30 October 2007

A star is (re)born

We are proud to release Undercover 2, the only theft recovery solution that has been designed exclusively for Mac OS X and the first native theft-recovery application for Leopard.

With Undercover 2, we hope to recover even more stolen Macs:
  • We added a dead-Mac-timeout feature: if a Mac is not connected to the net for more than two months, plan B will automatically kick in. That way, we hope to recover at least some of the stolen Macs that are never connected to the Internet.

  • Undercover now only connects to the Internet when a network change occurs, dramatically reducing network traffic, while making the system even more aggressive.

  • Memory footprint and CPU usage have been dramatically reduced. In most cases, memory footprint is down 75%.

  • In addition, Undercover 2 sports dozens of under-the-hood improvements and fixes.

  • Last but not least, Undercover is now compatible with Tiger and Leopard. One version now works on both operating systems.

Tiger instructions

First, you have to remove Undercover 1.5:

  • In the Finder, remove the following file: /Library/Launchdaemons/com.orbicule.undercover.plist
  • Restart your Mac
  • Choose Go To Folder from the Finder's Go menu
  • Enter the following path: /etc and remove the uc file in this folder

Next, you can download Undercover 2 and run the installer. You can use your existing Kagi license key (not your Undercover ID) to register Undercover 2. By upgrading, you will not use an additional license seat. In most cases, Undercover will simply recognize your 1.5 registration and it won't ask for a license key.

Leopard instructions

If you have installed Leopard by doing a 'Clean install', or by doing an 'Archive and install' you don't have to do any extra work.
Simply download Undercover 2 and run the installer. You can use your existing Kagi license key (not your Undercover ID) to register Undercover 2. By upgrading, you will not use an additional license seat. In most cases, Undercover will simply recognize your 1.5 registration and it won't prompt you to enter your license key.

If you have installed Leopard by doing an upgrade install, you first have to remove Undercover 1.5 by removing the following file: /Library/Launchdaemons/com.orbicule.undercover.plist. Restart your Mac after this removal. Next, you can install Undercover 2 as described in the paragraph above.


Anonymous said...

Thanks, the installation seems to have worked fine on Leopard. However, it would be nice to have an indicator to see if it really works again. Is there any way to find that out ? Like a web-form where on can enter his undercover-id to see when the client has connected last time ?

Peter Schols said...

If Undercover 2 recognizes your previous registration, it is true that you won't get any dialog or email confirming that Undercover 2 has been properly installed. If you want to be 100% sure about that, you can always check whether Undercover 2 is running:

- Launch the Activity Monitor application in /Applications/Utilities
- Select "All processes" from the popup menu
- You should see a process called uc owned by root

sbultez said...
This comment has been removed by the author.
Anonymous said...

Doh! I jumped the gun and saw that version 2 was out, so I installed it on my system which had the old Undercover installed and was upgraded to Leopard with an upgrade install. I see the uc process in Activity Monitor. Is it properly installed or should I uninstall and re-install version 2.0 (if so how)? Thanks in advance.

Kyle said...

yeah, i am in the same situation. I didnt uninstall 1.5! But "uc" is there!

Vasilis said...

I like the idea of the hardware faillure after 2 months if the mac is not connected. But I'd like to know if there's a way to prevent this from happening when I am more than two months offline for whatever reason. I think there should be some kind of way to show UC that it is still me who is using my mac.
Can this be done without connecting to the internet?
And I'm not sure if i'm happy with the fact that Undercover only connects when a network change occurs. What if my neighbor steels my laptop and keeps using my airport? Or is reconnecting to the same network considered a network change?
I think I'll wait for answers before I install this version.

zianac said...

That question is a good one... I was in the navy, and there would be times where I wouldn't be able to use the internet for alot longer than 2 months... I wouldn't want my computer being rendered useless...

Peter Schols said...

If you installed Undercover 2 before removing Undercover 1, simply check whether the file com.orbicule.undercover.plist is present in /Library/Launchdaemons/. If it is, simply delete it.

When Undercover 2 is installed, you should see only one Undercover related .plist file in Launchdaemons. It should be named com.orbicule.uc.plist

Peter Schols said...


You cannot turn off the 'dead-Mac' feature. But you could simply reconnect your Mac to the Net: that will reset Undercover. It does not matter how you connect: it could be through ethernet, public wifi, ....

