Help

Remotely Managing Startup Security Utility - Apple Silicon

Go to solution
EDmsm
New Contributor II

Posted on ‎06-06-2024 02:20 AM

Anyone sussed out a way to remotely manage the startup security utility settings on Apple Silicon Macs? We use a lot of music production software that requires the "Reduced Security" option to be enabled and I haven't seen a way to deploy these settings either in PreStage or as part of enrollment. Is manually changing these on each device the only option here? Currently all devices on Ventura but moving to Sonoma over the summer. 

 

Appreciate any help. 

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
AJPinto
Honored Contributor III

Posted on ‎06-06-2024 06:23 AM

Things that control the boot state (secure boot), and system security (SIP) cannot be modified remotely by apples design. From apples perspective, if you can enable it remotely then you can find an exploit to disable it remotely, so just don't offer any remote management over it and solve both problems.

View solution in original post

Reply
6 REPLIES 6

Go to solution
sdagley
Esteemed Contributor II

‎06-06-2024 05:00 AM - edited ‎06-06-2024 05:00 AM

@EDmsm Manual is it. Apple does not want to make changing those settings easy.

Reply

Go to solution
talkingmoose
Moderator
Moderator

Posted on ‎06-06-2024 06:23 AM

@sdagley is correct. Apple doesn’t want this to be something customers can automate because then it becomes something a bad actor could automate.

I’m curious why music software would require reduced security on a computer. Has the developer provided a valid reason? If not, you should investigate.

Reply

Go to solution
AJPinto
Honored Contributor III
In response to talkingmoose

Posted on ‎06-07-2024 05:16 AM

I know some Applications require SIP to be disabled for KEXTs (still amazes me that people are still using KEXTs), but I have never seen anything that wanted a lower boot security. It does seem very strange.

0 Kudos
Reply

Go to solution
EDmsm
New Contributor II
In response to AJPinto

Posted on ‎06-07-2024 05:22 AM

Thanks both for your replies. 

An example of a software that requires it is the UAD drivers for "Satellite" boxes. 

https://help.uaudio.com/hc/en-us/articles/360057137692-Apple-Silicon-Compatibility-with-Universal-Au...

There isn't a justification for it on that page, but I know it doesn't work without the reduced security options enabled in SSU. We also use Panopto for Mac, and to record the computer audio, which also requires lower boot settings and for the System Extensions to be approved. 

0 Kudos
Reply

Go to solution
talkingmoose
Moderator
Moderator
In response to EDmsm

Posted on ‎06-07-2024 06:09 AM

I watched the video and it mentions you have to reduce security to anllow installing software “from an unidentified developer”. That tells me this developer isn’t signing their code. It could be more than that, but this is a very uncommon practice these days.

I’d push back on them (especially if you pay them for hardware and software) and demand they write their code and sign their software so that lowering security isn’t required. This is a really outlandish practice in today’s Apple world where more and more bad actors are targeting Macs.

You’re assuming a big risk here where you could lose data, have it stolen, have it held for ransom, or something else, if your computers ever receive malware.

0 Kudos
Reply

Go to solution
AJPinto
Honored Contributor III

Posted on ‎06-06-2024 06:23 AM

Things that control the boot state (secure boot), and system security (SIP) cannot be modified remotely by apples design. From apples perspective, if you can enable it remotely then you can find an exploit to disable it remotely, so just don't offer any remote management over it and solve both problems.

Reply