Mac 911: Time Capsule failure warnings, how to use icloud to help manage large Photos libraries, protect yourself from robocalls
Solutions to your most vexing Mac problems.
HOW TO BUY A USED MAC WITHOUT BEING LOCKED OUT
One of the great selling points for Macs has been a combination of their longevity and resale value. I know plenty of people with decade-old Macs. In the last two decades, I’ve easily gotten seven or eight years out of some Macs I’ve owned, and then sold them to folks who kept them in service.
There’s a lot to consider when buying a used Mac to make sure that it will keep working. But something that you might overlook is that security decisions made by the previous owner could conspire to lock you out in certain circumstances. This could happen on a restart, when trying to erase and reinstall macos, or even on logging in, depending on what state the Mac was left in when you purchased it.
The best way to buy a Mac is after the seller has erased the drive and installed a fresh copy of macos on it without yet completing setup, so you can do that from scratch without worrying about any software they may have installed or
passwords or accounts they’ve created. And the best scenario to receive a used Mac is to do so in person, so you can fire up the computer and see it’s working, run through tests listed below, and be sure no extra passwords or permissions are needed.
Regardless of how you receive the Mac, check out these items— preferably before finalizing the deal.
> Shut the Mac down and perform a “cold boot”—start it up and see if you can log in with account information provided or complete macos setup.
> Restart normally from the Finder and hold down Command-r to make sure you can start up in macos Recovery. (If macos Recovery isn’t installed, the Mac should attempt to retrieve it over the internet and install it. If shown a lock icon and password field by itself, see the firmware password section below.)
> In Recovery, run Disk Utility. Can you mount the disk without a password? And run Disk First Aid to ensure that no problems are reported.
That covers the basics, but you can and should dig deeper. (You should also use this checklist before selling a Mac.)
Tip: If a seller balks at providing a password to you directly for something that can be typed in while booted into macos proper—a perfectly reasonable thing to resist—you can use a slightly hidden feature for imessages. In a chat session with Messages for macos that has the blue bubbles showing an imessage connection, click the Details button in the upper right corner, and then click the overlapping screens icon. Select the Invite To Share My Screen option. The seller can then remotely type the password in as required. (They may want to and probably should change their icloud or other password after that, too.)
Were one or more accounts created?
If someone else set up a computer, you don’t necessarily know what’s running on it. I suggest erasing the drive and reinstalling macos via macos Recovery. However, if that’s not an option or you’re not concerned, at least delete all unnecessary accounts and change the password on the main account, which
must have administrator privileges.
You should also make sure if you’re retaining any accounts that the Mac isn’t logged in to the seller’s account in the icloud preference pane.
Is a firmware password set?
A firmware password locks the Mac to booting only with a particular startup disk. This can be a problem later if you want to start up from an external drive or make other changes. Check on this and then remove or change the firmware password with these steps:
1. Restart your Mac and hold down Command-r to start up in macos Recovery.
2. If you’re prompted for a password next to a lock icon, you need the seller to provide this firmware password. Enter the password.
3. After Recovery starts up, select Utilities → Firmware Password Utility (older Macs and some newer models) or Utilities → Startup Security Utility (Macs with a T2 security chip), and then Turn Off Firmware Password. Enter the password again when prompted.
4. If you want to keep the firmware password enabled, now click Turn On Firmware Password and enter a password only you know and that you make a record of, preferably in a password-management app.
If the seller doesn’t have the password, all isn’t lost, but it requires their participation to get the Mac unlocked. Apple says that the original receipt or invoice showing purchase of the Mac is required, and the Mac has to be brought in person to an Apple Store or an Apple authorized service provider.
Is Filevault turned on?
Filevault encrypts the entire contents of a Mac’s drive, making files unreadable when it’s powered
down. It’s terrific technology that I strongly advise using. However, there are two kinds of problems with having it enabled when you purchase a used Mac.
First, Filevault has to be enabled on every account that you want to be able to log in. On a used Mac that’s prepared for you, there should be a single account created with administrator privileges. Because Filevault has to be turned on for at least one account, that’s all that’s needed. I suggest deleting any other accounts created on the device and changing the password on this account.
Second, there’s a kind of security exploit available if someone else set up Filevault. When you turn on the encryption, macos generates a recovery key that allows you to decrypt a drive even if you don’t have an account password. This can be provided directly to the person setting it up or stashed in an icloud account as escrow.
