JamesBrickley

About
Username: JamesBrickley
Visits: 62
Roles: member
Points: 169
Badges: 0
Posts: 104
  • Rack-mounted Mac mini power problem solved by remote servos

    There is more to it than just having a servo press or press-hold the power button. You need to have some sort of KVM connected to HDMI or USB-C Display and KB/mouse and route the video to remote control of some sort. The SSDs are factory encrypted and turning on FileVault only generates a public/private key, stuffs the private key into the Secure Enclave and uses the public key to generate the FileVault Recovery Key, which gives you a way to reset the password if forgotten. If an M1 / M2 Mac Mini is rebooted in the data center, it comes up to a pre-boot authentication screen and it's not online with the network. When you enter your ID/PW it then boots macOS and single-signs onto the desktop. If the passwords are out of sync it will have a second real login screen. The pre-boot authentication screen is skinned to look like the real login screen but it most certainly is not. Using Pi-KVM you can attach to HDMI & KB/Mouse, and the Pi-KVM is networked so you can load its web page, log in and manually log in to the Mac Mini. The servo solution is to physically press the power button. Using a Pi-KVM with a server you could mount the Pi-KVM internally with a PCI slot cover passing cables in and out of a racked server. Internally you can reach the power pins on the server motherboard. Pi-KVM is useful when your server / PC / Mac doesn't have an enterprise-class BMC which allows for IPMI, iDRAC, iLO found on real servers. The old Apple Xserves had iLO Lights-Out management. But none of the modern Macs have the necessary BMC chips and remote management functionality of PC servers. It would be nice to have that. Companies like MacStadium are no doubt developing internal solutions to solve the problem.

    Good luck actually sourcing Raspberry Pi hardware; there are severe shortages globally. Seems some commercial vendors are buying up all the rPIs and they are being given priority by the manufacturer.
  • APFS changes affect Time Machine in macOS Big Sur, encrypted drives in iOS 14

    rob53 said:
    What about formatting external RAID HDD as APFS? OWC’s SoftRaid is waiting for Big Sur to make this happen. My RAID can’t be used to backup my Catalina APFS volumes. 
    You do not need to format your NAS as APFS. But you need to set up something to act like an Apple Time Capsule. For example, my ZFS NAS has a tiny virtual machine running Linux that simulates the Apple Time Capsule. When I create a backup using the Apple Time Capsule it creates a DMG sparse image for each Mac. When doing so from a Big Sur beta test Mac it creates the DMG sparse disk using APFS. If I encrypt that image it still works. This is how off-the-shelf NAS providers like Synology work. They run the open source tools to simulate a Time Capsule over SMB (Netatalk).

    You can do this without a Time Capsule emulation but it's a bit harder and requires you enable Time Machine over SMB on each Mac which is officially unsupported.  It does in fact work.  Here is the override.  But I don't recommend this method.

    defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

    The supported method is if you were to run, say, a Mac mini with macOS High Sierra or above; you could do it that way. Just mount the NAS storage on the Mac mini and turn on File Sharing, select the mounted NAS folder, right-click it, select Advanced Options and check the box to enable Time Machine network location. It will provide the intermediate Time Capsule-like functionality and it will be fully supported by Apple. You don't even need macOS Server. It's quite a bit of overkill in overhead and cost considering you can do the same with even an old Raspberry Pi and the Netatalk open source project for far less and with far less overhead. Heck, you could run quite a bit more on a Raspberry Pi 3+ and not even stress it much, like a print server and a Pi-Hole (network-wide ad-blocker), etc. But you could probably find alternative uses for the Mac mini to do many more things as well.

    Remember that Macs are still UNIX and they play extremely well with UNIX/Linux, and when there is a will there is a way. You don't need to do everything with Apple. But Apple still makes things rather easy; you just need to know how to peel back the layers to find it at times. Bet most people didn't know that macOS High Sierra can run a Time Machine server. I just checked; it's still an option.
  • Apple Card offers simplified and secure Goldman Sachs-backed credit card with daily reward...

    The event was rather lame.  But we aren't the target audience.  Hollywood and TV Networks were the target.
  • New Grayshift spyware lets police surreptitiously snatch iPhone passcodes

    Physical access to any device would result in potential exploit. If one were to hand over a device to law enforcement or especially border control and received it back, you should immediately reset the device via DFU mode and set an entirely new strong passcode. I wouldn't even unlock it; I would shut it off and connect it to a computer in DFU mode, then wipe it and re-download and install the signed operating system. Then restore the backup from the computer. Previous backups should be made regularly to the computer and not iCloud, as your iCloud backups are not encrypted and Apple could supply your iCloud backups to law enforcement.

    For maximum security, don't use iCloud and especially not iCloud backups. Set a very strong passcode of 20+ characters. If handing over to someone else, disable FaceID/TouchID so only the passcode is allowed. If they give the device back, you either destroy it or DFU wipe it, restore the OS and restore a local encrypted backup.

