
Published on March 10th, 2023

Granting Volume Owner status on Apple Silicon Macs



macOS on Apple Silicon Macs includes a concept known as volume ownership. You must be a volume owner to perform the following tasks on an Apple Silicon Mac:

* There may be multiple installations of macOS on one Apple Silicon Mac; each macOS install would have its own startup security policy.

For more information on volume ownership, please see Apple’s Platform Deployment article linked below:

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web (see the Volume ownership section.)

How do you get volume ownership though? It turns out that Apple has this currently set up on macOS as a two-fer deal: If an account has Secure Token, it is also granted volume ownership. For more details, please see below the jump.

To see which users on the Mac have Secure Token, run the following command:




The user accounts with Secure Token assigned should appear listed with the following information:

  • Type: Local Open Directory User
  • Volume Owner: Yes

 

In place of the account’s username, the account’s assigned UUID identifier (also referred to as a GeneratedUID) is listed. To get the account username, run the following command with the UUID identifier in the appropriate place:




If the account you want to be a Volume Owner isn’t listed, you can check the account’s Secure Token status by running the following command:




If the account does not have Secure Token assigned, the output of the command should tell you this.


To assign Secure Token (and Volume Owner) to the desired account, run the following command with root privileges.




If you want to be prompted for passwords in place of including them as part of the command in plaintext, enter a dash (-) where you would otherwise enter the relevant account’s password when running the following command with root privileges:








Once this has been done, you can verify that Secure Token has been assigned to the desired account by running the following command:




The output should now tell you that Secure Token has been assigned to the account.


To verify that the desired account is now also a Volume Owner, run the following command:




You should see a new entry listed with the following information:

 

  • Type: Local Open Directory User
  • Volume Owner: Yes

 


To get the account username, run the following command with the UUID identifier in the appropriate place:




The desired account’s username should appear in the output.
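
An added example, not from the original post: a shell helper that filters `diskutil apfs listUsers /` output down to the local user accounts that are Volume Owners, then resolves each UUID to a username with `dscl`. The sample output and its UUIDs are constructed, and the output layout beyond the `Type:` and `Volume Owner:` lines quoted above is an assumption.

```shell
#!/bin/sh
# Added example: audit which local accounts are Volume Owners.

# Constructed sample of `diskutil apfs listUsers /` output (made-up UUIDs),
# so the parser can be exercised on a machine without diskutil.
sample_listusers() {
cat <<'EOF'
Cryptographic users for disk3s1 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 99999999-8888-7777-6666-555555555555
|   Type: Personal Recovery User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Local Open Directory User
    Volume Owner: Yes
EOF
}

# Read listUsers output on stdin; print the UUID of every entry that is both
# a "Local Open Directory User" and marked "Volume Owner: Yes".
# Entries of other types (e.g. recovery keys) are skipped.
volume_owner_uuids() {
  awk '
    $1 == "+--"     { uuid = $2; type = ""; next }
    /Type:/         { sub(/.*Type: */, ""); sub(/[ \t\r]+$/, ""); type = $0; next }
    /Volume Owner:/ { if ($NF == "Yes" && type == "Local Open Directory User") print uuid }
  '
}

# Resolve a GeneratedUID to a short username (macOS only).
# Assumption: the first field of the first dscl result line is the username.
uuid_to_username() {
  dscl . -search /Users GeneratedUID "$1" | awk 'NR == 1 { print $1 }'
}

if command -v diskutil >/dev/null 2>&1; then
  # Live audit on a Mac: one "UUID username" pair per Volume Owner account.
  diskutil apfs listUsers / | volume_owner_uuids | while read -r u; do
    printf '%s %s\n' "$u" "$(uuid_to_username "$u")"
  done
else
  sample_listusers | volume_owner_uuids   # offline demonstration
fi
```
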
