Secure Boot

Security

Ensures only trusted operating system software loads during startup. On Apple Silicon, policies like ‘Full Security’ or ‘Reduced Security’ can be managed.

What to Know

Secure Boot prevents malware from infecting the boot process, ensuring that only Apple-signed operating system code can run during startup. This protects against bootkits and rootkits that attempt to compromise the system before security tools can load. On Apple Silicon Macs, Secure Boot policies determine what software is allowed to boot: Full Security (only current signed OS), Reduced Security (older or developer-signed OS), and Permissive Security (no signature enforcement).

For enterprises, Secure Boot settings impact compatibility with legacy boot management tools, netboot solutions, and alternative operating systems. While Full Security provides maximum protection, some organizations need Reduced Security to support specific workflows. MDM can remotely configure Secure Boot policies on Apple Silicon, eliminating the need for local administrator intervention in Startup Security Utility.

Common Scenarios

Enterprise IT: Corporate Macs are typically configured for Full Security to maintain maximum boot protection. When deploying kernel extensions or system extensions that require specific signing, IT may temporarily adjust Secure Boot settings via MDM, then restore Full Security once deployment completes.

MSP: Most managed clients use default Full Security settings, but clients with specialized requirements (virtualization, development, legacy tools) may need Reduced Security. MSPs document these exceptions and ensure clients understand the security trade-offs involved in weakening boot protection.

Education: Schools maintain Full Security on all student and staff devices to prevent unauthorized OS installations or boot modifications. This stops students from booting from external drives or installing unauthorized operating systems that would bypass school content filtering.

In Addigy

Addigy can deploy configuration profiles to remotely manage Secure Boot settings on Apple Silicon Macs, eliminating the need for users to access Startup Security Utility. Admins can view current Secure Boot status in device inventory and deploy policies that enforce Full Security across the fleet. For devices that require Reduced Security, Addigy tracks these exceptions and can report on policy compliance.

Also Known As

  • Verified Boot
  • Trusted Boot Chain