3

Basically what the title says. I recently had a look at my /var/log/install.log and the earliest entries are from about 2 full months prior to me unboxing the computer.

The packaging had cellophane, no indication it was secondhand, and nothing seemed out of the ordinary at all. Everything was mint, I opened it up and went through a typical fresh install of OSX.

This was over 2 years ago.

This is the install.log from 2 months before the initial unboxing:

MacBook-Pro Language Chooser[178]: LCA+BT2: BT host controller appeared after 2 seconds
MacBook-Pro Language Chooser[178]: ISAP: Done with phase “Language Chooser”
MacBook-Pro SetupAssistantSpringboard[203]: Starting SetupAssistantSpringboard for user 0...
MacBook-Pro mbsystemadministration[204]: Starting MBSystemAdministration...
MacBook-Pro mbsystemadministration[204]: Adding client connection <NSXPCConnection: 0x7fbd6b601330> connection from pid 203
MacBook-Pro mbsystemadministration[204]: RamDisk created at /dev/disk2
MacBook-Pro mbsystemadministration[204]: newfs_hfs: Initialized /dev/rdisk2 as a 49 MB case-insensitive HFS Plus volume
MacBook-Pro mbsystemadministration[204]: mount: 
MacBook-Pro mbsystemadministration[204]: chown: 
MacBook-Pro mbsystemadministration[204]: MBSetupUser: createHomeDirectory succeeded
MacBook-Pro mbsystemadministration[204]: Commit user changes: 0
MacBook-Pro mbsystemadministration[204]: Creating background user agent for uid 248
MacBook-Pro mbsystemadministration[204]: Created preferences directory at /var/setup/Library/Preferences
MacBook-Pro mbsystemadministration[204]: Copied preference file .GlobalPreferences.plist
MacBook-Pro mbsystemadministration[204]: MBSetupUser: Wrote setup user dictionary
MacBook-Pro mbbackgrounduseragent[218]: Starting MBBackgroundUserAgent...
MacBook-Pro mbbackgrounduseragent[218]: Adding client connection <NSXPCConnection: 0x7fadf96078e0> connection from pid 204
MacBook-Pro mbsystemadministration[204]: MBSetupUser: disable screenlock succeeded
MacBook-Pro mbsystemadministration[204]: Setting one-time autologin user _mbsetupuser
MacBook-Pro mbsystemadministration[204]: Commit user changes: 0
MacBook-Pro mbsystemadministration[204]: CGSSessionCopyAllSessionProperties:(
            {
            kCGSSessionAuditIDKey = 100007;
            kCGSSessionGroupIDKey = 80;
            kCGSSessionIDKey = 257;
            kCGSSessionLoginwindowSafeLogin = 0;
            kCGSSessionOnConsoleKey = 1;
            kCGSSessionSystemSafeBoot = 0;
            kCGSSessionUserIDKey = 0;
            kCGSSessionUserNameKey = root;
            kCGSessionLoginDoneKey = 0;
            kCGSessionLongUserNameKey = "System Administrator";
            kSCSecuritySessionID = 100007;
        }
    )
MacBook-Pro SetupAssistantSpringboard[203]: Exiting successfully
MacBook-Pro mbsystemadministration[204]: Removing client connection <NSXPCConnection: 0x7fbd6b601330> connection from pid 203
MacBook-Pro loginwindow[71]: IASGetCurrentInstallPhaseList: no install phase array set
MacBook-Pro loginwindow[71]: IASGetCurrentInstallPhase: no install phase set
MacBook-Pro Setup Assistant[229]: Starting Setup Assistant with uid 248…
MacBook-Pro mbsystemadministration[204]: Adding client connection <NSXPCConnection: 0x7fbd6b428670> connection from pid 229
MacBook-Pro mbsystemadministration[204]: Restoring autologin user (null)
MacBook-Pro Setup Assistant[229]: Running as MacBuddy
