By Timofey Furyaev
Project Manager

September 10, 2019
Last updated on October 31, 2019

  0

How the Apple T2 Security Chip Affects SCCM Administrators | Managing Mac with SCCM

Starting with the iMac Pro® in 2018, Apple® has incorporated their new T2 security chip into all new Mac® models. More security sounds good to IT professionals at first. After all, data security is one of the primary concerns of any corporate IT team. On the technical level, the T2 chip is a new kind of Trusted Platform Module (TPM). But in fact, the T2 chip is involved in much more than just authentication and hardware integrity. The T2 device is also a solid state drive (SSD) controller, a controller for the MacBook® Touch ID® fingerprint sensor and more.

T2 thwarts tried-and-tested practices

In practice, this means that the T2 chip not only makes sure that the Unified Extensible Firmware Interface (UEFI) and other basic software components have not been compromised—it also performs hardware encryption on the system’s internal SSD unit. This facilitates new safety options for macOS that can make life distinctly more difficult for IT administrators. The strictest safety settings do not allow a Mac device to be booted or restored from external media any more. In such a case, a Mac can only be booted from a restore partition on the internal drive.

What does this mean for administrators managing their corporate Mac computers with the help of Parallels® Mac Management for Microsoft® SCCM? The T2 chip does away with a number of well-known procedures used by IT professionals to set up and handle Mac computers. For instance, NetBoot—starting and installing macOS from a system image over the network—is no longer possible with T2-equipped Mac computers. Additionally, USB drives can only be used as a medium to start and install present-day Mac computers from under specific circumstances.

Anyone who has been using Parallels Mac Management USBBoot to set up Mac computers or repair defective systems has to make sure that the Safe Boot settings are set to the lowest safety level on the respective Mac. Otherwise, a T2 Mac will not accept the USB drive as a boot drive.

Learn more about how to manage Mac devices like PCs with Parallels Mac Management for Microsoft SCCM in our weekly webinars. Register now for free!

Learn more:

Parallels Knowledge Base | Imaging with T2 Chips

Apple Security | Apple T2 Chip (PDF)

Apple Support | About the Apple T2 Security Chip

Parallels Mac Management | Documentation