Apple’s newest Macs have a new Apple-designed chip in them — the T2 Security Chip — that integrates several other controllers on Macs (System Management Controller, image signal processor, audio controller and SSD controller) into one chip. These Macs include the iMac Pro (2017 and later) and Mac mini, MacBook Air and MacBook Pro models shipped in 2018. Working with a new app known as the Startup Security Utility, the T2 chip provides features that make these Macs more secure, but can also make them unable to boot from an external drive. In this article, we’ll talk about the new security features and how to re-enable booting from an external drive.
What Are The New Security Features Provided By the Apple T2 Security Chip?
The T2 Security Chip and Startup Security Utility work in tandem to provide three features that protect the boot process against someone with physical access to your Mac. Those features are:
1 – Firmware Password Protection
This feature prevents anyone who does not know the firmware password from starting the Mac up from a disk other than your designated startup disk. This keeps someone from plugging an external drive into your Mac, selecting that drive as the startup drive and then reading the internal drive to steal data. The firmware password also blocks most startup key combinations, so Recovery Mode (and with it the Startup Security Utility) asks for the firmware password before it will load.
2 – Secure Boot
Secure boot makes sure that the Mac is only able to boot from a legitimate, trusted Mac operating system or Microsoft Windows operating system (under Boot Camp).
3 – External Boot
By default, the T2 chip disallows booting from any external media. This can be changed in the Startup Security Utility.
Where Do I Find The Startup Security Utility?
To open the Startup Security Utility, you must boot your Mac in Recovery Mode. To do this:
1) Turn on your Mac and immediately press and hold Command (⌘)-R, keeping the keys held until you see the Apple logo or a spinning globe.
2) Once Recovery Mode has loaded, you'll see the macOS Utilities window. Select Utilities > Startup Security Utility from the menu bar.
3) You’ll be asked to authenticate; click Enter macOS Password, then enter the name and password for an administrator account.
The Startup Security Utility screen appears (see screenshot below):
How Do I Set a Firmware Password?
You can set a firmware password to keep anyone without that password from starting up from a disk other than your designated startup disk. Click Turn On Firmware Password, enter the password in the two fields provided, and then click Set Password. Remember this password — if you forget it, you’ll need to schedule an in-person service appointment with an Apple Store or Apple Authorized Service Provider, bring your Mac to the appointment, and also supply an original receipt or invoice as proof of purchase.
How Do I Enable Secure Boot?
The three settings available for Secure Boot are Full Security, Medium Security and No Security.
Full Security provides the same level of security as iOS devices, and it is the default setting for Secure Boot. As the Mac starts up, it verifies the integrity of the operating system on the startup disk to ensure that it is legitimate. If the OS is either unknown or not verified as legitimate, the Mac connects to Apple to download the information it needs to verify the OS. That information is unique to each Mac and is used to make sure that the Mac is starting up from an OS that is trusted by Apple.
An internet connection is required to verify an operating system the Mac has not already verified, so make sure the Mac is connected to a Wi-Fi network or Ethernet before you install macOS or change the startup disk.
If the operating system doesn’t pass verification, the following happens:
macOS: The system alerts you that a software update is required to use the startup disk. Clicking Update opens the macOS installer, which can then be used to reinstall macOS on the startup disk. The other option is to click Startup Disk and select a different startup disk, which the Mac then attempts to verify.
Windows: The system alerts you that you’ll need to install Windows with Boot Camp Assistant.
If you prefer running an older version of macOS or Windows on your T2-equipped Mac, you'll need to set Secure Boot to Medium Security. With Medium Security enabled, the Mac checks only that the operating system carries a valid signature from Apple or Microsoft; it accepts any version those vendors have ever signed, rather than only the version Apple currently verifies for this particular Mac. No internet connection is required unless Secure Boot determines that the operating system must be updated before it allows the system to boot.
With No Security set, Secure Boot doesn't enforce any requirements on the bootable operating system. This means that any compatible version of macOS or Windows can be used to boot the Mac, as can Linux distributions built for installation on Macs. Bear in mind that this also removes the integrity check on the operating system your Mac boots.
What Are My Options for External Boot?
The External Boot feature controls whether or not your Mac can start up from an external hard drive, USB thumb drive or other external media. If a Mac is equipped with a T2 chip, it is no longer possible to boot it from a network volume.
By default, Macs with the T2 Security Chip are set to disallow booting from external media, including USB and Thunderbolt drives. When you attempt to change the startup disk to an external drive, Startup Disk preferences displays a message (see screenshot below) that says “Security settings do not allow this Mac to use an external startup disk”. It also offers instructions on how to change those settings.
Allowing A T2-Equipped Mac to Boot From An External Startup Disk
If you select an external drive anyway and restart, the Mac shows the same message (see above) and offers to restart from the current startup disk or to select another startup disk. To allow the Mac to use an external startup disk:
1) Open Startup Security Utility using the instructions found in “Where do I find the Startup Security Utility?” towards the top of this article.
2) Select “Allow booting from external media.”
3) To select an external startup disk before restarting the Mac, quit the Startup Security Utility, then choose Apple menu > Startup Disk.
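The firmware-password and external-boot settings described above are changed in the graphical utility, but once macOS is running you can audit them from the command line. The script below is an added example written for this article, not Apple's code: it parses the output of `system_profiler SPiBridgeDataType`, `firmwarepasswd -check` and `diskutil info` into one posture line. The exact strings it matches ("Apple T2", "Password Enabled: Yes" and "Device Location: External") are assumptions about those tools' output, and the sample outputs used to check the parsers are constructed for illustration.

```shell
#!/bin/sh
# Added example for this article (not Apple's code): audit the T2-related
# settings discussed above from a running macOS session. The parsers take
# command output as an argument so they can be checked with constructed
# samples; the live commands only run on macOS, and need root.

# 0 when `system_profiler SPiBridgeDataType` output names the T2 chip.
# Assumption: the report lists "Model Name: Apple T2 Security Chip".
t2_present() {
    printf '%s\n' "$1" | grep -q 'Apple T2'
}

# 0 when `firmwarepasswd -check` (run as root) reports a password is set.
# Assumption: the tool prints "Password Enabled: Yes" or "Password Enabled: No".
fw_password_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Password Enabled:[[:space:]]*Yes'
}

# 0 when `diskutil info <volume>` output says the device is external.
# Assumption: diskutil prints a "Device Location: Internal|External" line.
volume_is_external() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Device Location:[[:space:]]*External'
}

# Fold the three outputs into one line, e.g. "t2=yes fwpw=no external=no".
summarize() {
    t2=no; fwpw=no; ext=no
    t2_present "$1" && t2=yes
    fw_password_enabled "$2" && fwpw=yes
    volume_is_external "$3" && ext=yes
    printf 't2=%s fwpw=%s external=%s\n' "$t2" "$fwpw" "$ext"
}

# Live report. `diskutil info /` describes the volume you are running from,
# so "external=yes" means this session itself was booted from external media.
report() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: firmwarepasswd and systemsetup need root; run with sudo" >&2
    fi
    summarize "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
              "$(firmwarepasswd -check 2>/dev/null)" \
              "$(diskutil info / 2>/dev/null)"
    # The blessed startup folder the Mac will try on the next boot (root only).
    systemsetup -getstartupdisk 2>/dev/null
}

if [ "$(uname)" = Darwin ]; then
    report
fi
```

Run it on the Mac itself as root (`sudo sh t2_audit.sh`). The same `firmwarepasswd` tool can set the password without Recovery Mode (`sudo firmwarepasswd -setpasswd`, which prompts for it) and `sudo firmwarepasswd -verify` confirms you still know it. The script does not read the Secure Boot level, which this article covers only through Startup Security Utility.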