MacBook-Pro mbsystemadministration[204]: Commit user changes: 0
MacBook-Pro mbsystemadministration[204]: couldn't get language ordering from file
MacBook-Pro mbsystemadministration[204]: There is [NO] existing Kerberos realm, running configureLocalKDC.
MacBook-Pro mbsystemadministration[204]: configureLocalKDC: 
MacBook-Pro mbsystemadministration[204]: certtool systemdefault:...System identity already exists for domain com.apple.systemdefault. Done.
MacBook-Pro Setup Assistant[229]: MBSA pre MacBuddy tasks: SUCESS
MacBook-Pro Setup Assistant[229]: --- MBCopyNetworkConfig ---
MacBook-Pro Setup Assistant[229]: IP: (null)
MacBook-Pro Setup Assistant[229]: Mask: (null)
MacBook-Pro Setup Assistant[229]: Router: (null)
MacBook-Pro Setup Assistant[229]: Domain: (null)
MacBook-Pro Setup Assistant[229]: Config Method: (null)
MacBook-Pro Setup Assistant[229]: NetworkingManager: Listening for reachability information.
MacBook-Pro Setup Assistant[229]: NetworkingManager: Network unreachable: catch-all case.
MacBook-Pro Setup Assistant[229]: CloudConfigurationManager: Network unreachable. Waiting to trigger ManagedClient request.
MacBook-Pro Setup Assistant[229]: CloudConfigurationManager: Can't cancel nonexistent activation request: (null)
MacBook-Pro systemmigrationd[268]: systemmigrationd: Starting
MacBook-Pro storagekitd[271]: Starting SKDaemon...
MacBook-Pro storagekitd[271]: Client entitled for destructive operations
MacBook-Pro storagekitd[271]: Adding client connection <NSXPCConnection: 0x7feaabe01300> connection from pid 268
MacBook-Pro installd[277]: installd: Starting
MacBook-Pro installd[277]: installd: uid=0, euid=0
MacBook-Pro systemmigrationd[268]: Connected to daemon. Language set to: English
MacBook-Pro systemmigrationd[268]: systemmigrationd: New connection for System Selection
MacBook-Pro systemmigrationd[268]: systemmigrationd: New connection for Progress
MacBook-Pro systemmigrationd[268]: systemmigrationd: Adding client <SMDProgress_XPCClientConnection: 0x7f9d33d49cb0>
MacBook-Pro systemmigrationd[268]: systemmigrationd: Adding client <SMDSystemScanner_XPCClientConnection: 0x7f9d33d4a100>
MacBook-Pro systemmigrationd[268]: Inform Remote Client of new System A63B3DED-C9E5-41A0-A25F-0D1E2B004506
MacBook-Pro systemmigrationd[268]: systemmigrationd: New connection for Progress
MacBook-Pro systemmigrationd[268]: systemmigrationd: Adding client <SMDProgress_XPCClientConnection: 0x7f9d33d4a790>
MacBook-Pro Setup Assistant[229]: Current Language=en, 10 countries found. 228 known
MacBook-Pro Setup Assistant[229]: Current Iso LC = en, en
MacBook-Pro Setup Assistant[229]: Found 2 keyboards for the locale: en
MacBook-Pro Setup Assistant[229]: SwitchController thinks we are pointed to Prod
MacBook-Pro Setup Assistant[229]: Posting MacBuddy ready
MacBook-Pro Setup Assistant[229]: Setting progress to 100%, reporting done, and aborting the progress UI
MacBook-Pro Setup Assistant[229]: ISAP: Done with phase “Setup Assistant”
MacBook-Pro Setup Assistant[229]: ISAP: Abort progress UI called.
MacBook-Pro Setup Assistant[229]: Gestures Disabled
MacBook-Pro Setup Assistant[229]: First Pane -- CountryController
MacBook-Pro Setup Assistant[229]: Warning: Attempting to initialize an mbuseragent without a user to target
MacBook-Pro Setup Assistant[229]: Setup Assistant is exiting…
MacBook-Pro Setup Assistant[229]: Warning: Attempting to initialize an mbuseragent without a user to target

