The MacBook Pro’s T2 chip boosts enterprise security

The new T2 chip in Apple's MacBook Pro provides a secure boot, even for Windows installations on a Mac.

Apple, Ma, MacBook Pro, MacBook Pro 2018, OS X, macOS, security, secure boot, T2 chip
Dan Masaoka/IDG

You may have missed an all-new enterprise-focused feature woven inside of Apple’s all-new MacBook Pro – its new T2 chip, which fundamentally enhances the security of these computers.

What is the T2 chip?

The successor to the T1, Apple’s T2 chip enables secure boot and encrypted storage on the machine. It first appeared on the iMac Pro.

What does the T2 chip do?

The most widely reported task handled by the T2 chip is the provision of “Hey, Siri” support for the first time on a Mac.

That’s not all the chip does, of course. It also controls Touch ID (using a secure enclave) and the Touch Bar, and it integrates numerous tasks that once required multiple controllers, such as the system management controller (SMC), image signal processor, ambient light sensor, and audio and solid-state drive (SSD) controllers.

What should be of most interest to enterprise users is that chip's built-in support for on-the-fly encryption and secure boot.

What encryption features does the T2 provide?

Encryption matters. The T2 chip carries a built-in hardware encryption engine that encrypts all the data stored on the SSD, using security keys that are unique to each Mac.

That means all the data stored on the Mac can be read only by the Mac itself, while Apple’s existing FileVault protection means you can ensure that in order to access any of the data on your Mac, you must also use your own personal key, known only by you.

Data on the SSD is encrypted with 256-bit AES protection.

Why you should always use back-up

In a nutshell, this means the SSD inside the Mac will be unreadable unless accessed by that Mac, even if removed from the Mac.

What’s good about this approach is that all your enterprise data is that much safer, though what’s bad is that unless you maintain a solid and secure back-up policy, you could potentially lose access to all your data.

You should always back up your data if using one of these systems.

What is secure boot?

The T2 chip also provides what Apple calls a “hardware root of trust.”

This acts as a secure starting point when booting up a Mac, with each subsequent step within the start-up process cryptographically signed by Apple to ensure system integrity.

When you first launch your Mac, the process is handled by the T2 chip, which verifies and controls each step in the startup process.

That means all the system components (firmware, kernel and kernel extensions, for example) that make a Mac work are activated during start-up; they are verified as being secure. This helps protect Macs against low-level attacks, and it means that only trusted software is launched at startup.

One more thing about secure boot

I was surprised to find that secure boot will also verify the integrity of Boot Camp Windows volumes on a Mac.

How do you control secure boot?

Mac users can control the secure boot process provided by the T2 chip using the Startup Security Utility that is accessed in macOS Recovery.

Access this by pressing Command-R during startup.

The utility lets you configure Secure Boot to full, medium or no security. Full security (which requires a network connection when installing software) means your Mac will run only the latest and most secure OS; medium software is a little gentler and only requires “verifiable” software to boot (you’ll use medium if your enterprise security policy demands you use older macOS versions).

The advantage of this approach is that it provides enterprises with more control over what software is installed on employee machines,

The utility also lets you turn on a firmware password that prevents the computer from starting up from a different hard disk without that password. You can also allow or disallow boot from external devices, including USB and Thunderbolt drives.

What about Touch ID?

Touch ID is, of course, supported on these Macs. This may not be a feature approved for use across every enterprise, but it does provide an additional biometric layer of protection for valuable enterprise data.

Why enterprises must look to Mac MDM

Dig around, and you’ll find the new Macs don’t support Netboot/Net Install. This may annoy some system administrators who may have used this to manage large groups of Macs. In response, Apple will likely point to its Apple Device Enrolment and Deployment programs and its many relationships with big-name Mobile Device Management (MDM) solutions such as JAMF.

Apple now provides the tools you need to automate set-up and install of new Macs on an ad hoc basis without use of custom images and with very little intervention from system admins, who can manage individual Mac device enrollments remotely.

Where can I find out more about the T2 chip?

Apple has published some information about the T2 chip and also provides a good explanation of Secure Boot.

How Apple's approach helps

Apple’s decision to add another obstacle to the installation of low-level system software hacks and boot-loading malware illustrates how closely the company monitors cybersecurity and attempts to protect its platforms. Apple has responded here to the trend toward creating firmware or zero-day attacks.

This should be of particular interest to enterprise users, who may now want to add T2 chip-toting Macs to their list of highly secure systems.

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic's Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?

Got a story? Please drop me a line via Twitter and let me know. I'd like it if you chose to follow me on Twitter so I can let you know about new articles I publish and reports I find.

Enterprise mobility 2018: UEM is the next step
  
Shop Tech Products at Amazon