Startup security utility mac os

About Startup Security Utility

Use Startup Security Utility to make sure that your Mac always starts up from your designated startup disk, and always from a legitimate, trusted operating system.

If you’re using a Mac with the Apple T2 Security Chip, Startup Security Utility offers three features to help secure your Mac against unauthorized access: Firmware password protection, Secure Boot, and External Boot.

Open Startup Security Utility

1. Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo. Your Mac starts up from macOS Recovery.
2. When you’re asked to select a user you know the password for, select the user, click Next, then enter their administrator password.
3. When you see the macOS utilities window, choose Utilities > Startup Security Utility from the menu bar.
4. When you’re asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

Set a firmware password

You can use a firmware password to prevent anyone who doesn’t have the password from starting up from a disk other than your designated startup disk. To set a firmware password in Startup Security Utility, click Turn On Firmware Password, then follow the onscreen instructions. Learn more about firmware passwords.

You can also change your external boot setting to prevent even those who know the firmware password from starting up from external media.

Change Secure Boot settings

Use these settings to make sure that your Mac always starts up from a legitimate, trusted operating system.

Full Security

Full Security is the default setting, offering the highest level of security. This is a level of security previously available only on iOS devices.

During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it’s legitimate. If the OS is unknown or can’t be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.

If FileVault is enabled while your Mac is attempting to download updated integrity information, you’re asked to enter a password to unlock the disk. Enter your administrator password, then click Unlock to complete the download.

If the OS doesn’t pass verification:

• macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
• Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

If your Mac can’t connect to the Internet, it displays an alert that an Internet connection is required.

• Check your Internet connection, such as by choosing an active network from Wi-Fi status menu in the menu bar. Then click Try Again.
• Or click Startup Disk and choose a different startup disk.
• Or use Startup Security Utility to lower the security level

Medium Security

During startup when Medium Security is turned on, your Mac verifies the OS on your startup disk only by making sure that it has been properly signed by Apple (macOS) or Microsoft (Windows). This doesn’t require an Internet connection or updated integrity information from Apple, so it doesn’t prevent your Mac from using an OS that is no longer trusted by Apple.

If the OS doesn’t pass verification:

• macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. This requires an Internet connection. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
• Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

No Security

No Security doesn’t enforce any of the above security requirements for your startup disk.

Источник

About Startup Security Utility

Use Startup Security Utility to make sure that your Mac always starts up from your designated startup disk, and always from a legitimate, trusted operating system.

If you’re using a Mac with the Apple T2 Security Chip, Startup Security Utility offers three features to help secure your Mac against unauthorized access: Firmware password protection, Secure Boot, and External Boot.

Open Startup Security Utility

1. Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo. Your Mac starts up from macOS Recovery.
2. When you’re asked to select a user you know the password for, select the user, click Next, then enter their administrator password.
3. When you see the macOS utilities window, choose Utilities > Startup Security Utility from the menu bar.
4. When you’re asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

Set a firmware password

You can use a firmware password to prevent anyone who doesn’t have the password from starting up from a disk other than your designated startup disk. To set a firmware password in Startup Security Utility, click Turn On Firmware Password, then follow the onscreen instructions. Learn more about firmware passwords.

You can also change your external boot setting to prevent even those who know the firmware password from starting up from external media.

Change Secure Boot settings

Use these settings to make sure that your Mac always starts up from a legitimate, trusted operating system.

Full Security

Full Security is the default setting, offering the highest level of security. This is a level of security previously available only on iOS devices.

During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it’s legitimate. If the OS is unknown or can’t be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.

If FileVault is enabled while your Mac is attempting to download updated integrity information, you’re asked to enter a password to unlock the disk. Enter your administrator password, then click Unlock to complete the download.

If the OS doesn’t pass verification:

• macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
• Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

If your Mac can’t connect to the Internet, it displays an alert that an Internet connection is required.

• Check your Internet connection, such as by choosing an active network from Wi-Fi status menu in the menu bar. Then click Try Again.
• Or click Startup Disk and choose a different startup disk.
• Or use Startup Security Utility to lower the security level

Medium Security

During startup when Medium Security is turned on, your Mac verifies the OS on your startup disk only by making sure that it has been properly signed by Apple (macOS) or Microsoft (Windows). This doesn’t require an Internet connection or updated integrity information from Apple, so it doesn’t prevent your Mac from using an OS that is no longer trusted by Apple.

If the OS doesn’t pass verification:

• macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. This requires an Internet connection. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
• Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

No Security

No Security doesn’t enforce any of the above security requirements for your startup disk.

Источник

About Startup Security Utility

Use Startup Security Utility to make sure that your Mac always starts up from your designated startup disk, and always from a legitimate, trusted operating system.

If you’re using a Mac with the Apple T2 Security Chip, Startup Security Utility offers three features to help secure your Mac against unauthorized access: Firmware password protection, Secure Boot, and External Boot.

Open Startup Security Utility

1. Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo. Your Mac starts up from macOS Recovery.
2. When you’re asked to select a user you know the password for, select the user, click Next, then enter their administrator password.
3. When you see the macOS utilities window, choose Utilities > Startup Security Utility from the menu bar.
4. When you’re asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

Set a firmware password

You can use a firmware password to prevent anyone who doesn’t have the password from starting up from a disk other than your designated startup disk. To set a firmware password in Startup Security Utility, click Turn On Firmware Password, then follow the onscreen instructions. Learn more about firmware passwords.