A 'network change' means that the Mac is disconnected or reconnected, even if it's connected to the same network. So if your neighbour or colleague steals your Mac and connects it to the same network, Undercover will still be triggered (if your Mac has been reported as stolen, at least).

Vasilis said...

Thank you for your answer, Peter. I still have some doubts about the new dead-mac feature, I can think of many situations where I can't connect to the internet for a long time.
Do you have plans to change this feature in the near future? Couldn't you just unlock it with a password? Or offer the possibility to (temporarily) disable the feature? Or a more clever solution which I can't think of.

George Dick said...

If you neighbor steals your mac, you'd be able to go into your airport utility and still see it attached. You could also change your password on the airport once in a while to prevent it from being used by anyone but you!

Vasilis said...

I'd need my stolen mac to do that (-:

pegleggedpete said...

the only time that it will go into dead-mac mode is when it's reported stolen, if i understand correctly.

if it's not reported stolen then it doesn't matter how long you keep it off a network.

Anonymous said...

How would it know it was stolen if it was not connected to the internet?

Colin said...

lol that would be my question as well.

Colin said...

Another question I have is, will Undercover detect that it is stolen if the theif logs in using the Guest account feature in Leopard? or do I need to create a new account and name it "Guest" like before?

Peter Schols said...

Please note that Undercover will start plan B on any Mac that is not connected to the net for more than two months. In that respect, the comment from pegleggedpete is wrong: even if the Mac is not reported as stolen, it will be blocked after two months of not being connected.

However, it is very easy to remove this screen block: simply reconnect the Mac to the net (either using WiFi or a wired connection) and restart it. At that point, Undercover will reset the timer and you could disconnect your Mac again for another two months.

We will post more information on this new 'dead-Mac-timeout' feature soon.

Peter Schols said...


We encourage you to make use of the Leopard guest account: Apple has made it easier for all Undercover users by providing a default guest account with all the right settings. You just have to enable the guest account in System Preferences - Accounts.

Attila Szegedi said...

I second the first comment:

"... a web-form where on can enter his undercover-id to see when the client has connected last time". Would be a great feature to be 100% sure machine is protected.

Bart said...

just want to agree with Attilla. I see the uc process running, but I worry that, if my computer ever gets stolen, then I will find out if UC really worked, or if there was some weird network or other problem that prevents it from doing its thing. a web place where I can run a dummy scenario would be great.

Stevenb18hsr said...

i agree...... A sandbox would be great.

Anonymous said...

I'm not sure on the "only send information when reconnecting" feature. This is what's holding me off for now. Look at this scenario: Computer gets stolen, thief plugs it in at his house to the internet BEFORE I've had time to report it as stolen.

Basically, even after I report it, if the thief doesn't unplug the connection, it could be sitting there for eternity without phoning back to Orbicule? Or am I mistaken?

cobrabyte said...

Please consider adding the ability to test the installation of UC. I've always worried that something would go wrong in the event my Mac was stolen. I'm sure I'm not the only one who runs Little Snitch so I know there's at least one barrier that could block access when it's most needed.

A simple site where we can just see that our UC installation is functioning correctly would suffice.


Anonymous said...

Hi! A little tip for changing your hardware. I've sold a new MBP and use the migration assistant. So, in this way, after a restart UC says, that the MBP is stolen ;-( I'm happy, that I've setup, before the migration process, a second admin account. With this account, I install UC again. Now, it works :-)
Greets from Austria, Peter

pdaformac said...


I got two questions:

1 although I am a user of 1.5 that upgraded to version 2 because I visited your site accidentally, not because I received an email from you does that mean I am not registered with you? Does that also mean that the people that are using undercover 1.5 have no protection anymore?

2 does my undercover ID means something to someone else (like a thief)? with other words should I keep it secret?

polom said...

I too, found out accidentally about v2. That's one occasion where a newsletter would be nice :)

I also agree with those asking for a sort of "good installation test" to check if UC is running well.

Last point : I can't find any Kagi serial in my mail archive. I only found the email containing my UC ID. How should I upgrade ??

HKMacs said...

Firmware Password Utility doesn't work in Leopard. What's to prevent someone installing a new System on a stolen Mac now?

Tim Pritchard said...

Firmware Password Utility (1.4.1) works fine for me on a number of different pieces of Apple hardware, all running 10.5.1. Installs as expected and throws up the familiar password window with the option key down, whether Undercover is installed or not.

