Everything You Need to Know About Apple T2 Security Chip Startup Security Utility

(Apple's T2 Security Chip. Image via WikiBlog.info)

Apple’s newest Macs have a new Apple-designed chip in them — the T2 Security Chip — that integrates several other controllers on Macs (System Management Controller, image signal processor, audio controller and SSD controller) into one chip. These Macs include the iMac Pro (2017 and later) and Mac mini, MacBook Air and MacBook Pro models shipped in 2018. Working with a new app known as the Startup Security Utility, the T2 chip provides features that make these Macs more secure, but can also make them unable to boot from an external drive. In this article, we’ll talk about the new security features and how to re-enable booting from an external drive.

What Are The New Security Features Provided By the Apple T2 Security Chip?
The T2 Security Chip and Startup Security Utility work in tandem to provide three features that keep your Mac from being accessed by an unauthorized party. Those features are:

1 – Firmware Password Protection

This feature prevents anyone who does not know the firmware password from starting the Mac up from a disk other than your designated startup disk. This keeps someone from plugging an external drive into your Mac and selecting that drive as the startup drive, then accessing the main drive to steal data.

2 – Secure Boot

Secure boot makes sure that the Mac is only able to boot from a legitimate, trusted Mac operating system or Microsoft Windows operating system (under Boot Camp).

3 – External Boot

By default, the T2 chip disallows booting from any external media. This can be changed in the Startup Security Utility.

Where Do I Find The Startup Security Utility?
To open the Startup Security Utility, you must boot your Mac in Recovery Mode. To do this:

1) Turn on your Mac, and immediately press and hold Command (⌘)-R after you see the Apple logo.

2) Booting in Recovery Mode, the next thing you’ll see is the macOS Utilities window. Select Utilities > Startup Security Utility from the menu bar.

3) You’ll be asked to authenticate; click Enter macOS Password, then enter the name and password for an administrator account.

The Startup Security Utility screen appears (see screenshot below):

(Startup Security Utility, available on new Macs with the T2 chip)

How Do I Set a Firmware Password?
You can set a firmware password to keep anyone without that password from starting up from a disk other than your designated startup disk. Click Turn On Firmware Password, enter the password in the two fields provided, and then click Set Password. Remember this password — if you forget it, you’ll need to schedule an in-person service appointment with an Apple Store or Apple Authorized Service Provider, bring your Mac to the appointment, and also supply an original receipt or invoice as proof of purchase.

How Do I Enable Secure Boot?
The three settings available for Secure Boot are Full Security, Medium Security and No Security.

Full Security
Full Security provides the same level of security as iOS devices, and it is the default setting for Secure Boot. As the Mac starts up, it verifies the integrity of the operating system on the startup disk to ensure that it is legitimate. If the OS is either unknown or not verified as legitimate, the Mac connects to Apple to download the information it needs to verify the OS. That information is unique to each Mac and is used to make sure that the Mac is starting up from an OS that is trusted by Apple.

An internet connection is required for verification of an unknown or non-legitimate operating system, so make sure that the Mac is connected to a Wi-Fi network or Ethernet.

If the operating system doesn’t pass verification, the following happens:

macOS: The system alerts you that a software update is required to use the startup disk. Clicking Update opens the macOS installer, which can then be used to reinstall macOS on the startup disk. The other option is to click Startup Disk and select a different startup disk, which the Mac then attempts to verify.

Windows: The system alerts you that you’ll need to install Windows with Boot Camp Assistant.

Medium Security

If you prefer running an older or untrusted version of macOS or Windows on your T2-equipped Mac, you’ll need to set Secure Boot to Medium Security. When your Mac starts up with Medium Security enabled, it only checks whether or not the operating system has been properly signed by Apple or Microsoft. No internet connection is required unless Secure Boot determines that the operating system must be updated before it allows the system to boot.

No Security

With No Security set, Secure Boot doesn’t enforce any requirements on the bootable operating system. This means that any compatible version of macOS or Windows can be used to boot the Mac, or even Linux distributions that are designed for installation on Macs.
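The firmware-password and Secure Boot settings above are normally only visible by rebooting into Recovery. As an added example (not from the article or from Apple), the POSIX shell script below reads the same state from a running macOS session so an administrator can audit it without a reboot. It assumes the NVRAM variable `94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy` holds `%02`, `%01` or `%00` for Full, Medium and No Security (as used by common MDM extension attributes) and that `firmwarepasswd -check` prints `Password Enabled: Yes` or `No`; the parsing functions also accept captured output, so they can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: map T2 Startup Security Utility state to the labels the
# article uses. Assumption: %02/%01/%00 in AppleSecureBootPolicy correspond
# to Full/Medium/No Security; firmwarepasswd -check prints "Password Enabled: ...".

# Translate one line of `nvram ...:AppleSecureBootPolicy` output to a level name.
secure_boot_level() {
    case "$1" in
        *%02) echo "Full Security" ;;
        *%01) echo "Medium Security" ;;
        *%00) echo "No Security" ;;
        *)    echo "Unknown (no T2 policy variable)" ;;
    esac
}

# Translate `firmwarepasswd -check` output to yes/no/unknown.
firmware_password_set() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "yes" ;;
        *"Password Enabled: No"*)  echo "no" ;;
        *)                         echo "unknown" ;;
    esac
}

# "OK" only when the Mac keeps the default Full Security level and also has
# the firmware password the article recommends; anything else needs review.
posture_flag() {
    if [ "$1" = "Full Security" ] && [ "$2" = "yes" ]; then
        echo "OK"
    else
        echo "REVIEW"
    fi
}

# Live collection is attempted only on macOS; on a non-T2 Mac the nvram
# variable is absent and the level reports as Unknown rather than failing.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v nvram >/dev/null 2>&1; then
    raw_policy=$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>/dev/null || true)
    raw_fwpw=$(firmwarepasswd -check 2>/dev/null || true)
    level=$(secure_boot_level "$raw_policy")
    fwpw=$(firmware_password_set "$raw_fwpw")
    echo "Secure Boot level:  $level"
    echo "Firmware password:  $fwpw"
    echo "Posture:            $(posture_flag "$level" "$fwpw")"
fi
```

Run it with `sudo` on the Mac being audited, since `firmwarepasswd` may require root; external-boot permission has no equivalent check here and is still verified in Startup Security Utility.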

What Are My Options for External Boot?
The External Boot feature controls whether or not your Mac can start up from an external hard drive, USB thumb drive or other external media. If a Mac is equipped with a T2 chip, it is no longer possible to boot it from a network volume.

By default, Macs with the T2 Security Chip are set to disallow booting from external media, including USB and Thunderbolt drives. When you attempt to change the startup disk to an external drive, Startup Disk preferences displays a message (see screenshot below) that says that “Security settings do not allow this Mac to use an external startup disk”. It also offers instructions on how to change those settings.

(The message that appears in Startup Disk preferences when the user attempts to use an external startup disk)

Allowing A T2-Equipped Mac to Boot From An External Startup Disk
If you do select an external drive to start up from before external boot has been allowed, restarting the Mac brings up the same message (see above) and offers the option either to restart from the current startup disk or to select another startup disk. To allow the Mac to use an external startup disk:

1) Open Startup Security Utility using the instructions found in “Where Do I Find The Startup Security Utility?” towards the top of this article.

2) Select “Allow booting from external media.”

3) To select an external startup disk before restarting the Mac, quit the Startup Security Utility, then select Apple menu > Startup Disk.



  • Apple should allow users to completely disable the T2 chip, if desired. No encryption at all. Nothing to hide. Avoid troubles and waste of energy. We are destroying planet Earth and they do not seem to care.




  • When I followed the above, my Administrator password wasn’t accepted, so I cannot allow startup from external disk! (No use having a clone on an external disk either then.)




  • What about the rest of us? Software patch?




  • So with the default settings, if the internal drive has a catastrophic failure (such that it is not even possible to boot in recovery mode), the Mac becomes unusable.




    • One in a million chance this will ever happen. Mac is the Mac Daddy. Second, bring it in under AppleCare, boom,,,, done. We have never had our Macs go bad as far back as a 2008 Mac Pro Tower which is still perfect as a server for us now. That’s one of the reasons you pay more for a Mac. Go Mac, don’t look back, fear holds us back, faith moves us Mac,,,, forward. Yes, stuff can happen, but it is so rare, & when & if it does, do something about it.




      • David, your response is useless as help and only speaks to how much you like the Apple brand.

        In my case, I am gifting a new 2018 MacBook Pro to an employee, which was only used for a month prior to making this decision. I have been an Apple dev and software engineer for almost a decade and have extensive knowledge of the Mac ecosystem; however, I did not hear about the concept of auto-disabling boot from USB being the default action until running into my current issue.

        I was using it on the beta update track (ver. 10.14.2, for a solution to TB3 displays not working correctly) and now I want to reinstall the standard release of Mojave. I was able to successfully boot the MBP into system recovery using the internal SSD, which is still on the beta track, then erase the system drive. Now after restarting and attempting to install from USB, I am finding out that it has been disabled. Because I have just successfully erased the disk, there is no more recovery partition (usually I would boot to USB to launch from there). So I have no options to boot the laptop in a way that I have been doing for years, nor a way to open the Startup Security Utility to enable USB booting.

        Any real assistance would be great. I am attempting network recovery now.