What could be more timely than the release of the first version of my new tool to check whether your Mac’s EFI firmware is up to date, to check its security settings, and whether it also has the latest security updates for Gatekeeper, XProtect, MRT, and others?
SilentKnight uses the same checking engine as that in EFIcienC, but has significant improvements to its interface and reporting. To check your Mac, simply open the app. It then runs a series of automatic checks:
- whether your EFI firmware is current, against a list which I maintain for each model;
- settings of key security systems such as System Integrity Protection (SIP);
- security data files for MRT, Gatekeeper, XProtect, TCC, and the KEXT blocker, testing whether they are up to date;
- whether there are any security updates available from Apple.
If the answer to the last is that there are updates available, it provides a single button which will download and install them immediately.
SilentNight replaces EFIcienC, which I will soon be withdrawing as it was intended purely for development and testing the engine now in SilentNight. Compared with EFIcienC 1.0b2, this first release of SilentKnight:
- Improves the text output to the lower view by removing debugging information and neatening the output.
- Changes app behaviour following successful installation of a security update. Because macOS seems incapable of updating the version number correctly without quitting the app, SilentKnight identifies updated items using the emoji 👈.
- Takes into account the great variation in Mac Pro firmware when reporting their results.
- Help and Reference files have been extensively revised, and now include advice on what to do after updates.
- Text boxes in the app’s window now have Tooltips.
SilentKnight isn’t intended as a complete replacement for LockRattler, which offers similar coverage but without automatic comparison against expected results. LockRattler remains the preferred option when you need more flexibility, perhaps running deliberately with older EFI firmware, or only wanting to download and install certain named updates.
SilentKnight is fully compatible with El Capitan (10.11) to Catalina (10.15b3), and all models capable of running those versions of macOS. However, EFI firmware versions are only given for currently-supported versions of macOS, which is quite complicated enough. If you’re running a Catalina beta, you may notice the following apparent anomalies:
- EFI firmware is likely to be several versions ahead, e.g. 126.96.36.199.0 instead of 188.8.131.52.0. Note that SilentKnight reports these versions, but doesn’t flag them as a problem, as it tolerates the use of newer firmware.
- The latest XProtect installed is 2103, but the version shown is still 2102. This is a macOS error.
- The latest MRT installed is 1.45, but the version shown is still 1.43 (which appears to have been pushed to Catalina beta systems only). This too is a macOS error.
- Catalina doesn’t have a KEXT blocker extension, but uses a different mechanism to prevent loading of unacceptable extensions. This is detected and noted by SilentKnight.
As I fix any remaining issues in that, I will be progressing a command tool to provide similar features.