Does Apple Track MacBook Serial Numbers Every Time We Connect to the Internet?
March 13, 2019
A customer emailed to say he loved the computer I sold him, but he also asked why he was getting constant popups stating that “Device Enrollment XXX can automatically configure your Mac”? I wasn’t sure. He sent me a screenshot:
As a refurbisher, I buy thousands of broken MacBooks from recyclers every year, fix them, and sell them. These computers are donated/sold to recyclers by academia, corporations, and government.
I called the recycler I bought this laptop from to ask what was going on, and he was familiar with the issue. Apparently some schools and other organizations use an Internet-wide software deployment solution from Apple called DEP (Device Enrollment Program) — they register serial numbers with a management tool, and when a serial is detected on the Internet, the user gets a pop-up asking if they want the organization's software dumped to their machine. The user is also informed of this while stepping through the initial setup wizard. This way organizations can issue a new computer to someone, perhaps in a remote location, and simply by virtue of that serial number being registered, the user can be assured a full deployment of the company software. Handy and sort of cool, right?
As I already witnessed, one problem occurs when the organization offloads computers to recyclers without de-registering them first. Perfectly good laptops that deserve a second life are plagued with pop-ups suggesting ownership — essentially a scarlet letter giving any reasonable person the impression that their laptop was stolen. The recycler explained to me that his many requests to de-register machines were unanswered, and that Apple also failed to help. I’ve since gotten confirmation of this reality from other recyclers as well. Without being de-registered from DEP, the logic board of the laptop is effectively bricked and can’t be sold. Most of them are therefore scrapped.
So sad, I thought. Yet another way that thousands of perfectly good devices will end up destroyed and recycled instead of re-used, and as usual Apple fails to help. They’ve proven many times they want all their older machines put out of commission, so this is nothing new.
But I started thinking — how exactly does a laptop, simply by having a “registered” serial number, start receiving these alerts? It must have something to do with the OS as well, since a serial number does not have a mind of its own, and computers do not automatically broadcast serial numbers.
The recycler told me that in order to check for “registered” computers, it’s necessary to step through the startup wizard to the third screen, where you are asked to log into Wi-Fi. If it’s not a registered machine, it will move on to the fourth screen, but if it is, you will see this:
Good to know, I thought. I’ll add this to my checklist in order to avoid more embarrassing situations! Going with the idea that the OS is involved, I then wondered if ALL Mac operating systems do this check. Long story short, I tried setting up a registered laptop with every OS, and Yosemite and older do not produce this screen, while El Capitan and newer do. And also: I wiped the machines completely and installed a fresh copy of the OS, so I know this is not an instance of lingering “management drivers” or some other element that I forgot to erase. It's the serial number and the OS that trigger it; that's all. You can bypass the screen by skipping the Wi-Fi login (after which point you'll get the pesky pop-ups), but if you connect to Wi-Fi and find out you have a managed computer, you're stuck. As a test, I walked through setup of a Sierra laptop, skipped the Wi-Fi and iCloud logins, said "no" to location services and other requests to send information, and STILL got the popup instantly when I connected to Wi-Fi from the desktop.
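As an added example (not from the original post), here is a Terminal check a refurbisher could run on a freshly wiped machine instead of stepping through the setup wizard to the Wi-Fi screen. It assumes the macOS `profiles` tool, which reports DEP enrollment on 10.13.4 and later; the sample report lines below are constructed to show what the parser expects.

```shell
#!/bin/sh
# Added example, not the original post's procedure. Classifies the output of
# `profiles status -type enrollment` (assumed available on macOS 10.13.4+).

# Constructed sample reports, in the format the tool prints.
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_CLEAN='Enrolled via DEP: No
MDM enrollment: No'

# dep_state: read an enrollment report on stdin and print one word:
#   enrolled - the serial is registered with DEP (expect the pop-ups)
#   clean    - not registered
#   unknown  - no recognisable "Enrolled via DEP" line was found
dep_state() {
  # sed -n ... p prints only the matching line, stripped of its label,
  # and always exits 0, so this is safe under `set -e`.
  dep=$(sed -n 's/^[Ee]nrolled via DEP: *//p')
  case "$dep" in
    [Yy]es*) echo enrolled ;;
    [Nn]o*)  echo clean ;;
    *)       echo unknown ;;
  esac
}

# check_this_mac: run the real tool if present and classify its report.
# On a system without `profiles` (or an older macOS) it reports "unknown"
# rather than guessing; the wizard check in the text still applies there.
check_this_mac() {
  if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment 2>/dev/null | dep_state
  else
    echo unknown
  fi
}

# Stand-alone run: show the two constructed cases, then this machine.
printf 'sample (registered): %s\n' "$(printf '%s\n' "$SAMPLE_ENROLLED" | dep_state)"
printf 'sample (clean):      %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | dep_state)"
printf 'this machine:        %s\n' "$(check_this_mac)"
```

A machine reported as "enrolled" still needs the owning organization (or Apple) to release the serial; the check only tells you up front which boards will show the pop-ups.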
The stubborn messages that my customer saw appear all the time, at regular intervals. It seems pretty clear that if you have an Internet-connected MacBook with El Capitan or newer (pretty much everyone), Apple is likely checking your serial number against a database regularly.
This struck me as scary, and probably an invasion of privacy. It seems innocuous enough on the surface, but if Apple is regularly checking your serial number against a database of managed computers, then what else are they checking for? What other databases are involved? Could they be recording location data, since most people have that turned on? And who gets to see this information? Apple is supposedly “big on security”, but courtesy of Edward Snowden’s findings, we know they participated in the PRISM program, which essentially means an NSA network sniffer existed on Apple’s network, at least at one point.
What gives Apple the right to do this? While setting up our computers we’ve all clicked past terms of service agreements, so it may be that we’ve given permission. But still, seeing what it means in action — realizing that your computer may be sending a periodic heartbeat to the mothership — is fairly alarming. I know this sort of thing is business as usual with phones, but aren't phones a different animal? We fully expect our phones to be permanently connected and a node on many networks, and for (mostly) good reasons. But with a laptop, shouldn't we have a right to be a solitary computer user connected to the Internet, without the leash of the manufacturer around our necks?
I want to make it clear that I’m not an expert on this topic. Lawyers, technologists, and people who have actually read the terms of service agreements: Please tell me where I’m wrong. Is this something important? Is this nothing? Am I misinformed? Am I correct that our MacBooks are pinging Apple all day long? Please let me know — I want to flesh this out and realize whether I’m crazy or not.
Here’s Apple’s overview of the Device Enrollment Program (DEP):