Mac admin'ing

What can you do at the password prompt in Catalina’s recovery mode?

The mysterious password prompt

Starting in macOS 10.15 (Catalina), Apple requires a password before you can do anything useful after booting into recovery mode.

It’s not exactly clear what this password is for. T2-chip Macs have hardware-based encryption, and that encryption can be turned on instantaneously. Without mounting the encrypted drive, you can’t really reset a password or access the data on the drive. This prompt just seems like a rather odd choice, especially since it appears to act as almost some kind of firmware lock… except it’s not.

Option 1: Erase without password or recovery key

If you don’t know the password to a user account and also don’t know the recovery key to FileVault, you can still use recovery mode to erase the current installation and reinstall macOS. Yes, that’s that menu item hidden in the top-left corner.

You can just click Recovery Assistant and then select Erase Mac….

You’ll then be prompted to join a wireless network, after which some kind of Internet recovery is downloaded and booted to. That puts you back at recovery mode with a prompt to activate your Mac, followed by the opportunity to reinstall macOS on the freshly wiped drive.

Option 2: Use FileVault recovery key with no password

But let’s say you don’t want to wipe the drive necessarily—you just want to do other recovery mode stuff, and you don’t know any user passwords. Well, you can click Forgot all passwords?

Then you can enter the FileVault recovery key for the drive.

Option 3: Use FileVault-enabled user password

And if you do know a user password, of course, you can select the user, and then enter a password when prompted.

The only odd thing about that is it doesn’t actually get you past FileVault encryption.

That’s right. Even though you’ve entered a user password, if you want to mount the Macintosh HD – Data partition, you’ll still be prompted for a FileVault-enabled user’s password again.

Using Munki to ignore Catalina upgrade in macOS

Update: Apple has deprecated the --ignore flag, so this probably will never work again.

Apple used to make you go out of your way to download an OS upgrade. Then, Apple started having those OS upgrade installers auto-download to the /Applications folder. Then Apple made it so OS upgrades appeared as regular updates.

For Mac admins who aren’t ready to have their clients upgrade to Catalina (and potentially have a lot of things break), there is a way to tell the client machine to ignore the update and thus not advertise it to the user.

For those who are Munki admins, I’ve created a nopkg that will allow you to “install” ignoring the Catalina upgrade (but you can easily tweak the script to ignore any update) and also “uninstall” ignoring the Catalina upgrade (or any update).

Note: If you “ignore” Catalina, you can still find it in the Mac App Store, but if you try to install it, it will open up System Preferences and say it can’t be found. So “ignoring” actually means “disabling.” That doesn’t stop you from using Munki to install an upgrade, though.
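A sketch of the three pieces such a nopkg needs (install check, install, uninstall), added here as an example; it is not the author's nopkg and only applies to macOS versions where `softwareupdate --ignore` still works. It assumes that running `softwareupdate --ignore` with no label prints the ignored list in the form shown by the constructed `sample_listing`; the single-file dispatch on `$1` and the function names are hypothetical, since in a real pkginfo each branch would be its own `installcheck_script`, `postinstall_script` or `uninstall_script`.

```shell
#!/bin/sh
# Added example, not the author's nopkg. LABEL is the update to hide.
LABEL="macOS Catalina"

# Return 0 if label $1 is an exact entry in the ignored-updates listing
# read from stdin. Assumed format: one "quoted label" per line, optional
# trailing comma. Exact matching avoids treating "macOS" as a hit.
is_ignored() {
    sed -e 's/^[[:space:]]*//' -e 's/,\{0,1\}[[:space:]]*$//' |
        grep -Fqx -- "\"$1\""
}

# Constructed sample of the listing, so the parser can be tried offline.
sample_listing() {
    printf '%s\n' 'Ignored updates:' '(' \
        '    "macOS Catalina",' \
        '    "Hypothetical Other Update"' ')'
}

case "${1:-}" in
    installcheck)
        # Munki convention: exit 0 = install needed, non-zero = nothing to do.
        if softwareupdate --ignore | is_ignored "$LABEL"; then
            exit 1
        fi
        exit 0
        ;;
    install)
        softwareupdate --ignore "$LABEL"
        ;;
    uninstall)
        # Caveat: this clears every ignored update, not only $LABEL.
        softwareupdate --reset-ignored
        ;;
esac
```

Because the uninstall branch resets the whole ignore list, any other updates an admin had hidden on that client will be advertised again afterwards.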