Remotely Managing Startup Security Utility - Apple Silicon

EDmsm
New Contributor II

Anyone sussed out a way to remotely manage the startup security utility settings on Apple Silicon Macs? We use a lot of music production software that requires the "Reduced Security" option to be enabled and I haven't seen a way to deploy these settings either in PreStage or as part of enrollment. Is manually changing these on each device the only option here? Currently all devices on Ventura but moving to Sonoma over the summer. 

 

Appreciate any help. 

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

Things that control the boot state (secure boot), and system security (SIP) cannot be modified remotely by Apple's design. From Apple's perspective, if you can enable it remotely then you can find an exploit to disable it remotely, so just don't offer any remote management over it and solve both problems.


sdagley
Esteemed Contributor II

@EDmsm Manual is it. Apple does not want to make changing those settings easy.

talkingmoose
Moderator

@sdagley is correct. Apple doesn’t want this to be something customers can automate because then it becomes something a bad actor could automate.

I’m curious why music software would require reduced security on a computer. Has the developer provided a valid reason? If not, you should investigate.

AJPinto
Honored Contributor II

I know some applications require SIP to be disabled for KEXTs (still amazes me that people are still using KEXTs), but I have never seen anything that wanted a lower boot security. It does seem very strange.

EDmsm
New Contributor II

Thanks both for your replies. 

An example of software that requires it is the UAD drivers for "Satellite" boxes.

https://help.uaudio.com/hc/en-us/articles/360057137692-Apple-Silicon-Compatibility-with-Universal-Au...

There isn't a justification for it on that page, but I know it doesn't work without the reduced security options enabled in SSU. We also use Panopto for Mac, and to record the computer audio, which also requires lower boot settings and for the System Extensions to be approved. 

I watched the video and it mentions you have to reduce security to allow installing software “from an unidentified developer”. That tells me this developer isn’t signing their code. It could be more than that, but this is a very uncommon practice these days.

I’d push back on them (especially if you pay them for hardware and software) and demand they write their code and sign their software so that lowering security isn’t required. This is a really outlandish practice in today’s Apple world where more and more bad actors are targeting Macs.

You’re assuming a big risk here where you could lose data, have it stolen, have it held for ransom, or something else, if your computers ever receive malware.