...and this is the equivalent part of install.log from the moment I initially unboxed it, up to my first recorded user interactions:

MacBook-Pro Language Chooser[188]: ISAP: Done with phase “Language Chooser”
MacBook-Pro SetupAssistantSpringboard[197]: Starting SetupAssistantSpringboard for user 0...
MacBook-Pro mbsystemadministration[198]: Starting MBSystemAdministration...
MacBook-Pro mbsystemadministration[198]: Adding client connection <NSXPCConnection: 0x7fdada700240> connection from pid 197
MacBook-Pro storagekitd[200]: Starting SKDaemon...
MacBook-Pro storagekitd[200]: Client entitled for destructive operations
MacBook-Pro storagekitd[200]: Adding client connection <NSXPCConnection: 0x7f8cf3700780> connection from pid 198
MacBook-Pro installd[204]: installd: Starting
MacBook-Pro installd[204]: installd: uid=0, euid=0
MacBook-Pro mbsystemadministration[198]: Connected to daemon. Language set to: English
MacBook-Pro mbsystemadministration[198]: RamDisk created at /dev/disk2
MacBook-Pro mbsystemadministration[198]: newfs_hfs: Initialized /dev/rdisk2 as a 49 MB case-insensitive HFS Plus volume
MacBook-Pro mbsystemadministration[198]: mount: 
MacBook-Pro mbsystemadministration[198]: chown: 
MacBook-Pro mbsystemadministration[198]: MBSetupUser: createHomeDirectory succeeded
MacBook-Pro mbsystemadministration[198]: Commit user changes: 0
MacBook-Pro mbsystemadministration[198]: Creating background user agent for uid 248
MacBook-Pro mbsystemadministration[198]: Created preferences directory at /var/setup/Library/Preferences
MacBook-Pro mbsystemadministration[198]: Copied preference file .GlobalPreferences.plist
MacBook-Pro mbsystemadministration[198]: MBSetupUser: Wrote setup user dictionary
MacBook-Pro mbbackgrounduseragent[222]: Starting MBBackgroundUserAgent...
MacBook-Pro mbbackgrounduseragent[222]: Adding client connection <NSXPCConnection: 0x7fb241f00970> connection from pid 198
MacBook-Pro mbsystemadministration[198]: MBSetupUser: disable screenlock succeeded
MacBook-Pro mbsystemadministration[198]: Setting one-time autologin user _mbsetupuser
MacBook-Pro mbsystemadministration[198]: Commit user changes: 0
MacBook-Pro mbsystemadministration[198]: CGSSessionCopyAllSessionProperties:(
            {
            kCGSSessionAuditIDKey = 100008;
            kCGSSessionGroupIDKey = 80;
            kCGSSessionIDKey = 257;
            kCGSSessionLoginwindowSafeLogin = 0;
            kCGSSessionOnConsoleKey = 1;
            kCGSSessionSystemSafeBoot = 0;
            kCGSSessionUserIDKey = 0;
            kCGSSessionUserNameKey = root;
            kCGSessionLoginDoneKey = 0;
            kCGSessionLongUserNameKey = "System Administrator";
            kSCSecuritySessionID = 100008;
        }
    )
MacBook-Pro SetupAssistantSpringboard[197]: Exiting successfully
MacBook-Pro mbsystemadministration[198]: Removing client connection <NSXPCConnection: 0x7fdada700240> connection from pid 197
MacBook-Pro loginwindow[83]: IASGetCurrentInstallPhaseList: no install phase array set
MacBook-Pro loginwindow[83]: IASGetCurrentInstallPhase: no install phase set
MacBook-Pro Setup Assistant[234]: Starting Setup Assistant with uid 248…
MacBook-Pro mbsystemadministration[198]: Adding client connection <NSXPCConnection: 0x7fdada4133f0> connection from pid 234
MacBook-Pro mbsystemadministration[198]: Restoring autologin user (null)
MacBook-Pro Setup Assistant[234]: Running as MacBuddy
MacBook-Pro mbsystemadministration[198]: Commit user changes: 0
MacBook-Pro mbsystemadministration[198]: couldn't get language ordering from file
MacBook-Pro mbsystemadministration[198]: There is [NO] existing Kerberos realm, running configureLocalKDC.
MacBook-Pro mbsystemadministration[198]: configureLocalKDC: 
MacBook-Pro mbsystemadministration[198]: certtool systemdefault:...System identity already exists for domain com.apple.systemdefault. Done.
MacBook-Pro Setup Assistant[234]: MBSA pre MacBuddy tasks: SUCESS
MacBook-Pro Setup Assistant[234]: --- MBCopyNetworkConfig ---
MacBook-Pro Setup Assistant[234]: IP: (null)
MacBook-Pro Setup Assistant[234]: Mask: (null)
MacBook-Pro Setup Assistant[234]: Router: (null)
