Sending a Mac away
By Chris Pepper on Tuesday, August 17 2010, 15:00 - security
I have to send my MacBook Pro to Apple for service again, so it's time to review my list of Sensitive Data: Things to Delete and other preparation for giving up physical control of a Mac. Unfortunately last month my MacBook Pro completely died, and I didn't have a chance to do any of this. The Genius asked for my password, and I just laughed at her. She explained they'd probably replace the hard drive with a new install if they couldn't get in, and I said I'd deal with that, but suggested they just use the installer to reset the password to something they liked. As it turned out, they apparently decided not to bother -- I got the MBP back with some security settings changed, so perhaps Apple techs have a different tool that grants them access.
Before Shipment
- Make a backup. I use SuperDuper for these, in addition to automatic CrashPlan & Time Capsule backups.
- Test the backup!
- Log out of any sensitive services, such as MobileMe & Dropbox.
- Sign out of & deauthorize iTunes (don't forget Audible & Home Sharing).
- For each browser/user: clear history, cookies, & cache. Clear any saved passwords in browsers & email clients.
- Create an apple user, and make it an administrator. Give it a simple password (don't forget to write it on a note for the tech -- you don't want to wait a couple extra days while they ask for the password!).
- Set autologin for the apple account.
- Remove sensitive files for all active accounts (including root if relevant):
  - ~/Library/Keychains/
  - ~/.ssh/ (except authorized_keys)
  - Password wallets (assuming you're not using something like 1Password on Dropbox)
  - Any sensitive email (location depends on client -- might be ~/Library/Mail/; I don't do this -- I have a lot of mail, and it's not generally sensitive)
- Change any passwords, if worried Apple might decrypt them (don't forget sudo passwd root).
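One way to script the file-removal step and its reversal, as an added example that is not part of the original post: instead of deleting, it moves the listed items to a stash directory (assumed to be on an external volume that stays with you), so "Reverse all the above" becomes a move back. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# STASH_DIR is assumed to be on an external volume that stays with you.

stash_home() {   # stash_home HOME_DIR STASH_DIR
    home=$1; stash=$2
    [ -d "$home" ] || { echo "no such home: $home" >&2; return 1; }
    # Refuse to reuse a stash: a second run could clobber the only copy.
    if [ -e "$stash" ]; then echo "stash exists: $stash" >&2; return 1; fi
    mkdir -p "$stash/ssh" && chmod 700 "$stash" || return 1
    if [ -d "$home/Library/Keychains" ]; then
        mv "$home/Library/Keychains" "$stash/Keychains" || return 1
    fi
    # Everything in ~/.ssh except authorized_keys, dotfiles included.
    for f in "$home/.ssh"/* "$home/.ssh"/.[!.]*; do
        [ -e "$f" ] || continue                          # unmatched glob
        [ "$(basename "$f")" = authorized_keys ] && continue
        mv "$f" "$stash/ssh/" || return 1
    done
    return 0
}

restore_home() {   # restore_home HOME_DIR STASH_DIR
    home=$1; stash=$2
    [ -d "$stash/ssh" ] || { echo "no stash: $stash" >&2; return 1; }
    if [ -d "$stash/Keychains" ]; then
        # Assumption: a login while away may have created a new Keychains
        # directory; set it aside rather than merging into it.
        if [ -e "$home/Library/Keychains" ]; then
            mv "$home/Library/Keychains" "$home/Library/Keychains.while-away" || return 1
        fi
        mkdir -p "$home/Library" || return 1
        mv "$stash/Keychains" "$home/Library/Keychains" || return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    for f in "$stash/ssh"/* "$stash/ssh"/.[!.]*; do
        [ -e "$f" ] || continue
        mv "$f" "$home/.ssh/" || return 1
    done
    return 0
}

# Usage: sh stash.sh stash|restore HOME_DIR STASH_DIR
case "${1:-}" in
    stash)   stash_home "$2" "$3" ;;
    restore) restore_home "$2" "$3" ;;
esac
```

Moving a file to another volume copies it and then unlinks the original; the freed blocks on the internal disk are not overwritten, which is why the checklist also says to change passwords.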
After Return
If the motherboard has changed, the serial number & MACs will change.
- Log out of the apple account.
- Log back into your regular account, and hold the Shift key down to avoid launching all your standard applications (and prompting for a bunch of passwords which are in the removed keychain).
- Reverse all the above.
- Re-enable MobileMe sync.
- Update any static DHCP assignments if MAC changed.
- Re-pair Remote.app or other paired devices if Bluetooth changed.
- Re-pair anything else confused by changed MAC.
- Reboot and make sure everything works as expected.
Comments
I find PGP full disk encryption to be a very useful tool. No worries if you can't boot the machine and have to send it back. Also helpful if your machine is stolen. It requires a password on boot so no disk targeting or anything without that password. Not free but nice for peace of mind.
Russ,
True. If my MBP traveled outside our apartment often I'd look for FDE. On the other hand, there are some problems Apple wouldn't be able to diagnose or check (anything that requires OS X) without using an external boot disk if I had the internal fully encrypted, and I doubt they'd boot from a FW or USB disk to test my non-standard system. More likely they'd replace the disk with one from the shelf, which would be problematic because this is an aftermarket 500 GB disk.
But yes. 1) FDE is good, and 2) FDE makes backups even more critical.
pgp full disk is a very useful tool! THX
Hi reppep! I need some information in this article. Can I copy a part of this article for Microsoft Fan Club web site? I'm writing an article and I need this.
http://www.microsoftfan.com
Regards!
Great advice, I had to send my MacBook Pro for repair and wasn't able to do this because I did not have the info. Is there a cost for MobileMe?
Keep on the good job. I find pgp full disk encryption to be a very useful tool.
Well It needs a password on boot so no computer disk aiming at or any thing without that password. Not free but pleasant for calm of mind.
I recently had one of my PCs crash that contained a large amount of sensitive data. I decided to just abolish it and demolish it. I trashed it in different areas, not knowing what to do. I guess some could still get the info, but I don't think it is likely. That is the problem with computers these days: they crash and contain personal data that we don't want everyone seeing.