Apple just added an important security feature for iMac Pro users, one that allows users to precisely control which storage devices are allowed to boot up their Macs. It’s called Startup Security Utility, and it allows users to designate allowed boot drives and require a password to change that. This will, in theory, stop someone from using their own boot drive to access, copy data from, or install malware or keyloggers on an iMac Pro.
The key phrase, though, is iMac Pro, as Startup Security Utility is currently “available only on iMac Pro.” As of this writing, there’s no indication on whether this feature will be rolled out to other Mac models in the future, though it’s a reasonable guess Apple’s next Mac Pro will feature this or a similar technology.
Startup Security Utility
Apple’s new Startup Security Utility has three components: Firmware password protection, Secure Boot, and External Boot. Each offers different levels of granular control over how an iMac Pro can be booted up.
The base level of control in Startup Security Utility is Firmware Password. Apple positioned this as a step beyond filevault, one that requires a password to use any bootup storage device other than one’s designated startup disk. From Apple’s description [emphasis added].
A firmware password prevents users who don’t have the password from starting up from any disk other than your designated startup disk. As a result, it also blocks the ability to use most startup key combinations.
Firmware Password also works alongside Lost Mode in Find My Mac. According to Apple, “Lost Mode works even while using a firmware password. Unlike the passcode set by Lost Mode, a firmware password remains on until you turn it off with Firmware Password Utility.”
Apple has a dedicated KnowledgeBase article for setting up a Firmware Password.
Secure Boot tackles startup security from a difference angle by allowing users to ensure their iMac Pro starts up only from a, “legitimate, trusted operating system.” It does so with three levels of security: Full Security, Medium Security, and No Security. The screenshot below shows those options.
Below, we have descriptions of each option.
During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it’s legitimate. If the OS is unknown or can’t be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.
During startup when Medium Security is turned on, your Mac verifies the OS on your startup disk only by making sure that it has been properly signed by Apple (macOS) or Microsoft (Windows). This doesn’t require an Internet connection or updated integrity information from Apple, so it doesn’t prevent your Mac from using an OS that is no longer trusted by Apple.
The No Security setting doesn’t enforce any of the above security requirements for your startup disk.
The third security option in Startup Security Utility is External Boot.
Use this feature to control whether your Mac can start up from an external hard drive, thumb drive, or other external media. The default and most secure setting is ”Disallow booting from external media.” When this setting is selected, your Mac can’t be made to start up from any external media.
This option would prohibit you or anyone else from booting your iMac Pro up from any external media under any circumstances (other than having access to your designated startup disk and changing the option there.) That might well be important for users with highly sensitive data and/or iMac Pros operating in unsecure locations, but it could mean trouble if something happens to your designated startup disk.
My reading of this feature is that not even knowing the Firmware Password would allow you to boot an iMac Pro from external media. At all.
Security as a Feature
All in all, Startup Security Utility is a significant boost for iMac Pro, and one that could be particularly valuable in sensitive enterprise, defense industry, and other government uses. I hope it gets rolled out to future Macs, as well/