Need to Erase Mac T2 Devices? Blancco Has You Covered.

Apple’s latest Mac mini, MacBook Pro, MacBook Air and iMac Pro all use the T2 chip with secure boot. Secure boot acts like an exclusive club’s sharply dressed but no-nonsense bouncer, disallowing access for even the most well-dressed nonmembers—in this case, the majority of drive erasure software.

However, that doesn’t mean you have to give up removing confidential data from your Mac devices—even if you have tens, hundreds or thousands of them.

Vivian Cullipher

Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco’s communications and content manager, she supports the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.

The Apple T2 Chip and Secure Boot vs. Secure Data Erasure

Macbook Air laptops are one of several Apple devices with the Mac T2 chipApple debuted its T2 chip on the iMac Pro in late 2017, with the MacBook Pro, MacBook Air and Mac mini soon following. The T2 chip integrated several controllers from other Mac operating systems. This brought enhanced performance capabilities, particularly in video and audio processing, face and fingerprint ID functions, “Hey Siri” support and SSD encryption.

It also introduced amped-up guardianship for its operating system with “secure boot,” limiting what sort of operating systems can load on macOS devices. Essentially, the T2 chip’s secure boot function makes sure that only a legitimate, trusted operating system loads at startup.

Secure boot ensures that the lowest levels of software aren’t tampered with and that only trusted operating system software loads at startup.

Apple T2 Security Chip: Security Overview (PDF), Apple

While this provides great security for enterprises that use Macs throughout their organizations, including computer software companies, schools and universities and health organizations, it becomes an issue when those devices or the confidential or personal data on them reaches end-of-life.  After all, today’s software-based erasure solutions, including Blancco Drive Eraser, rely on that bootup method to perform data sanitization.

That presents a problem.

As the introduction of the T2 chip nears its two-year anniversary and devices near end-of-lease periods and other retirement triggers, IT security and data management teams are perplexed about how to get past this slick and powerful gatekeeper. After all, until now there hasn’t been a way to make sure their organization’s confidential and high-risk data is securely erased from T2 Mac devices, so many simply store retired IT assets in a closet or storeroom while sensitive, personal, and proprietary data remains on the devices.

Business enterprises and other organizations with newer Mac deployments are the first to encounter this conundrum, but they won’t be the last.

IT asset disposition (ITAD) operators will also soon encounter the challenge of securely erasing Macs with T2 chips as organizations hand over their Apple devices for recycling, resale or even destruction. At that point, ITAD vendors will serve their clients best by verifying device data erasure to ensure protection of clients’ sensitive business and personal data.

The Challenge of Erasing MacOS Devices with T2 Chips

Devices with the Mac T2 chip operate in full security mode by default, allowing only the current OS or signed OS software trusted by Apple to run. They also disallow booting third-party operating systems from external media like USBs. This provides protection against hackers who could potentially boot into a different operating system in order to steal data or otherwise wreak havoc. It also prevents executing third-party data erasure solutions, including our own Blancco Drive Eraser solution.

So what’s the solution for privacy-minded organizations? Although not recommended, enterprise IT teams could theoretically change settings on their Mac devices to allow third-party OS interaction.

Related Article:  Blancco Technology Group Racks Up US Patent for SSD Erasure Method

There are several downsides to this approach, however.

  • Firstly, to allow access to the OS, the T2 chip requires the user to manually change the device boot order. That requires knowing the administrative passwords for each machine, then setting the proper order to allow third-party access. While doable, carrying this out enterprise-wide becomes cumbersome and highly time consuming. This can be especially troubling if you’re a large school district, healthcare provider, bank or heavily regulated organization with a substantial Mac device deployment used to process personal or proprietary data.
  • Secondly, the T2 chip’s secure boot feature doesn’t just disallow the running of non-native OS applications, it also acts as a barrier between the erasure software and the data storage disks that need to be erased, effectively hiding them from view. So, even if the user can boot up erasure software, the software still can’t touch the data.
  • Thirdly, even if there were a way to get past the T2 function of obscuring the disks to perform an erasure, there is often no verifiable proof that data has been erased.

