According to Apple’s support page, ‘The Apple T2 Security Chip brings a new level of integration and security to Mac’. That is all well and good for security if you carry around sensitive client data, as it adds a new layer of protection to Touch ID data and other drive-related encryption, but it has also added a whole new level of confusion for end users who are unsure which security level to enable on their new machine and what each of them means. (The link can be found here.)
The reason for this post is, first, to give some clarity for the average user on what the different levels of security mean, and second, to provide some basis for the repair work carried out by TheBookYard and the recycle/trade-in service offered by Mac2Cash, as both services are affected by this chip to a certain extent. But as they say, knowledge is power, and giving you the details of each feature so you can decide how secure you’d like your machine to be is the best result all around.
Two of these features affect repairability from an engineering perspective: ‘encrypted storage’ and ‘secure boot’.
Up until now there were two different levels of protection. The first protects user data on the boot drive to as high a level as possible and is called FileVault. It not only encrypts the data so that a password is required to unlock it, but if you lose that password it cannot be reset without going directly to Apple with a receipt and proof of ownership. In exchange, all your data is encrypted and protected. That’s a good thing, right?
So in theory, in a normal setup someone with the means could get at the data on an unencrypted drive, but this is not possible with FileVault enabled.
(Please note, the FileVault password is different from the admin password for the machine. It is typically set to match the first admin user account when the machine is first set up, but if you later change your password or create a new admin account, the change is not carried over and the FileVault password stays as it was. This is the most common cause of lost passwords among the customers we’ve dealt with.)
The other protects the machine from external access and is known as ‘EFI firmware’ level security. When enabled, this prevents the machine from booting to the disk selection screen (and other EFI screens), which is what is used to boot from an external hard drive. Booting externally is how we carry out our repairs so that no customer data is accessed, but it is also what lets you boot to the recovery partition to run disk repairs, or to install a clean operating system if needed.
But unless FileVault is enabled, the internal customer drive will mount on the desktop while booted externally (although the admin password is still required to access the data if one has been set; it is simply more secure to have FileVault enabled). With an EFI password enabled you also can’t carry out any major resets (such as SMC or PRAM resets, used in a lot of diagnostic situations), or create drive backups using certain applications.
Effects on Repairs
So from a repair perspective, a machine cannot be repaired (or recycled through Mac2Cash) with an EFI password enabled, as a repairer would be unable to complete a full hardware test on the machine before and after the work, which prevents any real diagnostics.
We have always been very good at diagnostics because of the lengths we go to to ensure stability after a repair. Most repairers will offer low-cost or free diagnostics (but will then charge a high fitting fee, or a charge if you decide not to repair), but their diagnostics are done by probability, because they won’t order or fit parts until they have been paid for. Some repairers do it better than others, but that is mostly down to experience in identifying probable faults from symptoms. Deduction becomes easier with experience, but it is not a confirmed diagnosis until the parts have been ordered and fitted, so it is always a bit of a gamble. It’s not uncommon for more than one part to be faulty, either.
Because we are a parts specialist, we have all the parts required for most repairs in-house, so when completing a full diagnosis we don’t take a ‘best guess’ approach: we fit the required parts, then complete a full hardware test to confirm stability afterwards. This lets us be sure the fault has been fixed, which is why we offer a 3-month warranty on repair work and diagnostics.
(Intermittent faults or software issues invariably add time to repairs.)
With that being said, we are able to carry out a full hardware test with FileVault enabled (but not a full hard drive or SSD scan for a drive health check-up), whereas we cannot complete any hardware testing with an EFI password enabled. This goes for a Mac2Cash recycle as well. (A FileVaulted drive will not mount its partitions, but it can still be securely sanitised from an external drive: FileVault prevents the data from being accessed but does not completely immobilise the SSD or HDD.)
So if your repair doesn’t need a drive scan, and/or you have no concerns over the health of your drive, FileVault can be left enabled. But if you have a drive-related fault, it is best to disable FileVault before the machine comes in for repair. That way we can carry out a drive scan without needing to know your admin password, which gives you, the client, more security. If it comes in with FileVault enabled and it is decided afterwards that a drive scan is requested or required, the engineer would need the admin password for the machine.
With the new T2 chip, security has been taken to a new level. Most of the security features go way beyond what most users would even think to enable, but they are enabled as standard. We cannot carry out repairs, or recycle machines through Mac2Cash, with these features enabled: the machine cannot be booted from a test drive for a hardware test, and we also cannot securely erase the internal drive (in the case of a recycle). Because the T2 chip is on the main logic board, this renders the most valuable part of the machine completely unsellable, as according to the ADISA regulation we abide by (due to GDPR), ‘a drive that cannot be effectively sanitised must be physically destroyed.’ So don’t be surprised when the value of your machine drops dramatically once its condition changes from ‘Fully Working’ to ‘locked T2 chip’ because you cannot remember the password you set for it.
The machines that have the new T2 chip in them as of the writing of this post (May 2019) are as follows:
iMac Pro (2017 and later)
Mac mini (2018 and later)
MacBook Air (2018 and later)
MacBook Pro (2018 and later)
Levels of Security
The new T2 chip still allows a firmware password and FileVault to be enabled separately, but it has added a new level of security known as ‘Secure Boot’. (Encrypted storage is the new name for FileVault.)
Secure Boot has 3 levels of security, but from what we can ascertain it covers Apple more than the consumer, as it basically authenticates any boot source as genuine software before booting. This is a good thing if you worry about running a hacked or pirated version of an operating system, but the risk is very minimal if the OS was installed from Apple’s system in the first place and the user doesn’t alter their OS in any way. The major risk is that if it detects an alteration for some reason, this feature would render the machine unbootable, as it completes the check at the start of each startup.
As described by Apple, the setups are as follows:
1 – Full Security
Ensures that only your current OS, or signed operating system software currently trusted by Apple, can run. This mode requires a network connection at software installation time.
2 – Medium Security
Allows any version of signed operating system software ever trusted by Apple to run.
3 – No Security
Does not enforce any requirements on the bootable OS.
External Boot Enabler
The other feature that has been added is known as ‘External Boot’.
This simply allows or disallows the ‘disk selection’ and external booting options noted above. For repair work carried out by TheBookYard, we need external booting allowed (the restriction disabled) so we can boot to an external test drive to complete diagnostics.
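As an added example (not code from TheBookYard or Apple), here is a small POSIX shell script a client could run before handing a Mac in. It covers the FileVault and firmware-password checks from the repair section above and the T2 point from this section. It relies on three real macOS tools: fdesetup status, firmwarepasswd -check (needs root) and system_profiler SPiBridgeDataType; the function names and verdict wording are mine, and the sample strings in the comments are constructed from what those tools normally print. Secure Boot itself has no terminal switch: it is changed in the Startup Security Utility from Recovery, so the script can only remind you to do that.

```shell
#!/bin/sh
# Added example, not TheBookYard's code: a pre-repair readiness check for a Mac.
# The classifier functions take tool output as a string so they can be exercised
# with constructed sample text on any POSIX shell; the live section at the
# bottom only runs where the macOS tools actually exist.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
filevault_is_off() {
    case "$1" in
        *"FileVault is Off"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `sudo firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No".
firmware_password_is_off() {
    case "$1" in
        *"Password Enabled: No"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `system_profiler SPiBridgeDataType` includes "Model Name: Apple T2 Security Chip"
# on T2 machines and nothing useful on older ones.
has_t2() {
    case "$1" in
        *"Apple T2 Security Chip"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the three outputs into one verdict line, following the post's rules:
# a firmware password blocks all testing; FileVault still allows a hardware test
# but a drive scan would need the admin password; a T2 machine additionally needs
# Secure Boot at No Security and external booting allowed.
repair_readiness() {
    fv_out="$1"; fw_out="$2"; sp_out="$3"
    if ! firmware_password_is_off "$fw_out"; then
        verdict="blocked: firmware (EFI) password enabled"
    elif ! filevault_is_off "$fv_out"; then
        verdict="partial: FileVault on (hardware test ok, drive scan needs admin password)"
    else
        verdict="ready: no firmware password, FileVault off"
    fi
    if has_t2 "$sp_out"; then
        verdict="$verdict; T2 present: set Secure Boot to No Security and allow external boot"
    fi
    printf '%s\n' "$verdict"
}

# Live run on a Mac; skipped automatically on systems without these tools.
if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
    fv_live=$(fdesetup status)
    fw_live=$(sudo firmwarepasswd -check)
    sp_live=$(system_profiler SPiBridgeDataType 2>/dev/null)
    repair_readiness "$fv_live" "$fw_live" "$sp_live"
fi
```

Run it with sh on the machine you are sending in; the single output line tells you which of the three settings still needs changing before the engineer can boot a test drive.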
In brief, when Apple references ‘security’ here, it doesn’t add any encryption or protection to your machine or personal data. It just ensures that your Mac is always started up from a legitimate, trusted Mac or Windows operating system. This effectively makes OSX machines run a lot like iOS devices, because customer data and its accessibility is controlled by the logic board instead of the end user. But because it authenticates the ‘legitimacy’ of the software on each boot, it doesn’t just fail when software fails verification; it would also fail if it cannot connect to the server to authenticate it, so there is a risk of your machine becoming a non-starter if your boot OS fails to validate and a connection cannot be made during startup. (From what we gather, it doesn’t need a network connection at every boot: it completes an authentication check internally on each boot, and only if that doesn’t pass does it require network access to fix it, or a reinstall of the OS.)
This security setup has been known to directly prevent data migration from one machine to another, as well as causing a number of other issues, such as interfering with Thunderbolt accessories. But in essence, this chip is added to give Apple more control over what software is put on the machine.
See this link for a description of what checks are carried out during a verification of the OS.
In short, there are now multiple security options you can enable, but hopefully you are now better informed about what they do so you can decide whether it’s worth enabling them.
The last thing you want to do is enable high levels of security and then, in the event of a software or hardware failure, risk losing all your personal data, as would happen on an iOS device.
But as always, diligently backing up your data is the best way of eliminating that risk as well.