds), and are mainly used by app developers and graphical design roles.

Especially the app dev guys tend to have fairly nonstandard usecases. However most of it happens in labs firewalled off the company network.

Anyway, I'm glad I'm not the one having to figure out how to work around these things with very limited documentation from Apple, like I have before ;)

Also of note is that this article only applies to M1 macs, so unless you running a beta of Monterey, you’d have to be dual-booting Big Sur for some reason.
The logic board on my M1 failed after 2 months of very light use. Was also surprised when it wouldn't let me use an external webcam while connected to an external monitor.
Was also surprised when it wouldn't let me use an external webcam while connected to an external monitor.

What do you mean? Using an external webcam while connected to an external monitor works fine.

(Source: I have been using such a setup in a course for the last few weeks.)

Was using a 4K monitor with an M1 macbook air and the external webcam would only work with the monitor unplugged, tried both ports.
Since your mainboard also failed, it sounds like you got a bad machine. It happens. Hopefully you were able to get a replacement.
This is worth knowing about, but it is really a distant edge case. Calling it a peril of M1 ownership is a bit dramatic when you consider how few people it will affect.
This blog is well known for both deep original knowledge, and extreme hyperbole. There was a post about MacOS update size that compared the size of the updates to beating the backs of Mac users raw and ignoring their pleas.
Ok then. Literary license :)
I am not sure which specific article you’re talking about, but MacOS update sizes were a massive issue.

The real problem wasn’t the update size itself. The real problem was the updating through the Mac store, which would invariably fail to properly download the update if you were on anything outside a several hundred mbps connection, and even if you did successfully download it, would potentially fail to install and/or give really poor progress updates where it looked like it hadn’t installed.

All the while eating up many gigabytes of space for I don’t know what.

The problem is still persistent now, I wouldn't talk in the past tense. Update sizes are positively ginormous.
I think the title was meant to be wordplay: the perils of the M1 "Ownership System" and the perils of owning an M1 Mac.
Isn’t there a chance this could show up in Macs provisioned by enterprise IT before being assigned to employees who sign in with their own Apple ID?
The other peril of M1 ownership is the lack of alternative operating systems. The other way I reinstalled an older Macbook through "internet recovery" and it downloaded the version it was originally shipped with - macOS Mojave.

The UI was a breath of fresh air compared to Big Sur. Despite the screen being smaller than my M1 the information density was higher and it felt more like a tool than a toy. The lack of bullshit apps such as Apple TV, News & co and useless "widgets" was also good (for all of iTunes' flaws, it's still better than its modern successors), and it somehow felt faster despite being less than half the processing power of the M1.

I now wish I could run this on my M1 but alas I can't. At least with PCs and older Macs you could always switch to Windows or Linux, but with the M1 you're currently screwed - if Apple drops the ball or decides to take their OS in a direction you don't like you currently have no alternative (and all the "security" around locking out the user from their own machine doesn't bode well for alternative OSes).

…and Mojave is EOL this year, so here comes Catalina, with the shit show that was that experience which kept me on Mojave so long.
T2 Macs are still handicapped when it comes to Linux. It can run but with too many caveats. Needs special kernel versions with custom modules to have working keyboard/trackpad and at least last time I looked couldn't have both audio and sleep. Too big of a compromise on a laptop for me to use it. Wish I could. Seems like M1 Macs are going to have better Linux support than the T2 ones where BridgeOS throws a bunch of complications into the mix.
Well, in Apple’s defense, backporting old versions of MacOS makes no sense and would cause developers much headache, Linux already boots to a GUI on the M1 Mac mini (just no HW acceleration), and the list of available operating systems will grow each year there is a MacOS release. Just like you can’t run MacOS 10.6 Snow Leopard on the MacBook you restored.
I'm glad I'm not the only one who truly loved Mojave! Once Apple cut off 32-bit support, it seemed like stuff really started going downhill. I still might pick up an M1 machine secondhand once Linux support is ironed out, it would be a fun little tinker-toy.
You might be happy to hear about Linux running on M1 Macs already then (and Windows ARM version will run as soon as Microsoft gets around to it, I expect).

https://asahilinux.org/about/

https://9to5mac.com/2021/06/28/linux-kernel-5-13-officially-...

That's great news but how do users go about 'installing it' right now?

I think the comments in 9to5mac are just as bewildered as I and many users are. By the time a guide is written, they would have moved on to getting an M1X or M2 Macbook, still waiting.

It's only got kernel support, but is actually still not 'user ready'. Could take months for that to happen.

