My MacBook Air has 2 partitions: one that is my normal everyday partition, encrypted with FileVault2, and a 2nd partition that has Prey http://preyproject.com/ installed and ready to set my Mac as stolen as soon as it is connected to the Internet. It also has the Administrator account hidden and limits what the Standard account can do. If Safari is launched, it will also connect to Facebook, Gmail, Yahoo, and Twitter to entice the user to log into these services. I have it set up like this so that I have a better chance of recovering it from theft. This post is going to walk you through setting up your own Mac laptop similar to mine.
This will work on all Intel Macs but works best with the newer models that don't allow you to reset the Open Firmware password by changing the amount of RAM in the system or with a bootup disk without knowing the original firmware password. Any Mac that is a MacBook Air (Late 2010), MacBook Pro (Early 2011), or iMac (Mid 2011) and up will work. Really any MacBook made during 2011 should also be this way but I can't find a source. Be sure to remember whatever password you set, as the only way to remove or change it on newer systems is by taking it to an Apple store.
You want to first start by dividing your disk into 2 partitions. You can do this with the "Disk Utility" program in OS X. Just click the hard drive listed in the left side panel, and then select Partition. From there you can resize the current partition. Make sure to make the new one around 16 GB for now. We will resize it later to around 5 GB.
Next, you'll need to create a Lion USB recovery stick. Download the Lion Recovery Disk Assistant over at http://support.apple.com/kb/DL1433. Once that is installed it will require a 4 GB USB stick to turn into a bootable install stick. Once it is completed, shut down the Mac, hold down the Option key and turn the system back on. Select the Lion USB stick and start the installation on the newly created partition.
Also be sure to set your Open Firmware password when you are at the Lion installation screen. At the Welcome screen choose "Firmware Password Utility" from the "Utilities" menu and proceed as directed. After that continue the installation as described.
After you have installed the trap OS, boot into that partition and log in as the user that you created when you installed Lion. You should now create a new Standard user named "Apple" or whatever you want; this will be the account that the computer will automatically log into. The next account you want to create is your hidden Administrator. You will need to open up the Terminal application for this and then run the following commands.
sudo dscl . create /Groups/YOUR_NEW_USER_NAME
sudo dscl . create /Groups/YOUR_NEW_USER_NAME PrimaryGroupID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME PrimaryGroupID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME UniqueID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME UserShell /bin/bash
sudo dscl . passwd /Users/YOUR_NEW_USER_NAME YOUR_USER_PASSWORD
sudo dscl . append /Groups/YOUR_NEW_USER_NAME GroupMembership YOUR_NEW_USER_NAME
sudo dscl . append /Groups/admin GroupMembership YOUR_NEW_USER_NAME
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array YOUR_NEW_USER_NAME
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE
Be sure to replace YOUR_NEW_USER_NAME and YOUR_USER_PASSWORD with the username and password you want to use. The above commands are doing exactly what the Users & Groups preference in the System Preferences is doing, except we are not creating a Home Directory, and we are manually setting the Group and User ID to 400. Then we enable a setting in OS X that hides users that have an ID lower than 500. This will prevent the user from being listed in most GUI locations and will make it harder for your account username to be located.
Now with that account created you want to go into the Users & Groups panel, and click Login Options. Turn on automatic login and select it to log into your trap user account, "Apple" in my example. Log out and log in as your fake user. Go back to the Login Options and click the lock if it is in the locked position and then use your hidden account username and password to remove your original Administrator account. After that is completed, click the lock again to make sure it's in the locked position.
With the users taken care of you want to now go into the Startup Disk in System Preferences, make sure the trap partition is selected and that the lock is again in the locked position. This will prevent the machine from booting into your real partition on startup.
At this point it is time to install Prey. Go ahead and download it while running under your trap account. When it asks for permission to install, put in your hidden Admin username and password and everything should install.
Now with Prey installed, if your laptop does get stolen you'll still need to mark it as such. We are going to set up a LaunchDaemon and create a script so that it does this for us automatically.
Before getting the script ready, we want to get a few things from your OpenPrey account: your API key, found at http://panel.preyproject.com/profile, and your DeviceID, found in the URL after you click your device. The URL should be something like "http://panel.preyproject.com/devices/SIBDSD", so in this case your DeviceID would be SIBDSD.
Open Terminal once again, and type "su YOUR_ADMIN_NAME". Once you're logged into your admin user, run "sudo su", this will now have you running as root. Now to create the script, open up your favorite text editor and create a file called "prey.sh" at "/usr/bin/".
Be sure to replace the API key and device ID with yours.
<--Copy after this for /usr/bin/prey.sh contents-->
#!/bin/bash
API_KEY="DF2323"    # replace this with yours
DEVICE_ID="SIBDSD"  # replace this with yours
# Mark the device as missing; the API key is sent as the HTTP Basic auth username.
curl --user "$API_KEY:x" "http://control.preyproject.com/devices/$DEVICE_ID.xml" -X PUT -d "device[missing]=1"
<--Copy before this for /usr/bin/prey.sh contents-->
Make sure to make the script executable. Now the last thing to do is to create the LaunchDaemon and have that run automatically on startup.
To create the LaunchDaemon, open up your text editor one more time and create the file "com.jaku.prey.plist" at "/Library/LaunchDaemons/". I named mine "com.jaku.prey.plist" but you could replace "jaku" with pretty much anything; just be sure to replace jaku in the text below as well.
<--Copy after this for /Library/LaunchDaemons/com.jaku.prey.plist contents-->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jaku.prey</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/prey.sh</string>
</array>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
<key>StartInterval</key>
<integer>300</integer>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
<--Copy before this for /Library/LaunchDaemons/com.jaku.prey.plist contents-->
Once you are all done with that you'll need to register the LaunchDaemon with this command "launchctl load /Library/LaunchDaemons/com.jaku.prey.plist". From now on, when the system starts up the script will run every 5 minutes and try to mark the laptop as stolen on OpenPrey. You could change the "StartInterval" amount in the LaunchDaemon to a higher or lower value if you want.
After this, run the command "history -c && exit" a few times; basically, run it until you are logged out of your terminal. This will wipe all the commands that you just ran from history so that no one can figure out what you just did.
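An added example, not part of the original post: a Python check of the finished setup. The LaunchDaemon runs /usr/bin/prey.sh as root and the script embeds your API key, so both files should be root-owned and not writable by group or other, and the script should not be readable from the trap account. The names audit_launch_daemon and demo, the temporary paths, and the placeholder key are assumptions made for illustration.

```python
import os, plistlib, stat, tempfile

def audit_launch_daemon(plist_path, owner_uid=0):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)  # handles XML and binary plists
    expected = job.get("Label", "") + ".plist"
    if os.path.basename(plist_path) != expected:
        findings.append(f"filename should be {expected} to match Label")
    args = job.get("ProgramArguments") or []
    if not args:
        findings.append("ProgramArguments is empty")
    # The daemon runs as root: nothing it loads may be editable by others.
    for path in [plist_path] + args[:1]:
        try:
            st = os.stat(path)
        except OSError:
            findings.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
        if mode & 0o022:
            findings.append(f"{path}: writable by group/other ({mode:o})")
        if path != plist_path:
            if not mode & 0o100:
                findings.append(f"{path}: not executable by owner")
            if mode & 0o044:  # the script embeds API_KEY
                findings.append(f"{path}: API key readable by group/other ({mode:o})")
    return findings

def demo():  # constructed sample: the post's Label, a placeholder script
    d = tempfile.mkdtemp()
    script = os.path.join(d, "prey.sh")
    plist = os.path.join(d, "com.jaku.prey.plist")
    with open(script, "w") as fh:
        fh.write('#!/bin/bash\nAPI_KEY="PLACEHOLDER"\n')
    with open(plist, "wb") as fh:
        plistlib.dump({"Label": "com.jaku.prey", "ProgramArguments": [script]}, fh)
    os.chmod(plist, 0o644)
    os.chmod(script, 0o755)  # what chmod +x leaves on a 644 file
    before = audit_launch_daemon(plist, os.getuid())
    os.chmod(script, 0o700)  # owner-only: trap account cannot read the key
    after = audit_launch_daemon(plist, os.getuid())
    return before, after

if __name__ == "__main__":
    print(demo())
```

On the Mac, call `audit_launch_daemon("/Library/LaunchDaemons/com.jaku.prey.plist")` as root; running `chmod 700 /usr/bin/prey.sh` clears the API-key finding.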
You are almost done now! Just a few last things and you're all set.
Now let's log into your original partition. You will need to hold down the "Option" key on startup to choose your original partition, and it will ask for the Open Firmware password you set earlier. Once you are in your original partition, go into System Preferences and click "Startup Disk". Like before, you may have to unlock it, but make sure that the disk selected is the trap partition. After that we can go back into the "Disk Utility" program and resize the trap partition to a smaller partition. Once it is resized you can (re)enable FileVault2 on your original partition.
The only thing left to do after this is to test the machine, make sure that when it first boots up it always logs into the trap partition and that for you to get into the real one you need to hold down the Option key and type in your firmware password followed by your FileVault password.
That is about it for now. If you have any comments or questions be sure to let me know by commenting below. Thanks!

Jaku how did you get your trap partition down to 7GB? For me it seems that OS X's install takes up 15GB minimum. Did you go through and selectively delete some native files and folders that take up space?
Posted by: James Lynn | 30 March 2013 at 03:38
When you resize your trap partition, I end up with an un-reclaimable "gap" at the very end of the partition scheme i.e. the free space gained from reducing the size of the trap partition is unable to be consolidated with my main partition. I suppose this makes sense since you cannot change where a partition begins, only where it ends, correct? If so, wouldn't that make resizing the partition pointless?
Posted by: James Lynn | 24 March 2013 at 02:48
Thank you jaku! :-)
Posted by: James Lynn | 17 March 2013 at 17:41
James,
If you type "chmod +x /usr/bin/prey.sh" without quotes and if that is the path you put the prey.sh file, then that will make it executable.
Posted by: jaku | 17 March 2013 at 03:14
Everything was going fine following this guide until I got to the bit about the "prey.sh" file, in particular, "make sure the script is executable" without explanation. wtf? Please help!
Posted by: James Lynn | 17 March 2013 at 03:04
Hi,
Thanks for the posting. Very interesting.
Two questions:
1) Why do you add specific scripts for Prey? If you have installed the product won't these already be installed and working? What do these add to a normal installation?
2) When you boot normally into the 'trap' partition you still see an attempt to mount the other partition and if using FV2 you see the password request. Is there an easy way to prevent this automount of the second 'secure' partition when booting into the 'trap' partition?
Thanks
Paul
Posted by: Paul | 29 November 2012 at 05:44
Nice posting. Two questions if I may:
1) Why do you need the extra Prey scripts if you have installed the Prey product? Doesn't that already include all you need? What extra do your scripts do?
2) Is there a way of not trying to automount the second (working or 'real') partition? Otherwise when you boot off the 'trap' partition you are asked for the password for the second partition?
Thanks
Paul
Posted by: Paul | 28 November 2012 at 11:07
Kenshin,
Thanks for going through the guide and letting me know what did and did not work.
1. Thanks, I did this on my new MacBook Air 2012 and was able to use the Apple tool. Which I didn't realize only worked on the newer ones.
2. I'll change the guide to make sure people set a password on that account first.
3. You could have better luck using the command line. If you type "diskutil list" it will show your partitions. From there if your trap partition was "disk0s4", you can type "diskutil resizeVolume disk0s4 -5gb" and reduce the size by 5gb. I've gotten mine down to just around 7gb. You may have issues if you already encrypted your main partition.
4. Thanks. I could have sworn it didn't need the .plist in the command but I confirmed that it does indeed need the full filename.
Thanks again!
Posted by: jaku | 04 July 2012 at 17:04
Great, I got it all working now. FYI, some minor stuff I noticed:
#1. The recovery disk assistant didn't work for me (Macbook Air late 2011 https://dl.dropbox.com/u/72498/Screen%20Shot%202012-07-04%20at%207.18.08%20PM.png).
I think it doesn't have a recovery partition. So I used this guide to create a bootable USB: http://www.tuaw.com/2011/08/11/build-your-own-lion-install-usb-thumb-drive-for-cheap
#2. In the script where it says to use "sudo" I got an error. This was because the account didn't have a password set. "sudo" only works for accounts with a password...
#3. I can't shrink the newly created partition. It says "this partition can't be modified": https://dl.dropbox.com/u/72498/Screen%20Shot%202012-07-04%20at%2011.11.44%20PM.png
No idea why.
#4. Small typo: ...register the LaunchDaemon with this command "launchctl load /Library/LaunchDaemons/com.jaku.prey" should be: "launchctl load /Library/LaunchDaemons/com.jaku.prey.plist"
Thanks again for the guide Jaku :-)
Posted by: Kenshin Himura | 04 July 2012 at 16:31
Kenshin,
That is odd, it should allow you to remove a user if you're logged in like that. You can delete the old user using a similar command to the way you created your hidden account.
dscl . delete /groups/admin GroupMembership ORIGINAL_ADMIN
dscl . delete /groups/ORIGINAL_ADMIN GroupMembership ORIGINAL_ADMIN
dscl . delete /users/ORIGINAL_ADMIN
Make sure you are running in root on terminal by first running "su HIDDEN_ADMIN" and then "sudo su".
Posted by: jaku | 04 July 2012 at 14:55
Fast reply, thanks!!
Now another problem: I'm logged in as the normal user ("Apple"), I click the lock icon in the "Users & Groups" window, then enter the hidden admin username & password.
So far so good, but when I select the original Administrator account, the "delete the selected user account" button is disabled. So I can't delete it...
Posted by: Kenshin Himura | 04 July 2012 at 14:50
Kenshin,
You're right, a step was missing. Run this command to add your user to the Administrator group.
dscl . append /Groups/admin GroupMembership YOUR_USER_NAME
I'll get this updated in the actual post soon. Thanks for letting me know!
Posted by: jaku | 04 July 2012 at 14:35
Hi there, thanks for the guide!
I just followed the steps but I've run into a problem. After executing the terminal commands to create the hidden user it says:
"...and then use your hidden account username and password to remove your original Administrator account..."
This is not possible, because I can't log in with my hidden account. I think the hidden account is no Admin (not a member of the admin group).
Is this a problem in the script?
Cheers :-)
Posted by: Kenshin Himura | 04 July 2012 at 14:31