We really need a way to manage these settings!!!

I opened a ticket, for config profile control of "SIP" before it was released to the public ... Apple eng said I was nuts and current they are saying use a firmware password.

C

Hi @donmontalvo ,
We currently have the ability to report on System Integrity Protection:
Enabled under the Security section of an inventory record. As to Secure Boot, that would be a feature request. Please file that if you so desire.

Given it's a whole new hardware subsystem that might have it's own storage who knows...
But given SIP status is stored in NVRAM (csr-active-config), it might be worth looking at nvram -p to see if there are any security settings included now.
If the behaviour was the same as SIP they would only show if they had been changed from the default setting.

Try this if you're still looking: Secure Boot EA