The Apple T2 Chip and Secure Boot vs. Secure Data Erasure
Apple debuted its T2 chip on the iMac Pro in late 2017, with the MacBook Pro, MacBook Air and Mac mini soon following. The T2 chip consolidated several controllers that had previously been separate components in Macs. This brought enhanced performance capabilities, particularly in video and audio processing, face and fingerprint ID functions, “Hey Siri” support and SSD encryption.
It also introduced amped-up guardianship for its operating system with “secure boot,” limiting what sort of operating systems can load on macOS devices. Essentially, the T2 chip’s secure boot function makes sure that only a legitimate, trusted operating system loads at startup.
Secure boot ensures that the lowest levels of software aren’t tampered with and that only trusted operating system software loads at startup.
While this provides great security for enterprises that use Macs throughout their organizations, including computer software companies, schools and universities and health organizations, it becomes an issue when those devices or the confidential or personal data on them reaches end-of-life. After all, today’s software-based erasure solutions, including older versions of Blancco Drive Eraser, rely on that bootup method to perform data sanitization.
That presents a problem.
As the introduction of the T2 chip nears its two-year anniversary and devices near end-of-lease periods and other retirement triggers, IT security and data management teams are perplexed about how to get past this slick and powerful gatekeeper. After all, until now there hasn’t been a way to make sure their organization’s confidential and high-risk data is securely erased from T2 Mac devices, so many simply store retired IT assets in a closet or storeroom while sensitive, personal, and proprietary data remains on the devices.
Business enterprises and other organizations with newer Mac deployments are the first to encounter this conundrum, but they won’t be the last.
IT asset disposition (ITAD) operators will also soon encounter the challenge of securely erasing Macs with T2 chips as organizations hand over their Apple devices for recycling, resale or even destruction. At that point, ITAD vendors will serve their clients best by verifying device data erasure to ensure protection of clients’ sensitive business and personal data.
The Challenge of Erasing macOS Devices with T2 Chips
Mac devices with the T2 chip operate in full security mode by default, allowing only the current OS, or signed OS software trusted by Apple, to run. They also disallow booting third-party operating systems from external media such as USB drives. This protects against attackers who could otherwise boot into a different operating system to steal data or otherwise wreak havoc. It also prevents most third-party data erasure solutions from executing.
So what’s the solution for privacy-minded organizations? Although not recommended, enterprise IT teams could theoretically change settings on their Mac devices to allow third-party OS interaction.
There are several downsides to this approach, however.
- Firstly, to allow a third-party OS to load, the T2 chip requires the user to manually change the device’s boot order. That requires knowing the administrative password for each machine, then setting the proper order to allow third-party access. While doable, carrying this out enterprise-wide becomes cumbersome and highly time consuming. This can be especially troubling if you’re a large school district, healthcare provider, bank or heavily regulated organization with a substantial Mac deployment used to process personal or proprietary data.
- Secondly, the T2 chip’s secure boot feature doesn’t just disallow the running of non-native OS applications, it also acts as a barrier between the erasure software and the data storage disks that need to be erased, effectively hiding them from view. So, even if the user can boot up erasure software, the software still can’t touch the data.
- Thirdly, even if there were a way to get past the T2 function of obscuring the disks to perform an erasure, there is often no verifiable proof that data has been erased.
Thankfully, health, education, technology and other industries can indeed make sure that confidential data is securely erased, even if they use newer Mac devices. In keeping with our commitment to support changing security technologies across a variety of drive types, Blancco offers two innovative solutions that tackle Mac erasure: Blancco LUN Eraser and Blancco Drive Eraser.
Blancco Provides Secure Mac T2 Data Erasure and 100% Tamper-Proof Reporting
By using Blancco LUN Eraser, your organization can ensure all sensitive data is securely erased from…macOS devices with T2 chips, with 100% tamper-proof reporting for a complete audit trail. Remote activation is supported.
Blancco enterprise clients who used Apple laptops throughout their organizations (and that were already Blancco Drive Eraser users), approached us with the T2 issue. In response, our research and development teams quickly met the challenge.
To provide an effective and secure erasure solution for these new Mac devices, they first drew upon the strengths of one of our other data erasure solutions, Blancco LUN Eraser.
Blancco LUN Eraser was originally developed to allow organizations to erase data in active storage environments while allowing the operating system to remain intact. Because it doesn’t interfere with the operating system, it is able to boot and deploy seamlessly on many different UNIX-based operating systems. Like other Blancco data erasure solutions, it provides the most secure and permanent data erasure functionality on the market to guarantee sensitive data is properly sanitized.
The good news? macOS is based on UNIX, making Blancco LUN Eraser an ideal solution. The T2 chip recognizes the UNIX-based club card, so to speak, and while it turns other third-party solutions away and prevents access from external operating systems to the disks, it gives Blancco LUN Eraser welcome entry.
Dhia Haddej, Blancco Enterprise and Data Center Product Manager, describes it this way:
“To access the device, you have to be native to Apple. That’s what we simply did. We used our LUN software, which does not come with its own operating system. When you install it on top of other operating systems, on Windows, for example, it leverages the operating system to talk to the disks. We expanded this idea to Mac.”
He continues, “We created a version of LUN that is installable, or executable, on top of Mac OS. So, when you go to these Apple devices, you’re not going to boot anything externally. You’re just going to run this new LUN for UNIX on top of the macOS operating system and now we have access to the disks and we can perform erasures that create reports.”
Blancco’s R&D teams later incorporated T2 erasure functionality in Blancco Drive Eraser (BDE) itself. BDE can now boot these machines, detect and overwrite their internal drives and incorporate Blancco’s patent-pending Two-Way Communication, facilitating integration with your existing APIs and asset management systems.
Both solutions issue tamper-proof, digitally signed reports that validate the data erasure. Both also adhere to the most stringent data erasure standards, including NIST SP 800-88 and DoD 5220.22-M, along with 24+ other standards, to meet security and regulatory compliance requirements. Report details include system information such as system serial number, manufacturer, model number, CPU and battery information and much more, providing an audit trail for all erased devices.
Get Your Free Trial of Blancco’s Mac T2 Erasure Capabilities
Blancco LUN Eraser and Blancco Drive Eraser support Clear-level erasure of Apple computers with the T2 chip.
- Organizations don’t have to give up removing data from Mac devices. Instead, enterprises can rest assured that when the time comes, they can securely dispose of or redeploy their Mac T2 devices.
- ITADs that use Blancco solutions will be able to offer this service to their customers as devices begin trickling in for disposal, resale and recycling.
- Buyers and sellers in the secondary device market will be able to confidently conduct transactions on Blancco-erased devices knowing that no residual data from previous users has been left behind.
Experience how these capabilities can work in your environment: Simply visit our Blancco LUN Eraser and Blancco Drive Eraser product pages to get started with your free trial, now applicable to Mac T2 devices.
Apple, Mac and macOS are trademarks of Apple Inc., registered in the U.S. and other countries.
This article was originally published August 2019 and updated April 2020.