Startup security in macOS
Startup security policies can help restrict who can start up a Mac and what devices can be used to start up the Mac.
Startup Disk security policy control for a Mac with Apple silicon
Unlike security policies on Intel-based Mac computers, security policies on a Mac with Apple silicon are supported for each installed operating system. This means that multiple installed macOS instances with different versions and security policies can exist on the same machine. For this reason, an operating system picker has been added to Startup Security Utility.
On a Mac with Apple silicon, Startup Security Utility indicates the overall user-configured security state of macOS, such as the booting of a kext or the configuration of System Integrity Protection (SIP). If changing a security setting would significantly degrade security or make the system easier to compromise, users must restart into recoveryOS by holding the power button (so that malware can’t trigger the signal, only a human with physical access can) in order to make the change. Because of this, a Mac with Apple silicon also won’t require (or support) a firmware password—all critical changes are already gated by user authorization. For more information on SIP, see System Integrity Protection in Apple Platform Security.
Organizations can, however, prevent access to the recoveryOS environment, including the startup options screen, through the use of a recoveryOS password, available with macOS 11.5 or later. For more information, see the recoveryOS password section below.
Security policies
There are three security policies for a Mac with Apple silicon:
Full Security: The system behaves like iOS and iPadOS, and allows only booting software that was known to be the latest that was available at install time.
Reduced Security: This policy level allows the system to run older versions of macOS. Because older versions of macOS inevitably have unpatched vulnerabilities, this security mode is described as Reduced. This is also the policy level which needs to be configured manually to support booting kernel extensions (kexts) without using a mobile device management (MDM) solution and Automated Device Enrollment with Apple School Manager or Apple Business Manager.
Permissive Security: This policy level supports users that are building, signing, and booting their own custom XNU kernels. System Integrity Protection (SIP) must be disabled before enabling Permissive Security Mode. For more information, see System Integrity Protection in Apple Platform Security.
For more information on the security policies, see Startup Disk security policy control for a Mac with Apple silicon in Apple Platform Security.
recoveryOS password
A Mac with Apple silicon with macOS 11.5 or later supports setting a recoveryOS password using MDM using the SetRecoveryLock
command. Unless the recoveryOS password is entered, a user is prevented from accessing the recovery environment, including the startup options screen. A recoveryOS password can be set only using MDM, and for MDM to update or remove an existing password, the current password must also be provided. Because the recoveryOS password can be set, updated, or removed only through MDM, unenrolling a Mac computer from MDM that has a recoveryOS password set also removes the password. MDM administrators can also verify the correct recoveryOS password is set by using the VerifyRecoveryLock
command.
Note: Setting a recoveryOS password doesn’t prevent the restoration of a Mac computer with Apple silicon through DFU Mode using Apple Configurator, which also cryptographically renders the previous data on the Mac inaccessible.
Startup Security Utility
On Intel-based Mac computers with an Apple T2 Security Chip, Startup Security Utility handles a number security policy settings. The utility is accessible by booting into recoveryOS and selecting Startup Security Utility from the Utilities menu and protects supported security settings from easy manipulation by an attacker.
Secure boot policy can be configured to one of three settings: Full Security, Medium Security, and No Security. No Security completely disables secure boot evaluation on the Intel processor and allows the user to boot whatever they want.
For more information on the security policies, see Startup Security Utility on a Mac with an Apple T2 Security Chip in Apple Platform Security.
Firmware Password Utility
Mac computers without Apple silicon support the use of a Firmware Password to prevent unintended modifications of firmware settings on a specific Mac. The Firmware Password is used to prevent users from selecting alternate boot modes such as booting into recoveryOS or Single User Mode, booting from an unauthorized volume, or booting into Target Disk Mode. A firmware password can be set, updated, or removed using the firmwarepasswd
command-line tool, Firmware Password Utility, or MDM. For MDM to be able to update or clear a firmware password, it must first know the existing password, if applicable.
Note: Setting a firmware password doesn’t prevent the restoration of the Apple T2 Security Chip firmware through DFU Mode using Apple Configurator. When the Mac is restored, any set firmware password on the device is removed and the data on the internal storage is securely erased.