
Learn about startup security in macOS
Startup security policies can help restrict who can start up a Mac and what devices can be used to start up a Mac. Security policies on a Mac are supported for each installed operating system. This means that multiple installed macOS instances with different versions and security policies can exist on the same computer. For this reason, Startup Security Utility includes an operating system picker.
Startup disk security policy control for a Mac
Startup Security Utility indicates the overall user-configured security state of macOS, such as the booting of a kext (kernel extension) or the configuration of System Integrity Protection. If changing a security setting can significantly degrade security or make the system easier to compromise, users must restart into recoveryOS by holding the power button (so that malware can’t trigger the signal, only a human with physical access can) to make the change. Because of this, Mac also won’t require (or support) a firmware password—all critical changes are already gated by user authorization.
Organizations can, however, prevent access to the recoveryOS environment, including the startup options screen, through the use of a recoveryOS password. For more information, see the recoveryOS password section below.
For more information, see System Integrity Protection in Apple Platform Security.
Security policies
macOS has three security policies:
Full Security: macOS behaves like iOS and iPadOS and allows running only software that was known to be the latest available at install time.
Reduced Security: This policy level allows the system to run older versions of macOS. Because older versions of macOS inevitably have unpatched vulnerabilities, this security mode is described as Reduced. This is also the policy level that needs to be configured manually to support booting legacy kernel extensions (kexts) without using a device management service and Automated Device Enrollment with Apple School Manager or Apple Business Manager.
Permissive Security: This policy level supports users who are building, signing, and starting up using their own custom XNU kernels. System Integrity Protection must be disabled before enabling Permissive Security Mode.
For more information on the security policies, see Startup Disk security policy control in Apple Platform Security.
recoveryOS password
Mac computers with Apple silicon support setting a recoveryOS password with device management using the SetRecoveryLock command. Unless the recoveryOS password is entered, a user is prevented from accessing the recovery environment, including the startup options screen. A recoveryOS password can be set only using device management. For device management to update or remove an existing password, the current password must also be provided. Because the recoveryOS password can be set, updated, or removed only through device management, unenrolling a Mac that has a recoveryOS password set from device management also removes the password. Device management administrators can also verify that the correct recoveryOS password is set by using the VerifyRecoveryLock command.
Note: Setting a recoveryOS password doesn’t prevent the restoration of a Mac with Apple silicon through device firmware update (DFU) mode using the Finder or Apple Configurator, which also cryptographically renders the previous data on the Mac inaccessible.
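The SetRecoveryLock and VerifyRecoveryLock commands described above, sketched as the command property lists a device management server would queue. This is an added example, not Apple's code or part of the original page. The key names NewPassword, CurrentPassword, Password and PasswordVerified, and clearing the lock by sending an empty NewPassword, are assumptions taken from Apple's MDM protocol reference rather than from this page; the function names, the lock_is_set parameter and the sample responses are constructed.

```python
import plistlib
import uuid

def _envelope(body):
    # Standard MDM command envelope: a CommandUUID plus the Command dictionary.
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": body})

def set_recovery_lock(new_password, current_password=None, lock_is_set=False):
    """Build a SetRecoveryLock command plist.

    lock_is_set is the server's own record that a password exists
    (hypothetical parameter). An empty new_password clears the lock
    (assumed from Apple's MDM reference, not stated on this page).
    """
    if lock_is_set and not current_password:
        # Updating or removing an existing password needs the current one.
        raise ValueError("current recoveryOS password required")
    if not lock_is_set and new_password == "":
        raise ValueError("no recoveryOS password to remove")
    body = {"RequestType": "SetRecoveryLock", "NewPassword": new_password}
    if lock_is_set:
        body["CurrentPassword"] = current_password
    return _envelope(body)

def verify_recovery_lock(password):
    """Build a VerifyRecoveryLock command plist for the password on record."""
    return _envelope({"RequestType": "VerifyRecoveryLock", "Password": password})

def password_verified(response_plist):
    """True only if the device acknowledged and confirmed the password."""
    resp = plistlib.loads(response_plist)
    return resp.get("Status") == "Acknowledged" and resp.get("PasswordVerified") is True

# Constructed device responses, for illustration only.
SAMPLE_MATCH = plistlib.dumps({"Status": "Acknowledged", "PasswordVerified": True})
SAMPLE_MISMATCH = plistlib.dumps({"Status": "Acknowledged", "PasswordVerified": False})

if __name__ == "__main__":
    print(set_recovery_lock("constructed-new-pw").decode())
    print(password_verified(SAMPLE_MATCH), password_verified(SAMPLE_MISMATCH))
```

Running VerifyRecoveryLock after each rotation confirms that the password escrowed by the server is the one the Mac actually holds, which matters because a later update or removal needs it.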