Mac Startup Security Settings Explained

You’re trying to install a kernel extension that a vendor’s documentation says you need. Maybe it’s a virtualization tool, an external GPU driver, or a security agent for work. macOS refuses, and somewhere in the error message it mentions “Reduced Security.” You google around and end up in a maze of Apple support articles about Startup Security Utility, Boot Policy, Secure Boot levels, and recovery procedures that all read like they were written by lawyers.

The actual concepts here are simpler than Apple’s docs make them seem. Startup Security is about what your Mac will agree to boot — at a hardware-enforced level, before any user code runs. Tightening it locks out everything except Apple-blessed software. Loosening it lets you install third-party kernel extensions or older OS versions. The trade-off is real, and worth understanding before you flip any switches.

What Startup Security Controls

Modern Macs verify what they boot at multiple levels:

1. The firmware verifies the bootloader
2. The bootloader verifies the kernel
3. The kernel verifies kernel extensions and the system volume
4. The system volume’s signed seal is checked at every load

If any of these checks fail, the Mac refuses to boot. Startup Security is what determines how strict these checks are. It’s enforced by hardware (the Secure Enclave on Apple Silicon, the T2 chip on Intel Macs that have one).

Where to Find the Settings

The location differs by Mac generation:

Intel Macs with T2 chip (2018+ MacBook Pro, 2020 iMac, etc.):

• Boot into Recovery (Cmd+R)
• Utilities menu → Startup Security Utility
• Authenticate with admin credentials

Intel Macs without T2 (older models): These don’t have configurable Startup Security in the same way. They support boot-camp-style flexibility by default.

Apple Silicon Macs:

• Boot into Startup Options (hold power button)
• Click your boot volume
• Click the gear icon (“Options”) below the volume
• Authenticate with admin credentials

The Apple Silicon flow shows different settings than the Intel T2 flow, because the underlying mechanisms differ.

Intel T2 Startup Security Levels

Three levels:

Full Security

The default. Only allows booting:

• macOS that’s currently signed by Apple (the latest, plus a brief overlap window)
• Microsoft Windows via Boot Camp

External boot is also restricted. The Mac requires every load to be signed and verified.

Medium Security

Allows booting:

• Any macOS that has ever been signed by Apple (older versions still work)
• Boot Camp Windows

Used to be called “Maximum Security with offline access” or similar in older Apple wording.

No Security

Allows booting:

• Anything the Mac can read (Linux, modified macOS, custom kernels)
• No signature verification at boot

This is for tinkerers, dual-boot enthusiasts, and developers. It accepts that you’ve taken responsibility for what you boot.

The “External Boot” option is separate:

• Disallow booting from external media (default)
• Allow booting from external media

These are independent of the security level. You can have Full Security with external boot allowed, for example, to use a signed external macOS installer.

Power users use SweepSweep handles all the cleanup that articles like this describe. Get Sweep free →

Apple Silicon Boot Policy

Apple Silicon doesn’t use the Intel T2 levels. Instead, each bootable system on the Mac has its own “boot policy”:

• Full Security — only boots Apple-signed macOS, no kernel extension installation, no SIP modification
• Reduced Security — allows older macOS versions, allows installing kernel extensions, allows running unsigned kernel extensions you’ve explicitly approved
• Permissive Security — adds the ability to disable SIP and run unsigned code, including modified system

Crucially, the boot policy is per-bootable-system, not global. You can have one macOS install at Full Security and another (e.g., a developer test install) at Reduced Security on the same Mac.

To set boot policy for the current install:

1. Boot into Startup Options (power button hold)
2. Select the macOS install
3. Options → continue
4. From the Recovery menu bar: Utilities → Startup Security Utility
5. Choose Full or Reduced Security; Permissive requires additional flag-setting

For Permissive Security, you also need to disable SIP from Terminal in Recovery:

csrutil disable

And often:

csrutil authenticated-root disable

The latter unseals the system volume so the OS itself can be modified.