You can also change your external boot setting to prevent even those who know the firmware password from starting up from external media.

Change Secure Boot settings

Use these settings to make sure that your Mac always starts up from a legitimate, trusted operating system.

Full Security

Full Security is the default setting, offering the highest level of security. This is a level of security previously available only on iOS devices.

During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it’s legitimate. If the OS is unknown or can’t be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.

If FileVault is enabled while your Mac is attempting to download updated integrity information, you’re asked to enter a password to unlock the disk. Enter your administrator password, then click Unlock to complete the download.

If the OS doesn’t pass verification:

• macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
• Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

If your Mac can’t connect to the Internet, it displays an alert that an Internet connection is required.

• Check your Internet connection, such as by choosing an active network from Wi-Fi status menu in the menu bar. Then click Try Again.
• Or click Startup Disk and choose a different startup disk.
• Or use Startup Security Utility to lower the security level

Medium Security

During startup when Medium Security is turned on, your Mac verifies the OS on your startup disk only by making sure that it has been properly signed by Apple (macOS) or Microsoft (Windows). This doesn’t require an Internet connection or updated integrity information from Apple, so it doesn’t prevent your Mac from using an OS that is no longer trusted by Apple.

If the OS doesn’t pass verification:

• macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. This requires an Internet connection. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
• Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

No Security

No Security doesn’t enforce any of the above security requirements for your startup disk.

Источник

Чип T2 в новых Mac запрещает загрузку с внешних дисков. Решаем проблему

Безопасность пользовательских данных всегда была одним из главных приоритетов для разработчиков Apple. Выпускаемые гаджеты оснащаются как физическими так и программными средствами для шифрования, идентификации пользователя и защиты файлов в случае попадания устройств в руки злоумышленников.

Система регулярно совершенствовалась в данном направлении, но, похоже, в прошлом году купертиновцы серьезно перемудрили.

Речь идет о новом чипе T2, который устанавливается практически во все современные модели Mac.

Зачем нужен чип T2 и что в нем плохого

Все началось в 2016 году с появлением первых моделей MacBook Pro с сенсорной панелью Touch Bar. Тогда за работу этой фишки отвечал чип Apple T1.

Модуль был предельно схож с платой S2, которой оснащались часы Apple Watch Series 2. Оба модуля отвечают за шифрование данных и безопасность. Чип в MacBook при этом контролировал сенсорную панель, хранил связку ключей и выполнял ряд других менее значимых действий.

В конце 2018 года купертиновцы презентовали кардинально обновленный MacBook Air и минорный апдейт линейки MacBook Pro. Одним из новшеств этих ноутбуков стал новый чип Apple T2.

Помимо уже известных задач своего предшественника новый модуль отвечает за шифрование SSD, контролирует загрузку системы и позволяет активировать Siri на Mac при помощи голоса.

T2 имеет жесткую привязку к Touch Bar и в случае поломки последней тоже нуждается в замене. Все, как у связки Touch ID\Face ID с материнской платой в iPhone.

Самую неприятную особенность данного чипа начали замечать пользователи, которые решили переустановить операционную систему на новеньких компьютерах. Чип Apple T2 блокирует загрузку Mac с любого внешнего накопителя. Только загрузка со встроенного SSD или сетевое восстановление системы.

Так не получится установить macOS с загрузочной флешки, загрузиться с любого другого внешнего диска с развернутой ОС. Даже сторонние средства для бекапа не будут работать с подобным ограничением.

Какие компьютеры в зоне риска

На данный момент подобный чип устанавливается на такие устройства:

▪️ iMac Pro
▪️ Mac mini (2018 г.)
▪️ MacBook Air (2018 г. и более поздние модели)
▪️ MacBook Pro (2018 г. и более поздние модели)

Проверить наличие модуля можно по пути  – Об этом Mac – Отчет о системе, в разделе Контроллер будет указан установленный на устройстве чип безопасности.

В актуальном модельном ряду компьютеров Apple T2 нет лишь в iMac и Mac Pro. Скорее всего, линейку обновят уже осенью и проблема коснется всех моделей.

Как исправить ситуацию

К счастью, у проблемы есть решение. Ограничение на загрузку с внешнего накопителя программное и его можно отключить.

Вот, что нужно для этого сделать:

1. Перезагрузите Mac и во время включения зажмите сочетание клавиш Command + R. Для настольных компьютеров необходимо подключить проводную клавиатуру.

2. После загрузки из раздела восстановления системы выберите пункт меню Утилиты – Утилита безопасной загрузки.

3. Нажмите Ввести пароль для macOS и пройдите аутентификацию при помощи учетной записи администратора.

4. В открывшемся меню рекомендуем сменить две настройки:

Для безопасной загрузки установить Средний уровень безопасности. Так при сбое macOS на Mac можно будет запустить любую версию операционной системы Apple без подключения к сети. В противном случае ноутбук должен будет выкачать установочный образ последней актуальной системы для компьютера с сайта Apple.

Ниже следует разрешить загрузку с внешних накопителей.

Лишь при включении этих параметров можно будет переустановить macOS с загрузочной флешки, запуститься с другого диска или загрузиться через клонированный на диске раздел.

В случае неработоспособности macOS, повреждения загрузочной области или выхода из строя накопителя Mac без измененных параметров переустановить систему будет крайне проблематично.

Источник