Use Microsoft Intune to set Recovery Lock for macOS

03/06/2026

Recovery mode for macOS is a built-in troubleshooting environment that runs independently of the main operating system. End users can start recovery mode themselves. It provides a set of essential utilities to repair disks, restore from backups, reinstall macOS, or modify startup security settings. When this mode is not protected, anyone with physical access to the device can enter recovery mode. This post explains how to protect this environment from unauthorized access.

Recovery mode

To enter recovery mode on a macOS device, a specific key combination or button must be pressed and held for a certain period of time. Once in recovery mode, it is possible to modify the operating system and disk by selecting options in the menu.

macOS Recovery mode

The options are restoring from Time Machine, reinstalling the OS, using a web browser and opening Disk Utility. It is also possible to change the Startup Security Policy for the startup disk from Full Security to Reduced Security. Reducing the security policy allows older system extensions to be loaded.

Startup Security Utility

Policy to Protect Recovery mode

In service release 2603 we have the ability to protect recovery mode from unauthorized access. To make use of this protection we need to create a configuration profile. This profile protects recovery mode from being accessed by a user by requiring a password to enter this environment.

From the Intune portal:

Devices > macOS > Configuration

Create a new policy of type Settings Catalog and search for Recovery lock password. Select both options: Enable Recovery Lock Password to enable the feature, and Recovery Lock Password Rotation Schedule to automatically rotate this password on the desired schedule.

Settings Catalog - Recovery Lock Password

Retrieve Recovery Lock Passcode

To retrieve the recovery lock passcode once a recovery lock policy is configured, navigate to the corresponding device in Intune.

From the Intune portal:

Devices > macOS

Select the relevant device. In the new device view, go to Tools and reports, then select Passwords and keys. If no policy is configured for this setting, this option appears greyed out.

New Device view - Passwords and keys

A new view opens, displaying the recovery keys for this device. The recovery lock passcode is also shown here, and from this view it is possible to rotate the recovery lock passcode.

Recovery Keys

User Experience

The protected recovery mode has been tested using a virtual machine. To start the VM in recovery mode, use the terminal on the host where the VM is running. Run the following command to enter recovery mode:

prlctl start "<VM Name>" --recovery-mode

Terminal - Enter recovery mode

When a user boots into recovery mode, a message is shown that recovery mode is protected with a passcode. Without the passcode, recovery mode cannot be accessed. This way we have protected recovery mode from unauthorized access.

Protected Recovery mode macOS

Recap

Recovery mode on macOS is a powerful tool for end users. To manage this environment, use Microsoft Intune to create a policy that restricts unauthorized access. By implementing this policy, unauthorized access can be prevented and the overall security of macOS devices can be strengthened.