11

Today I left my MBP Retina at local authorised Apple service (it's a mid 2012 model, and it's having some gfx issues), and then I got an email telling me that I have to go back there and decrypt my hard drive, because they can't test if it qualifies for the free repair program.

If I will have to do it, then what should I do before giving them my laptop back (is just disabling keychain and deleting important files ok)?

Why do they need me to decrypt the whole disk? Isn't it just the hardware thing?

bmike
  • 235,889
wesolyromek
  • 211
  • 2
    I find it hard to believe these people are legit. Nothing on the hard drive should be required. They may be in the business of selling personal data. If they need to boot your computer, tell them to use an external drive with their own installation. I'd think a real repair place would know that though... I'd be wary of these people. – William T Froggard May 26 '15 at 22:05
  • This is exactly what I thought. I can't really see any reason to access the content of my hard drive if they only need to check whether the graphic card is working. Having in mind that it's an authorized service it's really strange. – wesolyromek May 26 '15 at 22:08
  • My mail-in Apple repair centre also wants access to the hard drive. I kept an older rotational drive (which got replaced by an SSD) aside for just those occasions, mostly empty, apart from bare-bone installations. The second time the MBP went in (same issue - graphics) I had partitioned it with one encrypted and one accessible volume; to the latter I gave them the password. – Redarm May 26 '15 at 22:50
  • Create them a bootable USB stick or tell them about the repair partition ;P – n1000 May 27 '15 at 14:51

5 Answers5

8

You should have to remove an EFI password or permit them to reset that since it prevents Service Providers from network booting to diagnostic images or selecting an attached bootable volume to run test software.

You don't need to decrypt FileVault 2 in any service I've ever seen unless you want them to log in to your user account and look at your software. With physical access they can wipe a drive, make a clone/copy of it, but encryption is your way to protect the contents of the files reasonably well without impacting service testing.

My guess is that the person communicating with you mis-spoke or mis-understood the notes from the technician and if you call them back (or have AppleCare update the case notes and alert the technician), they can confirm if you have EFI locked firmware password set.

Apple documents this in the repair terms and conditions both online and you should have received them before signing the machine in for service.

Technically, they could wipe your drive and reset all passwords per the terms, but generally they give you a courtesy notice before doing so intentionally.

See: https://support.apple.com/en-us/HT203253

Despite my generally trusting Apple repair employees, I would not give a machine password to an AASP until I had a very good understanding of who in that organization would have access to it, how it would be protected and when it would be destroyed. As to an iCloud password, the bar for yielding that is far, far, far higher bordering on almost never ever.

Community
  • 1
bmike
  • 235,889
  • Don't worry, I won't give them my password. It's synced with my whole iCloud account, so it would be kind of stupid. – wesolyromek May 27 '15 at 08:24
5

That indeed sounds very strange. Keep in mind that there can also be stores which only fake their licenese and aren't real service providers.

If you want to be sure, look up here: https://locate.apple.com/ | There you can search for official Apple Authorized Resellers.

You also could contact Apple-Support and ask them: https://support.apple.com/en-us/HT201232

Gabkano
  • 462
5

Repair centers generally need to boot your device. They do NOT need to access your account.

  • You will need to remove an EFI password if there is one

  • If you use filevault just create a separate account for them. Something obvious like "AppleService" with "password" and delete it when they are done. It does not need to be an admin account unless you took it in for software issues.

  • If they say they need admin access, ask for specifics. Push back on platitudes like "we need it to complete the service". Program name, settings etc.

  • Tell them to boot from an external. All Macs can do this, any service center that doesn't have a bootable external is borderline incompetent.

  • Remove the drive and tell them to boot from an external. How practical this is depends on the model and your screwdriver skills. Service centers do NOT need an internal drive unless you are sending it in for a drive or software issue. This option may have consequences for your warranty.

I have returned a couple of machines without the drive, the service center said absolutely nothing about it.

paul
  • 2,665
  • 12
  • 8
1

Yes, they either need FileVault turned off or need you to enter the FileVault password to evaluate the Mac for the free repair program. The test used to see if the Mac qualifies for the program does not work on mid-2012 15-inch Retinas with FileVault enabled, unless someone enters the password into that test. This is a specific issue with those models and this test; while it's not needed for most repairs, it is for this one. Source: I work for an AASP.

cpast
  • 171
  • Please explain why. – Reid Jun 07 '15 at 03:19
  • @Reid Because Apple says so. It is in the manual for performing these repairs. It is impossible to run the specific test designed for the purpose of this repair program on this model with FileVault 2 but without the password. Presumably, the test needs to access stuff on the installed SSD, and does not allow you to access it on an external drive. I'm not sure what else you want, but I'm pretty sure only an Apple engineer could answer. – cpast Jun 07 '15 at 03:22
0

When I took my early 2011 into an official Apple Store for a battery replacement, I did have to give them my password, but I did not need to decrypt the drive

Mark Bidewell
  • 143