Tl;dr: Apparently Apple Geniuses ask customers who are dropping off their Mac for repair (where the device can’t be repaired in-store) to turn off their admin password under some circumstances (even when better options exist). 😲 Be ready, because I wasn’t.
Millions of people walk through Apple Stores, and I think Geniuses asking people to turn off their Mac admin password is an unnecessary degradation of customers’ security.
About two weeks ago, I found out about an Apple screen recall program that covered my (otherwise out-of-warranty) MacBook Pro.
I was ecstatic! I’d previously looked into paying out of pocket for a screen replacement, and the total would have been $$$ and out of my price range, but this would be free! I made a Genius Bar appointment immediately and headed straight to the closest Apple Store.
Apple visit #1
After a quick inspection my Genius rep said my MacBook Pro was covered under the program. Then he proceeded to ask some questions: had I backed up my computer? And, most notably for this story, he asked:
Genius: Do you have FileVault turned on?
FileVault is a disk encryption program in Mac OS X 10.3 and later. It performs on-the-fly encryption of volumes on Mac computers.
Yes, I said. It was reassuring to me that he even asked this question. I told him I’d need to wait until the following week to turn over the Mac because it was needed for work.
He said I could drop it off any day before Tuesday, and then it would be shipped to a repair facility in Houston. The turn-around time would be a few days. … Great!
Apple visit #2
Fast forward to Tuesday…
Off from work and with a few other errands to run that evening, I called the Apple Store and asked when the repair pickup from the store would be made (the one where the devices are taken off to the repair center), so my device could be checked in before the next outgoing batch. The rep said that the delivery people hadn’t made their pickup yet, but they would probably be by very soon. I prioritized making it straight over there.
After checking my photo ID and looking at my computer’s lock screen, the first thing the Genius asked me was:
Could you disable the computer’s administrator password?
Me: Huh? What do you mean?
Genius: Could you turn off the password on the device?
Me: Are there other options?
Genius: Well, if they need to access your computer and the password is enabled, they’ll re-image your hard drive and reinstall the OS. Did you make a backup?
Turning off your computer’s password (disabling the lock screen) before handing it over is an insane proposition: you are essentially giving any handler of that device carte blanche access to its data. Bad things have happened to unattended devices in the repair industry; computer access should be as limited as possible.
Flustered, and not excited about the prospects of having to restore my computer’s state from a single spinning external drive, I slowly made my way to System Preferences > Users. I stalled as some questions raced through my head:
– Why had the Genius from my last visit asked if I used FileVault, if I was now being asked to remove my password?
– Wasn’t Apple all about privacy? This didn’t seem in line with that.
– Was this even necessary for a screen replacement? Could this not be handled by some BIOS interface that didn’t need an admin password?
[Update: via feedback on Twitter: screen replacements don’t require an admin password, so this ask was completely uncalled for].
– Why had the Genius on my last visit not notified me about this “needing to unlock the computer” thing? My preparations for the visit would have been entirely different; instead, he asked about disk encryption…
The Genius seemed as rushed as I was (still trying to get my computer in the store’s outbox before the delivery people showed up).
Then, this happened:
Genius: What’s your administrator password?
I was shocked.
Why had he not started with this question?
Many normal customers would have, by this point in the story, already disabled their Mac’s administrator password.
Giving Apple your password (while still a reason for concern), where it’s stored in their customer-management platform, is a MUCH BETTER OPTION THAN REMOVING IT — and should completely NEGATE the “need” to disable the computer’s password under all circumstances.
See, if you remove your Mac’s password, anyone that handles your machine can do whatever they want with it. Including the delivery people, anyone in the room with the device at the Apple Store, unrelated or miscellaneous workers at the repair center, etc. And when they mess with the device, there would be no trail of them having done so. That’s very scary.
However, if you give a Genius the password, only a handful of people who have access to Apple’s backend can have their way with your machine, and there will (presumably) be a log of them accessing your password. This is also somewhat scary but a bit more reasonable.
And again, the reason this is a big deal is because many normal customers would have, at this point in the story, already disabled their Mac’s admin password. This is not OK, because it represents a completely unnecessary degradation of customers’ security.
My guess is that Apple’s retail operation has seen that asking for a customer’s password is met with more resistance than asking to merely disable it. But that doesn’t matter: turning it off outright is clearly the worse option.
There’s a history of bad things happening to unprotected/unattended devices in the repair industry, see https://www.techmeme.com/search/query?q=geek+squad&wm=false. This is a point in a computer’s lifecycle, more so than any other perhaps, where device security and auditable handling are necessary.
Stressed and still wanting to turn my computer over before the pickup, I gave the Genius my password and then furiously began logging out of apps, like OneNote, Chrome, etc. I thought about unlinking Dropbox, but what was the point — the data would have still been there. Resigned, I gave it to the Genius.
When I got the device back several days later, I couldn’t have been happier from a hardware perspective — the MBPro looked brand new.
But I was dismayed (though not surprised) to learn that, despite logging out of Chrome, the browser did not clear its “Managed Passwords” from its on-device storage. Whatever, it didn’t really matter anyway: if an Apple repair tech wanted to be nefarious with my password, it was hopeless regardless, as Keychain Access would have been his/hers too.
I guess the main takeaways from the experience are the following:
Geniuses and Apple Support Advisors should…
1 – … warn customers ahead of time that handing over their passwords is something that may happen.
2 – … stop telling people to disable administrator passwords altogether (because a better option exists).
3 – … know if the admin password is truly necessary for a given repair.
[Update: via feedback on Twitter: screen replacements don’t require an admin password, so this ask was completely uncalled for, which makes #3 even more pressing. Don’t ask your customers to downgrade security unnecessarily].
When I called before my 2nd visit to the Apple Store, the rep volunteered (unsolicited) the name of the firm that was to take the devices from the store to the repair center. That implies the devices were not in Apple’s custody the entire time, another reason disabling the password is a ridiculous ask.
More thoughts following reader feedback:
In comments on this article and on Twitter, I’ve received pretty thoughtful suggestions on how I should have prepared my Mac. Thanks, and this could have definitely been (somewhat) mitigated if I’d had more foresight. One of the main thrusts of the article, though, was that on my first visit, the Genius asked if I had FileVault turned on – which led me to believe that my disk could remain encrypted while being repaired, which is partly why I was blind-sided by the second visit (I’m also just stupid, as one redditor pointed out 😛 ).
My second observation is the sheer variety of requests from Apple Geniuses: from people with screen repairs saying they weren’t asked for passwords, to two accounts of keyboard repair, one where the customer was asked to disable FileVault (?) and another where the customer was asked for “an admin” password (which he didn’t give, and which proved not to be necessary for the repair), to my experience, where the opening question was to disable the admin (lock screen) password. There just seems to be inconsistency across the board.