What's unclear is how one installs it without a Tiger install or restore disk lying around - FPU appears not to be available on any Leopard install disk I've seen, although I've only done upgrades or drop-in DVD installs, not installs from a full Leopard install disk.

Somewhat off-topic - anyone know if Firmware Password Utility is on a full Leopard install DVD? And more importantly, why isn't it available online in Apple's support section, instead of only on discs that ship with hardware? An earlier version was available in the Support section way back when, but that changed at the Tiger release, I think.

Great product, Peter - keep on innovating!

Peter Schols said...


The FWP is still on the Leopard DVD, and it's still in /Applications/Utilities, but this folder is now hidden.

In order to view it in the Finder:
Press Command + Shift + G (Go To Folder) and type:

/Volumes/Mac OS X Upgrade DVD/Applications/Utilities

Where Mac OS X Upgrade DVD is the name of your Leopard DVD (this name might be different).

Anonymous said...


Thanks for the new release. I hope it further improves recoveries - and that I never get to test it!

I'd also like to add my support to Polom's comments about letting the existing Undercover users know about the new release.

Like Polom I just happened across the new release - an email to existing customers would be great!

Thanks, Marc

Anonymous said...

Personally I think it is a bad idea to show publicly how to uninstall under cover. For instance, if a thief knew of "undercover" like software that protects Mac's, they could look for and delete the software before connecting to the internet...Hmm

Anonymous said...

Keep your admin password to yourself, and the thief cannot uninstall anything . . . it's that simple.

I'm concerned about the dead-mac feature, as I have a big 24" iMac that I've had for over a year, and I've never connected it to the internet. It's not available way out in the country where I live. Would I have to carry my iMac to town, and plug it in somewhere every two months? I would hope not.

Anonymous said...

No, Undercover only works when it knows that it is on the list of stolen macs, and if you do connect it to the internet, it will check if the same ID number is up on that list is on your computer. And only you have the ID so no one else can put it up on the list.

Hope that answers your question.

Anonymous said...

Hi. I was wondering if the Undercover 2 "Plan B" really works. Orbicule says that if a mac is not connected to the internet for more than two months, it will present a hardware failure. Here's the thing for retail; They say that if Undercover is connected to the internet at the retail. But doesn't that mean also for if the thief connects to the internet after two months? I am so worried and will not be buying this product if that's the case.

Hope to hear from anybody real soon!

Peter Schols said...

To clear things up, plan B only starts:

- If a Mac is not connected for more than two months (even if it's not in our list of stolen Macs)


- If a Mac is stolen and we have decided (together with the owner) to activate plan B.

If any of these two conditions are met, plan B will start. In the former case, it will immediately display a fullscreen message. In the latter case, it will first simulate a hardware failure.

Anonymous said...

Am I to understand that if I want to avoid the 2 month PLan "B" rule all I have to do is plug my MAC into a switch that has DHCP or NAT and this will count as "on the net"? I ask this for all the guys deployed to Iraq that have very limited access.

Peter Schols said...

The Mac should be connected to the net: e.g. the Apple website should be accessible.

Alan said...

Booting from any OSX install DVD allows me to change the admin password on the Mac, at which point I can uninstall UnderCover. Or, I can boot in Target mode and remove UnderCover's components parts. Even if Firmware Password Utility is installed, I can boot into single user mode and uninstall UnderCover's component parts. It's a good tool against an opportunistic thief, but no match for someone who knows what they are doing.


Peter Schols said...

Alan, you are forgetting that you need to enter an Admin password first before you can even boot from the Mac OS X install DVD

Anonymous said...

I've been thinking about the dead Mac feature for a few months now and the more I think of it the less I like it. Some people in the comments mentioned some pretty common situations where a computer is not connected to the internet for a long time or even forever. But there's another risk: what if for some reason the orbicule database is inaccessible for a long period? That would mean all macs with Undercover installed will be useless.
I think the dead mac feature should only be activated when a computer is stolen and plan A doesn't work. Right now it looks like a security risk to me if I don't have a simple way to reset it without the need to connect to the internet.
Please give us the option to disable this feature.

Peter Schols said...


I see the issue you are having and we will definitely consider this for the next update.

However, I would like to point out that in case our server would go down, that this will *not* trigger plan B on all Macs with Undercover installed. Actually, a server outage would not affect any Undercover enabled Mac at all, except for the fact that we no longer receive information from stolen Macs. Again: it's not like all Undercover enabled Macs will suddenly be blocked when our server goes down! I just wanted to clear that up.

