How to buy a used Mac without being locked out

Apple offers protections for owners with more to come—buyers be aware!


One of the great selling points for Macs has been a combination of their longevity and resale value. I know plenty of people with decade-old Macs. In the last two decades, I’ve easily gotten seven or eight years out of some Macs I’ve owned, and then sold them to folks who kept them in service.

There’s a lot to consider when buying a used Mac to make sure that it will keep working. But something that you might overlook is that security decisions made by the previous owner could conspire to lock you out in certain circumstances. This could happen on a restart, when trying to erase and reinstall macOS, or even on logging in, depending on what state the Mac was left in when you purchased it.

The best way to buy a Mac is after the seller has erased the drive and installed a fresh copy of macOS on it without yet completing setup, so you can do that from scratch without worrying about any software they may have installed or passwords or accounts they’ve created.

And the best scenario to receive a used Mac is to do so in person, so you can fire up the computer and see it’s working, run through tests listed below, and be sure no extra passwords or permissions are needed.

Regardless of how you receive the Mac, check out these items—preferably before finalizing the deal.

  • Shut the Mac down and perform a “cold boot”—start it up and see if you can log in with account information provided or complete macOS setup.

  • Restart normally from the Finder and hold down Command-R to make sure you can start up in macOS Recovery. (If macOS Recovery isn’t installed, the Mac should attempt to retrieve it over the internet and install it. If shown a lock icon and password field by itself, see the firmware password section below.)

  • In Recovery, run Disk Utility. Can you mount the disk without a password? Also run Disk First Aid to ensure that no problems are reported.

That covers the basics, but you can and should dig deeper. (You should also use this checklist before selling a Mac.)

Tip: If a seller balks at providing a password to you directly for something that can be typed in while booted into macOS proper—a perfectly reasonable thing to resist—you can use a slightly hidden feature for iMessages. In a chat session with Messages for macOS that has the blue bubbles showing an iMessage connection, click the Details button in the upper-right corner, and then click the overlapping screens icon. Select Invite to Share My Screen. The seller can then remotely type the password in as required. (They may want to and probably should change their iCloud or other password after that, too.)

Were one or more accounts created?

If someone else set up a computer, you don’t necessarily know what’s running on it. I suggest erasing the drive and reinstalling macOS via macOS Recovery. However, if that’s not an option or you’re not concerned, at least delete all unnecessary accounts and change the password on the main account, which must have administrator privileges.

If you’re retaining any accounts, also make sure that the Mac isn’t logged into the seller’s account in the iCloud preference pane.

If you see this screen at startup, you need a firmware password from the seller to unlock the Mac.

Is a firmware password set?

A firmware password locks the Mac to booting only with a particular startup disk. This can be a problem later if you want to start up from an external drive or make other changes. Check on this and then remove or change the firmware password with these steps:

  1. Restart your Mac and hold down Command-R to start up in macOS Recovery.

  2. If you’re prompted for a password next to a lock icon, you need the seller to provide this firmware password. Enter the password.

  3. After Recovery starts up, select Utilities > Firmware Password Utility (older Macs and some newer models) or Utilities > Startup Security Utility (Macs with a T2 security chip), and then Turn Off Firmware Password. Enter the password again when prompted.

  4. If you want to keep the firmware password enabled, now click Turn On Firmware Password and enter a password only you know and that you make a record of, preferably in a password-management app.

With a firmware password enabled, the startup disk cannot be changed.

If the seller doesn’t have the password, all isn’t lost, but it requires their participation to get the Mac unlocked. Apple says that the original receipt or invoice showing purchase of the Mac is required, and the Mac has to be brought in person to an Apple Store or an Apple authorized service provider.

Is FileVault turned on?

FileVault encrypts the entire contents of a Mac’s drive, making files unreadable when it’s powered down. It’s terrific technology that I strongly advise using. However, there are two kinds of problems with having it enabled when you purchase a used Mac.

First, FileVault has to be enabled on every account that you want to be able to log in. On a used Mac that’s prepared for you, there should be a single account created with administrator privileges. Because FileVault has to be turned on for at least one account, that’s all that’s needed. I suggest deleting any other accounts created on the device and changing the password on this account.

Second, there’s a kind of security exploit available if someone else set up FileVault. When you turn on the encryption, macOS generates a recovery key that allows you to decrypt a drive even if you don’t have an account password. This can be provided directly to the person setting it up or stashed in an iCloud account as escrow.

The seller could and should provide that key to you. However, you should also reset FileVault encryption. Without the recovery key you could be locked out. Or, in the unlikely event you’re purchasing a computer from someone criminal who might try to get it back later, they could decrypt the drive without your permission or password.

Follow Apple’s instructions to turn off FileVault and then turn FileVault back on. It can take a while to complete both decryption and encryption, but it’s worth it.

In Catalina, check Find My Mac

With macOS 10.15 Catalina, Apple is extending the activation lock protection that it added several releases ago to iPhones and iPads to any Mac with a T2 security chip. That chip offers the same “secure enclave” that makes Apple Pay, Touch ID, and other features available on Macs as it has been on generations of iPhones and iPads.

With the activation lock turned on, you won’t be able to erase the Mac and reinstall macOS from scratch. Check for activation lock by logging into the main or sole account and looking at the iCloud preference pane: is Find My Mac enabled?

If it is, that’s bad on a couple of fronts, because it means the seller is sharing other iCloud information with you, too, as well as the Mac being locked against future erasure. The seller should be amenable to making sure activation lock is disabled.
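The firmware password, FileVault, and activation lock checks above can also be read from Terminal while logged in to an administrator account. The script below is an added example, not part of the original article: it uses the macOS tools firmwarepasswd, fdesetup, and system_profiler (none of which the article names), the function names are hypothetical, and the sample output used when it runs off a Mac is constructed.

```shell
#!/bin/sh
# Added example: turn three macOS status commands into a pre-purchase checklist.
# Each *_state function reads command output on stdin and prints one verdict.

firmware_state() {            # input: output of `firmwarepasswd -check` (needs root)
  case "$(cat)" in
    *"Password Enabled: Yes"*) echo locked ;;
    *"Password Enabled: No"*)  echo clear ;;
    *)                         echo unknown ;;
  esac
}

filevault_state() {           # input: output of `fdesetup status`
  case "$(cat)" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

activation_lock_state() {     # input: output of `system_profiler SPHardwareDataType`
  case "$(cat)" in
    *"Activation Lock Status: Enabled"*)  echo locked ;;
    *"Activation Lock Status: Disabled"*) echo clear ;;
    *)                                    echo unknown ;;  # line not reported
  esac
}

# List what still has to be settled with the seller, per the sections above.
blockers() {                  # usage: blockers <firmware> <filevault> <activation>
  out=""
  [ "$1" = locked ] && out="$out firmware-password"
  [ "$2" = on ]     && out="$out filevault-reset"
  [ "$3" = locked ] && out="$out activation-lock"
  echo "${out# }"
}

if [ "$(uname)" = Darwin ]; then   # on a Mac: run the script with sudo
  fw=$(firmwarepasswd -check 2>/dev/null | firmware_state)
  fv=$(fdesetup status 2>/dev/null | filevault_state)
  al=$(system_profiler SPHardwareDataType 2>/dev/null | activation_lock_state)
else                               # elsewhere: constructed sample output
  fw=$(echo "Password Enabled: Yes" | firmware_state)
  fv=$(echo "FileVault is On." | filevault_state)
  al=$(printf '  Model Name: MacBook Pro\n  Activation Lock Status: Enabled\n' | activation_lock_state)
fi
echo "firmware=$fw filevault=$fv activation_lock=$al"
echo "settle with seller: $(blockers "$fw" "$fv" "$al")"
```

An "unknown" verdict means the command did not report that setting, so confirm it by hand with the steps in the matching section.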

Deauthorize iTunes

As a courtesy when buying, remind the seller to deauthorize iTunes on a Mac before they erase it or pass it on to you. The iTunes Store has a five-computer limit for use with a single account, and you can’t deauthorize individual computers after they’ve had their drives wiped, even after reinstalling macOS.

You can deauthorize all computers associated with an iTunes account, however, and then log back into just the computers you want to keep in the set. You can only deauthorize all computers twice a year.

This Mac 911 article is in response to a question submitted by Macworld reader Noah.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Every question won’t be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
