Sorry, but I cannot get past the part where you think your computer is special and should not have to follow the rules. I get it that it's "your" computer. You paid for it. But you want to use it "discreetly" on THEIR network, using THEIR resources, and are bent on flying "under the radar". My guess is that there are provisions in their code of conduct or policy manual about violating their security protocols. In many universities and corporations, doing what you have done and want to continue doing would constitute grounds for discipline up to and including termination.
This is how such a policy should be enforced, not by locking people out of their computers. If staff wish to use the university's resources, what technical controls are in place to prevent someone from using a computer they did not purchase through the university?
 
Part of the new feature of the T2 security chip is the prevention of the "downgrade attack" method, a method where someone basically replaces a trusted operating system with an untrusted system. For a trusted system and its related software that was provided by the university IT with T2 chip equipped Macs, the university needs to have admin access to the OP's computer. This is part of the T2 implementation; it is called "Full Security" secure boot with a secure-enclave server, which is the reason why the OP is still seeing the remnants of his university's IT work. This is used to identify future culprits; meaning someone who is violating and breaking the security protocol knowingly and willingly can be identified in future if the university network system is compromised by a virus and malicious attack coming or originating from an unsecured system from someone who had been operating under the radar.

The idea of securing systems is no different than in hospitals and care homes where I work. I now work in nursing, and part of my duty is not to put forward my own self-interest and ego just because I feel special: if I am sick or become contagious with a virus, I come to work anyhow, not thinking nor caring whether my infection can spread to other patients who are ill, and thinking that, well, if I can hang tough with a cold or flu virus, then if those patients can't hang tough or even die from the infection, that is their fault. Sadly, even in health care, we do have individuals who think this way, which is why hospitals are not actually free of contagious diseases: people who only care about their own self-interest bring those bugs in and don't care if it hurts others.

This is the same with IT security. The idea of IT security is to protect OTHER USERS from unwanted malicious attacks from viruses or brute-force attacks coming from unsecured or compromised systems owned by users who seem to think that they know better than the IT people, and yet are only maintaining their own personal interest by taking out anti-virus software and other security provisions meant to prevent outside attacks from hijacking their computer in the background while working on attacking the internal systems and infecting other users.

Not everyone in the network system is as computer savvy as the OP perhaps, but the implication is the same as in the hospital environment: while you might have a strong immune system to fight off most diseases, people in the hospital don't, and infecting them and then ignoring their suffering is no different from other users in the network getting infected by viruses coming from unsecured systems.

That is why in the hospital where I work, you can be dismissed and terminated if you ignore the rules. If you are contagious with something like Norovirus or MRSA and you refuse to heed the rules and go in and work and fly under the radar, rather than staying home and getting better and being completely bug free, and then get caught, there will be swift termination. This was the same treatment I saw for people who did the same with the IT-issued software when I worked in the technology field. These people simply don't understand that when you are using IT resources, you are sharing these resources with other users who might not have the same computer savviness as you. Is it fair to have them suffer the consequences of a certain individual's self-interested behaviour?
 
Good luck, but my guess would be if you manage to get Mojave installed and connect it to the University Network they will know. Also in answer to a couple of comments, I assume when you say you bought this computer with your funds you mean your University funds not your personal ones as otherwise it would not have gone near the IT department and would have had Mojave pre-installed.
 
So, I just got a new 2018 Mac mini through my university, and of course they always load computers up with their antivirus software, their own login, Alertus desktop, etc. And, as I always do, I promptly wipe the drive and reload it with my own software.

This one has given me no end of headaches, I suspect due to the T2 chip. For example, when I try to create a Mojave installer on a USB drive using this mini, I get a message that says "IT has not yet approved Mojave", and the installer gets killed (in the terminal, if I am using terminal commands, or it just tosses out that dialog and fails if using, say, Diskmaker X8).

Any ideas how to take control of my machine? I tried booting in recovery mode and turning off the firmware restrictions; unplugging from the internet, and cloning the drive from another machine, but nothing seems to work.

After further consideration, I do not believe that the 2018 Mac Mini was even available with a macOS earlier than Mojave. Every source I have consulted states that the 2018 Mini was released with Mojave as the "original OS". Are we to believe that your university has a special arrangement with Apple?

If this is accurate, then why the gyrations to get Mojave on a Mac that has only ever shipped with Mojave?

I'm calling B.S.
 
Sounds like your mac mini is part of a Device Enrollment Program (DEP). When it images (even with internet recovery) it will contact your organization's Mobile Device Management (MDM) server.

This is a feature of Apple's School Manager or Business Manager programs.

Basically, after the installation, on first boot during Setup Assistant the machine phones home to Apple's servers and, based on serial number, it sees it's part of DEP. It then fetches config from your organization's MDM server (at least, that is my basic understanding of it).

Even if it's offline at that point, once it's on the internet it will phone home and fetch config.

Found this on how the enrollment program works: https://i.blackhat.com/us-18/Thu-Au...acOS-MDM-And-How-It-Can-Be-Compromised-wp.pdf
 
> After further consideration, I do not believe that the 2018 Mac Mini was even available with a macOS earlier than Mojave. Every source I have consulted states that the 2018 Mini was released with Mojave as the "original OS". Are we to believe that your university has a special arrangement with Apple?
>
> If this is accurate, then why the gyrations to get Mojave on a Mac that has only ever shipped with Mojave?
>
> I'm calling B.S.

I think people need to start reading the Apple T2 security policy workbook available on Apple's website. The problem is not the OS, but rather the version of the OS assigned to the T2 chip in the OP's Mac. It's a unique signature and is part of the Full Security secure boot process of the T2 chip. Prior to the introduction of the T2, most of these Macs were set up equivalent to medium security, which means if you are computer savvy you can replace the OS with your own untrusted copy and remove all the bloatware. This was what the OP was doing for the past 15 years and thus flying under the radar. The T2 chip does it even better; the OS provided by the university during its first imaging is assigned to that T2 chip inside his Mac Mini, meaning only that special educational Mojave OS and its bloatware can exist in his Mac. While he did manage to remove the bloatware and the OS, he can't really install another version of Mojave because it is not keyed to his T2 chip. The T2 chip is looking for that unique signed copy of the OS that was originally in his Mac. So even if he could get another copy of Mojave going, his Mac will say his computer is compromised! This is known as the "downgrade attack", a well-known method for hackers to gain access to the network system through a trusted device. So technically, for 15 years, the OP had been exercising the "downgrade attack" on his university network by downgrading the secured OS and software provided by the university and replacing it with the identical OS that is not trusted nor provided exclusively by the IT department.

I find it very troubling that some people here seem to promote the behaviour that it is OK to use a "downgrade attack" on secured computers, as though it is an acceptable behaviour. In the IT world, this will constitute immediate termination by the company if caught. The reason behind this is that the person is basically promoting self-interest and not looking out for the interest of the whole team in the network, and that the person is unconcerned about the health and well-being of other computer users if and when their computers get infected or attacked from unsecured systems, when the system issued by IT is there to prevent or reduce the occurrences of these attacks.
 
> If so, you can explain to the "Apple Genius" that your computer used to be at the university and now will reside at your house. Then, have them completely wipe the SSD and restore to "factory-new" condition and have them install the latest macOS.

I'm sorry, that makes no sense. He already started with a "factory-new" Mac, then willingly gave it to the University with the knowledge that they were going to lock it down. He just (incorrectly) assumed he could defeat this like he did in the past.

So, let's take the OP at his word and assume he's a good guy and trusted member of the academic community with all the best intentions. Problem is, this isn't a private conversation with his lawyer, it's a public discussion forum. And if people suggest ways to accomplish what he wants, then maybe a bad guy with the worst intentions will learn how to do the same thing (like stealing a computer or putting malware on the university network).
 
I had forgotten how argumentative people are on these forums (as you can see, while I first posted here back in 2002, I don't post or read often, but had hoped this would be a good venue to get tech advice).

So, obiit - it is not at all unusual for professors and researchers at a university to buy their own hardware and software. I suspect if you asked anyone (in STEM at least) in academia you would find the same thing (I know my colleagues generally do this as well). We DO sometimes buy hardware on NSF/NIH/EPA funded grants, but then they really are the property of the university, so in that case I let them do what they will with it. I agree it seems short-sighted of them, but budgets are tight.

dwfaust - first, no need for quotes on the "your" computer - it truly IS my computer, and even the university does not argue that point. And I just want to get my work done, and am not thrilled with IT having remote access to my personal computer, so I guess you are right, I do feel my computer is special. Thankfully, while there are really effective ways IT could prevent me from accessing the network (heck, my last uni tied an assigned IP address to a hardware ID, so nobody was on the network without going through IT directly), they have yet to notice a Drobo in my lab and a Synology in my office, both acting as redundant backups for my whole lab.

I would add that you greatly underestimate tenure - while there are lots of ways a tenured professor can get themselves fired, bypassing IT rules is unlikely to qualify. Love it or hate it, the tenure system creates a higher bar than that for dismissal.

And thanks richmlow - that seems like a good idea, but at this point I have managed 99% of what I want. I wiped the drive, removing IT as a user, and the mini now does everything I would want it to, except for that odd quirk that prompted this thread - I still cannot make a Mojave installer disk because the university, after all of these months, doesn't know if Mojave is "safe", and somehow that still gets the process killed and a dialog saying "IT has not approved Mojave". Odd, since IT does of course allow Mojave on any machine the university has added since last fall, but there you have it.

EDITED because I just saw iluvmacs99 - I agree entirely, and that is precisely my point! They allow all recent Macs to run Mojave (presumably because they have no choice), and yet if you try to install it on a pre-Mojave Mac OR try to create an installer disk (either using Diskmaker or the terminal), the process gets stopped and a custom error dialog comes up. Which makes me think it is not anything to do with the T2 chip, but perhaps something they are doing at the server if Apple's servers get hit with a request for Mojave? That doesn't really make sense either, because on a machine WITH Mojave, like my Mac mini, I can do a software update when a new version comes out and that works fine.

As I say, at this point I am pleased with where I am at, so have gotten what I want out of the situation, but I am still super curious about HOW this could possibly be being imposed, and would welcome any guesses on how that sort of thing works. I will try VPN today and see if that eliminates the issue.
 
@fishdoc I notice that your funding bodies are American, so I cannot comment on how unusual it is for professors and researchers to purchase their own equipment, but having spent 25 years in IT in the Education Sector in the UK, what you have stated about purchasing personal hardware and software to use in conjunction with work business is as rare as rocking horse droppings :D

I also have to agree with the comments concerning security, as after all it is connected to their network.

But thank you for bringing this up, as it is an interesting situation (not sure our network team will think that when I ask them what their thoughts are about it :rolleyes:)
 
> @fishdoc I notice that your funding bodies are American, so I cannot comment on how unusual it is for professors and researchers to purchase their own equipment, but having spent 25 years in IT in the Education Sector in the UK, what you have stated about purchasing personal hardware and software to use in conjunction with work business is as rare as rocking horse droppings :D

Things are changing, no? Me and my group of academic friends in the UK all now use our own computers, perhaps arts is different to STEM, and either refuse the crappy Windows desktop offered, or leave it sitting in the corner of the office. It seems increasingly common.

No issue getting on to the network either, just login to the university WIFI or VPN in from home.

That's what I don't understand about the U.S. case here, not that I'm negating it, just ignorant of it. Surely all students there, like in the UK, purchase their own computer too, and are on the university network?
 
@ajaan University WiFi and VPNs are normally secured and hardened, but Fishdoc wants to connect to the physical wired network to function.

Again thought provoking, but now drifting off topic, so I will say farewell :cool:
 
OK, for those following along at home - at this point it is purely an intellectual exercise, since I got what I want, but...

I brought in a never-touched-by-IT laptop (my daughter's MacBook Air), connected to the network, and it created a Mojave install USB disk both in terminal and using DiskMakerX 8.

I rebooted the Mac mini in recovery mode, and turned off the firmware security (it was set to "medium"), then rebooted again, and made sure there was NO other user. Terminal and DiskMaker both failed, with a custom university dialog box.

So I connected to a VPN, and tried again - still failed, so the problem, as best I can see, is on the computer somehow, despite the drive having been wiped.

Baffling, but now that I am the sole user and all of my customizations are in place, I will ignore it, but it IS weird! That restriction is the only (readily apparent) vestige of IT having had this machine for a day, but it is a stubborn one!
That is one of the many things that seems so crazy about this policy - students bring their own computers and connect to the network without interference, while faculty are restricted. It is baffling, but I suspect is part of an evolving set of policies the university is creating.


> Things are changing, no? Me and my group of academic friends in the UK all now use our own computers, perhaps arts is different to STEM, and either refuse the crappy Windows desktop offered, or leave it sitting in the corner of the office. It seems increasingly common.
>
> No issue getting on to the network either, just login to the university WIFI or VPN in from home.
>
> That's what I don't understand about the U.S. case here, not that I'm negating it, just ignorant of it. Surely all students there, like in the UK, purchase their own computer too, and are on the university network?
 
> OK, for those following along at home - at this point it is purely an intellectual exercise, since I got what I want, but...
>
> I brought in a never-touched-by-IT laptop (my daughter's MacBook Air), connected to the network, and it created a Mojave install USB disk both in terminal and using DiskMakerX 8.
>
> I rebooted the Mac mini in recovery mode, and turned off the firmware security (it was set to "medium"), then rebooted again, and made sure there was NO other user. Terminal and DiskMaker both failed, with a custom university dialog box.
>
> So I connected to a VPN, and tried again - still failed, so the problem, as best I can see, is on the computer somehow, despite the drive having been wiped.
>
> Baffling, but now that I am the sole user and all of my customizations are in place, I will ignore it, but it IS weird! That restriction is the only (readily apparent) vestige of IT having had this machine for a day, but it is a stubborn one!
>
> That is one of the many things that seems so crazy about this policy - students bring their own computers and connect to the network without interference, while faculty are restricted. It is baffling, but I suspect is part of an evolving set of policies the university is creating.

Are you able to boot to a forced Internet Recovery? CMD+OPTION+R
 
When you say connect to the network, are you speaking of wi-fi? The university I work for allows wi-fi connection for all personal devices, but that is very different from connection to the core Network, which is severely restricted.

Double-edged sword for me: as a techie I hope you find a way to manage it, but as an IT admin, just not on my network :)
 
I'm an IT Admin and I will not allow someone like you in my Network, period. You are trying to circumvent all the security measures imposed to protect your university data that cost hundreds of millions if not thousands. Doesn't matter if it is your own device or an assigned one, the Network Policies and agreements are still valid. What you are doing is illegal and mostly dangerous for your university. Then you will complain why your data has been compromised with some ransomware or deleted by some hacker.

No sympathies from my part, sir. And you're the one who has to teach the new generations properly? Keep the network hacking for the computer classrooms and learning.
 
> I'm an IT Admin and I will not allow someone like you in my Network, period. You are trying to circumvent all the security measures imposed to protect your university data that cost hundreds of millions if not thousands. Doesn't matter if it is your own device or an assigned one, the Network Policies and agreements are still valid. What you are doing is illegal and mostly dangerous for your university. Then you will complain why your data has been compromised with some ransomware or deleted by some hacker.
>
> No sympathies from my part, sir. And you're the one who has to teach the new generations properly? Keep the network hacking for the computer classrooms and learning.

Indeed. IMO, there's nothing worse than an intellectual whose arrogance appears to be exceeded only by his sense of entitlement. While every nuance of every security policy may not be openly welcomed by every end user, those safeguards are put in place to protect the integrity of the network and the data stored on it.
 
will check today!

The reason I ask is that if they are truly blocking Mojave from installing from the App Store, it would be interesting to see what happens with a forced Internet Recovery since it pings a completely different server/service within Apple.
 
One thing that's often missed in all of this: these kinds of policies are not just about protecting the organization; they also exist to protect the individual. If you have an IT-run machine and it gets compromised, then that's an IT problem. If you are running the machine instead, then if it gets compromised, that's not just an employment agreement violation, but a WILFUL employment agreement violation. What that means is, if the network is penetrated from your compromised computer, then you could have legal liability; IOW a potentially sizable lawsuit against you.
 
> will check today!

Also look for a certificate or provision certificate in your settings. Those are what give your school/admin FULL/root level control over the computer.

https://developer.apple.com/support/certificates/

Yeah, ultimately when they provisioned it, they set it up as if it was their computer, so there's probably JAMF or some overall admin software that's locking it down; I'd bet it's a provisioning certificate.

HOWEVER, I'm guessing when they provisioned your computer they might have put an admin account onto your computer, thus the only way of really getting rid of everything might be to boot into recovery mode.

SEPARATELY, sometimes there are reasons why they don't upgrade to the latest and greatest versions. For instance, at my office, our server STILL doesn't offer Mojave drivers yet for Macs, so if we upgraded to Mojave we couldn't access our petabytes of data. Or your school might be paying for certain software that is only certified to run up to a certain point. I'm just mentioning those as examples that I deal with; they may not apply to your case.
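Since the thread keeps asking whether management survived the wipe, here is the check an IT admin (or the device owner) would run to answer that, added here as an example and not posted by anyone in this thread: Apple's `profiles status -type enrollment` reports DEP and MDM enrollment state, which is tied to the device record rather than to anything on the erased volume. The `classify_enrollment` function and the sample outputs are constructed for illustration; the two-line output format is what that command prints on recent macOS.

```shell
#!/bin/sh
# classify_enrollment: summarise the output of
#   profiles status -type enrollment
# into one word:
#   dep  - device is Apple-assigned (DEP/Automated Device Enrollment) and MDM-enrolled
#   mdm  - an MDM enrollment is present but the device is not DEP-assigned
#   none - no management enrollment reported
# Real output has two lines, e.g.
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
classify_enrollment() {
    out="$1"
    dep=$(printf '%s\n' "$out" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$out" | sed -n 's/^MDM enrollment: *//p')
    case "$dep" in
        Yes*) echo dep; return 0 ;;
    esac
    case "$mdm" in
        Yes*) echo mdm; return 0 ;;
    esac
    echo none
}

# Constructed sample outputs (not captured from any real machine).
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# Demo over the constructed samples; on a real Mac run instead:
#   classify_enrollment "$(profiles status -type enrollment)"
for s in "$SAMPLE_DEP" "$SAMPLE_MDM" "$SAMPLE_NONE"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_enrollment "$s")"
done
```

A result of `dep` means re-imaging or erasing the disk will not remove management: Setup Assistant will re-enrol the device on its next network contact, which is why an admin verifies fleet state with this command rather than by inspecting the volume.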
 
I appreciate the helpful comments and suggestions - I do think this is fascinating, from a technical standpoint, and I have learned much through the process of "liberating" my machine.

Less thrilled with the few pious rants, but this IS the internet, after all. And I have been (mostly lurking) on this forum off and on for 17 years, so I should have anticipated that there would be a few folks looking for a reason to be indignant.

For those of you truly concerned about my university network being protected, let me put your minds at ease. Recall that any of our many thousands of students are allowed on the same network without those restrictions placed on my machine. I feel the risk they are running by me having the privileges a bunch of kids fresh out of high school on their Macs and Windows machines have is pretty nominal.

I DO agree they have the right to impose any policy they want, no matter how irrational (recall my other department's IT refused to allow ANY macs on their network). But as long as I can safely bypass those regulations and speed up my mac (that antivirus software is AWFUL) and also not have others have remote access, I will.

Thanks folks for the info - my newly-liberated mini is doing 99.9% of what I want at this point, but I will spend some time trying to sort out that last bit, just because I find it fascinating. If I come up with anything, I will post here and let you know.

ps StralyanPithecus - I LOVE that username!

EDIT: I had mostly just skimmed the rants, but in looking at them now, I feel like mentioning how counterproductive and impotent those ad hominem attacks are. There were a couple of folks who rationally and politely took issue with my actions, which gave me pause and helped me think critically about my choices. On the other hand, name-calling or character assaults may feel good at the moment (I guess? Not sure I completely understand the goal), but are VERY unlikely to sway anyone's mind, and tend to either be ignored (as I mostly did) or further entrench people in their beliefs, since it paints the opposing viewpoint as irrational. YMMV, of course, but as I have gotten older I more often stop to think "what do I hope for as an outcome of this email/post" before sending, and I think it has made me a more effective advocate.
 
> For those of you truly concerned about my university network being protected, let me put your minds at ease. Recall that any of our many thousands of students are allowed on the same network without those restrictions placed on my machine. I feel the risk they are running by me having the privileges a bunch of kids fresh out of high school on their Macs and Windows machines have is pretty nominal.

The wifi network they can access is very likely routed through different hardware than the wired network you're wanting to access, and therefore it's not really a good comparison. Do you need to sign in/authenticate any wired connections? I'd bet you do have to for wireless ones.

My school, for example, has two wifi networks. One for faculty laptops (everything else is locked out by MAC address; iPads are not registered because they never got around to it) and one for everything/everyone else. Same login credentials, but one is unrestricted in terms of websites we can access and internet speeds, where the other has speed caps and has - in the past - had filters placed on content. The point is that the students aren't necessarily accessing the same network you are via wifi.
 
He can when not using THEIR network.
Also, this post's starter can't seem to grasp that the Student network is separate from the Faculty network.
He would also be the first complaining when a hacker has his SSI # and info.

I disagree, if he's paid for the machine let him do what he wants.
 