Hey all, I was wondering if it is possible to enable a setting to erase all my data on my MacBook after [X] failed attempts, like the iPhone's "10 failed attempts feature." I have FileVault on, but also want this layer of security as well. If there's no option to do it within base macOS, are there any other 3rd party applications that can do the same? (That are either trusted or open source?)
Thanks for using Apple Support Communities. We understand you have some questions about your Mac, and we're happy to help. There is not an automatic feature with the Mac where your content will be erased. Is this regarding a forgotten FileVault password? If so, see what to do about that here: Use FileVault to encrypt your Mac startup disk
Any attempt to read the files on your encrypted drive without providing the login password returns the encrypted text, which would likely take more than a decade of supercomputer time to brute-force break into the encryption.
By the way, your password is not stored 'in the clear' on your Mac. Not even the length of the password is known. Passwords are encrypted as you enter them, and all your Mac can tell you is, (after entering some characters and subjecting them to the same encryption) was that it, or not?
Use suitably complex passwords, and generally not dictionary words spelled correctly (unless you use more than three), and you will be fine, unless you are an international-calibre activist or high-profile political figure.
If you plan to give away, sell, or trade in your Mac, the first thing you should do for security and practical reasons is erase the data on it and perform a factory reset. This article shows you how. If yours is an Apple silicon Mac running macOS Monterey or later or an Intel Mac with the Apple T2 Security Chip (2017-2020 models), follow the steps to erase all content and settings instead of following the steps in this article.
Before you do anything, you should back up the files on your Mac. You could do this manually by copying across files onto an external drive. If you use iCloud, your photos, mail, contacts, documents, and so on should be automatically backed up in cloud storage.
However, we highly recommend that you take the time to perform a Time Machine backup of your system using an external drive. That way, the same backup volume can be used by Apple's Migration Assistant during a macOS installation to quickly transfer your applications, files and settings from the old Mac to a new one.
There are certain apps that will need to be manually unlinked from your Mac before you say goodbye to it. Some third-party apps require licenses that only work on a limited number of computers, so think about any licenses you may have purchased.
Similarly, you should de-authorize your iTunes account on the Mac, as this removes its access to content that you bought from the iTunes Store, iBooks Store, or App Store, including things like music, movies, TV shows, apps, and books.
Next, the iPhone storage was partitioned into a read-only operating system partition and a writeable data partition. The operating system partition only changed when applying an update. It remained read-only and unchangeable during normal use.
The line where the transition began is blurry, but a good place to start is with OS X El Capitan 10.11, which is when Apple introduced System Integrity Protection (SIP). SIP was the beginning of protecting the Mac operating system from external threats like malware, or even administrators, by removing their ability to modify it directly. Doing so required them to now boot to the Recovery HD to disable SIP first. And this could only be done by a human sitting in front of the computer.
Over the next several major releases, more and more of the operating system fell under SIP. To further increase security, Apple introduced its Apple File System (APFS) with macOS High Sierra 10.13, setting the stage for some major under-the-hood changes with how it could handle data on the drive. And it tied the operating system to specific hardware models by requiring firmware. That installation process required an Internet connection to download the machine-specific firmware version.
In March 2018, Apple introduced the startosinstall command in its macOS High Sierra 10.13.4 installer. It included an --eraseinstall option for completely erasing the operating system on a disk (plus its user data) and then installing a clean macOS. Because startosinstall was a command line tool, it was easy to remotely invoke on Macs. No longer did a technician need to sit in front of the computer and boot it to an external drive to prepare it for something else.
Finally, when all the pieces were in place, macOS Monterey introduced Erase All Content and Settings to the Mac. The new process was a speedy 4-5 minutes compared to using the startosinstall command with the --eraseinstall option, which could take 20 minutes on a fast Mac or longer depending on the model.
Similarly, sending the EraseDevice command from a Mobile Device Management (MDM) server like Jamf Now, Jamf Pro or Jamf School will invoke Erase All Content and Settings on macOS Monterey and Ventura computers instead of wiping the entire drive.
To verify the security level of any Intel or Apple Silicon Mac using Jamf Pro, navigate to the computer record and select Inventory > Security. Alternatively, create an advanced computer search or smart computer group with the Secure Boot Level criterion to create a list.
Just know that even if Jamf Pro reports reduced security, simply running Erase All Content and Settings or the EraseDevice command successfully will restore the Mac to its most secure settings prior to preparing it for another purpose.
An end user can run Erase All Content and Settings directly from the computer itself or an MDM administrator can send the EraseDevice command to one or more computers. Both have the same requirements:
To run the command on macOS Ventura, open System Settings (formerly System Preferences) > General > Transfer or Reset and click Erase All Content and Settings. The Erase Assistant first prompts for administrator credentials to continue.
Using the Classic API to send the EraseDevice command to multiple Macs is especially beneficial to administrators of school lab Macs that need refreshing between quarters or semesters. This along with the PreStage Enrollment option to automatically advance through the Setup Assistant has the potential to make the entire refresh hands-free.
We can foresee a time a few years from now when Apple releases a macOS version that requires a Secure Enclave. Like iOS and iPadOS today, the need to reinstall a clean macOS will likely be limited to certain developers who work at low levels of the operating system between the kernel and the hardware. The average and not-so-average device administrator will likely never work at that level.
Hackers are always looking for ways to get personal data: to access bank accounts, to find username and password pairs that may be reused with other accounts, and to collect data to use in identity theft.
Your browser history, auto-saved names and passwords in your browser, email contents, and sensitive documents like bank statements and tax returns are all very valuable to someone who knows how to use them against you. Also think of photos, videos, chats and, again, email contents that may include sensitive and personal content that can be used to blackmail you or destroy your reputation.
Click the Erase button in the toolbar. A dialog displays asking you what to name the drive after erasing, and how you want to format it. The default settings are good as is, but you can name it if you want to. Click Security Options at the bottom of the dialog.
From the above options, Security Option 1 is, of course, the least secure. Someone will be able to recover your data without much effort. Security Option 4 is the most secure, but it also takes a long time, especially if you are erasing a hard drive. You may have to comply with specific rules in your company, using the most secure options, but in most cases, any of the three more secure options is probably sufficient.
By using FileVault to encrypt the drive (startup drive) and Disk Utility to encrypt external drives, all the data on the drive will be garbled, unless someone has the encryption key (your password). If you want to know how to use FileVault and/or encrypt external drives, see this article. In fact, using FileVault is the best protection for any drive. You may not even need to securely erase a hard drive, if you use FileVault, though, again, company policy may require this anyway.
If you have FileVault enabled, when it comes time to part with your drive, all you have to do is a basic erase in Disk Utility. This will delete your encryption key, leaving nothing but garbled data on the drive. Without a way to decrypt the data, even if it is recovered, it will be useless.
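The key hierarchy behind two points made above (the password is only ever checked, never stored, and a basic erase destroys the key rather than the data), as an added example that is not taken from any of the sources quoted here. It is a simplified model, not FileVault's actual implementation: the HMAC-based keystream is a standard-library stand-in for AES, and `Volume`, `unlock` and `basic_erase` are hypothetical names.

```python
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES)."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _kek(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation: neither the password nor its length is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Volume:
    """Toy encrypted volume: data key (DEK) wrapped by a password-derived key (KEK)."""

    def __init__(self, password: str, plaintext: bytes):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        dek = os.urandom(32)                       # random key that encrypts the data
        kek = _kek(password, self.salt)
        self.wrapped_dek = _keystream_xor(kek, b"wrap", dek)
        # Verifier answers only "was that it, or not?" for a candidate password.
        self.dek_tag = hmac.new(kek, dek, hashlib.sha256).digest()
        self.ciphertext = _keystream_xor(dek, self.nonce, plaintext)

    def unlock(self, password: str):
        """Return the plaintext, or None if the password is wrong or the key is gone."""
        if self.wrapped_dek is None:
            return None
        kek = _kek(password, self.salt)
        dek = _keystream_xor(kek, b"wrap", self.wrapped_dek)
        tag = hmac.new(kek, dek, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.dek_tag):
            return None
        return _keystream_xor(dek, self.nonce, self.ciphertext)

    def basic_erase(self):
        """Discard only the wrapped key; the ciphertext blocks are left in place."""
        self.wrapped_dek = self.dek_tag = None
```

After `basic_erase()` the ciphertext is still present, yet even the correct password no longer yields the data, which is why a quick erase is sufficient on an encrypted drive.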
You can use FileVault and Disk Utility to encrypt your startup drive and external drives, use a 7-pass wipe in Disk Utility or hire a professional shredding service, or use a combination of these methods. Either way, with these methods you can be sure your data does not end up in the wrong hands.
The Mac OS X Disk Utility app provides an ability to erase free space on traditional hard drives, which overwrites vacant disk space on the drive to prevent any potential recovery of deleted files (that is, files that have been removed traditionally, rather than through secure methods).
Choose whichever option is most appropriate for your needs, but it's generally recommended to use the "secure" or "most secure" option if you intend on transferring ownership of a hard drive, or if you suspect a hard drive that once contained important data has the chance of being stolen or misused. Keep in mind that the latter two options take longer to complete, because they are performing the same overwrite task either 3 times or 7 times.