Startup security in macOS

Question 1

What are the three security policies for a Mac with Apple silicon?

Answer 1

Full Security: The system behaves like iOS and iPadOS, and allows only booting software that was known to be the latest that was available at install time.

Reduced Security: This policy level allows the system to run older versions of macOS.

Permissive Security: This policy level supports users that are building, signing, and booting their own custom XNU kernels

Question 2

System Integrity Protection (SIP) must be disabled before enabling Permissive Security Mode

A. True
B. False

Answer 2

A. True

Question 3

Multiple installed macOS instances with different versions and security policies can be supported by the Mac with Apple Silicon

A. True
B. False

Answer 3

A. True

For this reason, an operating system picker has been added to Startup Security Utility.

Question 4

macOS utilizes kernel permissions to limit writability of critical system files with a feature called ____

Answer 4

System Integrity Protection (SIP)

Question 5

Hardware-based ____ , available on a Mac with Apple silicon, protects modification of the kernel in memory

Answer 5

Kernel Integrity Protection (KIP)

Question 6

____ are policies that set security restrictions, created by the developer, that can’t be overridden

Answer 6

Mandatory access controls

Mandatory access controls aren’t visible to users, but they’re the underlying technology that helps enable several important features, including sandboxing, parental controls, managed preferences, extensions, and System Integrity Protection

Question 7

Why does System Integrity Protection restrict components to read-only in specific critical file system locations?

Answer 7

To help prevent malicious code from modifying them

Question 8

Which security policy is the default for macOS?

Answer 8

Full Security

Question 9

What is the 64-bit identifier that’s unique to the processor in each iPhone or iPad?

Answer 9

Exclusive Chip Identification (ECID)

Question 10

Where can you access Startup Security Utility?

Answer 10

recoveryOS

Question 11

Permissive Security can be accessed only from command-line tools for users who accept the risk of making their Mac much less secure

A. True
B. False

Answer 11

A. True

Question 12

Which security policy is similar to “Medium Security” behavior on an intel-based Mac with a T2 chip?

Answer 12

Reduced Security policy

Question 13

Apple provides/support custom XNU kernels

A. True
B. False

Answer 13

B. False

Question 14

Which command disables SIP when using Terminal?

Answer 14

csrutil

Question 15

The configuration of starting from external media is always explicitly enabled on a per operating system basis, and already requires user authorization, so no additional secure configuration is necessary.

A. True
B. False

Answer 15

A. True

Question 16

How do you explicitly enable Kexts (Kernel extensions) on a Mac with Apple silicon?

Answer 16

Hold power button at startup to enter One True Recovery (1TR) mode, then downgrade to Reduced Security, then check the box to enable kernel extensions

(in recoveryOS, Utilities > Startup Security Utility > Reduced Security)

Question 17

What MDM command sets a recoveryOS password for a Mac with Apple silicon

Answer 17

SetRecoveryLock

Question 18

Unenrolling a Mac computer from MDM that has a recoveryOS password set also removes the password

A. True
B. False

Answer 18

A. True

Question 19

Which MDM command verifies the correct recoveryOS password?

Answer 19

VerifyRecoveryLock

Question 20

Setting a recoveryOS password doesn’t prevent the restoration of a Mac computer with Apple silicon through DFU Mode using Apple Configurator, which also cryptographically renders the previous data on the Mac inaccessible

A. True
B. False

Answer 20

A. True

Question 21

For Mac computers without Apple Silicon, a firmware password can be set, updated, or removed using the ____ command-line tool

Answer 21

firmwarepasswd

or also with Firmware Password Utility, or MDM