You don't. Asahi is far away from usable. They've got initial kernel support in, which allows it to boot. However no drivers have been written yet, there's nothing ready in the userspace and it definitely doesn't have an installer.

* Not decrying Asahi, they've done a lot of work and continue to do so. But it's best not to misrepresent the project's status.

> They've got initial kernel support in, which allows it to boot. However no drivers have been written yet, there's nothing ready in the userspace and it definitely doesn't have an installer.

Exactly my point as I have already said. We know it is not user ready but the parent comment is making as if it is already running on M1 Macs; which is hardly true.

To debunk the M1 Linux hype squad again, it does not work to the point of it being usable and will take months to get it 'user ready'.

Your description isn't quite accurate either. IRQ, DART drivers have been written; I2C, UART, NVMe, USB, PCI, USB-C/PD, Wi-Fi drivers have been adapted.

I'm currently working on reverse engineering the display controller and will move onto the GPU after that. Alyssa has been working on the GPU userspace stack and the GLES2 tests are 80% or so passing, running mesa on macOS (open source userspace, Apple's kernel driver).

I've spent a lot of time brainstorming the installer and researching the approach, and we already have manual install guide. I'll work on that as soon as the GPU kernel stuff is on track.

As for userspace, there's nothing to be done for basic support; you can install any distro userspace you like. The main things there are the Mesa driver and, eventually, helpers for stuff like the Touch Bar (obviously we'll get the non-TB Macs running nicely earlier, TB is an annoying complication).

Things are in various stages of development and review, and yes, only IRQ, UART and basic bring-up is upstreamed, but I think you'll find things get to end-user usability a lot faster than you might think.

I'm hoping it will be 'user ready' by the time the M5 multitronic Macbook comes out. That will be the ultimate computer.
Until the M7 ... or M9 ... or some not-so-power-savvy-but-beast of a Ryzen shows up ... or ....
Hopefully Captain Kirk doesn't end up destroying the M7 or M9. That would be annoying.
It'll never be "user ready". It'll be like a Hackintosh: a quaint toy for hobbyists that is constantly broken by Apple's new stuff and therefore unlivable as a daily driver. Only the most fanatical folks would be willing to live on a flavor of Linux that can only survive hardware revisions through extensive reverse engineering efforts. I say this despite having a huge amount of respect for the developers.
My job description is literally to prove you wrong :-)
Asahi Linux hardly runs on M1. They're definitely spearheading research into the hardware and have done a ton. But the project is well into it's infancy.

And it's doubtful Microsoft would ever go through the same effort to port Windows on ARM to the M1, instead probably relying on Apple's virtualization framework to allow it to run.

Sure, it doesn't happen overnight. My point was to point out to parent that Apple is not explicitly trying to block other OS's from booting, and alternatives will become available as the systems mature.
You said “already” for Linux and “soon” for Windows. Neither (well one definitely the other speculatively) of which are true.
You're right, I hadn't checked the site recently and I thought the project were further along - I should've said "booting already" to be conservative.
It is implicitly so. As far as I know you need to reverse engineer the whole process and disguise the kernel you want to run as a macOS Mach kernel. They keep a finger on the trigger by having an encrypted Secure Boot system, too. Not to mention how much the system is locked in (soldered SSD necessary for booting, Internet connection mandatory for starting the system the first time, etc..)

One or two steps short of the hermetic lockdown of iOS devices.

All of your talking points are the reason why I can't devote myself to the Apple ecosystem anymore. On top of making it borderline impossible to retrieve any of your data as a file, they have been focusing way too much on Apple One and their SaaS models than they have their actual products. It wasn't until the M1 came around that I really looked upon them very disfavorably.

But now with Macbooks reaching $2k for a decent base model on the horizon, I'm really starting to just dip further into Linux every day. At least with ext4, btrfs, or zfs I can access those files on different operating systems. APFS? Have fun with recovering those backups without having to shell out for another Mac. Not to mention the OS is free. Had I still been an avid gamer Windows would hold it's leash on me, but Windows 11 is not looking better either.

There are two open source FUSE drivers for APFS that, theoretically, should work on any system with userspace file system support. They don't support all APFS features, though, and I wouldn't rely on them for anything serious or that you care about.
My general solution to this kind of predicament is to install VirtualBox and do everything inside the VM :)
And then in the VM you get half the RAM and a crippled GPU.
VirtualBox is not supported on M1 architecture
Will the coming of ARM laptops spell the death of a solid native Linux laptop?

I really wish I could get Ubuntu on a Samsung Galaxy Book Go, but it seems it isn't possible (?)