The seller could and should provide that key to you. However, you should also reset Filevault encryption. Without the recovery key you could be locked out. Or, in the unlikely event you’re purchasing a computer from someone criminal who might try to get it back later, they could decrypt the drive without your permission or password.
Follow Apple’s instructions ( go. macworld.com/fvlt) to turn off Filevault and then turn Filevault back on. It can take a while to complete both decryption and encryption, but it’s worth it.
In Catalina, check Find My Mac
Apple is extending the activation lock protection that it added several releases ago to iphones and ipads with macos 10.15 Catalina to any Mac with a T2 security chip. That chip offers the same “secure enclave” that makes Apple Pay, Touch ID, and other features available on Macs as it has been on generations of iphones and ipads.
With the activation lock turned on, you won’t be able to erase the Mac and reinstall macos from scratch. Check for the activation by logging in to the main or sole account and looking at the icloud preference pane—is Find My Mac enabled?
If it is, that’s bad from a couple fronts, because it means the seller is sharing other icloud information with you, too, as well as the Mac being locked against future erasure. The seller should be amenable to making sure activation lock is disabled.
Deauthorize itunes
As a courtesy when buying remind the buyer to deauthorize itunes ( go. macworld.com/daut) on a Mac before they erase it or pass it on to you. The itunes Store has a five-computer limit for use with a single account, and you can’t deauthorize individual computers after they’ve had their drives wiped, even after reinstalling macos.
You can deauthorize all computers associated with an itunes account, however, and then log back in to just the computers you want to keep in the set. You can only deauthorize all computers twice a year.
GETTING TIME CAPSULE FAILURE WARNINGS? HERE’S WHAT YOU CAN DO
Apple no longer sells its Time Capsule, a combination of a backup drive, Time Machine, and an Airport Extreme Base Station. However, many are in use, and some components inevitably fail, especially the internal hard drive.
If you receive an error on a Mac using the Time Capsule for Time Machine backups that you can no longer back up to it, you can try to work your way out of the problem by using Airport Utility.
Warning! This approach erases all the backup snapshots stored on your Time Capsule. There may be no way to recover them—hence the error—but you should perform full Time Machine backups or disk clones of all devices that used the Time Capsule for archiving files, as well as trying step 4 below.
1. Launch Airport Utility and connect to your Time Capsule.
2. Click the Disks tab.
3. Select the internal Time Capsule disk. If it doesn’t appear—well, that’s a problem and jump below.
4. If the Archive Disk button is available, you can attach an external drive to the Time Capsule with at least as much available storage as is in use on the Time Capsule drive, and attempt to copy the snapshots already stored.
5. Click the Erase Disk button and follow prompts.
Now try to perform a Time Machine backup from one of your Macs to the Time Capsule drive. If it succeeds, then data may have been corrupted on the drive for some reason, but it’s still functioning.
If you get a failure in step 3, 4, or 5, or can’t back up to the Time Capsule after step 5, you should remove the Time Capsule drive as a destination on every Mac that’s been backing up to it, otherwise you’ll receive regular errors on each Mac. Open the Time Machine preference pane on each Mac and remove the drive from the list of destinations.
If the Time Capsule drive won’t accept backups, it’s failed in some sense of the word. Most people will find the steps to replace the internal drive are too involved and not worth the effort. You can instead attach an external drive via USB to the Time Capsule and use that for Time Machine backups, or attach a drive to any Mac on a network and use it as a networked destination instead.
Note: If you’re concerned about properly disposing of data stored on a hard drive you can’t access that’s within a Time Capsule—or with a Time Capsule that itself has failed—see this sibling column, “Your Time Capsule has died.
How can you wipe its data?” ( go.macworld. com/tcdy).
HOW TO USE ICLOUD TO HELP MANAGE PHOTOS LIBRARIES TOO LARGE FOR AN INTERNAL MAC DRIVE
In a recent column, “How to cope with a Photos library too big to fit on an internal Mac drive ( go.macworld.com/phlb),” I
explained that there aren’t any methods supported by Apple that let you have a Photos library at full resolution on a Mac if the library can’t fit on your internal drive with the spare room you need—or exceeds the drive entirely.
Macworld reader Matt wrote in with a terrific workaround that offers an approach much closer to what other readers were looking for: one copy of a Photos library set up with icloud Photos that’s only thumbnails and stored on your internal drive, and a second icloud Photos–linked copy that’s linked to an external drive.
