{"id":35887,"date":"2022-05-16T16:21:51","date_gmt":"2022-05-16T20:21:51","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=35887"},"modified":"2022-06-03T11:13:56","modified_gmt":"2022-06-03T15:13:56","slug":"apple-platform-security-guide-may-2022","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/05\/16\/apple-platform-security-guide-may-2022\/","title":{"rendered":"Apple Platform Security Guide (May 2022)"},"content":{"rendered":"<p><a href=\"https:\/\/support.apple.com\/guide\/security\/welcome\/web\">Apple<\/a> (<a href=\"https:\/\/help.apple.com\/pdf\/security\/en_US\/apple-platform-security-guide.pdf\">PDF<\/a>):<\/p>\n<blockquote cite=\"https:\/\/support.apple.com\/guide\/security\/welcome\/web\"><p>Unless otherwise noted, this documentation covers the following operating system versions: iOS 15.4, iPadOS 15.4, macOS 12.3, tvOS 15.4, and watchOS 8.5.<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/support.apple.com\/guide\/security\/document-revision-history-secb82d6b274\/web\">Apple<\/a>:<\/p>\n<blockquote cite=\"https:\/\/support.apple.com\/guide\/security\/document-revision-history-secb82d6b274\/web\"><p>Topics added:<\/p><ul><li><a href=\"https:\/\/support.apple.com\/guide\/security\/paired-recoveryos-restrictions-sec4cf9d63a6\/1\/web\/1\">Paired recoveryOS restrictions<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/contents-a-localpolicy-file-mac-apple-silicon-secc745a0845\/1\/web\/1#sec1d7c0b1fe\">Local Operating System Version (love)<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/protecting-access-to-users-health-data-sec88be9900f\/1\/web\/1#sec9d35bf721\">Health sharing<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/cloudkit-end-to-end-encryption-sec3cac31735\/1\/web\/1#sece267af3d4\">iCloud Private Relay<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/account-recovery-contact-security-secafa525057\/1\/web\/1\">Account recovery contact 
security<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/legacy-contact-security-secebf027fb8\/1\/web\/1\">Legacy Contact security<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/tap-to-pay-on-iphone-sec72cb155f4\/1\/web\/1\">Tap to Pay on iPhone security<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/access-using-apple-wallet-sec75f6d5040\/1\/web\/1\">Access using Apple Wallet<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/access-credential-types-sec30bdef041\/1\/web\/1\">Access credential types<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/ids-in-apple-wallet-secc50cff810\/1\/web\/1\">IDs in Apple Wallet<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/guide\/security\/communication-security-sec3a881ccb1\/1\/web\/1#seca5773eb35\">Siri-enabled HomeKit accessories<\/a><\/li><\/ul><\/blockquote>\n<p><a href=\"https:\/\/support.apple.com\/guide\/security\/paired-recoveryos-restrictions-sec4cf9d63a6\/1\/web\/1\">Apple<\/a>:<\/p>\n<blockquote cite=\"https:\/\/support.apple.com\/guide\/security\/paired-recoveryos-restrictions-sec4cf9d63a6\/1\/web\/1\"><p>In macOS 12.0.1 or later, every new macOS installation also installs a paired version of recoveryOS into the corresponding APFS volume group. This design is familiar to users of Intel-based Mac computers, but on a Mac with Apple silicon, it provides additional security and compatibility guarantees. Because every macOS installation now has a dedicated paired recoveryOS, this helps ensure that only that dedicated paired recoveryOS can perform security-downgrading operations. 
This helps protect installations of newer versions of macOS from tampering initiated from older versions of macOS, and vice versa.<\/p>\n<p>[&#8230;]<\/p>\n<p>To boot into a paired recoveryOS for any macOS installation, that installation needs to be selected as the default, which is done using Startup Disk in System Preferences or by starting any recoveryOS and holding Option while selecting a volume.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/eclecticlight.co\/2022\/05\/15\/last-week-on-my-mac-the-slim-hope-of-recovery\/\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2022\/05\/15\/last-week-on-my-mac-the-slim-hope-of-recovery\/\">\n<p>Don&rsquo;t be put off by its title: Apple Platform Security Guide is mandatory reading for all advanced Mac Users, and the only way we get to learn about important details of macOS, iCloud, and much else.<\/p>\n<p>[&#8230;]<\/p>\n<p>Indeed, several of us have experienced problems trying to get a downgraded copy of macOS on an external disk to load third-party kexts. Could this be the result of our not setting that boot volume group as &ldquo;the default&rdquo;?<\/p>\n<p>[&#8230;]<\/p>\n<p>What the Guide says currently is incorrect at the least. If M1 Recovery Mode really does have two different ways of selecting the boot volume group to be used next, their differences need to be explained properly and not left to inference and guesswork. 