MacBook-Pro Setup Assistant[234]: Domain: (null)
MacBook-Pro Setup Assistant[234]: Config Method: (null)
MacBook-Pro Setup Assistant[234]: NetworkingManager: Listening for reachability information.
MacBook-Pro Setup Assistant[234]: NetworkingManager: Network unreachable: catch-all case.
MacBook-Pro Setup Assistant[234]: CloudConfigurationManager: Network unreachable. Waiting to trigger ManagedClient request.
MacBook-Pro Setup Assistant[234]: CloudConfigurationManager: Can't cancel nonexistent activation request: (null)
MacBook-Pro systemmigrationd[258]: systemmigrationd: Starting
MacBook-Pro storagekitd[200]: Client entitled for destructive operations
MacBook-Pro storagekitd[200]: Adding client connection <NSXPCConnection: 0x7f8cf3409d60> connection from pid 258
MacBook-Pro systemmigrationd[258]: Connected to daemon. Language set to: English
MacBook-Pro systemmigrationd[258]: systemmigrationd: New connection for Progress
MacBook-Pro systemmigrationd[258]: systemmigrationd: Adding client <SMDProgress_XPCClientConnection: 0x7f93f842bad0>
MacBook-Pro systemmigrationd[258]: systemmigrationd: New connection for System Selection
MacBook-Pro systemmigrationd[258]: systemmigrationd: Adding client <SMDSystemScanner_XPCClientConnection: 0x7f93f8439c10>
MacBook-Pro systemmigrationd[258]: Inform Remote Client of new System A63B3DED-C9E5-41A0-A25F-0D1E2B004506
MacBook-Pro systemmigrationd[258]: systemmigrationd: New connection for Progress
MacBook-Pro systemmigrationd[258]: systemmigrationd: Adding client <SMDProgress_XPCClientConnection: 0x7f93f861feb0>
MacBook-Pro Setup Assistant[234]: Current Language=en, 10 countries found. 228 known
MacBook-Pro Setup Assistant[234]: Current Iso LC = en, en
MacBook-Pro Setup Assistant[234]: Found 2 keyboards for the locale: en
MacBook-Pro Setup Assistant[234]: SwitchController thinks we are pointed to Prod
MacBook-Pro Setup Assistant[234]: Posting MacBuddy ready
MacBook-Pro Setup Assistant[234]: Setting progress to 100%, reporting done, and aborting the progress UI
MacBook-Pro Setup Assistant[234]: ISAP: Done with phase “Setup Assistant”
MacBook-Pro Setup Assistant[234]: ISAP: Abort progress UI called.
MacBook-Pro Setup Assistant[234]: Gestures Disabled
MacBook-Pro Setup Assistant[234]: First Pane -- CountryController
MacBook-Pro Setup Assistant[234]: Warning: Attempting to initialize an mbuseragent without a user to target
MacBook-Pro Setup Assistant[234]: Country set successfully
MacBook-Pro Setup Assistant[234]: Local set successfully
MacBook-Pro Setup Assistant[234]: IntlSetValue(0, "AppleDateResID", 0) returned 0
MacBook-Pro Setup Assistant[234]: IntlSetValue(0, "AppleTimeResID", 0) returned 0
MacBook-Pro Setup Assistant[234]: IntlSetValue(0, "AppleNumberResID", 0) returned 0
MacBook-Pro Setup Assistant[234]: User has chosen US set locale to: en_US. result=(en,US)
MacBook-Pro Setup Assistant[234]: NSLocale: US
MacBook-Pro Setup Assistant[234]: Next Pane -- from CountryController
MacBook-Pro Setup Assistant[234]: Next Pane -- to SelectKeyboard
MacBook-Pro Setup Assistant[234]: Warning: Attempting to initialize an mbuseragent without a user to target
MacBook-Pro Setup Assistant[234]: Current Iso LC = en, en
MacBook-Pro Setup Assistant[234]: Found 2 keyboards for the locale: en_US
MacBook-Pro Setup Assistant[234]: User selected input method: U.S. (resID=0, scriptID=0, bundleID=com.apple.keyboardlayout.all)
MacBook-Pro Setup Assistant[234]: User selected typing styles: <_NSCachedIndexSet: 0x7fbbe2409150>[number of indexes: 1 (in 1 ranges), indexes: (0)]
MacBook-Pro Setup Assistant[234]: Keyboards: Current Input Source <TSMInputSource 0x7fbbe25a4460> KB Layout: U.S. (id=0)
MacBook-Pro Setup Assistant[234]: Keyboards: Current source is layout, ASCII capable
MacBook-Pro Setup Assistant[234]: Keyboards: Default ASCII layout: <TSMInputSource 0x7fbbe25a4460> KB Layout: U.S. (id=0)
MacBook-Pro Setup Assistant[234]: Keyboards: Current ASCII layout: <TSMInputSource 0x7fbbe25a4460> KB Layout: U.S. (id=0)
MacBook-Pro Setup Assistant[234]: Next Pane -- from SelectKeyboard
MacBook-Pro Setup Assistant[234]: TIS setting succeeded

