Startup Security Policy settings are not reflected in booted OS Privacy & Security panel options.

2023 M2 Pro Mac Mini with Sonoma 14.0 (23A344)


Booting off external TB4 connected PCI NVMe SSD


I booted into Recovery Mode and in the Startup Security Utility, I selected "Reduced Security" and under that, "Allow user management of kernel extensions from identified developers."


I also went into the terminal in Recovery Mode and issued the csrutil disable command to disable SIP.


I have two boot drives, but I have booted off each of these and made sure both had the same settings, and when disabling SIP, I made sure it was showing disabled on both boot drives.


When I boot into the OS and try to install my kernel extensions, I get the "System Extension Blocked" message telling me that I can't proceed, but not the "System Extension Update" message giving me an option to go into the System Settings and click the "Allow" button next to the "System software from developer "xxxx" has been updated." message below the "Allow applications downloaded from" control box and above the "Allow accessories to connect" control box.


In fact, my Mac Mini doesn't show the "Allow accessories to connect" control menu at all.


I have an M2 MacBook Air here, and it all works exactly as I expect it to, and I am able to manage kernel extensions fine.


I have tried creating a new profile - same result.

I have tried reinstalling Sonoma - same result.


I have a sneaking suspicion that it may have something to do with the T3 security chip and the fact that I'm booting off an external HDD, but I don't know for sure. I'm fairly certain that if I boot off the internal HDD it will be ok, but I haven't tried that just yet. I'll come back with an edit once I have done that.


If anyone has any ideas, I'd really appreciate your help.


Many thanks,


em


Mac mini, macOS 14.0

Posted on Oct 13, 2023 7:17 PM

27 replies
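A quick way to see what the booted OS actually reports for SIP and kernel-extension user consent, so it can be compared with what was chosen in Startup Security Utility. This is an added example, not something posted in the thread: `csrutil status` and `spctl kext-consent status` are real macOS commands; the parsing helpers and the `EXPECTED_SIP` / `EXPECTED_CONSENT` variables are this example's own, and the sample outputs used for checking are constructed.

```shell
#!/bin/sh
# Report the SIP and kext user-consent state of the booted macOS volume and
# flag drift from what was selected in Recovery. Parsing is kept in small
# functions so it can be exercised on captured output anywhere.

# sip_state: read `csrutil status` output on stdin; print enabled|disabled|unknown
# (with a custom configuration csrutil prints "unknown (Custom Configuration).").
sip_state() {
    awk -F': ' '/System Integrity Protection status/ {
            s = $2; sub(/\.$/, "", s); print tolower(s); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# kext_consent_state: read `spctl kext-consent status` output on stdin;
# print enabled|disabled|unknown.
kext_consent_state() {
    awk -F': ' '/Kernel Extension User Consent/ {
            s = $2; sub(/\.$/, "", s); print tolower(s); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# check_expected EXPECTED_SIP EXPECTED_CONSENT ACTUAL_SIP ACTUAL_CONSENT
# Returns 0 when the booted OS matches the intended policy, 1 on drift.
check_expected() {
    [ "$1" = "$3" ] && [ "$2" = "$4" ]
}

# On a live Mac, query the real commands; elsewhere the functions above are
# just a library. EXPECTED_* default to the thread's intended posture
# (SIP disabled, user consent for kexts enabled); override via environment.
if [ "$(uname -s)" = "Darwin" ]; then
    sip=$(csrutil status | sip_state)
    consent=$(spctl kext-consent status | kext_consent_state)
    printf 'SIP: %s   kext user consent: %s\n' "$sip" "$consent"
    check_expected "${EXPECTED_SIP:-disabled}" "${EXPECTED_CONSENT:-enabled}" \
        "$sip" "$consent" ||
        echo "booted OS does not reflect the Startup Security Utility selection"
fi
```

Run it from the booted volume in question (not from Recovery) so the values reflect the OS that is actually refusing the extension.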

Oct 14, 2023 2:39 AM in response to ileradeltercomondo

This could be even more "Hair Pulling", but on Apple Silicon computers the Secure Enclave comes into play.


This applies to Bootable External Media


According to the small print in Apple’s Platform Security Guide, when you set up a new M1 Mac, or set one up after restoring it in DFU mode, the primary admin account created is special: it’s the Owner account of that Mac.


During that initial setup, the Mac sends a request to Apple for that Mac’s signed Owner Identity Certificate (OIC).


This is based on a private key generated in the Secure Enclave known as the Owner Identity Key (OIK).


Each M1 Mac has just a single OIK, and access to that is confined to that primary admin user of the internal SSD, who is thus its Owner.


If your M1 is configured with a single macOS boot volume group on its internal SSD, never boots from an external disk, and has no other admin users – a vanilla system – then that’s all transparent.


If you install a second operating system, on internal or external storage, the Owner needs to agree to hand over Ownership to users of that second system.


Source of the excerpt above:


https://eclecticlight.co/2021/07/18/last-week-on-my-mac-the-perils-of-m1-ownership/

Oct 31, 2023 5:58 PM in response to ileradeltercomondo

Booting from an external on Apple Silicon is sketchy at best based on reports, here. It may be that you cannot load legacy kernel extensions (or any, really) booting from an external drive. The startup security settings may not apply to the external startup drive.

I created a few external boot drives on my M1 Mini to see if it worked, but that's about as far as I got.

Nov 1, 2023 5:23 PM in response to Barney-15E

Yes, plenty of reports of issues with booting off external drives. That said, other than the issue with the user management of kernel extensions not working as it should, it's working perfectly on my system here in every other aspect, so I might consider myself lucky in that sense.


My NVMe drive is showing up as a PCIe device, so the Mac sees it as an internal drive. I've had an interesting suggestion involving doing a clone of the internal drive (with all the accepted and approved kernel extensions) rather than a Time Machine backup restore, so I'm going to have a go at that for what it's worth. It may provide an insight into the problem that may help the Apple techs with their investigations and may even provide a way forward to a solution if it works.

Nov 2, 2023 11:16 AM in response to ileradeltercomondo

Here is another similar thread:

https://discussions.apple.com/thread/255002482


As others in this thread and the one I just linked, it is thought that booting from an external drive is no longer fully supported which does not surprise me due to all the new security features, plus the trend of Apple making their computers much more like an iPad. What I've learned from supporting my organization's Mac with the recent releases of macOS, it is best not to deviate too far from system defaults even if Apple appears to allow it. macOS does not like surprises and deviating from Apple defaults is considered a surprise.


It also doesn't help with this new somewhat unknown feature of "ownership" pointed out by @P. Phillips. I'm still not entirely certain how ownership ties into things since Apple does not really tell us.

Oct 14, 2023 1:51 AM in response to ileradeltercomondo

The "Allow accessories to connect" setting only applies to Apple Silicon laptops and does not apply to Apple Silicon desktop computers.


Refer to the link below from Apple on this very topic:


If your Mac asks you to allow an accessory to connect - Apple Support


Excerpt from the link above:


When you use a new or unknown USB accessory, Thunderbolt accessory, or SD card with your Mac laptop with Apple silicon and macOS Ventura or later

Oct 14, 2023 2:30 AM in response to Owl-53

I disabled SIP on the M2 MacBook Air when I tried it and it didn't seem to cause any problems, so I think I'm going to have to take that as being proof that this isn't the problem. Thanks anyway. It did sound feasible based on that article.


It's all getting a bit messy, this piling security measure on top of security measure... All fine, I guess, if all you're doing is browsing the web and writing emails...


Again, many thanks for trying. I really appreciate your help here.


em

Oct 14, 2023 3:16 AM in response to Owl-53

Hi P. Yeah, I kinda figured some weird stuff like this was responsible.


I tried desperately to make sense out of that article, however, that little monkey playing the cymbals kept appearing in a thought bubble above my head. It was all gobbledegook to me.


Do you understand what it's all about and if there's some procedure I could follow to try to transfer the OIC and OIK to my external (and primary) boot SSD?


What a mess!



Oct 31, 2023 2:00 PM in response to Barney-15E

Hi Barney-15E, Thanks so much for chiming in.

On the Air, I'm booting off the internal drive, and the kernel extensions load. I get the warnings that tell me I need to allow them, and I can and do, and they work.

On the Mac Mini, if I'm booting off the internal drive, the kernel extensions will load. I get the warnings that tell me I need to allow them, and I can and do, and they work.

On the Mac Mini, if I'm booting off the external drive, the kernel extensions will install, but not load. I get warnings, but slightly different ones, and there's no option provided for me to be able to allow them, so they don't run.

It's 100% repeatable. I have reinstalled Sonoma 14.1 numerous times on both the internal and external HDD on the M2 Pro Mac Mini. I have tried it with SIP on and off. I've tried a different NVMe drive.

If you have the resources, time and patience, I'd be very interested to see if you can replicate the issue on another machine. I’m certain that the particular legacy extension you try to install has no bearing on the result, but the one I'm trying to install is the most current version of the MOTU Audio Installer for their "USB and Hybrid" audio interface products. They can be found here. MOTU and macOS Sonoma | News | MOTU.com You don't actually need to have the device connected to observe this issue.

Looking forward to any insight you may have on this problem I’m having.