    If traveling across nation state borders, either don't bring your primary device or bring a burner you can discard. They may demand you unlock the device so they can inspect / image it. Border security laws are drastically different from normal law enforcement. They may seize your device. The US, Australia and New Zealand have highly invasive demands.

    But the truly paranoid will simply go off grid. Zero electronics whatsoever. Your smartphone is constantly broadcasting unique identifiers over cellular, Wi-Fi, Bluetooth, or NFC and you can certainly be tracked. When you see that COVID-19 map of the cell phone users on the Daytona, FL spring break beach, with each device tracked back to their homes across the country, that should open one's eyes that metadata is extremely valuable. Many retail stores are tracking your movement through the store by using these broadcast identifiers, and if you pay with a credit card or store card or use a membership card they tie all that data together and identify you.

    The encrypted data stores on an iPhone contain far more detail that never leaves the device.  But Android phones send all that data back to Google.  Notice how Google is not being hounded by the DOJ only Apple.  The most sensitive privacy data is kept on the device and as such Apple is providing the highest level of privacy at this time. 

    In many cases these Grayshift articles are not explaining the details, such as the latest model iPhones not being vulnerable, but because there are so many older models these devices are still viable for law enforcement. When the DOJ mentioned that latest crack against the terrorist's iPhones they mentioned that the technique used already doesn't work on the latest models. That might have been a reference to the hardware flaw that Apple fixed after the iPhone X that was the beginning stage of a jailbreak. The Grayshift device has found some way to side-load a hidden app that breaks the rules sandboxed apps normally follow. It's possible the device is indeed jailbroken. Some apps such as BlackBerry Work among others will detect the jailbreak and cease functioning as well as destroying the encrypted corporate email storage. Most MDM-managed devices would also report on a jailbreak and an MDM administrator would then remotely nuke the device for security purposes.

    If a device leaves your possession you can no longer trust it.  This has always been the case.  
  • Apple releases macOS Monterey 12.4 to the public

    Here is a good explainer of how updates have changed in macOS and what is happening:
    https://eclecticlight.co/2022/03/19/explainer-macos-updaters/

    Howard Oakley has a lot of information on his blog posts and quite a few extremely useful MacAdmin tools. 

    You really cannot compare Linux / FreeBSD / Windows to macOS in regards to OS updates, it's radically different and goes well beyond simply updating files. Apple's security and chain of trust changes are considerable.
  • Intel promises to support two-year transition to Apple Silicon

    Something tells me Intel won't be so smug in 2 years. Apple has none of the constraints that tie the hands of Intel / AMD. Apple will move forward much faster than they can imagine. Looking at what they did the last few years should be proof of that. Apple will hit 5nm sooner than Intel; AMD will be there as well, but even AMD won't be able to keep up for long. Apple chips won't be sucking down hundreds of watts and they will be going much faster than chips that do.

    But the real threat is if Apple decides to start producing server class silicon or perhaps licensing it...
  • No hardware debuts during WWDC 2021 keynote, says leaker

    New hardware can drop at any time when Apple is ready. They will just have a smaller event like they did for the M1 launch. It could happen next month or this fall, etc. Remember, they are planning to update the entire Mac lineup by the end of 2022. For many tasks right now the M1 is doing extremely well. A beefier updated version with more cores, RAM, GPU is coming. We just have to be patient. For me, I can breathe a sigh of relief that the most popular MBP line isn't going away just yet, thus giving corporate more time to buy up the remaining Intel 16" models. Most corporate and student MDM environments are not ready for Apple Silicon just yet. There's a lot of legacy software still taking their sweet time to produce Universal Apps, etc. If they do ship a 16" MBP with Apple Silicon M1X / M2 or whatever they decide to call the new SoC designs, I hope they still sell the Intel models for a bit longer. At least a year longer.
  • Microsoft found a macOS exploit that could completely bypass System Integrity Protection

    Microsoft has yet to patch a very serious Secure Boot vulnerability on PCs. Apparently, fixing it will break perhaps millions of PCs.

    Once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

  • Review: Apple's 13" MacBook Pro with Touch Bar

    Everything is going to go USB-C in the very near future. Chromebooks and other Ultrabooks are starting to use it, as well as smartphones. Eventually Apple will switch to USB-C for iPhone and iPad, maybe next year. Yes, there are some aches and pains such as older USB-C docking stations being incompatible, power issues between devices, etc. I quick charge my iPad Pro 12.9" (80% in an hour) using the MacBook 12" 29-watt USB-C charger with a USB-C to Lightning cable. I cannot charge a smaller iPad Pro nor iPad Air 2 that way, nor can I charge an iPhone that way. But I can use the cable to charge off the MacBook USB-C port for those devices. Having 2-4 USB-C ports changes the game considerably. So expect similar power charging issues with other devices. The voltage and amperage need to be compatible.