How to List Startup Security Settings Across All Macs
Using Kolide, you can easily view and query Mac Startup Security Settings across your fleet.
Introduction
Depending on the model of Mac, modern versions of macOS come equipped with boot/startup security options. Options like firmware passwords, secure boot, and external boot can be set in Apple's Startup Security Utility when the Mac is booted into Recovery OS. For more information, please read Apple's support article.
What Mac Startup Security Setting Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Startup Security Settings from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Startup Security Settings Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
efi_boot_mode | Enum::Text | The mode of the EFI Boot. Can be one of the following:
efi_option_roms_allowed | Boolean |
efi_password_enabled | Boolean |
external_boot | Enum::Text | The state of the Mac's external boot setting. Can be one of the following:
secure_boot | Enum::Text | The state of the Mac's secure boot setting. Can be one of the following:
windows_boot | Enum::Text | The state of the Mac's Windows boot setting. Can be one of the following:
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
Why Should I Collect Mac Startup Security Settings?
The settings reported in the device property can help administrators better understand the security posture of a Mac. For example, a Mac with Secure Boot off may be at greater risk of being infected by malware that changes the master boot record (MBR).
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
The data collected only contains the status of the Mac's startup and boot settings. It does not communicate sensitive data like firmware passwords or the names of any internal or external volumes.
When you use Kolide to list Mac Startup Security Setting data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which can be accessed directly by employees.