Called it. Apple’s new MacBook Pro line now features the T2 chip, a new level of security for the machine. One of the last big gaps in macOS security is physical access – got the machine in your hands? Then you can still mess with it.
The T2 chip changes all that. Introduced with the iMac Pro in 2017, the T2 enforces the firmware password itself, so you can’t reset it just because you have physical possession of the machine. It won’t boot an OS unless it verifies that the OS is properly signed, and you can restrict booting from external media entirely. Finally, every byte that goes to the internal SSD MUST pass through the T2 chip, which encrypts it with always-on hardware encryption.
“But Sean, what happens if the T2 chip fails? Wouldn’t that kill every bit of data on my computer?” Eyup. The encryption keys live in the T2, so if the chip (or the logic board it sits on) dies, your data dies with it. Be sure you back up.
“But Sean, how do I fix the T2 chip if it goes bad?” Well, I’m assuming you’re an IT professional if your answer isn’t “go to the Apple Store.” Time to investigate a little program called Apple Configurator 2, which can restore the T2’s firmware over USB from a second Mac…
“But Sean, all this sounds terrible and possibly dangerous! I don’t want this in a computer…” The security far, far outweighs the danger in this case. And, hate to break it to you, you’re stuck with it. Apple is putting it in every new MacBook Pro (and plan on it showing up in the MacBook, the iMac, the MacBook Air… and the Mac mini, if they ever get around to it, grumble, grumble…)
You can read a little tiny bit more about the T2 security in the Apple macOS Security Overview. It’s dry, dull, and like awful-tasting medicine, completely necessary. Read it, love it, embrace it.
Now, if you’re a company with a fleet of computers, this is both a benefit and a bit of a problem to solve… Obviously, security is key. If you think the bad guys aren’t after you, you’re deluding yourself. Of course they’re after you. They’re after everyone. This is one more tool for protecting those machines, but you’re going to need a plan for how to deploy it, protect it, and maintain it over time.
First, if you’re rolling out a new machine to someone, that old school “flash it and hand it” method of disk imaging is done – with the T2, Apple is clear that the OS has to come from a signed installer, not a cloned disk image. Kinda the InfoSec version of “Trust nobody over 30.” Get on the Device Enrollment Program and learn the wonders of the trusted, bootable OS install… https://support.apple.com/en-us/HT208020
Second, you’re going to want to turn on that firmware password and FileVault. Gonna keep all those passwords and recovery keys in an Excel spreadsheet, buddy? Maybe in Notepad? On a post-it in your desk? Don’t think so, pheasants. This is a league game! If you’re not going to keep the keys secure, welp. Let me know how that works out for you when you’re job hunting. Plan on a proper inventory management and tracking system. (Hint: jamf.com)
Third, tell your legal team they have a fleet of laptops that could be subject to a legal hold, with no way to decrypt them unless the employee hands over a password you don’t control… Ever see a lawyer go from almost fainting to murderous rage within 3 seconds? Stop reading right now and try; we’ll wait for you.
Did you try it? And survive? Then you’d better have a policy to escrow a copy of those FileVault recovery keys. (Hint: jamf.com)
You needed a plan yesterday for physical security, password security, legal hold unlocks, and, while you’re at it, making sure the machine isn’t pwned while the user is actually using it; let’s keep that software up to date. It’s time for a management system. I happen to know a guy who can help with your Macs… (*cough cough jamf.com cough*)
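To make the protections listed above and the three-step plan concrete, here is an added example (mine, not from this post, Apple, or Jamf): a shell audit you can run on one Mac that checks for the T2, FileVault, the firmware password, and the secure boot level using Apple’s own CLIs (`system_profiler`, `fdesetup`, `firmwarepasswd`, `nvram`). The parse functions take raw tool output so they can be exercised anywhere; only `audit_live` runs the real commands, and only on macOS. Assumptions: the output formats are the ones seen on Intel T2 Macs of the 10.13–10.15 era, the `AppleSecureBootPolicy` NVRAM variable is undocumented (it is what community inventory scripts read), and the sample outputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the post): audit the T2-era controls the post calls
# for on one Mac and produce a pass/fail verdict.
#
# parse_* functions take raw tool output as $1 so they run on any POSIX sh;
# audit_live runs the real commands and is only meaningful on macOS.
# Assumption: output formats are those observed on Intel T2 Macs; the
# system_profiler layout has shifted between releases, so the T2 check looks
# only for the chip's name rather than a specific field.

# Constructed sample outputs (not captured from a real machine), used for tests.
SAMPLE_T2='Controller:

    Controller Information:

      Controller: Apple T2 Security Chip
      Boot UUID: 00000000-0000-0000-0000-000000000000'
SAMPLE_NO_T2=''
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_FWPW_SET='Password Enabled: Yes'
SAMPLE_FWPW_UNSET='Password Enabled: No'
# nvram prints "<guid>:AppleSecureBootPolicy<TAB>%02". Undocumented variable
# (assumption): %02 = Full Security, %01 = Medium, %00 = No Security, matching
# the choices in Startup Security Utility.
SAMPLE_SB_FULL='94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy %02'
SAMPLE_SB_MEDIUM='94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy %01'

# system_profiler SPiBridgeDataType names the chip when one is present.
parse_t2_present() {
  case "$1" in
    *"T2 Security Chip"*) echo yes ;;
    *) echo no ;;
  esac
}

# fdesetup status: "FileVault is On." or "FileVault is Off." (plus progress
# lines while encryption or decryption is still in flight).
parse_filevault() {
  case "$1" in
    *"FileVault is On"*) echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# firmwarepasswd -check (needs root): "Password Enabled: Yes" / "No".
parse_firmware_password() {
  case "$1" in
    *"Password Enabled: Yes"*) echo set ;;
    *"Password Enabled: No"*) echo unset ;;
    *) echo unknown ;;
  esac
}

# Secure boot policy from NVRAM; empty output means no T2 or no such variable.
parse_secure_boot() {
  case "$1" in
    *%02*) echo full ;;
    *%01*) echo medium ;;
    *%00*) echo none ;;
    *) echo unknown ;;
  esac
}

# evaluate T2 FILEVAULT FWPW SECUREBOOT: prints one line per finding and
# returns 0 only when every control is in the state the post asks for.
evaluate() {
  rc=0
  [ "$1" = yes ]  || { echo "FAIL: no T2 chip, storage is not hardware-encrypted"; rc=1; }
  [ "$2" = on ]   || { echo "FAIL: FileVault is $2"; rc=1; }
  [ "$3" = set ]  || { echo "FAIL: firmware password is $3"; rc=1; }
  [ "$4" = full ] || { echo "FAIL: secure boot policy is $4 (want full)"; rc=1; }
  [ $rc -eq 0 ] && echo "PASS: T2 present, FileVault on, firmware password set, secure boot full"
  return $rc
}

# Live collection with the real tools; run as root so firmwarepasswd can answer.
audit_live() {
  if [ "$(uname -s)" != Darwin ]; then
    echo "audit_live: not macOS, nothing to collect" >&2
    return 2
  fi
  t2=$(parse_t2_present "$(system_profiler SPiBridgeDataType 2>/dev/null)")
  fv=$(parse_filevault "$(fdesetup status 2>/dev/null)")
  fw=$(parse_firmware_password "$(firmwarepasswd -check 2>/dev/null)")
  sb=$(parse_secure_boot "$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>/dev/null)")
  evaluate "$t2" "$fv" "$fw" "$sb"
}

# When executed directly on a Mac, run the audit; elsewhere just define the functions.
if [ "$(uname -s)" = Darwin ]; then
  audit_live
fi
```

Run it as root on the Mac in question (`sudo sh t2audit.sh`); a non-zero exit means at least one of the controls is missing. This only audits. The escrow piece from the third step is a separate action: `fdesetup changerecovery -personal` (it prompts for an authorized user’s credentials) generates a fresh personal recovery key and prints it once, and something has to capture that key and store it centrally before it scrolls off the screen. That capture-and-store step is exactly what an MDM does for you, which is the point of the jamf.com hints.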
“But, we don’t have Macs in our business, Sean, haw haw, joke is on you!” Apple has been leading the way in computer design and architecture for 10 years at least now. Think this isn’t going to affect your Windows fleet? Your random Ubuntu boxes? Secure computing is coming, folks. Start planning for winter.