Matt’s idea relies on how macos lets you create multiple accounts, each of which can be uniquely linked to an icloud account. However, it’s also possible for two accounts or more to both link to the same icloud account.
Normally, you wouldn’t want this, because it would mean syncing the same data in two places on your startup drive. But with the way in which icloud Photos and Photos for macos works, it’s a nifty solution.
Here’s the schematic of how to make this work:
1. Attach an external drive with sufficient storage for your full icloud Photos library at full resolution. (You can find this number at icloud.com: log in, click the Settings icon, and hover over the Photos and Videos section of the Storage usage bar.)
2. Next, create a second macos account called, for instance, Yourname Plus Photos, via the Users & Groups preference pane.
3. Log in to that macos account (optionally using Fast User Switching), open the icloud preference pane, and log in to the icloud account used with your main macos account and with icloud Photos.
4. Hold down the Option key and launch Photos.
5. In the Choose Library window that appears, click Create New, and save the library on your external drive. Photos now launches with that empty library.
6. Choose Photos → Preferences → icloud and check icloud Photos if it isn’t already, and select Download Originals to This Mac. Your full icloud Photos library will now download from icloud.com, and this may take a long while if you have a lot of media and not super-speedy broadband. When complete, you have a full copy on the external drive.
7. Log out of the photos-oriented account.
8. In your main account, if you haven’t already, launch Photos and in Photos → Preferences → icloud, make sure that Optimize Mac Storage is selected.
Now, whenever you want to ensure you have a full backup of your icloud Photos library, attach the external drive, log in to the second account, and icloud will download and update any media that isn’t already present.
This still requires some monkeying around, but it’s the closest thing to an easy way to ensure a local backup of icloud Photos without working against how Apple designed its icloud Photos synchronization.
HOW TO BETTER PROTECT YOURSELF FROM ROBOCALLS ON YOUR IPHONE
Automated calls that offer unwanted or illegal products or that attempt to defraud you are known as robocalls. And they have risen into the billions in recent years. The FCC is trying to fight it as are the telephone carriers, who waste large sums of money trying to block such calls legally from their networks and have to field millions of angry questions from subscribers.
(Some robocalls are legal and desirable: school announcements, doctor appointment reminders, and automated messages from companies that you do business with and gave permission to call you.)
Part of the problem is that FCC rules limit the way in which telcos can prevent calls from passing over their networks. That’s to prevent phone operators from blocking competitive companies. But it also ties their hands a bit regarding fraud.
But if you opt into call blocking of scams and spam, the phone companies have your permission and it’s just fine. (The FCC and telcos are working on a comprehensive solution called STIR and SHAKEN [ go.macworld.com/stir] that will block forged Caller ID messages, too.)
Protect yourself from robocalls
Apple added the option in IOS 9 for third-party apps to annotate incoming calls based on Caller ID. Several of these are available, some with free tiers and some with paid options. The best of
them, such as Hiya ( go.macworld.com/ hiya) and Nomorobo ( go.macworld.com/ nmbo), show a message alongside an incoming call that matches their databases that reads “robocall” or “scam or fraud”—or the great “neighbor scam,” in which the area code and prefix (next three numbers) of the incoming call are changed to match your number, making you think it might be a call from someone you know.
You can also turn to free services that can be enabled via apps or your account from three of the four biggest U.S. wireless carriers. Because these work at the network level, you’ll have fewer calls pass through to your phone that are problematic.
> AT&T Call Protect ( go.macworld.com/ clpr). The free flavor installs as an app for controlling features and viewing information, and blocks calls before they hit your phone as well as identifies ones that are sketchy. You can also create a personal block list. A paid flavor adds reverse-number lookup and a few other security features. (I’m an AT&T customer, and have the free flavor installed for years; I receive nothing like the volume of robocalls most people I know complain of.)
> T-mobile Scam ID and Scam Block ( go.macworld.com/blck). These two services don’t require apps. Scam Block prevents calls identified as scams from reaching a customer, while Scam ID alerts customers during the incoming call that T-mobile analyzed a call as but not positively a scam. Name ID, a paid service (free for ONE Plus subscribers) uses an app that can route nuisance callers by category to voicemail, perform reverse number lookups, and allows for a personal blocklist.
> Verizon Call Filter ( go.macworld.com/ filt). This Verizon app can be set to block and mark calls. A paid version adds a separate personal spam and block list. Verizon joined AT&T and T-mobile with the free version just a few days ago, and it has fewer features than the free tier of the other two carriers. ■