No. Both Dell and Lenovo are now selling Enterprise laptops with Linux officially available as a supported pre-installed option.

And System76 are apure-Linux operation building their own open source firmware in house to get the level of support and features they want.

I don't think x86 will die so quickly, and Linux has been getting a lot more support from OEMs recently than it has historically.

A friend of mine runs Arch on his Samsung Chromebook Plus, and there's also the Pinebook Pro. Both ARM. Both happen to use the RK3399 SoC, I believe, but there are other supported machines like the Asus Chromebook C201 as well.
The lack of documentation is concerning, it makes me wonder why Apple are rushing the rollout since they could have provided a lot more technical info in advance to prepare users.

Aside from that, with all these security features I'd be quite content if there was a way to setup an endpoint at *.myco.com instead of *.apple.com for the 'calling home'.

I just don't want my hardware being so tied to the network services of one vendor. Is it too much to ask?

Note that the BootPolicy mechanism changed quite a bit in macOS Monterey betas, and will continue to do so within the beta cycle.

Installing betas tends to come with caveats...

I personally would be more concerned that it was made by a company that uses slave labor in collaboration with an authoritarian state that is perpetrating a genocide on a minority religion. But I guess if you are okay with that ... then maybe this will bother you.
So is your PlayStation, your Nintendo Switch, your Surface Laptop, your Lenovo desktop, your Pixel phone…
> So is your PlayStation, your Nintendo Switch, your Surface Laptop, your Lenovo desktop, your Pixel phone…

Not things I own. There are other places that manufacture electronics than China. And "everyone does it" does not a justification for being complicit in genocide.

Here are good places to start looking:

- https://notmadeinchina.directory/

- https://chinanever.com/

- https://bestfreereviews.com/best-laptops-not-made-in-china/

- https://www.republicworld.com/technology-news/gadgets/non-ch...

Maybe if Europe stopped colluding and glad handing with Tyrannical governments like China and Russia they too could offer up some alternatives. Doubtful though, Germany is all about double speak, saying that they are against genocide while doing everything in their power to prop up genocidal regimes to maintain their regional hegemony.

(comment deleted)
I get despising the CCP, but your sources are significantly flawed.

For example, best laptops not made In China showed a Surface Pro 7. Which is Made in China.

Apologies for that. The point is I guess that there is production in South Korea, Taiwan, Japan and India.
Will Macs still work in 15 to 50 years if Apple goes out of business?
(comment deleted)
Anyone hanging on to a computer for that long will have found a workaround
The oldest computer I have is a 2009 mac mini, which still works, but it gets hot and it's pretty slow. The second oldest is a 2011 fujitsu esprimo e900 which has unreliable capacitors, and has to be plugged in for a while before it can boot up without shutting down randomly. My point is, computers are fragile, even more so the newer one with smaller parts with tighter tolerances. And with the quick advancement of the technology, I think 15 years is already an excessive lifetime.
For most (almost all) Mac users this will not be a problem. For me, it was a problem when installing the beta macOS Big Sur a few months ago. For a while I was worried that I may have bricked my fairly new MacBook Pro laptop, but I eventually got it sorted out.

I don't like that you apparently can no longer boot into the setup tools and reset a Mac to factory new condition. I had wanted to do this when I could not get LispWorks running with the newest beta macOS - I ended up just deciding to use SBCL until this gets sorted out.

> I don't like that you apparently can no longer boot into the setup tools and reset a Mac to factory new condition.

I recently did this on an M1 Mac mini (wiped boot drive + did a clean install of macOS via the internet), so unless I'm misunderstanding what you mean this is definitely possible.

https://support.apple.com/en-us/HT201255

Thanks Charles. So, you installed meta macOS Big Sur, then wiped from there? Good to know.
I did this on a Mac Mini M1 running a production version (I can't recall which version exactly) of Big Sur.
I'm with Richard Stallman on this one, even if the machine isn't quite free of binary blob (management engine if applicable, wifi drivers).

How much longer? Will Windows 11 finally choke off the supply of perfectly good, cheap, secondhand Linux capable hardware (by no longer requiring an unlockable bootloader)?

So, one of the conclusions should be “don’t buy used M1 Mac”. Do I understand this correctly?
Ah, no. This is an extremely niche situation when dual-booting multiple versions of MacOS that could possibly just be a bug.
Wow! A good reason to hold off until all the kinks have been worked out.

Even with "secure boot" and "UEFI", I have no trouble installing other OSs on the latest Intel hardware from Microsoft, Supermicro, or Dell.