← Back to Apple macOS 26 (Tahoe) Security Technical Implementation Guide

V-277178

CAT II (Medium)

The macOS system must ensure Secure Boot level is set to "full".

Rule ID

SV-277178r1149395_rule

STIG

Apple macOS 26 (Tahoe) Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002696 CCI-002699 CCI-002702

Discussion

The Secure Boot security setting must be set to "full". Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. Note: This will only return a proper result on a T2 or Apple Silicon Macs. Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201

Check Content

Verify the macOS system is configured to ensure Secure Boot level is set to "full" using the following command:

/usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "SecureBootLevel = full"

If the result is not "1", this is a finding.

Fix Text

Configure the macOS system to ensure Secure Boot level is set to "full" by booting into Recovery Mode and enabling Full Secure Boot.