This tool provides a nice user interface to set the security back to High. It uses the great swiftDialog tool: https://github.com/bartreardon/swiftDialog
From Apple Platform Deployment (Apple):
"Rebuilding the AuxKC requires the user’s approval and restarting of the macOS to load the changes into the kernel, and it requires that the secure boot be configured to Reduced Security." Important: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system and Apple recommends users select solutions that don’t require extending the kernel.
I created this script to make my life easier, because the security level can only be set with bputil or by putting the device in DFU mode and restoring it. It would be nice if Apple could build it into "Erase All Content and Settings". Previously, we had to call the users and go through the steps together with them. This all went through the Terminal but took a lot of time, so when Swift came along I dived into it and came up with the following idea.
This utility is not meant for normal users or even sysadmins. It provides unabstracted access to capabilities which are normally handled for the user automatically when changing the security policy through GUIs such as the Startup Security Utility in macOS Recovery (“recoveryOS”). It is possible to make your system security much weaker and therefore easier to compromise using this tool. This tool is not to be used in production environments. It is possible to render your system unbootable with this tool. It should only be used to understand how the security of Apple Silicon Macs works. Use at your own risk!
- macOS 11 or higher
- Apple Silicon Macs
- SAP Privileges
- Volume Owner and Secure Token user
Script: Download
Manual: Download
- Written in Swift using SwiftUI
- Built for and compatible with macOS 11.0 and higher
- Native support for Apple Silicon
- Dark Mode support
To work properly with bputil, we need 3 smart groups. Here is an example:
- Full
- Medium
- No Security (Off)
Set the name to "Secure Boot Level" and scope it to your target smart group.
Remember that the user must be an admin and a volume owner to set security to Full. Otherwise, it won't work and the policy fails. We use SAP Privileges to activate permissions in this script.
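The three smart groups need an inventory value to match on. The following is an added example, not part of the original script: an extension-attribute-style check that reads the Secure Boot level and reports it under the three group names above. It assumes the `Secure Boot:` line printed by `system_profiler SPiBridgeDataType` on Apple Silicon, a Jamf-style `<result>` output, and that "Medium" corresponds to Reduced Security and "No Security (Off)" to Permissive Security; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the Secure Boot level for inventory reporting.
# Assumption: the level appears as a "Secure Boot: <value>" line in the
# output of `system_profiler SPiBridgeDataType` on Apple Silicon.

# Read system_profiler text on stdin and print one group label.
# Assumed mapping: Reduced -> Medium, Permissive -> No Security (Off).
secure_boot_level() {
    level=$(sed -n -e 's/[[:space:]]*$//' \
                   -e 's/^[[:space:]]*Secure Boot:[[:space:]]*//p' | head -n 1)
    case "$level" in
        "Full Security")       echo "Full" ;;
        "Reduced Security")    echo "Medium" ;;
        "Permissive Security") echo "No Security (Off)" ;;
        "")                    echo "Unknown" ;;          # no Secure Boot line found
        *)                     echo "Unknown: $level" ;;  # unexpected value, report it
    esac
}

# Constructed sample output, used when system_profiler is not available.
sample_report() {
    cat <<'EOF'
Controller:

    Apple Silicon:

      Boot Policy:
          Secure Boot: Reduced Security
          System Integrity Protection: Enabled
EOF
}

# Use the real tool on a Mac, the constructed sample elsewhere.
report() {
    if command -v system_profiler >/dev/null 2>&1; then
        system_profiler SPiBridgeDataType 2>/dev/null
    else
        sample_report
    fi
}

# Jamf-style extension attribute output (assumed inventory format).
echo "<result>$(report | secure_boot_level)</result>"
```

Devices that report "Unknown" belong in none of the three groups and are worth reviewing by hand before the policy is scoped to them.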
- UMC-Utrecht developed this script as a side project to add additional value you
- The script can be used free of charge and is provided ‘as is’, without any warranty
- Comments and feature requests are appreciated. Please file an issue on GitHub