Apple Lock Guide for MacAdmins

Andrea Pepper|September 29, 2023

Need help keeping all these dang Apple locks straight?

Hey, me too! It can be confusing to remember which locks do what to which hardware — so I made you a cheat sheet. 🫶

Types of Mac locks

The four locks most commonly referred to within macOS are:

  • Activation Lock

  • FileVault Lock

  • Firmware Lock

  • Recovery Lock 

Activation Lock

Related terms: Find My

Activation Lock screen displayed after an erase and after an attempt to contact Apple servers on startup. Source: x.com @RDKLInc

Location in System Settings to enable Find My.

Requirements:

Hardware: iPhone, iPad, iPod touch, and Apple Watch; on the Mac, only models with the Apple T2 Security Chip or Apple silicon.

Software: iOS 7, iPadOS 13, watchOS 6, tvOS 10.2, or later; on the Mac, macOS 10.15 Catalina or later. Find My must be turned on.

TL;DR: This lock protects against device and data theft.

Activation Lock is the Apple lock you have probably heard most about, since it applies to iPhone, iPad, and Mac alike. It prevents anyone else from erasing and reusing a lost or stolen device, and the Apple ID that turned on Find My controls it.

For iOS:

Activation Lock is turned on automatically when you sign in to an iOS device with an Apple ID and enable Find My. From then on, erasing the device, reactivating it after an erase, or turning off Find My requires that Apple ID and password.

For macOS:

On Mac computers, Activation Lock is available on models with the Apple T2 Security Chip (introduced in 2018) or Apple silicon, running macOS Catalina or later, and it activates when you turn on Find My Mac. It requires the owner's Apple ID and password before anyone can erase or reactivate the Mac.

If an iPhone, iPad, or Mac enrolled in your Mobile Device Management solution is reported lost or stolen, Activation Lock keeps it from being erased and reactivated by someone else. Through Find My you can additionally lock the device with a passcode, display a custom message with your contact number on the lock screen, and track the device's location.
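As an added example (not code from the original post or from Apple), the Python below audits one Mac for Activation Lock: it reads the text that `system_profiler SPHardwareDataType` and `system_profiler SPiBridgeDataType` print, works out whether the Mac has Apple silicon or a T2 chip and is therefore eligible for the lock at all, and reports whether the lock is currently on. The two sample outputs embedded in the block are constructed (dummy serial and UUID), not captured from a real machine; the `Activation Lock Status` line is the one System Information shows on macOS 10.15 and later.

```python
import re
import subprocess

# Constructed sample of `system_profiler SPHardwareDataType` output for an
# Apple silicon Mac (not captured from a real machine; serial/UUID are dummies).
SAMPLE_HARDWARE = """Hardware:

    Hardware Overview:

      Model Name: MacBook Air
      Model Identifier: MacBookAir10,1
      Chip: Apple M1
      Total Number of Cores: 8 (4 performance and 4 efficiency)
      Memory: 16 GB
      Serial Number (system): C02XXXXXXXXX
      Hardware UUID: 00000000-0000-0000-0000-000000000000
      Activation Lock Status: Enabled
"""

# Constructed sample of `system_profiler SPiBridgeDataType` on a T2 Intel Mac.
# A pre-T2 Intel Mac prints an empty section here; an Apple silicon Mac has no
# separate T2 entry because the Secure Enclave is part of the SoC.
SAMPLE_IBRIDGE_T2 = """Controller:

    Controller Information:

      Model Name: Apple T2 Security Chip
      Firmware Version: 19P4218
"""


def parse_kv(text):
    """Turn system_profiler's indented 'Key: Value' lines into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m and m.group(2):          # skip section headers like 'Hardware:'
            out[m.group(1)] = m.group(2)
    return out


def security_chip(hw, ibridge):
    """'apple_silicon', 't2', or 'none' (Intel Mac without a T2 chip)."""
    if hw.get("Chip", "").startswith("Apple"):
        return "apple_silicon"
    if "T2" in ibridge.get("Model Name", ""):
        return "t2"
    return "none"


def activation_lock_report(hw_text, ibridge_text=""):
    """Eligibility and current state of Activation Lock for one Mac."""
    hw = parse_kv(hw_text)
    chip = security_chip(hw, parse_kv(ibridge_text))
    eligible = chip in ("apple_silicon", "t2")
    status = hw.get("Activation Lock Status", "Unknown")
    return {
        "model": hw.get("Model Identifier"),
        "serial": hw.get("Serial Number (system)"),
        "chip": chip,
        "eligible": eligible,      # only T2 and Apple silicon Macs can be locked
        "enabled": eligible and status == "Enabled",
        "status": status,
    }


def profiler(datatype):
    """Run system_profiler for one data type and return its text (macOS only)."""
    return subprocess.run(["system_profiler", datatype],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # On a real Mac, audit the local machine; elsewhere, exercise the sample.
    try:
        report = activation_lock_report(profiler("SPHardwareDataType"),
                                        profiler("SPiBridgeDataType"))
    except (FileNotFoundError, subprocess.CalledProcessError):
        report = activation_lock_report(SAMPLE_HARDWARE)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run it with `python3 activation_lock_audit.py` on the Mac itself; an Intel Mac without a T2 chip comes back `eligible: False` regardless of what Find My says, which is the case that trips up inventory reports.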

Want to find out more? Learn how to remotely manage Activation Lock for your enterprise environment.

FileVault Lock

Related terms: FileVault Recovery

Location in System Settings to enable FileVault.

Requirements:

Hardware: Any Mac that can run OS X 10.7 Lion or later; on T2 and Apple silicon Macs the encryption is performed in hardware by the Secure Enclave.

Software: The original home-folder FileVault shipped in Mac OS X 10.3; the current full-disk FileVault (FileVault 2, XTS-AES-128) requires OS X 10.7 Lion or later.

TL;DR: This is Apple's built-in full-disk encryption for the startup volume.

FileVault encrypts the startup disk with XTS-AES-128 using a 256-bit key to prevent unauthorized access to the data on it. On T2 and Apple silicon Macs the volume is always encrypted by the Secure Enclave; turning FileVault on is what ties that key to the user's password so the disk cannot be read without it. If a user forgets their login password, the recovery key generated when FileVault was turned on can be used to unlock the disk and reset the password.

The FileVault recovery key is what protects access to the data when user credentials are lost: with the personal recovery key (or the institutional key or MDM-escrowed copy, in a managed fleet) an admin can unlock the disk and reset the login password. Escrow it the moment FileVault is enabled; it is displayed only once. Recovery Lock, covered below, is a different thing: it does not help anyone regain access, it is a password set through MDM that must be entered before the Mac will boot into recoveryOS.
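An added example, not code from the post or from Apple: the plist handshake around `fdesetup`, the command-line tool MacAdmins use to turn FileVault on and check its state. The functions build the `-inputplist` that supplies the user's credentials on stdin rather than on the command line, parse the `-outputplist` reply to pull out the personal recovery key (refusing anything that does not look like one, so an empty value is never escrowed), and interpret `fdesetup status`. The sample output plist and status strings are constructed; the recovery key in the sample is a placeholder with the right shape, not a real key.

```python
import plistlib
import re
import subprocess

# Shape of a FileVault personal recovery key: six dash-separated groups of four
# uppercase letters/digits. Used only to sanity-check what fdesetup hands back.
RECOVERY_KEY_RE = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")

# Constructed stand-in for `fdesetup enable -outputplist` output. The key is a
# placeholder with the right shape, not a real recovery key.
SAMPLE_ENABLE_OUTPUT = plistlib.dumps({
    "SerialNumber": "C02XXXXXXXXX",
    "HardwareUUID": "00000000-0000-0000-0000-000000000000",
    "RecoveryKey": "ABCD-EFGH-JKLM-NPQR-STUV-WXYZ",
})


def build_enable_input(username, password):
    """Plist for `fdesetup enable -inputplist`, so the password is read from
    stdin instead of appearing in the process list or shell history."""
    return plistlib.dumps({"Username": username, "Password": password})


def parse_enable_output(plist_bytes):
    """Return (serial, recovery_key) from `fdesetup enable -outputplist`.

    Raises ValueError if no well-formed key is present, so a caller never
    escrows an empty or truncated value by mistake."""
    data = plistlib.loads(plist_bytes)
    key = data.get("RecoveryKey", "")
    if not RECOVERY_KEY_RE.match(key):
        raise ValueError("fdesetup did not return a well-formed personal recovery key")
    return data.get("SerialNumber"), key


def filevault_state(status_text):
    """Interpret `fdesetup status`: 'on', 'off', 'deferred' (enablement is
    waiting for the user's next login/logout), or 'unknown'."""
    if "FileVault is On." in status_text:
        return "on"
    if "Deferred enablement appears to be active" in status_text:
        return "deferred"          # checked before 'Off': deferred output also says Off
    if "FileVault is Off." in status_text:
        return "off"
    return "unknown"


def enable_filevault(username, password):
    """Turn FileVault on for `username` and return (serial, recovery_key).

    Must run as root on macOS. fdesetup shows the key exactly once: escrow it
    (for example to your MDM) immediately and never write it to a log."""
    proc = subprocess.run(
        ["fdesetup", "enable", "-inputplist", "-outputplist"],
        input=build_enable_input(username, password),
        capture_output=True, check=True,
    )
    return parse_enable_output(proc.stdout)


if __name__ == "__main__":
    try:
        status = subprocess.run(["fdesetup", "status"],
                                capture_output=True, text=True).stdout
    except FileNotFoundError:
        status = "FileVault is Off.\n"    # not on macOS; show the parsing path
    print("FileVault state:", filevault_state(status))
    serial, key = parse_enable_output(SAMPLE_ENABLE_OUTPUT)
    print(f"sample: serial={serial} key ends with {key[-4:]}")
```

`enable_filevault` is the only part that changes the machine; the parsing functions are safe to run anywhere, which is why the state check and the key validation are separated from it.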

Firmware Lock

Related Terms: EFI Lock, Firmware Password

Firmware (EFI) Lock screen that appears before a device boots to the recovery partition. Source: https://support.apple.com/en-us/HT204156

Requirements:

Hardware: Intel-based Macs, including T2 models; not available on Apple silicon.

(Tip: Check your model under Apple menu > About This Mac.)

Software: OS X 10.10 Yosemite or later.

TL;DR: An older feature that stops an Intel Mac from being booted from another disk, or into recovery, without a password.

A firmware password on an Intel Mac prevents anyone who has not entered it from starting the Mac in single-user mode, from an alternate startup disk, or from the recovery partition. It does not protect the data on the disk; that is FileVault's job.

Nearly all Intel-based Macs support this feature. It is part of Apple's implementation of Intel's Extensible Firmware Interface (EFI), which replaced the traditional BIOS used in earlier PCs. The EFI firmware password applies to Intel-based Macs, sold from 2006 until Apple's transition to its own Apple silicon chips, which began in 2020; Apple silicon Macs replace it with Recovery Lock.
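An added example (not from the original post): a small compliance check around `firmwarepasswd`, the tool that manages the EFI firmware password on Intel Macs. It parses the output of `sudo firmwarepasswd -check` and `sudo firmwarepasswd -mode` into a verdict with the remediation command, and refuses to run on Apple silicon, where the equivalent control is Recovery Lock set through MDM. The sample outputs are constructed. Note that `firmwarepasswd` needs root and `-setpasswd` is interactive, so the remediation is reported rather than executed.

```python
import platform
import re
import subprocess

# Constructed samples of what `sudo firmwarepasswd -check` / `-mode` print.
SAMPLE_CHECK_ON = "Password Enabled: Yes\n"
SAMPLE_CHECK_OFF = "Password Enabled: No\n"
SAMPLE_MODE_COMMAND = "Mode: command\n"


def parse_firmwarepasswd(check_out, mode_out=""):
    """Reduce the two command outputs to {'enabled': bool, 'mode': str|None}.

    'command' mode asks for the password only when someone tries to boot from
    another volume, recovery, or target disk mode; 'full' asks on every boot."""
    enabled = re.search(r"Password Enabled:\s*Yes", check_out) is not None
    m = re.search(r"Mode:\s*(\w+)", mode_out)
    return {"enabled": enabled, "mode": m.group(1) if m else None}


def audit(state, require_full=False):
    """Return (compliant, message); the message carries the remediation."""
    if not state["enabled"]:
        return False, ("no firmware password set; remediate with "
                       "`sudo firmwarepasswd -setpasswd` (interactive), then "
                       "`sudo firmwarepasswd -setmode command`")
    if require_full and state["mode"] != "full":
        return False, (f"firmware password set but mode is {state['mode']}; "
                       "remediate with `sudo firmwarepasswd -setmode full`")
    return True, f"firmware password enabled (mode: {state['mode']})"


def local_state():
    """Query the running Mac. Refuses on Apple silicon, where the equivalent
    control is Recovery Lock set through MDM, and needs root on Intel."""
    if platform.machine() == "arm64":
        raise RuntimeError("Apple silicon: no EFI firmware password; use Recovery Lock")
    check = subprocess.run(["firmwarepasswd", "-check"],
                           capture_output=True, text=True, check=True).stdout
    mode = subprocess.run(["firmwarepasswd", "-mode"],
                          capture_output=True, text=True, check=True).stdout
    return parse_firmwarepasswd(check, mode)


if __name__ == "__main__":
    try:
        state = local_state()
    except (RuntimeError, FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"not audited locally ({exc}); using constructed sample")
        state = parse_firmwarepasswd(SAMPLE_CHECK_ON, SAMPLE_MODE_COMMAND)
    ok, msg = audit(state)
    print("COMPLIANT" if ok else "NON-COMPLIANT", "-", msg)
```

Most fleets settle on `command` mode: it blocks alternate-disk and recovery boots, which is the attack this lock exists for, without making every normal boot prompt for a password the user does not know.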

What is EFI?

EFI stands for Extensible Firmware Interface. It's a software interface between an operating system and the firmware of the computer's hardware, acting as the initial program that runs when the computer is powered on.

EFI controls the booting process for the computer and enables the computer's operating system to start. When you power on a Mac, EFI is responsible for initializing the hardware components, selecting an operating system, and running that operating system.

Is the EFI Firmware Lock compatible with Apple silicon Macs?

No. The EFI firmware password applies only to Intel-based Macs. Apple silicon Macs (M1 and later) start up through a different, hardware-verified Secure Boot chain, and the equivalent control there is Recovery Lock: a password, set through MDM, that must be entered before the Mac will start recoveryOS.

Recovery Lock

Requirements:

Hardware: Macs with Apple silicon.

Software: macOS 11.5 or later; the password is set and verified through MDM.

TL;DR: Recovery Lock is the Apple silicon replacement for the firmware password.

Recovery Lock arrived with Apple's own chips, so it requires a Mac with Apple silicon (M1 and later) running macOS 11.5 or newer. Intel Macs, including the 2018 and later models with the T2 Security Chip, keep the EFI firmware password instead.

Recovery Lock takes over the role the firmware password played on Intel: it sets a password that must be entered before the Mac will boot into recoveryOS, which keeps someone with physical access from using recoveryOS to reinstall macOS, change the startup security policy, or reset a user's password. Unlike FileVault's recovery key, it is not a way to regain access to an account, and it is not generated automatically during setup: your MDM solution sets it with the SetRecoveryLock command, and you must escrow that password, because Apple cannot reset it.

To confirm the status of Recovery Lock on an endpoint, an administrator sends the VerifyRecoveryLock command, carrying a candidate password, through the MDM solution; the Mac reports whether that password matches the one currently set. This lets organizations confirm that the escrowed password still matches what is on the device before they need it.
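An added example, not code from the original post or from any MDM vendor: building the SetRecoveryLock and VerifyRecoveryLock command plists an MDM server sends to a supervised Apple silicon Mac, and reading the Mac's VerifyRecoveryLock reply. The key names follow Apple's MDM protocol reference (`RequestType`, `NewPassword`, `CurrentPassword`, `Password`, `PasswordVerified`); the device responses below are constructed, and the transport (the APNs push and the device's check-in connection) is outside the example. The password generator and the `escrow` dictionary are illustrative stand-ins for the MDM's own escrow store, which in production is keyed by serial number and access-controlled.

```python
import plistlib
import secrets
import string
import uuid

# Constructed device reply to VerifyRecoveryLock (not a real device's response).
SAMPLE_VERIFY_RESPONSE = plistlib.dumps({
    "CommandUUID": "0c5d1b5e-0000-4000-8000-000000000001",
    "UDID": "00008103-000000000000001E",
    "Status": "Acknowledged",
    "PasswordVerified": True,
})

# Constructed failure reply; the error text is made up for the example.
SAMPLE_ERROR_RESPONSE = plistlib.dumps({
    "CommandUUID": "0c5d1b5e-0000-4000-8000-000000000002",
    "UDID": "00008103-000000000000001E",
    "Status": "Error",
    "ErrorChain": [{"LocalizedDescription": "constructed: command not supported on this device"}],
})

PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_recovery_lock_password(length=20):
    """Random per-device password. The MDM must escrow it keyed by serial
    number: Apple cannot reset a lost Recovery Lock password."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _command(body):
    """Wrap a Command dictionary in the envelope the MDM protocol expects."""
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": body})


def set_recovery_lock_command(new_password, current_password=None):
    """SetRecoveryLock: NewPassword sets or rotates the lock (an empty string
    clears it); CurrentPassword must be supplied when one is already set."""
    body = {"RequestType": "SetRecoveryLock", "NewPassword": new_password}
    if current_password is not None:
        body["CurrentPassword"] = current_password
    return _command(body)


def verify_recovery_lock_command(password):
    """VerifyRecoveryLock: the Mac answers whether `password` is the one set."""
    return _command({"RequestType": "VerifyRecoveryLock", "Password": password})


def command_of(plist_bytes):
    """The Command dictionary inside a serialized MDM command (for inspection)."""
    return plistlib.loads(plist_bytes)["Command"]


def interpret_verify_response(plist_bytes):
    """True/False for a verified/unverified password; RuntimeError if the
    command itself failed (unsupported hardware, not enrolled, ...)."""
    resp = plistlib.loads(plist_bytes)
    if resp.get("Status") != "Acknowledged":
        raise RuntimeError(f"VerifyRecoveryLock failed: {resp.get('ErrorChain')}")
    return bool(resp.get("PasswordVerified"))


def rotate(escrow, serial, current=None):
    """Plan a rotation for one Mac: the new password goes into `escrow`
    (stand-in for the MDM's escrow store) and the matching command is returned."""
    new = generate_recovery_lock_password()
    escrow[serial] = new
    return set_recovery_lock_command(new, current)


if __name__ == "__main__":
    escrow = {}
    cmd = rotate(escrow, "C02XXXXXXXXX")
    print(command_of(cmd)["RequestType"], "queued; escrowed password length",
          len(escrow["C02XXXXXXXXX"]))
    print("verify command bytes:", len(verify_recovery_lock_command(escrow["C02XXXXXXXXX"])))
    print("sample reply verified:", interpret_verify_response(SAMPLE_VERIFY_RESPONSE))
```

Order matters in a rotation: store the new password in escrow before the SetRecoveryLock command is queued, and only discard the old one after a VerifyRecoveryLock with the new value comes back `PasswordVerified: true`. A rotation that overwrites escrow after sending, and then loses the response, is how fleets end up with Macs nobody can boot into recoveryOS.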

Is Recovery Lock compatible with Intel-based Apple machines?

No. Recovery Lock is available only on Macs with Apple silicon. Intel-based Macs, including those with the T2 Security Chip, use the EFI firmware password instead; Recovery Lock was designed for Apple's own chips and their boot process, not for the Intel architecture.

FAQ about Apple Locks

What are some examples of iOS locks?

iOS has several lock options, including Passcode Lock, Touch ID, Face ID, Screen Time Passcode, and SIM PIN.

  • Passcode Lock: This is the simplest form of protection offered on Apple devices such as iPhone, iPad, and Apple Watch. Passcode Lock requires a numeric code or a custom alphanumeric password to unlock the device.

  • Touch ID: Available on specific iPhone and iPad models and on Macs with a Touch ID sensor, Touch ID uses your fingerprint in place of the passcode for unlocking the device, authorizing purchases, and auto-filling passwords.

  • Face ID: On iPhone X and later models, as well as some iPads, Face ID uses facial recognition technology to unlock your device, validate purchases, and autofill saved passwords.

  • Screen Time Passcode: Screen Time is a feature on iPhones, iPads, and iPod touch devices that tracks device and app usage. You can set limits on specific apps and features; a Screen Time Passcode prevents changes to those settings.

  • SIM PIN: The SIM PIN locks your SIM card to protect it from being used in other devices, preventing unauthorized cellular usage.

Did Apple Intel models use EFI or UEFI?

Apple's Intel-based Mac models use EFI, specifically a modified version of the earlier Intel-designed Extensible Firmware Interface (EFI) 1.1 standard. While the Unified Extensible Firmware Interface (UEFI) is the successor to EFI and commonly used in modern PCs, Apple's implementation on their Intel-based machines was based on the earlier EFI standard, not the full UEFI. While there is much overlap, EFI and UEFI are not identical, with UEFI having more extended functionality.

What is a hardware-verified Secure Boot?

Hardware-verified Secure Boot is a security feature that ensures your computer runs only trusted operating system software during startup. It is built into Macs with Apple silicon and, before that, into Intel Macs with the T2 Security Chip.

During startup, the Secure Boot feature uses cryptography to verify the integrity and authenticity of the operating system's boot files and bootloader. This adds extra protection and prevents the system from loading malicious or compromised operating system versions. If the BootROM finds the signature is correct and the software version is trusted, the boot process continues; otherwise, the boot fails.

Secure Boot on its own does not encrypt anything; combined with FileVault, it means that physical access to a lost or stolen Mac does not give an attacker a way to boot modified software and read user data, which is the extra protection that matters for a device out of your hands.

Can Firmware Lock or Recovery Lock be bypassed?

An EFI firmware password can be reset by Apple or an Apple Authorized Service Provider with proof of purchase. A Recovery Lock password, per Apple's user guide, cannot be recovered if it is forgotten; the MDM solution can change or clear it only while it still holds the current password, which is why escrowing it is not optional.


Feeling tied up in knots with Apple Lock terms? Unlock clarity with SimpleMDM! Enhance your MacAdmin skills and go further in the Apple lock sphere with a 30-day free trial of SimpleMDM.

Andrea Pepper

Andrea Pepper is an Apple SME MacAdmin with a problematic lack of impulse control around a software update prompt. When not poking at machines, Pepper enjoys being a silly goose in sunny Colorado with her two gigantic fluffer pups.
