Last week, Mr. Macintosh gave a great presentation on the changes introduced with macOS Big Sur on M1 Macs for reinstalling macOS. Click here for the recorded presentation and here for the presentation slides. Having recently begun testing an M1 MacBook Air myself, I was very interested in getting a jump start on this.
There were a number of important takeaways from the presentation, but one in particular I learned was that M1 Macs no longer support the firmware password feature. Sure enough, reviewing Apple’s own support article on firmware passwords:
Having previously worked at a school, setting a firmware password was a critical security feature as it prevented anyone without this password from booting to anything other than the configured default boot volume. This ensured more tech-savvy users could not load their own bootable macOS from the organization’s hardware or boot to the recovery OS and potentially wipe the device entirely.
While Apple indicates in their support article that FileVault achieves an equivalent level of security, the question remains: even with FileVault enabled, does the loss of the firmware password open up the ability for users to do mischief?
- On Intel Macs, the only security mechanism that prevents an admin user from booting to a different OS or the recovery OS is a configured firmware password.
- In Big Sur, external booting of validly signed macOS installers and macOS boot volumes is now permitted by default.
- Given M1 Macs do not have a firmware password option, any user with valid admin credentials can load macOS installers, other bootable macOS volumes, as well as fully erase and reinstall macOS.
- So long as your users are not admins, Apple’s claim of FileVault being an equivalent level of security is valid… but only in this context.
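To turn the four points above into something an admin can actually check on a fleet, here is an added shell sketch (not from the original post). The `assess_posture` function encodes the post's reasoning only: on Intel the firmware password is the deciding control, on Apple silicon the only remaining barrier is the absence of admin accounts. The `collect_and_assess` wrapper is assumed to run on macOS and relies on `uname`, `firmwarepasswd -check`, `fdesetup status` and `dscl` behaving as they do on current releases.

```shell
#!/bin/sh
# Added audit sketch; not code from the original post.
# assess_posture ARCH FWPW FILEVAULT NONROOT_ADMIN_COUNT
#   ARCH                : "arm64" (Apple silicon) or "x86_64" (Intel)
#   FWPW                : "yes"/"no"  firmware password enabled (Intel only)
#   FILEVAULT           : "on"/"off"
#   NONROOT_ADMIN_COUNT : local admin-group members other than root
# Prints one verdict string so it can be grepped or fed to an inventory tool.
assess_posture() {
  arch=$1; fwpw=$2; fv=$3; admins=$4
  # The post's comparison assumes FileVault is on; without it the data
  # on the volume is exposed regardless of who can boot what.
  if [ "$fv" != "on" ]; then
    echo "filevault-off"; return
  fi
  if [ "$arch" != "arm64" ]; then
    # Intel: a firmware password is the only control against an admin
    # booting another OS or recovery (bullet 1).
    if [ "$fwpw" = "yes" ]; then
      echo "protected-by-firmware-password"
    else
      echo "exposed-no-firmware-password"
    fi
    return
  fi
  # Apple silicon: no firmware password option exists (bullet 3), so the
  # only thing keeping external boot / erase-and-reinstall closed is that
  # no user holds admin credentials (bullet 4).
  if [ "$admins" -eq 0 ]; then
    echo "protected-no-admins"
  else
    echo "exposed-admin-can-boot-external"
  fi
}

# Gather the real facts on a Mac; on any other OS this simply bails out.
collect_and_assess() {
  [ "$(uname -s)" = "Darwin" ] || { echo "not macOS"; return 1; }
  arch=$(uname -m)
  fwpw=no
  if [ "$arch" != "arm64" ] && firmwarepasswd -check 2>/dev/null | grep -q "Yes"; then
    fwpw=yes
  fi
  fv=off
  fdesetup status 2>/dev/null | grep -q "FileVault is On" && fv=on
  # Count admin-group members, dropping the field label and root.
  admins=$(dscl . -read /Groups/admin GroupMembership | tr ' ' '\n' \
           | grep -v -e '^GroupMembership:$' -e '^root$' -e '^$' | wc -l | tr -d ' ')
  assess_posture "$arch" "$fwpw" "$fv" "$admins"
}
```

Run `collect_and_assess` on the Mac itself, or call `assess_posture` with values pulled from an MDM inventory export.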
For more info, see past the jump.