Thankfully, health, education, technology and other industries can indeed make sure that confidential data is securely erased, even if they use newer Mac devices. And, as far as we know, there’s only a single data erasure solution capable of erasing Macs with this T2 chip: Blancco LUN Eraser.

The Only Mac T2 Data Erasure Solution: Blancco LUN Eraser

By using Blancco LUN Eraser, your organization can ensure all sensitive data is securely erased from…macOS devices with T2 chips, with 100% tamper-proof reporting for a complete audit trail. Remote activation is supported.

⁠— Blancco LUN Eraser: Implement Data Erasure Policies that Enforce Compliance

Blancco enterprise clients who used Apple laptops throughout their organizations (and that were already Blancco Drive Eraser users), approached us with the T2 issue. In response, our research and development teams quickly met the challenge.

To provide an effective and secure erasure solution for these new Mac devices, they drew upon the strengths of one of our other data erasure solutions, Blancco LUN Eraser.

Blancco LUN Eraser was originally developed to allow organizations to erase data in active storage environments while allowing the operating system to remain intact. Because it doesn’t interfere with the operating system, it is able to boot and deploy seamlessly on many different UNIX-based operating systems.  Like other Blancco data erasure solutions, it provides the most secure and permanent data erasure functionality on the market to guarantee sensitive data is properly sanitized.

The good news? macOS is based on UNIX, making Blancco LUN Eraser an ideal solution. The T2 chip recognizes the UNIX-based club card, so to speak, and while it turns other third-party solutions away and prevents access from external operating systems to the disks, it gives Blancco LUN Eraser welcome entry.

Related Article:  Blancco Granted Data Erasure Certification from NYCE in Mexico

Dhia Haddej, Blancco Enterprise and Data Center Product Manager, describes it this way:

“To access the device, you have to be native to Apple. That’s what we simply did. We used our LUN software, which does not come with its own operating system. When you install it on top of other operating systems, on Windows, for example, it leverages the operating system to talk to the disks. We expanded this idea to Mac.”

He continues, “We created a version of LUN that is installable, or executable, on top of Mac OS. So, when you go to these Apple devices, you’re not going to boot anything externally. You’re just going to run this new LUN for UNIX on top of the macOS operating system and now we have access to the disks and we can perform erasures that create reports.”

These tamper-proof reports validate data erasure that adheres to the most stringent data erasure algorithm standards, including NIST SP 800-88 and DoD 5220.22-M, along with 24+ other standards, to meet security and regulatory compliance requirements. We’ve also added a new, state-of-the-art digital signature for reports for added security. Report details include system information such as system serial number, manufacturer, model number, CPU and battery information and much more, providing an audit trail for all erased devices.

Get Your Free Trial of Blancco’s Mac T2 Erasure Capabilities

Blancco LUN Eraser’s support for Clear level erasure of Apple computers with the T2 chip means organizations don’t have to give up removing confidential data from Mac devices. Enterprises can rest assured that, when the time comes, they can securely dispose of or redeploy their Mac T2 devices without sensitive data leaving their protection.

Furthermore, ITADs that use Blancco solutions will be able to offer this service to their customers as devices begin trickling in for disposal, resale and recycling.

And finally, buyers and sellers in the secondary device market will be able to confidently conduct transactions on Blancco LUN-erased devices knowing that no residual data from previous users has been left behind.

View the original LUN Eraser 2.3 release notes, then see how these capabilities can work in your environment: Simply visit our Blancco LUN Eraser product page to get started with your free trial of our LUN solution, now applicable to Mac T2 devices.


Apple, Mac and macOS are trademarks of Apple Inc., registered in the U.S. and other countries.

How to Securely Erase Different SSDs: NVMe, PCIe and More
Download the White Paper
managing and automating data erasure for mobile devices
White Paper
Managing and Automating Data Erasure for Mobile Devices
Download Now
desktop erasure
Case Study
Infotheek Data Erasure Case Study
Read Case Study

Top Categories