"Secure software requires a foundation of security built into hardware. That's why Apple devices - running iOS, iPadOS, macOS, tvOS, or watchOS - have security capabilities designed into silicon," Apple says in its update.
The 196-page guide takes a deep dive into the M1 chip's security setup, which will be of particular interest for organisations running multiple Macs.
It includes an explanation of Sealed Key Protection of encrypted data against "brute force attacks" - a feature available in Apple devices since the iPhone 7 but now available to Macs for the first time via the M1 chip.
At a pre-release briefing, an Apple rep said the company's research found that only around half its customers protected their phones with passcodes.
But with the launch of TouchID fingerprint scanning and now FaceID, that number has increased to 92 per cent.
Your biometric ID is stored on your device rather than in the cloud as part of Apple's broader "zero-trust" framework.
With the new A14 processor (used in the latest iPhones and iPads) and the M1, a dedicated hardware security controller ups the level of an already secure system. It helps that Apple dropped Intel for a return to designing its own silicon for its latest Macs.
Apple also explains why you still have to type in a passcode each time you restart your device, or if you haven't used it for 48 hours.
The Platform Security guide says there is a 1 in 50,000 chance that a random person could unlock your device using TouchID, and a one in a million chance that a random stranger could unlock it using FaceID.
Asked about the security situation for those running Windows on a Mac via the likes of Parallels or VMware, a rep for Apple said a virtual session would be subject to any vulnerability in Windows, but that if a hacker did somehow "escape out of the virtual machine and then try to attack your M1 Mac - at that point, just like any other piece of malware, all of the very strong M1 security protections would come into play and make it very, very difficult for it to gain a foothold on the system".
The same goes for when a Chrome browser extension is used on an M1 Mac.
The Apple/Google Exposure Notification Framework, recently deployed for Bluetooth tracing in the Ministry of Health's NZ Covid Tracer app, does not fall under the Platform Security Guide.
However, Privacy Commissioner John Edwards gave the tracing technology his approval, noting that Bluetooth tracing data is deleted after 14 days (and data about QR code scanning after 60 days), and that various safeguards are taken to anonymise a person's identity in the event they become infected and close contacts need to be informed.
Edwards recently suggested legal tweaks to ensure the data was only used for the purposes it was collected for, and not made available to police or other agencies. A similar law change has already been made in Australia.
Covid-19 response Minister Chris Hipkins is considering the move. In the meantime, Hipkins noted the Ministry of Health has undertaken to only use NZ Covid Tracer data for coronavirus tracing purposes, and that Bluetooth tracing data is wiped from an Apple or Android phone after two weeks.