78 Macworld • December 2019FEATURE
be a single account created with administrator
privileges. Because FileVault has to be turned on
for at least one account, that’s all that’s needed. I
suggest deleting any other accounts created on the
device and changing the password on this account.
Second, there’s a kind of security exploit
available if someone else set up FileVault. When
you turn on the encryption, macOS generates a
recovery key that allows you to decrypt a drive even
if you don’t have an account password. This can
be provided directly to the person setting it up or
stashed in an iCloud account as escrow.
The seller could and should provide that key
to you. However, you should also reset FileVault
encryption. Without the recovery key you could
be locked out. Or, in the unlikely event you’re
purchasing a computer from someone criminal who
might try to get it back later, they could decrypt the
drive without your permission or password.
Follow Apple’s instructions (fave.co/2NYrWDE)
to turn off FileVault and then turn FileVault back on.
It can take a while to complete both decryption and
encryption, but it’s worth it.In Catalina, check Find My Mac
Apple is extending the activation lock protection
that it added several releases ago to iPhones and
iPads with macOS 10.15 Catalina to any Mac with a
T2 security chip. That chip offers the same ‘secure
enclave’ that makes Apple Pay, Touch ID, and
other features available on Macs as it has been on
generations of iPhones and iPads.