The MacBook Pro’s T2 chip boosts enterprise security

Credit to Author: Jonny Evans | Date: Mon, 23 Jul 2018 06:51:00 -0700

You may have missed an enterprise-focused feature woven into Apple’s new MacBook Pro: its T2 chip, which fundamentally enhances the security of these computers.

The successor to the T1, Apple’s T2 chip enables secure boot and encrypted storage on the machine. It first appeared in the iMac Pro.

The most widely-reported task handled by the T2 chip is the provision of “Hey Siri” support for the first time on a Mac.

That’s not all the chip does, of course: it controls Touch ID (using its Secure Enclave) and the Touch Bar, and it integrates numerous tasks that once required multiple separate controllers, such as the system management controller (SMC), the image signal processor, the ambient light sensor, and the audio and SSD (solid-state drive) controllers.

What should be of most interest to enterprise users is the chip’s built-in support for on-the-fly encryption and secure boot.

Encryption matters. The T2 chip carries a built-in hardware encryption engine that encrypts all the data stored on the SSD using security keys that are unique to each Mac.

That means the data stored on the Mac can only be read by that Mac itself, while turning on Apple’s existing FileVault protection adds a second requirement: a password known only to you must also be supplied before any of the data on your Mac can be accessed.

Data on the SSD is encrypted with 256-bit AES protection.

In a nutshell, this means that the SSD inside the Mac will be unreadable unless accessed by that Mac, even if removed from the Mac.

What’s good about this approach is that all your enterprise data is that much safer. What’s bad is that the encryption keys never leave the chip, so unless you maintain a solid and secure backup policy, a failed logic board could mean losing access to all your data.

You should always back up your data if using one of these systems.

The T2 chip also provides what Apple calls a “hardware root of trust”.

This acts as a secure starting point when booting up a Mac, with each subsequent step within the start-up process cryptographically signed by Apple to ensure system integrity.

When you first launch your Mac the process is handled by the T2 chip, which verifies and controls each step in the startup process.

What this means is that as the system components that make a Mac work (firmware, kernel and kernel extensions, for example) are loaded during start-up, each is checked against Apple’s signature before it runs. This helps protect Macs against low-level attacks, and means that only trusted software is launched at startup.

I was surprised to find that secure boot will also verify the integrity of Boot Camp Windows volumes on a Mac.

Mac users can control the secure boot process provided by the T2 chip using the Startup Security Utility that is accessed in macOS Recovery.

Access this by pressing Command-R during startup.

The utility lets you configure Secure Boot to full, medium or no security. Full security (which requires a network connection when installing software, so that the installer can be verified with Apple) means your Mac will only run the latest version of macOS that Apple currently trusts; medium security is a little gentler and only requires that the software be verifiable, meaning signed by Apple, so older macOS versions will still boot (you’ll use medium if your enterprise security policy demands an older macOS release).

The advantage of this approach is that it gives enterprises more control over what software is installed and booted on employee machines.

The utility also lets you turn on a firmware password, which prevents the computer from starting up from a different startup disk unless that password is entered. You can also allow or disallow booting from external devices, including USB and Thunderbolt drives.
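The Secure Boot level, external-boot setting and firmware password are chosen in the Startup Security Utility, but an administrator still needs a way to confirm that the fleet is actually configured that way. The script below is an added example, not from the article or from Apple: a compliance check of the kind an MDM agent would run on each Mac. It parses the output of three real Apple command-line tools (`system_profiler SPiBridgeDataType`, `fdesetup status` and `firmwarepasswd -check`); the parsers take the command output as an argument so they can be exercised on constructed sample text on any machine. The exact strings matched (“Apple T2 Security Chip”, “FileVault is On.”, “Password Enabled: Yes”) are assumptions about those tools’ output, and the Secure Boot level itself is not read here because it has no supported command-line query on T2 Macs.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): a fleet compliance check
# for T2 Macs. Each parser takes the text of one command's output, so the logic
# runs on constructed sample output anywhere; live collection happens only on
# macOS as root.

# Parse `system_profiler SPiBridgeDataType`. Assumption: a T2 Mac reports the
# string "Apple T2 Security Chip" in that section.
t2_present() {
  if printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'; then
    echo yes
  else
    echo no
  fi
}

# Parse `fdesetup status`. Assumption: its first line is "FileVault is On."
# or "FileVault is Off."
filevault_on() {
  if printf '%s\n' "$1" | grep -q '^FileVault is On\.'; then
    echo yes
  else
    echo no
  fi
}

# Parse `firmwarepasswd -check`. Assumption: it prints "Password Enabled: Yes"
# or "Password Enabled: No".
firmware_password_set() {
  if printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'; then
    echo yes
  else
    echo no
  fi
}

# Report each control; return 0 only when all three hold. The Secure Boot level
# is set in the Startup Security Utility and is not queried here.
assess() {
  t2=$(t2_present "$1")
  fv=$(filevault_on "$2")
  fw=$(firmware_password_set "$3")
  printf 'T2 chip present:       %s\n' "$t2"
  printf 'FileVault enabled:     %s\n' "$fv"
  printf 'Firmware password set: %s\n' "$fw"
  [ "$t2" = yes ] && [ "$fv" = yes ] && [ "$fw" = yes ]
}

# Constructed sample output (not captured from a real Mac).
SAMPLE_BRIDGE='Controller Information:

      Controller: Apple T2 Security Chip
      Boot UUID: 00000000-0000-0000-0000-000000000000'
SAMPLE_FDE_ON='FileVault is On.'
SAMPLE_FDE_OFF='FileVault is Off.'
SAMPLE_FW_YES='Password Enabled: Yes'
SAMPLE_FW_NO='Password Enabled: No'

if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
  # Live check: firmwarepasswd needs root; system_profiler and fdesetup do not.
  if assess "$(system_profiler SPiBridgeDataType)" "$(fdesetup status)" "$(firmwarepasswd -check)"; then
    echo "Result: compliant"
  else
    echo "Result: NOT compliant"
  fi
else
  # Off-device demonstration with a deliberately failing sample: FileVault is
  # on and a T2 is present, but no firmware password has been set.
  if assess "$SAMPLE_BRIDGE" "$SAMPLE_FDE_ON" "$SAMPLE_FW_NO"; then
    echo "Result: compliant"
  else
    echo "Result: NOT compliant"
  fi
fi
```

Run it as root on a T2 Mac (`sudo sh t2check.sh`) to get a live verdict; anywhere else it evaluates the embedded sample and reports “NOT compliant” because the sample lacks a firmware password. Keeping parsing separate from collection is what makes the check testable before it is pushed to hundreds of machines.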

Touch ID is of course supported on these Macs. This may not be a feature approved for use across every enterprise, but does provide an additional biometric layer of protection for valuable enterprise data.

Dig around and you’ll find the new Macs don’t support NetBoot/NetInstall. This may annoy some system administrators who have used it to manage large groups of Macs. In response, Apple will likely point to its Device Enrollment and Deployment programmes and its many relationships with big-name MDM (Mobile Device Management) vendors such as Jamf.

Apple now provides the tools you need to automate set-up and install of new Macs on an ad hoc basis without use of custom images and with very little intervention from system admins, who can manage individual Mac device enrolments remotely.

Apple has published some information about the T2 chip and also provides a good explanation of Secure Boot.

Apple’s decision to add another obstacle to the installation of low-level system software hacks and boot-loading malware illustrates how closely the company monitors cybersecurity and attempts to protect its platforms. Apple is responding here to the trend toward firmware-level attacks that persist beneath the operating system.

This should be of particular interest to enterprise users, who may now want to add T2 chip-toting Macs to their list of highly secure systems.


http://www.computerworld.com/category/security/index.rss