One of the joys of Touch ID on a Mac laptop is using Apple Pay without needing an iPhone or iPad at hand to validate a secure credit or debit card transaction. This was extended to M1 Macs with the Magic Keyboard with Touch ID, which allows an iMac or Mac mini to add Touch ID through a special wireless connection to an M1 Mac’s Secure Enclave module.
But some readers have found Apple Pay disabled. In the Wallet & Apple Pay system preference pane, macOS offers the explanation “Apple Pay has been disabled because the security settings of this Mac were modified.” Several different causes could be the root, and Apple omits one for M1 Macs in the document linked via a Learn More button in the pane.
Full Security on an Intel or M1 Mac
To ensure Apple Pay works, system security must be set to Full Security on both Intel and M1-series Macs. This requires restarting or starting up in recoveryOS and then using the Startup Security Utility to reset system security.
You may have downgraded security on an Intel Mac to boot off an external volume or to install some low-level drivers for third-party software. With an M1 Mac, the most likely reason is you enabled its Reduced Security mode to install a kernel extension required by some software that taps into low-level drivers, like some of Rogue Amoeba’s audio software. (Apple doesn’t yet provide hooks in macOS for M1 Macs that allow certain kinds of direct access to system input and output without reducing security.)
With a reduced-security macOS startup, Apple may be unable to create the level of integrity it and the credit-card system requires for mobile payments that match the degree offered by a point-of-sale system accepting a chip on a card. If so, Apple Pay is disabled on the Mac. (Apple explains in technical detail how this relates to the M1 security policy process in this platform security document.)
There are separate paths on how to re-enable Full Security by Mac architecture type. Apple offers a full page walkthrough on reverting to Full Security with an Intel Mac with a T2 Security Chip. For an M1-series Mac, look at the “Change the security policy” heading in this support document.
Apple also suggests other causes:
- If you have a laptop, its lid must be open. This makes sense because how would you otherwise use the Touch ID sensor? There’s an exception: you can still use the sensor on a Magic Keyboard with Touch ID with an M1-series Mac with the lid closed. (Apple doesn’t list this exception; I tested it, and it works.)
- In the Software Update preference pane, click Advanced: the “Install system data files and security updates” box should be checked for automatic installation.
- Apple also notes more ambiguously that macOS disables Apple Pay “when it detects third-party software or malware that affects its ability to keep your payment information secure.”
You might wonder why Safari continues to allow you to fill in stored credit and debits cards from Safari > Preferences > Autofill if Apple Pay is disabled? Safari doesn’t perform a mobile payment transaction when it auto-fills card information—it just drops the information in without additional typing. Safari doesn’t even store the card’s verification code, the CVV, which must be entered manually.
Credit-card processors that manage transactions for online retailers treat form-entered cards as among the most potentially fraudulent transactions; they don’t differentiate—nor do they have a way to—between browser auto-filled card details or those entered manually. Apple Pay mobile payments are among the least likely to be fraudulent because of the way the transaction is created and validated, and are scored for risk accordingly.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to email@example.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.