Anonymous said...

Thanks for your answer Peter!

Nick said...

Just out of curiousity, it's possible to reset the admin password in single user mode, presumably its also quite easy to delete UC in single user mode. Does a firmware password stop the would-be thief from booting to SUM?

Anonymous said...

Hello Peter - rather than the arbitrary 2 months time period, have you thought of adding a user-specified time period (entered at setup time) for rendering the machine inactive ... ie. for people like the submariner above or the soldiers with limited access who may not be able to connect to the internet for months at a time ...?



Ben said...

I would like to echo the comments of others about the arbitrary plan b period. Two months is not a particularly long period, for example i am taking a trip in the summer for longer than this time. If i had undercover installed (which i am considering doing after the trip) i would return to a computer with the message. I have no reason to suppose that i would have no internet at this point, but its certainly a worrying "what if..." Perhaps this feature, as others mentioned, should only be activated once the computer has been reported stolen. Otherwise, this sounds like a fantastic product. Thanks. Ben.

Anonymous said...

> dead Mac, 2 months

Sorry, but there has to be a way around this. Maybe you could provide some secret code the owner can, say, put on a USB flash drive instead (the dreaded "dongle" key) kept separately but usable to reset the dead Mac time.

Military, longterm field researcher people who want to leave a computer in a remote location, or even people who don't want to be noticed.

What happens to someone using, say, TOR and blocking referrers routinely?

Anonymous said...

I am also concerned about the two month time frame for Plan B to kick in. I was considering purchasing this for a school that has a few hundred Macbooks, but during the summer all of them would go into Plan B. Starting up and connecting hundreds of laptops just to extend the time frame would be something we wouldn't be willing to do. We will now have to look for another solution. You may want to reconsider that feature - or make it customizable.

Anonymous said...

For all the people confused:

The Firmware Password stops people doing these things without first entering the password you specify when you activate it:

Booting to an external drive (firewire or USB)
Booting to a CD/DVD by holding C
Getting into the EFI Start-Up Disk Utility by holding Option.
Single User Mode (Command + S)
And because it's embedded in the firmware, you could not even format the internal HD, replace it with a new OS X HD and boot from that.

Btw, I too think the *non-customisable* 2 month cut-off point is not a good idea.

Karl-Franz said...

"peter schols said...
To clear things up, plan B only starts:

- If a Mac is not connected for more than two months (even if it's not in our list of stolen Macs)


- If a Mac is stolen and we have decided (together with the owner) to activate plan B.

If any of these two conditions are met, plan B will start. In the former case, it will immediately display a fullscreen message. In the latter case, it will first simulate a hardware failure."

I too have a concern with plan B being triggered after two months of no net access. If you immediately display the fullscreen message stating that this Mac has been stolen, I would imagine that the crook would immediately destroy the machine. I doubt any criminal would like a piece of evidence lying around that boldly states that it was stolen. If he or she destroys your Mac, you will never have a chance to recover it.

The new "no net access Plan B" feature should be modifiable in several ways:

- Allow the user to enable/disable the feature as their choice.

- If the user chooses to use the "No Net Access Plan B" feature, allow them to determine the period without access in a range from 1 week to 1 year.

- Once Plan B has been triggered by lack of network access, simulate a hardware failure rather than displaying the "This Mac is Stolen" message.

- If the simulated hardware failure is triggered, allow a user defined, multi-key bypass that would allow the owner to get to a screen where they can type in their password and reset the timer for another period of their chosen "no net access" time. In other words, allow the user to define a backdoor.

Anonymous said...

I have to agree with previous comments on the 2 month Plan B. If it weren't for that particular feature, we'd buy the product without compliant. All that needs to be done is make the Plan B timeout customizable and we'd be sold.

Re said...

This is an interesting thread now. I too would have bought this immediately but was concerned by this feature and looked a little closer ... so ultimately found myself here. Its interesting on reading this entire thread how this has developed. However i wonder if this is ever going to be sorted. Its now nine months since this was first raised and I reckon that if there was any desire to do this it would be relatively achievable task to offer a "cut down"version with this feature simply removed. I hope that this happens someday as I would definitely but this app if this was the case.

Peter Schols said...

Hi Re and other posters,

Please be assured that we listen to the feedback we get by email and on this weblog. For example, we are currently working on Undercover 2.5 which will address major concerns raised in this thread. Please keep an eye on this weblog, we will have an announcement soon.