With the release of macOS Monterey, Apple has changed the way you set a Secure Boot policy for bootable external disks on M-Series—M1, M1 Pro, M1 Max, or M2—Macs. Here’s what you need to know to successfully boot macOS from an external drive.
Full Security is the default setting; as the name suggests, it offers the highest level of security. (This is a level of security previously available only on iOS devices) You have to use the “Set allowed boot media” to control whether your Mac can start up from external or removable media.
The default, most secure setting is to disallow that capability. If you attempt to boot from such media and you get a warning that your security settings do not allow it, you can change the setting in Startup Security Utility.
To drop from Full Security, you have to start up from the external disk, shut down, then start up in Recovery mode by holding the Power button.
That takes you into the Recovery system on that external disk, where you can change its policy using Startup Security Utility. If you’re using a Mac with the Apple T2 Security Chip, the tool offers three features to help secure your Mac against unauthorized access: firmware password protection, Secure Boot, and the ability to set allowed boot media.
Also, note that when started up from the Recovery system on the internal SSD, you can only set policy for that disk, not external disks.
i cant see how that should help on a macbook M1 14″, new bought.. i only get “full security” and “reduced Security”.. i dont get “allowed boot media” i want to downgrade from monterey to big sur, but i seems sheer impossible..
I just had to do this on an Intel Mac Book Air. So, not just M1.
Maybe you can clarify where one can find the Startup Security Utility?
Hi, Dennis. If you doublecheck the first paragraph of your article, you will probably realize that the security screen you displayed is only for Intel Macs with T2 chips. All of the Apple Silicon M-series Macs allow booting to external media without having to change startup security settings, since each volume with macOS has its own recoveryOS with its individual local security settings. When booting to the Startup Options with an Apple Silicon Mac by holding the Power Button, you get presented with the choices “Options”, as well as the choice of each volume with a macOS, including internal and external drives.
Dennis, this is one of your more tantalizing articles, giving me no idea about what actually to do in case I need to reboot my Mac from, say, a USB drive. For example, what beside a Recovery System needs to be on that external drive for a successful reboot? How do I get the RS onto the external drive to prepare it for such eventuality?
As one who rarely comes across such a problem I think it very useful to store the end-to-end solution in a place, such as an iCloud file, where I can get to it in case of panic.
Thanks!