With the iMac Pro, Apple didn’t just increase the average sales price of its iMac line of computers but also added some new security features exclusive to this model. These new features, all listed under Startup Security Utility, could also hint at Apple’s future plans for macOS.
Startup Security Utility serves a well-defined scope: it makes sure that the high priced – starting at $5,000 – all-in-one computer always boots from the built-in startup disk and from a legitimate operating system. As you have already guessed, it’s a utility that protects the iMac Pro from people who manage to get physical access to it.
Customizing the Security Features
To customize this tool users need to start the iMac in macOS Recovery by holding down the Command + R buttons on startup. macOS Recovery is a separate boot partition and allows users to perform various actions to fix any problems on the main partition.
Once the iMac Pro boots into macOS Recovery, select Utilities and then Startup Security Utility to get access to the two new features: Secure Boot and External Boot. The third option, Firmware Password Utility, is available on other Macs as well and prevents unauthorized users from starting the computer from volumes other than the startup disk.
Secure Boot and Its Options
This option locks the iMac Pro so that only a legitimate, trusted macOS or Microsoft Windows operating system loads on the computer at startup. It includes three levels of security: Full Security, Medium Security, and No Security. This range of security was previously only available on iOS, so it’s new to the Mac.
Full Security is enabled by default and with it the Mac verifies the integrity of the operating system; if it fails to pass verification then the Mac connects to Apple’s servers (an internet connection is required) and downloads the updated integrity information, which it needs to properly verify the OS. This could easily signal Apple’s possible future plan to lock down Macs and control which versions of macOS and which apps will run on the computer.
Just as its name suggests, Medium Security isn’t quite as strict. It verifies the OS signature during startup but requires neither an internet connection nor the updated integrity information from Apple, so it doesn’t check whether the OS was modified or not. The third option, No Security, allows the installation of other operating systems.
A handy feature to lock the Mac to its own startup disk, called External Boot, can be used to prevent the computer from starting up from an external hard drive, thumb drive, or any other external media. While this could cause problems when troubleshooting, fortunately, External Boot restrictions can be disabled.
To customize the External Boot security, users are required to provide authentication, enter the macOS password, and then select the administrator account that they would like to use and enter that account’s password.
The Brain Behind the Brain: T2 Chip
The two new security features bundled into Startup Security Utility are possible because of the new T2 chip that ships with the iMac Pro. The T2 chip has the ability to run the subsystems of the iMac from Apple’s custom-built silicon. It is responsible for controlling the iMac Pro’s speakers, internal microphones, dual cooling fans, and SSD. Since the disk controller is built into the T2 chip, it gives the silicon complete control over the startup disk and if FileVault is turned on then the data is encrypted on the fly by the chip.
At startup the T2 chip validates the boot process, looks for signatures from Apple or Microsoft and, if everything looks fine, it allows the computer to move on to the next phase of the boot process. The rigor of these checks is controlled by the user through the options available in Startup Security Utility.
Best Mac Optimization Software of 2018