One thing I noticed about the session from 2 months prior was that the very first entry is: MacBook-Pro Language Chooser[178]: LCA+BT2: BT host controller appeared after 2 seconds, which seems like it could be related to USB or Bluetooth (but I'm not sure).

From the logs it does seem like the Setup Assistant is doing normal things. It simply displays the Country Selection pane, and then exits, which seems to indicate the laptop was opened, the setup assistant loaded the country selector, and then the computer was shut down.

My questions are:

  1. Could this be the result of a QA step in the factory, or is this definitely an indication that the MacBook was opened by someone stateside before I bought it?
  2. This computer was provided to me by an organization. Is it possible that organization is the one who opened it, and that they did it with intent to install some form of spyware before rewrapping the computer in cellophane so that I wouldn't know?

Another important thing to note is the timestamps in the questionable logs were only for approx. a 30-second window, from "BT host controller" to "Setup Assistant is exiting", and that's the cutoff.

Editing to add: I already considered the possibility that this could be related to ntp updating the system clock when the computer makes its first contact with the internet, but this was definitely not the case. That happens a little later in the log shortly after unboxing, and it's clear that it's happening at that point because the timestamps travel back in time about 4 minutes.

I also forgot to mention the OS version at the time: it was OS X 10.11 El Capitan. Edit: The initial install was actually OS X 10.10 Yosemite; the upgrade to El Capitan occurred several hours later.

Next-day edit to add:

I've done some comparative analysis of a separate MacBook Pro that I own, and based on the various creation/access/modification times of certain system files and hidden user accounts, it might not necessarily be unusual to find pre-unboxing artifacts in /var/log/install.log.

However, I don't have an install.log to compare that still has its original first-unboxing log entries intact, so I haven't been able to compare the lines in this specific install.log (above) to determine whether the activity is unusual or not.

If anyone has a MacBook Pro that they recently purchased, or one that they know has only ever had the operating system installed once (right after unboxing), especially one that initially installed OS X 10.10 Yosemite (early- and mid-2015 models), it'd be a big help if you could provide your earliest post-unboxing /var/log/install.log entries, so we can see if the behavior above is unusual.

Specifically, I'd like to know if it's normal for a brand new MacBook Pro to have install.log entries that predate their purchase, where Setup Assistant is loaded (First Pane -- CountryController). I'd also like to know if LCA+BT2: BT host controller appeared after 2 seconds is normal to see in those entries, or if it's an indication that a USB or Bluetooth device was connected.

If you have access to such a computer and you'd like to help, please check the output of head -200 /var/log/install.log | less and let me know what you find (being careful not to share any sensitive data that it may surface). Thanks.

Adelmar
  • 151
  • 5
  • It might be worth reading up on the manufacturing process for laptops. I know that in the automotive industry, for example, as part of the assembly line all the electronics are imaged, then powered up and connected to the internet to download the latest versions of everything. – Mike Ounsworth Sep 02 '18 at 18:07
  • 4
    @MikeOunsworth Yeah, after looking into this more deeply I'm 90% sure it's just a part of manufacturing. Compounding my confusion was the fact that the log's timestamps didn't record the year... so I think those logs that I thought were 8 weeks before unboxing were actually 1 year 2 months before unboxing, which perfectly fits the timeline for the model year of early-2015. :) macOS has since started including the year in install.log entries (most of the time...) – Adelmar Sep 02 '18 at 20:15
  • Awesome. Can you post a self-answer on your findings? (for future googlers) – Mike Ounsworth Sep 02 '18 at 20:19

1 Answers1

2

For future Googlers:

I was able to confirm that the entries predating the initial unboxing were logged during one of the final steps of Apple's manufacturing process, where the laptop is briefly booted to the macOS installer for the purposes of quality assurance.

Adding to the confusion was the fact that in earlier versions of macOS — before unified logging was introduced in macOS 10.12 Sierra — these log entries were not recording the year (a legacy oversight). This caused me to mistakenly assume the entries occurred at some point after being distributed to retail, when it's actually very likely (and perfectly fits the timeline) that the log entries actually occurred a full year prior.

Adelmar
  • 151
  • 5