When You Actually Need to Loosen Security

A short list of things that genuinely require Reduced Security on Apple Silicon (or No Security on Intel T2):

• Older third-party kernel extensions that Apple hasn’t notarized — most modern equivalents use System Extensions instead, which don’t require Reduced Security
• DTrace, dtruss, or other deep debugging tools that need kernel-level access
• Some virtualization tools during specific operations (most major VM tools work at Full Security now)
• Custom Linux installs that boot directly from the SSD (not from a USB)
• Asahi Linux on Apple Silicon — needs Reduced Security and additional setup

What doesn’t need it (despite older docs claiming otherwise):

• Most modern third-party security tools (they use Endpoint Security framework now, not kernel extensions)
• VPNs (use System Extensions or Network Extensions)
• File system drivers like NTFS for Mac (Apple Silicon versions use FSKit or System Extensions)

If a tool insists it needs Reduced Security and there’s no newer version that doesn’t, that’s a signal the tool may be neglected. Look for alternatives first.

What Loosening Security Costs You

The trade-offs are concrete:

Full Security guarantees:

• The OS you’re booting hasn’t been modified
• No unsigned code can run in the kernel
• A bad actor with physical access can’t easily slip a rootkit into your boot chain
• FileVault’s protections are coupled with the boot chain

Reduced Security weakens:

• Apple’s verification of older OS versions (you can boot ones with known security issues)
• Kernel extension verification (third-party extensions can be loaded)
• Some integrity checks the Secure Enclave normally performs

Permissive Security additionally weakens:

• SIP, which protects system files from modification at runtime
• The signed system volume seal
• Apple’s ability to verify your OS is unmodified at any point

For a personal Mac that’s heavily locked down, the loss of Full Security guarantees is real. For a developer Mac that needs flexibility, the trade-off may be acceptable.

There’s a faster waySweep does this kind of cleanup automatically. Try Sweep free →

Tightening Back Up

One useful property: lowered security can be raised back. If you temporarily set Reduced Security to install a kernel extension, you can re-enter Recovery later and put it back to Full.

To go back to Full Security on Apple Silicon:

1. Boot into Startup Options
2. Select the install, click Options
3. Utilities → Startup Security Utility
4. Choose Full Security

If SIP was disabled, re-enable it:

csrutil enable

Reboot, and the system is back at maximum lockdown. Any kernel extensions that were loaded under Reduced Security may stop working — they need their security level to remain.

How to Check Current Security State

From Terminal in your normal user session:

csrutil status

Tells you whether SIP is enabled.

spctl --status

Tells you whether Gatekeeper is enabled (related but separate — Gatekeeper checks signatures of apps you launch).

nvram -p | grep csr-active-config

Shows the raw SIP configuration value.

For boot policy on Apple Silicon, the configuration is stored on the boot volume itself and isn’t easily read from the running system. Apple’s intent is that you check it through Startup Security Utility in Recovery.

When Recovery Itself Is Affected

A subtle interaction: on Apple Silicon, Recovery Mode is part of the boot chain that’s also subject to verification. If your boot policy is set to Permissive, Recovery operates differently — some operations that would normally require additional confirmation become accessible.

Don’t leave Permissive Security on permanently. It’s meant for specific tasks (installing a custom kernel, running a research tool), not as a default state.

What Goes Wrong

Three failure modes worth being aware of:

“I disabled security and now things are weird”

Some apps lose features when they detect the system isn’t at Full Security. Banking apps, some DRM-protected media, and certain enterprise tools refuse to run on Macs at Reduced or Permissive Security. This is rare but real.

”I can’t get back to Full Security”

If you installed a kernel extension that the system now depends on for booting (rare on modern macOS), going back to Full Security may fail because the extension isn’t signed. The fix is to uninstall the extension first, then change the security setting.

”I forgot the admin password”

Startup Security changes require admin auth. If you’ve forgotten the password and the Mac is in Reduced Security, you may be able to reset it via Recovery’s resetpassword tool. If it’s Full Security and you’ve forgotten and don’t have iCloud recovery, the path is harder — typically a full erase via Apple Configurator.

The Right Default

For 95% of Mac users, Full Security on Apple Silicon or Full Security with external boot disabled on Intel T2 is the right setting. It’s what Apple ships, it’s what most software is designed to work with, and it’s the strongest protection against a class of attacks that target boot-time integrity.

Drop it down only when you have a specific reason, and put it back when that reason no longer applies. Treat Reduced Security as a temporary state, not a permanent one. The protections you give up are real, even if you can’t see them working most days.