Help Desk



I don’t own an Apple device, and am operating my Apple account and mail from a Windows PC. How can I enable two-factor authentication from my Windows 10 computer and generate an app-specific password?


This question likely popped up because of Apple’s decision to end third-party access to calendars, contacts, and email without using two-factor authentication (2FA) for your Apple ID/iCloud account and generating an app-specific password.

Our reader has a real problem. Apple only allows 2FA to be turned on from a Mac or iOS device. Once enabled, you can use SMS text messaging or computer-synthesized voice calls for confirmation codes, and the Apple ID site for managing app-specific passwords. (In fact, you can’t create app-specific passwords except at the site, which seems odd.)

This requires priming the pump. My best suggestion is that Rajeevan finds a friend, relative, or colleague who would let them create an account on a Mac that was used solely to set up 2FA. After creating an account on that Mac, logging in, and enabling 2FA, that macOS account would likely never be needed again. And Apple doesn’t track Mac and iOS logins to your Apple ID – that’s not a requirement at present. (It’s possible at some future point, Apple would make you log in with the Apple ID either on an iOS device or a Mac, and you’d have to find a friend to make that happen. But for now, just the setup stage is all that’s required.)

Apple lets you set up multiple trusted phone numbers as well as having at least one trusted device. The device will be that Mac (and specifically, your account on that Mac). But you could run into trouble if you only set up a single phone number for your 2FA confirmation codes and then you lose access to that number. In that case, you might be unable to log into the Apple ID site to add another trusted number, and would have to use the Mac on which you set up an account to verify yourself and change your settings.

For that reason, you might add a friend or relative’s phone number (with their permission) as one or more additional ways to get a code.


While the USB-C connector type has a lot of advantages and is now guaranteed, with Intel’s full support, to be the dominant peripheral format for many years to come, there’s still a lot of confusion about the difference between USB-C and Thunderbolt 3. That comes up in an email from reader Simon Shaw, who can connect his 24in Apple Cinema Display to a 12in MacBook (2016 release) using a Mini DisplayPort to USB-C adaptor, but finds his 27in Apple Thunderbolt Display doesn’t have a solution. It probably seems even more arbitrary when MacBook Air models dating to 2011, including the ones still on sale, can work with both Cinema Displays and Thunderbolt Displays with no problem.

No solution is forthcoming, but it’s not surprising that this remains a puzzle. First the summary, and then the details: A DisplayPort-only monitor can work with the proper adaptor with any USB-C Mac. A Thunderbolt-only monitor can only work with a Mac with Thunderbolt built in, no matter the kind of port on the Mac. A DisplayPort-only monitor can work through backwards compatibility, which might require an adaptor, with a Thunderbolt-equipped Mac.

Now the gory bits. DisplayPort is a video standard that also has a couple of connector types: full-sized DisplayPort and Mini DisplayPort. You can also use an HDMI-to-DisplayPort cable for connections. The Apple Cinema displays push DisplayPort (the video data specification) natively over DisplayPort (the hardware port specification).

Thunderbolt is a general data-transfer standard that used the Mini DisplayPort style jack for its first two versions, and can carry DisplayPort video data along with other kinds of data. DisplayPort is packaged as an alternate data mode within the larger Thunderbolt specification. (The DisplayPort-only Cinema Displays also work over older versions of Thunderbolt, which is how the MacBook Air and other Macs provide compatibility.)

Finally, USB-C is a general hardware port type for peripherals, which is designed to work with bus controllers – the hardware that handles traffic over the port – that can have varying capabilities. Some computers and phones will only support USB 2 and 3 and DisplayPort. That’s true of the 2015 and later 12in MacBooks.

Other computers will sport 40Gb/s Thunderbolt 3 in their controllers, alongside backwards compatibility and interoperability with Thunderbolt 2, USB 2 and 3, DisplayPort, ethernet, and other standards. That’s the case with 2016 MacBook Pros and 2017 iMacs.

Because the MacBook only handles USB and DisplayPort over its USB-C port, it can’t interact with a Thunderbolt-only monitor, because that monitor requires a Thunderbolt controller to unpack the DisplayPort video data.

However, because the MacBook Pro and iMac models with Thunderbolt 3 can read Thunderbolt 2 signals, the use of a simple Thunderbolt 2 to Thunderbolt 3 adaptor allows these Macs to push video to a Thunderbolt Display.


Reader G. Murray needs to restart his Mac at times when it’s not within easy reach. He’s wondering what options are available with modern Macs. His Mac is located on a network created by a Time Machine, so it has a privately assigned IP address using NAT (Network Address Translation).

Two kinds of options apply here: for when the Mac is still ticking away but isn’t doing what you want, so you want to restart it if only you could connect remotely to it; or when the Mac is unreachable and ostensibly crashed or experiencing other problems, and you want to power cycle it.

Remotely connect to a working Mac

Screen sharing and remote terminal access can both let you control a Mac remotely, but reaching that Mac over the Internet is often the fly in the ointment. While macOS includes Back to My Mac, which pairs with iCloud to allow remote access to a Mac via the Screen Sharing app, it only works in its regular configuration from another Mac signed into the same iCloud account. Apple offers no guest access from other Macs – though you could set up an account on another Mac temporarily – nor does it have an iOS app.

Instead of Back to My Mac and the Screen Sharing app, you can use the generic screen-sharing protocol VNC. (Just to be more confusing, Apple’s Screen Sharing app is based on VNC, but not identical.) VNC can work over Back to My Mac, but doesn’t always, as it’s not a supported feature. Third-party macOS and iOS apps let you access any VNC-capable system.

Enable screen sharing in the Sharing system preference pane, and click the Computer Settings button to turn on VNC. Warning! Always set a strong password for VNC, as it’s easy for attackers to scan for VNC and find yours if it’s reachable from the Internet.

Back to My Mac fails with ‘double NAT’ situations, which I unfortunately have and which aren’t entirely rare. A double NAT happens typically when an ISP provides a modem that also acts as a router, and which has features you can’t replicate or turn off. If you connect, say, an AirPort Extreme with DHCP and NAT enabled to a LAN port on the ISP’s modem, you’re creating a NAT inside a NAT. All outbound connections work fine, but inbound ones can be a mess. (In my case, the provided modem has some obscure networking features used by CenturyLink’s fibre-optic network.)
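One way to confirm the NAT-inside-a-NAT layout described above is to look at the first hops of `traceroute -n` run from the Mac: two or more private or carrier-NAT addresses before the first public router suggest a double NAT. This is an added example, not part of the original column; the function names and the traceroute samples (which use documentation addresses) are constructed, and the hop count is a heuristic, since some ISPs also use private addresses on their internal routers.

```python
import ipaddress
import re

# Address blocks that only exist behind a NAT: the RFC 1918 private ranges
# plus the RFC 6598 carrier-grade NAT block.
NAT_BLOCKS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# A hop line from `traceroute -n`: hop number, then an IPv4 address or "*".
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}|\*)")

# Constructed sample: AirPort (10.0.1.1) plugged into an ISP modem/router.
DOUBLE = """traceroute to 198.51.100.7 (198.51.100.7), 64 hops max
 1  10.0.1.1  1.2 ms
 2  192.168.0.1  2.4 ms
 3  203.0.113.1  9.8 ms
 4  198.51.100.7  14.0 ms"""

# Constructed sample: one router, one silent hop, then the public Internet.
SINGLE = """ 1  192.168.1.1  1.1 ms
 2  * * *
 3  203.0.113.1  8.7 ms"""


def behind_nat(addr):
    """True if addr belongs to a block that is only used behind a NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in NAT_BLOCKS)


def leading_nat_hops(traceroute_text):
    """Return the NAT-side router addresses seen before the first public hop."""
    hops = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m or m.group(2) == "*":
            continue  # header line, or a hop that did not answer
        if not behind_nat(m.group(2)):
            break  # first public router: every NAT layer is behind us
        hops.append(m.group(2))
    return hops


def diagnose(traceroute_text):
    """Classify the path as no NAT, single NAT, or a likely double NAT."""
    n = len(leading_nat_hops(traceroute_text))
    return ("no NAT seen", "single NAT")[n] if n < 2 else "double NAT likely"


if __name__ == "__main__":
    print(diagnose(DOUBLE), leading_nat_hops(DOUBLE))
```

With a double NAT, an inbound port forward has to exist on every NAT layer in the list, which is why forwarding on the AirPort alone does not make the Mac reachable.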

Instead of relying on macOS, you can turn to third-party remote access software, although my favourites have faded away and left active development, while ones that used to have free or affordable versions have gone commercial and expensive.

TeamViewer remains the exception, being still continuously developed and free for personal, non-commercial use. It can punch through a double NAT, and it’s my preferred tool as it works on practically every platform, including macOS and iOS. The company charges a pretty hefty rate if you’re using it for business purposes, starting at £94 per month for remotely accessing up to three devices. For business users without big budgets, I recommend LogMeIn, which is $250 (around £194) per year for two devices.

Creating a remote Terminal session via SSH, a secure protocol that’s trustworthy over the Internet, requires setting up port mapping on a router or WiFi base station using DHCP reservation (so your Mac has the same private IP address all the time) and NAT port forwarding (so an Internet-reachable network cubbyhole maps to the Mac you want it to).

Unfortunately, Apple no longer offers a detailed guide to AirPort configuration as it did years ago.

I’m reluctant to blow my own trumpet, but if you really need to set up this kind of remote access for SSH or other services, you’ll find complete instructions on this topic in my book, Take Control of Your Apple Wi-Fi Network.

Remotely power cycle your Mac

Now long ago I owned a surge protector power strip from Sophisticated Circuits (the PowerKey line) that had a dial-up modem built in. You could call into a phone line and it would let you use a touch-tone phone to control power cycling individual outlets, among other features.

In the days of running Mac and other servers that needed ‘remote hands’, the several PowerKey models I owned saved a lot of late-night car trips to offices.

But we have the Internet now, and you can purchase the same kind of item that works over IP instead of a voice line. Unfortunately, these devices tend to cost a lot, but they’re designed to be robust and connect via ethernet to increase reliability.

Another option would be to set up HomeKit with remote access, and use a HomeKit-compatible smart outlet.


My friend was wiping my Mac so I could sell it and I’m pretty sure they’ve deleted the startup disk? It’s not letting me reinstall the operating system on a recovery startup.


Because Recovery didn’t work, the fastest way to install fresh is to make or borrow a macOS installer on a USB flash drive or a disk drive. We have instructions for making a bootable installer with macOS Sierra (as well as archived versions for several previous releases). You need at least an 8GB flash drive. The article includes instructions on obtaining the installer, which might involve you having to use someone else’s Mac to download it, if you don’t have a replacement Mac on hand yet.

But if you can’t get access to another Mac or the necessary drive, it’s still possible to use a different Recovery mode on all recent Macs, dating back to 2010. Normally, you can start up a Mac while holding down Command-R to boot into what Apple now calls macOS Recovery. That allows you to run Disk Utility, reinstall or wipe and install the system, access Terminal for command-line functions, and so on. In that mode, when you choose to reinstall without erasing the drive, my recollection is that Recovery looks for the current OS system installer on your startup disk in the Applications folder, and uses that. (Apple doesn’t document that, and I haven’t had to test that for years.)

Failing to find it, Recovery downloads the currently installed version of macOS (or OS X), which is about 5GB. When complete, it installs it and reboots, and places the installer in the Applications folder.

However, there’s yet another option: macOS Recovery over the Internet, which requires either a Mac model released in 2012 or later, or most 2010 and 2011 models with a firmware upgrade applied. There, the Mac reaches out over a Wi-Fi or ethernet connection to download the relatively modest Recovery software, which then bootstraps the download of the full macOS installer.

Apple says Internet-based Recovery should happen automatically on supported models, and you should see a spinning globe when that mode is invoked while the download occurs. However, if you have normal Recovery installed and it refuses to install macOS for some reason, you can manually invoke Internet Recovery.

While Command-R at startup always installs the most recent version you installed on your Mac, holding down Command-Alt-R brings down the very latest compatible version that can be installed. Apple also offers Shift-Command-Alt-R, which installs the version of OS X or macOS with which your computer shipped, or the next oldest compatible system still available for download.

(Apple just changed this behaviour with 10.12.4, but if you’re using Internet Recovery for a clean install on an erased drive, the new behaviour should be active as it will be pulled from the version of Recovery that’s bootstrapped from Apple’s servers. The pre-10.12.4 option is simply Command-Alt-R, but it acts like the new Shift-Command-Alt-R, installing the shipped OS or the oldest compatible version.)

Apple recommends the Command-Alt-R option as the only safe way to reinstall a Mac with El Capitan or earlier versions of macOS if you want to be sure your Apple ID doesn’t persist even after erasure.

Screen Sharing in macOS lets you use the built-in version as well as enable VNC

TeamViewer can punch through a double NAT

Recovery lets you install onto an erased partition, but only if Recovery wasn’t erased, too