Users, who are hardly likely to pore over the Guide or study bputil&rsquo;s man page, need clear explanation of how they should start their M1 Macs from an external boot disk, how its local Recovery system is paired to it, and how to use Startup Security Utility effectively.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/03\/09\/apple-platform-security-february-2021\/\">Apple Platform Security Guide (February 2021)<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/12\/19\/apple-platform-security-guide-fall-2019\/\">Apple Platform Security Guide (Fall 2019)<\/a><\/li>\n<\/ul>\n\n<p id=\"apple-platform-security-guide-may-2022-update-2022-05-19\">Update (2022-05-19): <a href=\"https:\/\/pxlnv.com\/linklog\/apple-platform-security-2022\/\">Nick Heer<\/a>:<\/p>\n<blockquote cite=\"https:\/\/pxlnv.com\/linklog\/apple-platform-security-2022\/\">\n<p><a href=\"https:\/\/twitter.com\/maxzks\/status\/1525465484195516416\">Max Zinkus<\/a> tweeted a thread of notable new sections and updates, like <a href=\"https:\/\/twitter.com\/maxzks\/status\/1525502972976832513\">this one<\/a>[&#8230;] This is part of a broader question about whether Apple could switch any iMessage discussion to Messages for Business Chat, which has looser security and privacy standards than peer-to-peer iMessage.<\/p>\n\n<p>iMessage itself retains a <a href=\"https:\/\/support.apple.com\/en-ca\/guide\/security\/secd9764312f\/web\">misleading description<\/a> of its security architecture[&#8230;]<\/p>\n<\/blockquote>\n\n<p id=\"apple-platform-security-guide-may-2022-update-2022-06-03\">Update (2022-06-03): <a href=\"https:\/\/eclecticlight.co\/2022\/06\/03\/is-apples-malware-removal-tool-dropping-out-of-macos-13\/\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2022\/06\/03\/is-apples-malware-removal-tool-dropping-out-of-macos-13\/\">\n<p>This year, eagle-eyed readers noticed a significant absence: all mention of the 
Malware Removal Tool, MRT, has gone.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Apple (PDF): Unless otherwise noted, this documentation covers the following operating system versions: iOS 15.4, iPadOS 15.4, macOS 12.3, tvOS 15.4, and watchOS 8.5. Apple: Topics added: Paired recoveryOS restrictions, Local Operating System Version (love), Health sharing, iCloud Private Relay, Account recovery contact security, Legacy Contact security, Tap to Pay on iPhone security, Access using Apple Wallet, Access credential types, IDs in Apple Wallet, Siri-enabled HomeKit [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-05-16T20:21:54Z","apple_news_api_id":"8bbdedea-272d-4b0a-a25e-81c103326df3","apple_news_api_modified_at":"2022-06-03T15:14:03Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAw==","apple_news_api_share_url":"https:\/\/apple.news\/Ai73t6ictSwqiXoHBAzJt8w","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2014,1892,1572,706,16,1417,140,31,2078,30,2077,2088,504,355,48,573],"class_list":["post-35887","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-m1","tag-business-chat","tag-face-id","tag-filevault","tag-icloud","tag-icloud-keychain","tag-imessage","tag-ios","tag-ios-15","tag-mac","tag-macos-12","tag-macos-recovery","tag-malware","tag-privacy","tag-security","tag-touch-id"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-j
son\/wp\/v2\/posts\/35887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=35887"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35887\/revisions"}],"predecessor-version":[{"id":36057,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35887\/revisions\/36057"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=35887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=35887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=35887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}