
ThemePro

macrumors demi-god
Original poster
May 1, 2010
153
145
As you can see in the screenshot, I’m running my M1 MacBook in “Reduced Security” mode in order to use applications (e.g. Boxcryptor) that require a 3rd party kernel extension (e.g. macFUSE). Under normal circumstances, I wouldn’t want to run a device with ‘reduced security’ but what’s the reduced security here? It seems like Apple’s definition of ‘reduced security’ is simply preventing me the owner from using a past Apple signed version of MacOS or preventing me the owner from simply having the option to approve a 3rd party kernel extension in security preferences. By the way, to get to this security menu, one has to undertake a byzantine 6 step startup option which includes entering your user account password twice.
Screen Shot 2020-12-31 at 9.57.34 AM.png
 

MacUser2525

Suspended
Mar 17, 2007
2,097
377
Canada
As you can see in the screenshot, I’m running my M1 MacBook in “Reduced Security” mode in order to use applications (e.g. Boxcryptor) that require a 3rd party kernel extension (e.g. macFUSE). Under normal circumstances, I wouldn’t want to run a device with ‘reduced security’ but what’s the reduced security here? It seems like Apple’s definition of ‘reduced security’ is simply preventing me the owner from using a past Apple signed version of MacOS or preventing me the owner from simply having the option to approve a 3rd party kernel extension in security preferences. By the way, to get to this security menu, one has to undertake a byzantine 6 step startup option which includes entering your user account password twice.
I am failing to see your problem; this is a well-known direction Apple has been going in for years. Locking down the OS until it resembles the phone version, it will continue until they have full control and that option does not exist anymore. Soon only Apple approved software will run on these machines and those choices will be gone, if you do not like this then you are using the wrong software for freedom of choice on a computer. There is no think different at Apple anymore...
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
As you can see in the screenshot, I’m running my M1 MacBook in “Reduced Security” mode in order to use applications (e.g. Boxcryptor) that require a 3rd party kernel extension (e.g. macFUSE). Under normal circumstances, I wouldn’t want to run a device with ‘reduced security’ but what’s the reduced security here?
Apple has some documentation:
While not listed in this document, I believe that running in Reduced Security mode will also prevent iOS/iPadOS apps from running on the Mac.
 

ThemePro

macrumors demi-god
Original poster
May 1, 2010
153
145
Apple has some documentation:
While not listed in this document, I believe that running in Reduced Security mode will also prevent iOS/iPadOS apps from running on the Mac.
Yes, I read that reference before after Apple removed the firmware password option for the M1. Fortunately though, operating in reduced security mode doesn't prevent use of iOS apps.
 

Kung gu

Suspended
Oct 20, 2018
1,379
2,434
I am failing to see your problem; this is a well-known direction Apple has been going in for years. Locking down the OS until it resembles the phone version, it will continue until they have full control and that option does not exist anymore. Soon only Apple approved software will run on these machines and those choices will be gone, if you do not like this then you are using the wrong software for freedom of choice on a computer. There is no think different at Apple anymore...
They don't need to lock down MacOS, that's why iPads exist. If they only allow apps to be downloaded from the App Store then the Mac will be dead. Users like the fact that MacOS can download apps off the USB or the web.
 

MacUser2525

Suspended
Mar 17, 2007
2,097
377
Canada
They don't need to lock down MacOS, that's why iPads exist. If they only allow apps to be downloaded from the App Store then the Mac will be dead. Users like the fact that MacOS can download apps off the USB or the web.
The default in macOS right now IS only allowing apps downloaded from the app store to run, you need to go out of your way to allow an app to run not downloaded from there. It is a simple matter to turn off that ability to install the third party apps, the OS has been constructed to do this.
 

ThemePro

macrumors demi-god
Original poster
May 1, 2010
153
145
The default in macOS right now IS only allowing apps downloaded from the app store to run, you need to go out of your way to allow an app to run not downloaded from there. It is a simple matter to turn off that ability to install the third party apps, the OS has been constructed to do this.
That's very true and for the M1 as well. Unfortunately, this byzantine reboot into recovery mode process for approving kernel extensions will basically force developers to rewrite their apps not to use them, or they might decide not to support Mac anymore and just support Windows and Linux.
 

ADGrant

macrumors 68000
Mar 26, 2018
1,689
1,059
That's very true and for the M1 as well. Unfortunately, this byzantine reboot into recovery mode process for approving kernel extensions will basically force developers to rewrite their apps not to use them, or they might decide not to support Mac anymore and just support Windows and Linux.
Kernel extensions do represent a significant security risk. They should be difficult to install, I would not want any of my family members to be able to install one.
 

Honza1

macrumors 6502a
Nov 30, 2013
940
441
US
To be fair to Apple, kernel extensions were a common source of system crashes. At least for me. Crashes macOS (=Apple) was blamed for (= macOS is crashing) yet they had no control over.
And kernel extensions were impossible for a regular user to uninstall also. At some point I was manually reviewing my kernel extensions (not what a common Apple user knows how to do) and found extensions for software I uninstalled 3+ years ago. Still being loaded, needlessly. I am not unhappy to see kernel extensions go away, if there is another solution to provide similar functionality.
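
Added example (not part of any post in this thread): the manual review Honza1 describes, finding non-Apple kernel extensions that are still loaded, can be scripted. The sample `kextstat` output and the `com.example`/`org.example` bundle IDs are constructed, and the column layout is assumed to be `kextstat`'s `Index Refs Address Size Wired Name (Version)` format.

```shell
#!/bin/sh
# Added example: audit which loaded kernel extensions are not Apple's.

# Read kextstat-style text on stdin (columns: Index Refs Address Size Wired
# Name (Version) ...) and print "bundle_id version" for non-Apple kexts.
third_party_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ {
        v = $7; gsub(/[()]/, "", v)   # "(4.0.4)" -> "4.0.4"
        print $6, v
    }'
}

# List .kext bundles present in a directory, one name per line.
kext_bundles_in() {
    for k in "$1"/*.kext; do
        [ -d "$k" ] && basename "$k"
    done
    return 0
}

# Constructed sample of kextstat output (not captured from a real machine).
sample_kextstat() {
    cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  142 0                  0          0          com.apple.kpi.bsd (20.2.0) 00000000-0000-0000-0000-000000000001 <>
   87    0 0xfffffe0007a00000 0x8000     0x8000     com.example.fs.demo (4.0.4) 00000000-0000-0000-0000-000000000002 <7 5 4 1>
   88    0 0xfffffe0007b00000 0x4000     0x4000     org.example.usbpower (1.2) 00000000-0000-0000-0000-000000000003 <5 4 1>
EOF
}

# On a Mac, audit the live system; elsewhere, fall back to the sample.
if command -v kextstat >/dev/null 2>&1; then
    kextstat 2>/dev/null | third_party_kexts
    kext_bundles_in /Library/Extensions
else
    sample_kextstat | third_party_kexts
fi
```

A bundle ID that shows up here for software no longer installed is the leftover case described in the post above.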
 

SUGAR RAY WONKA

macrumors regular
Oct 1, 2019
104
93
Apple has some documentation:
While not listed in this document, I believe that running in Reduced Security mode will also prevent iOS/iPadOS apps from running on the Mac.
That's incorrect. Running in reduced security mode does NOT prevent iPadOS/iOS apps running on the Mac M1.

I changed to reduced security mode on my M1 Mac mini last night, in order to be able to boot from an external SSD after installing a secondary Big Sur instance on it, which I am using as an isolated testing/sandbox environment.

The BBC Sounds iOS app is still running fine on the M1 Mac running on the Mac mini's internal SSD today.
 

jay-m

macrumors member
Oct 30, 2019
32
30
Every NTFS tool needs reduced security. Don't understand why.
Because, as of now, they all use kernel extensions.
Not really, macOS can read and write NTFS partitions without additional .kexts since at least 2013, but writing support is 'experimental' and the disk needs to be mounted using Terminal or an app like Mounty.

I'm using Mounty on M1 Air with external HDD and one SD card I stupidly formatted as NTFS and it works well.
 

Joelist

macrumors 6502
Jan 28, 2014
463
373
Illinois
I have no issue at all with Apple preventing third parties from writing kernel extensions. Honza puts it well - rogue kernel extensions compromise stability and are also security problems.
 

Luba

macrumors 68000
Apr 22, 2009
1,807
379
To be fair to Apple, kernel extensions were a common source of system crashes. At least for me. Crashes macOS (=Apple) was blamed for (= macOS is crashing) yet they had no control over.
And kernel extensions were impossible for a regular user to uninstall also. At some point I was manually reviewing my kernel extensions (not what a common Apple user knows how to do) and found extensions for software I uninstalled 3+ years ago. Still being loaded, needlessly. I am not unhappy to see kernel extensions go away, if there is another solution to provide similar functionality.
How to delete kernel extensions in Big Sur? Go to /Library/Extensions and simply delete the extension and I am done?
 

Luba

macrumors 68000
Apr 22, 2009
1,807
379
That's incorrect. Running in reduced security mode does NOT prevent iPadOS/iOS apps running on the Mac M1.

I changed to reduced security mode on my M1 Mac mini last night, in order to be able to boot from an external SSD after installing a secondary Big Sur instance on it, which I am using as an isolated testing/sandbox environment.

The BBC Sounds iOS app is still running fine on the M1 Mac running on the Mac mini's internal SSD today.
To boot from an external SSD or USB stick that I've set up using 'createinstallmedia' in Terminal, I need to "Reduce Security" and allow kernel extensions??
 

Tagbert

macrumors 603
Jun 22, 2011
6,261
7,285
Seattle
The default in macOS right now IS only allowing apps downloaded from the app store to run, you need to go out of your way to allow an app to run not downloaded from there. It is a simple matter to turn off that ability to install the third party apps, the OS has been constructed to do this.
No, it is quite possible to install and run apps that don’t come from the App Store. They do need to be notarized. If not, then you need to hold down the Option key (or maybe Cmd key, I forget) the first time you run them.
 

Krevnik

macrumors 601
Sep 8, 2003
4,101
1,312
I am not unhappy to see kernel extensions go away, if there is another solution to provide similar functionality.
DriverKit and the Hypervisor framework are already here in Big Sur and provide that solution. Apple’s making large chunks of IOKit available in userland via DriverKit. The Hypervisor framework provides access needed for apps like Parallels and VMWare to work without kernel extensions.
 

Yebubbleman

macrumors 603
May 20, 2010
6,024
2,617
Los Angeles, CA
As you can see in the screenshot, I’m running my M1 MacBook in “Reduced Security” mode in order to use applications (e.g. Boxcryptor) that require a 3rd party kernel extension (e.g. macFUSE). Under normal circumstances, I wouldn’t want to run a device with ‘reduced security’ but what’s the reduced security here? It seems like Apple’s definition of ‘reduced security’ is simply preventing me the owner from using a past Apple signed version of MacOS or preventing me the owner from simply having the option to approve a 3rd party kernel extension in security preferences. By the way, to get to this security menu, one has to undertake a byzantine 6 step startup option which includes entering your user account password twice.
You pretty much hit the nail on the head. For T2 Intel Macs, this mattered more as there are a TON of malicious x86 based operating systems that you could boot on an Intel Mac or x86 PC. So, ensuring that you're using a signed version of macOS or Windows meant that you were using an OS that was trusted to be valid and not tampered with. For Apple Silicon, I don't see much of a point. There's Asahi Linux that is trying to become a bootable alternative, but past that, the only OS that can natively boot on an Apple Silicon Mac is macOS.

As for kernel extensions and remote management of kernel extensions, given Apple's direction towards deprecating them, this makes sense and is probably the only set of security settings that REALLY make a difference on an Apple Silicon Mac. But even then, I can't imagine that there even are that many third party Apple Silicon kernel extensions out there (or anyone with any logical reason to craft one, whether malicious or not).
 

jdb8167

macrumors 601
Nov 17, 2008
4,859
4,599
But even then, I can't imagine that there even are that many third party Apple Silicon kernel extensions out there (or anyone with any logical reason to craft one, whether malicious or not).
I know of a few. Both OWC and Caldigit have extensions to enable high power on the USB-A port for use with things like Apple’s DVD R/W drive and fast charging. Even though SoftRAID is kind of supported by Apple, I think the latest version requires a new extension. There are also a few NTFS drivers out there. I’m sure there are more and more coming for things like Audio processors and converters. Over time, I think Apple is planning on making these user space drivers with DriverKit but I don’t think it is there yet. I’ll have to check on Monterey.
 

Yebubbleman

macrumors 603
May 20, 2010
6,024
2,617
Los Angeles, CA
I know of a few. Both OWC and Caldigit have extensions to enable high power on the USB-A port for use with things like Apple’s DVD R/W drive and fast charging. Even though SoftRAID is kind of supported by Apple, I think the latest version requires a new extension. There are also a few NTFS drivers out there. I’m sure there are more and more coming for things like Audio processors and converters. Over time, I think Apple is planning on making these user space drivers with DriverKit but I don’t think it is there yet. I’ll have to check on Monterey.
I was gonna say, you don't think that all of those have DriverKit based updates by now? OWC seems to be on top of things like that. Unsure about CalDigit. My experience with their Thunderbolt 3 docks prior to any kind of Apple Silicon transition announcement was abysmal, which, of course leads me to blindly assume that applies to the rest of their products.
 

caribbeanblue

macrumors regular
May 14, 2020
138
132
I am failing to see your problem; this is a well-known direction Apple has been going in for years. Locking down the OS until it resembles the phone version, it will continue until they have full control and that option does not exist anymore. Soon only Apple approved software will run on these machines and those choices will be gone, if you do not like this then you are using the wrong software for freedom of choice on a computer. There is no think different at Apple anymore...
Apple will *never* disable third party app installs. The freedom of MacOS compared to Apple's other OSs is MacOS' whole selling point. MacOS will continue to exist for users who are more tech savvy and more like power users who maybe do 'real work' on their computer, and iPads will continue to exist for normies for whom it's been a while since they touched a non-mobile operating system, or apps.
 