What Apple's T2 security chip brings to the enterprise table

Apple’s T2 security processor offers a real measure of data protection, even as it requires changes in how Apple hardware is imaged, updated or copied. But on balance, the T2 presages good things from the company.


There's been a lot of discussion about Apple's T2 security chip, particularly the restrictions it places on repairs not sanctioned by Apple. The controversy centers on an Apple utility needed to complete repairs such as swapping out the built-in SSD. The larger argument is part of the right-to-repair fight over letting hardware owners make changes to their own devices.

It's an issue that also affects enterprises, since it's no longer a quick fix to change the drive in a company Mac or pull the drive from a dead Mac to retrieve its contents: the SSD's contents are encrypted with keys that never leave that Mac's T2, so the flash is unreadable on any other hardware.

It also affects system imaging. That's the process businesses and schools have long used to configure, deploy and refresh systems by copying a disk image that overwrites what's on a Mac with a new configuration; the goal is to ensure all Macs have a consistent configuration, from the macOS version to apps, network settings and other configuration states. The process can also be used to resolve stubborn computer issues by blasting a known, good deployment image onto a Mac rather than resorting to extensive troubleshooting. As various attendees at Jamf's user conference last month put it: imaging is dead (though in fairness, Apple has been nudging organizations toward other deployment mechanisms for years).

On top of those issues, the T2's secure boot technology also affects users who want to boot and run Linux on their Macs rather than macOS or Windows 10.

Most of the controversy has centered on what the T2 takes away. What's lost in the noise is what the T2 brings to the IT table and what it represents in terms of Apple's increasing ability to custom design its own silicon for its devices. In fact, the T2 is a leap forward that should be applauded and taken as a distinct indication that Apple is on the road to powering Macs more and more with its own chips, and ultimately only with its own chips.

Apple's growing role as a chip designer

As I noted two years ago when Apple announced the AirPods, the company is learning and growing as a chip designer. It is also leveraging this knowledge as a competitive advantage across its product line. A look at Apple's current line-up shows that it's relying on its own chips in iOS devices, the Apple Watch, and most of the latest Macs.

There has been consistent chatter that the company is planning to swap out the Intel processors in its Mac lineup. There is even an indication that Macs without Intel chips are already in the pipeline in the security white paper for the T2, where the boot process description refers to the "application (Intel) processor." This change in nomenclature could well mean that a non-Intel processor will be designated as the "application" processor in future iterations of the document (and the Mac lineup).

Although many have suggested that A-series processors are capable of running macOS, my own thought is that Apple will develop a Mac-specific processor if it does go down this road. That might give it the chance to ease app and OS migration to an Apple processor. Apple has, of course, had a hand in the design of processors used for Macs in the past. In the 1990s, the G3 chip, co-designed with IBM and Motorola, was targeted at running the classic Mac OS. Apple also has experience managing transitions between processor types, such as when it moved from Motorola's 680x0 processors to the PowerPC, and then, starting in 2005, switched from PowerPC processors to Intel.

If Apple does plan such a transition, the T2 or its successors may feature significantly into the plan. Apple could, for example, move some processing functions to co-processors (as it has moved security functions to the T2). This would allow for a generation of Macs that rely on a mix of Intel and Apple hardware before the company goes all-in on Apple chips.

What the T2 delivers

The most obvious function of the T2 is that it brings Touch ID to the Mac (and potentially Face ID in the future). This is a convenience, bringing a secure iOS hardware feature to the Mac. But the T2 actually does a lot more. It also enables a secure boot process that builds security into the most basic levels of Mac functioning. As with iOS devices, it contains a Secure Enclave coprocessor that holds sensitive keys, plus encryption hardware built right into the silicon. Encryption of the internal SSD runs through the T2's dedicated AES engine, and at startup the T2 verifies the firmware before the Intel processor runs it, anchoring a chain of signature checks that continues through the boot loader and the macOS kernel.

During secure boot, the T2 serves as "the hardware root of trust for secure boot," Apple says in its T2 white paper. "Secure boot ensures that the lowest levels of software aren't tampered with and that only trusted operating system software loads at startup."
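The chain-of-trust idea behind that quote, as an added example written for this article and not Apple's code: a root public key that the verifier treats as immutable (the role the T2's boot ROM plays) signs the first stage, and each stage's signed manifest binds its own image hash to the public key allowed to sign the next stage. The stage names, images and the manifest layout (sha256(image) followed by the next public key) are assumptions for illustration; Apple's actual formats are not described on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain. Manifest is sha256(Image) || NextKey and is
// signed by the previous stage's key (the root key for the first stage).
type Stage struct {
	Name     string
	Image    []byte
	NextKey  ed25519.PublicKey // key permitted to sign the following stage (nil for the last)
	Manifest []byte
	Sig      []byte
}

func manifest(image []byte, next ed25519.PublicKey) []byte {
	h := sha256.Sum256(image)
	return append(h[:], next...)
}

// buildChain signs stage i with the key whose public half was published in stage i-1.
func buildChain(rootPriv ed25519.PrivateKey, names []string, images [][]byte) ([]Stage, error) {
	chain := make([]Stage, len(names))
	signer := rootPriv
	for i := range names {
		var next ed25519.PublicKey
		var nextPriv ed25519.PrivateKey
		if i+1 < len(names) {
			pub, priv, err := ed25519.GenerateKey(rand.Reader)
			if err != nil {
				return nil, err
			}
			next, nextPriv = pub, priv
		}
		m := manifest(images[i], next)
		chain[i] = Stage{Name: names[i], Image: images[i], NextKey: next, Manifest: m, Sig: ed25519.Sign(signer, m)}
		signer = nextPriv
	}
	return chain, nil
}

// verifyChain walks the chain from the hard-wired root key and refuses to "run" any stage
// whose signature or image hash fails. An error names the stage that was rejected.
func verifyChain(rootPub ed25519.PublicKey, chain []Stage) error {
	key := rootPub
	for _, s := range chain {
		if len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("%s: previous stage published no verification key", s.Name)
		}
		if !ed25519.Verify(key, s.Manifest, s.Sig) {
			return fmt.Errorf("%s: manifest signature invalid", s.Name)
		}
		if !bytes.Equal(s.Manifest, manifest(s.Image, s.NextKey)) {
			return fmt.Errorf("%s: image hash does not match signed manifest", s.Name)
		}
		key = s.NextKey
	}
	return nil
}

// Demo builds a clean chain, then tries two tampering attempts: patching the kernel image
// on disk, and re-signing the boot loader with an attacker key advertised via the firmware
// manifest. Both must be rejected; only the untouched chain may boot.
func Demo() (cleanBoots, patchedKernelRejected, rekeyedLoaderRejected bool) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	names := []string{"UEFI firmware", "boot.efi", "kernel"} // constructed stage names
	images := [][]byte{[]byte("constructed firmware"), []byte("constructed boot loader"), []byte("constructed kernel")}
	chain, err := buildChain(rootPriv, names, images)
	if err != nil {
		panic(err)
	}
	cleanBoots = verifyChain(rootPub, chain) == nil

	patched := append([]Stage(nil), chain...)
	img := append([]byte(nil), patched[2].Image...)
	img[0] ^= 0x01 // flip one bit of the kernel image
	patched[2].Image = img
	patchedKernelRejected = verifyChain(rootPub, patched) != nil

	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rekeyed := append([]Stage(nil), chain...)
	rekeyed[0].NextKey = attackerPub
	rekeyed[0].Manifest = manifest(rekeyed[0].Image, attackerPub) // no longer matches the root signature
	rekeyed[1].Sig = ed25519.Sign(attackerPriv, rekeyed[1].Manifest)
	rekeyedLoaderRejected = verifyChain(rootPub, rekeyed) != nil
	return
}

func main() {
	c, p, r := Demo()
	fmt.Println("clean chain boots:", c, "| patched kernel rejected:", p, "| re-keyed loader rejected:", r)
}
```

The point of the second attack is why the root key must live somewhere the attacker cannot write: an attacker who can re-sign a later stage still has to alter the manifest of the stage before it, and that manifest is covered by a signature they cannot forge.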

For secure storage, according to Apple's documentation, the T2's encryption of the internal SSD is designed with these four goals:

  • Require a user's password for decryption.
  • Protect the system from a brute-force attack directly against storage media removed from Mac.
  • Provide a swift and secure method for wiping content via deletion of necessary cryptographic material.
  • Enable users to change their password (and in turn the cryptographic keys used to protect their files) without requiring re-encryption of the entire volume.

As such, the T2 also elegantly solves the problem of a quick and secure erase. Because every byte on the internal SSD is encrypted with a key that exists only inside the T2's Secure Enclave, deleting that key renders the contents of the drive irretrievable; the flash itself never holds anything that could be used to recover it. That option fits flash media far better than the multi-pass overwrite used with hard drives and other magnetic media, which an SSD controller's wear leveling can quietly redirect away from the cells it was meant to scrub.

This isn't just about making a Mac more secure; it draws a picture of security for today's storage technologies and positions Apple as a major player in enterprise security and data privacy. In many ways, it brings the Mac much closer to the security model iOS devices have had for years.
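The four goals above and the crypto-erase that follows from them, as one added example written for this article and not Apple's implementation: a toy Secure Enclave holds a per-device UID that never leaves the chip and a volume key wrapped under a key derived from the user's password and that UID. The password stretching (an iterated HMAC), the use of AES-GCM for key wrapping and AES-CTR per sector (the real engine uses AES-XTS), the round count, and all sample data are assumptions chosen to keep the example runnable offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const stretchRounds = 50000 // assumed cost; the T2 enforces its own in hardware

// SecureEnclave is a toy model (not Apple's code) of the enclave's role in storage
// encryption: the UID is fused into the silicon and never exported, and the volume key
// is only ever held in wrapped form.
type SecureEnclave struct {
	uid     []byte
	salt    []byte
	wrapped []byte // nonce || AES-GCM(volume key); nil after a wipe
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewSecureEnclave() *SecureEnclave { return &SecureEnclave{uid: randBytes(32), salt: randBytes(16)} }

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// kek derives the key-encryption key. Mixing in the UID means the derivation cannot be
// reproduced on another board, so a copied SSD cannot be brute-forced offline (goal 2).
func (s *SecureEnclave) kek(password string) []byte {
	cur := []byte(password)
	for i := 0; i < stretchRounds; i++ {
		cur = hmacSHA256(s.salt, cur)
	}
	return hmacSHA256(s.uid, cur)
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func (s *SecureEnclave) wrap(vk []byte, password string) {
	g := gcm(s.kek(password))
	nonce := randBytes(g.NonceSize())
	s.wrapped = append(nonce, g.Seal(nil, nonce, vk, nil)...)
}

// Provision creates a fresh volume key and wraps it under the initial password.
func (s *SecureEnclave) Provision(password string) { s.wrap(randBytes(32), password) }

// Unlock releases the volume key to the storage engine only for the right password (goal 1).
func (s *SecureEnclave) Unlock(password string) ([]byte, error) {
	if s.wrapped == nil {
		return nil, errors.New("no volume key: media was wiped")
	}
	g := gcm(s.kek(password))
	n := g.NonceSize()
	vk, err := g.Open(nil, s.wrapped[:n], s.wrapped[n:], nil)
	if err != nil {
		return nil, errors.New("wrong password")
	}
	return vk, nil
}

// ChangePassword re-wraps the same volume key; no sector is re-encrypted (goal 4).
func (s *SecureEnclave) ChangePassword(oldPw, newPw string) error {
	vk, err := s.Unlock(oldPw)
	if err != nil {
		return err
	}
	s.wrap(vk, newPw)
	return nil
}

// Wipe is the crypto-erase: dropping the wrapped key makes every sector unreadable (goal 3).
func (s *SecureEnclave) Wipe() { s.wrapped = nil }

// cryptSector models the inline encryption engine: AES-CTR under the volume key with the
// sector number as IV. The same call encrypts and decrypts.
func cryptSector(vk []byte, lba uint64, data []byte) []byte {
	block, err := aes.NewCipher(vk)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	for i := 0; i < 8; i++ {
		iv[15-i] = byte(lba >> (8 * i))
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// Demo exercises each goal plus the "SSD moved to another board" case; every value is true.
func Demo() map[string]bool {
	r := map[string]bool{}
	sep := NewSecureEnclave()
	sep.Provision("correct horse")
	vk, _ := sep.Unlock("correct horse")
	plain := []byte("constructed sector: Q3 payroll") // constructed sample data
	disk := cryptSector(vk, 42, plain)                 // what actually lands on the flash

	_, err := sep.Unlock("wrong guess")
	r["wrong password rejected"] = err != nil

	r["password change accepted"] = sep.ChangePassword("correct horse", "battery staple") == nil
	_, err = sep.Unlock("correct horse")
	r["old password rejected"] = err != nil
	vk2, _ := sep.Unlock("battery staple")
	r["disk readable after change without rewrite"] = bytes.Equal(cryptSector(vk2, 42, disk), plain)

	other := NewSecureEnclave() // a different T2 with its own UID
	other.salt, other.wrapped = sep.salt, sep.wrapped
	_, err = other.Unlock("battery staple")
	r["moved media rejected even with right password"] = err != nil

	sep.Wipe() // the ciphertext is still on the flash, but nothing can ever unwrap the key again
	_, err = sep.Unlock("battery staple")
	r["unrecoverable after wipe"] = err != nil
	return r
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-48s %v\n", k, v)
	}
}
```

The two things a practitioner should take from this: a password change touches only a few dozen bytes of wrapped key, not the volume, and a wipe is the same operation applied without a replacement, which is why it is instantaneous and why it is final.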

Security to come

Apple is clearly going to keep designing its own chips and could eventually be the sole designer of all of the silicon in its products. This is a feat few companies could achieve. (Samsung is the only other player with these capabilities that readily comes to mind; it has leveraged some of its capabilities in a similar way with the Knox mobile security platform.) Whether or not Apple aims in a similar direction, it's clear that the company sees major value in the capability.

Although the T2 is an obvious example of Apple's chip and package design, the most competitive advantages may actually come in wearables. Apple's W1 chip in the AirPods and the S-series system-in-package in the Apple Watch showcase Apple's ability to leverage its silicon efforts. If the company is planning its own eyewear or smartglasses, these two existing products demonstrate that it can take on the biggest challenges in this area, balancing processing power, wireless communication and battery life, by designing silicon that does the heavy lifting (or hands that off to another Apple device like the iPhone).

From an enterprise perspective, the future for Apple hardware is bright, as the T2 represents a strong commitment to data security. Provided Apple offers enterprise mobility management vendors the ability to hook into the requisite capabilities, it will likely have a first-mover advantage in design and can help define the product categories (whether it actually is first to market or a bit late). This will position Apple as an enterprise vendor in a way that we haven't seen at scale before.

In short, the T2 shows that Apple's future lies in its own chip designs. It will break some existing processes that consumers, technicians and IT pros are used to and have taken as a given. There is no avoiding that with some of the technologies Apple is diving into, particularly security and privacy. Apple often pushes the tech world forward, and in so doing it leaves the past behind. If history is any example, Apple will push ahead regardless. In this case, I'd wager the changes to come will be positive. The T2 keeps users (and their data) secure without them even knowing the important steps Apple has taken to ensure that's the case. It's an elegant security solution that presages more such moves to come.


Copyright © 2018 IDG Communications, Inc.
