How to make new T2-secured Macs boot from external drives

Posted:
in General Discussion
Apple's security processor gets in the way when you're trying to use external drives to boot from. Fix this now because if you wait until you need to restart from one, you'll have problems.

A bundle of external drives atop a Mac mini
A bundle of external drives atop a Mac mini


The T2 chip that Apple has been adding to new Macs does many things to help your computer be more secure -- but one of them is an issue. By default, Macs with the T2 processor will not boot from an external drive. That's fine, that's even good, but it's an inconvenience when you want to do it. Then if the reason you want to boot from an external drive is a catastrophic failure of your internal one, it's a problem.

Apple doesn't see it like that. The company believes we all have great online connections all the time and so the official advice would be to boot from the recovery partition over the internet. Even if you can definitely do that, it's a help for troubleshooting problems. If what you really need is to carry on working, then you will have created a clone of your troublesome drive yet will not be able to boot from it.

Then just to double down on how this good security system can also be a pain, there's the issue of the keyboard. To convince your Mac to boot from an external drive, you have to first restart into macOS Recovery and that requires you to hold down Command-R as the machine boots. Only, if you have a wireless keyboard, the restarting Mac may not recognize it.

Truly, if you're booting from an external then it's to solve some problem, not to find others. So take a minute to fix this now, before you have to.

It will only get worse and also better

At time of writing, the Apple T2 Security Chip is in the iMac Pro plus models of the Mac mini, MacBook Air and MacBook Pro that were launched in 2018. You can take it for granted that it will appear in all Macs eventually.

If, for any reason, you're not sure whether the Mac in front of you has the T2 processor, you can check through System Information. Hold down the Option key as you select the Apple menu and where you normally see About this Mac, you'll see System Information.

Choose that and then in the window that appears, click on Controller in the left-hand list. If the Mac has a T2 chip, it will say so here.

Where to confirm that you have a Mac with the Apple T2 Security Chip
Where to confirm that you have a Mac with the Apple T2 Security Chip


If your machine has it then the default is that it will not allow you to boot from external drives. Before you go fixing that, however, take a moment to check whether anyone already has.

Plug in an external drive that you know is bootable. Go to System Preferences and Startup Disk. Click the padlock and enter your password, then try to choose that external drive to boot from.

What you see if you try to boot from an external drive on a Mac with a T2 processor
What you see if you try to boot from an external drive on a Mac with a T2 processor


You will get the same information if you're using an app such as Carbon Copy Cloner. This utility lets you automatically create a bootable copy of your current drive so that in the event of any problems, you can simply swap straight over. Ordinarily Carbon Copy Cloner will tell you that the new cloned drive will be bootable, but with T2's default settings, it can't.

Instead it will show a warning triangle and when you click on that, you get the fuller explanation.

Backup software like Carbon Copy Cloner will warn you of issues too
Backup software like Carbon Copy Cloner will warn you of issues too


This is particularly significant because there are other reasons why a cloned drive may not be bootable. Apps like Carbon Copy Cloner may not be able to tell you that there's a problem because it only sees that the T2 is preventing booting. So you could be regularly creating a clone drive and only find that it doesn't work when you need it.

So fix it

Plug in a wired keyboard. Restart the Mac and hold down the Command and R keys until you see the Apple logo.

Let go of the keys while the Mac goes through the rest of this special startup sequence. Instead of the regular desktop or login windows, it will bring you to the macOS Recover screen which lists options such as recovering from a Time Machine backup.

You don't want any of the options on the the Recover screen. Instead, choose the Utilities menu and click on Startup Security Utility.

Ignore all the macOS Recovery options and instead choose Startup Security Utility
Ignore all the macOS Recovery options and instead choose Startup Security Utility


You'll have to enter your password to launch it, but then when you do, you're presented with three types of option to do with firmware passwords, secure boot -- and lastly, External Boot.

This will be set to Disallow such booting but you can click on the button beneath to change that to Allow.

This is where you tell the T2 that you want to be able to boot from external drives
This is where you tell the T2 that you want to be able to boot from external drives


Choose Allow, then quit the utility. You're taken back to the macOS Recovery window. Click the red close button at top left and lastly you'll be asked about restarting.

Click on Choose Startup Disk and then pick any bootable drive you've got attached. The Mac will restart and it will boot from that drive.

It will now boot from any drive you connect over USB or Thunderbolt so you can keep an emergency clone ready to go at any time. Now you've done all this, take the time to create a backup that regularly maintains a clone of your bootable drive.



Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
larz2112MacPro

Comments

  • Reply 1 of 18
    Dr. MidnightDr. Midnight Posts: 2unconfirmed, member
    Wouldn't setting a firmware password accomplish the same thing from a security perspective? That is by setting a firmware password, booting from an external drive is not allowed  unless you have the firmware password?  Seems like Apple's default approach with no external boot allowed, will cause some users problems down the road.  
    reciprocity
  • Reply 2 of 18
    cpsrocpsro Posts: 2,439member
    Wouldn't setting a firmware password accomplish the same thing from a security perspective? That is by setting a firmware password, booting from an external drive is not allowed  unless you have the firmware password?  Seems like Apple's default approach with no external boot allowed, will cause some users problems down the road.  
    I guess if you're flying 50 employees per day to Shanghai (not to mention the number sent to other foreign destinations), there are worse things.
    edited January 15
  • Reply 3 of 18
    docno42docno42 Posts: 3,271member
    Wireless keyboards are the worst...
    raoulduke42toysandme
  • Reply 4 of 18
    And in next update Apple will disable external boot again. So make sure to follow this routine after every system security patch and update. Apple really knows how to secure your data for your (in)convenience and force you to use iCloud while you prefer other cloud solutions and prefer not store any information on external sources managed by someone else. Well I don ot always have internet to be honest, but local system backup as TimeMachine always. So what is Apple point on this approach?
  • Reply 5 of 18
    docno42 said:
    Wireless keyboards are the worst...
    Not neccessarily, but one thing that is really not understood is why the hell do we need wired keyboard when it comes to emergency resolution? Do we really need to keep one in basement just for this?
  • Reply 6 of 18
    This is Apple once again preventing you from using your Apple rental i mean purchase. I get the security and there are ways to do it without totally blocking the external boot option. 
  • Reply 7 of 18
    Suppose I'd like to make sure my MacBook Pro is as good as a paperweight for any potential thieves (assuming they don't know my password). Assume also I'm paranoid about requiring Apple's blessing at the time I'm reinstalling my OS. Setting Secure Boot to "Medium Security" should solve the second problem (or even "No Security", but unless you intend to install anything other than macOS, I don't see the point). To solve the first problem, set External Boot to "Allow", set a firmware password, and make sure you use FileVault full-disk encryption. This way, a thief can't boot your installed OS (either regularly or in single user mode) without your account's password due to FileVault, and can't boot an external drive to reinstall the OS without your firmware password. Thus, it's effectively a brick to them. Of course, it will also become a brick to you should you ever forget your passwords, but I heard you can take it to an Apple store or an authorized repair shop (presumably with some proof of ownership) to get it reset. Can anyone shoot holes in this idea?
  • Reply 8 of 18
    Helpful article. Thanks!
    toysandme
  • Reply 9 of 18
    glad to learn this before I get a new computer. Oh Apple Apple Apple
    jdw
  • Reply 10 of 18
    This is Apple once again preventing you from using your Apple rental i mean purchase. I get the security and there are ways to do it without totally blocking the external boot option. 
    Seems pretty straightforward to change the setting though. Sure it’s a lot easier in MacOS 8, but it’s a different, more connected world now. 
  • Reply 11 of 18
    neilmneilm Posts: 572member
    Sure, you're fixing one potential issue by enabling external boot, but at the same time creating another by defeating the T2's security. Advocating this as a general measure ("So take a minute to fix this now, before you have to") is irresponsible. Using the term fix is especially poor: it ain't broke and doesn't need fixing. A user may want to change this default, but only after carefully thinking through the ramifications.

    Most users will never have occasion to boot their Macs from an external drive, and would be better served by the internet 
    recovery method if it becomes necessary. Yes, not everyone has good internet all the time, but most people can get access to usable internet most of the time — even if that involves a trip to Starbucks to make it happen.
  • Reply 12 of 18
    tbornottbornot Posts: 106member
    Anyone see a fix for the problems the Mini is having with Bluetooth mice?  Mine keeps disconnecting and reconnecting, making the motion stutter.  Lots of chatter at the Apple support site, and Apple has acknowledged that it is working on the problem.  It seems to be connected to a USB underpower event, like in the early days of USB, but this one also cycles the Bluetooth chip.  Any ideas?
  • Reply 13 of 18
    Mike WuertheleMike Wuerthele Posts: 4,184administrator
    neilm said:
    Sure, you're fixing one potential issue by enabling external boot, but at the same time creating another by defeating the T2's security. Advocating this as a general measure ("So take a minute to fix this now, before you have to") is irresponsible. Using the term fix is especially poor: it ain't broke and doesn't need fixing. A user may want to change this default, but only after carefully thinking through the ramifications.

    Most users will never have occasion to boot their Macs from an external drive, and would be better served by the internet recovery method if it becomes necessary. Yes, not everyone has good internet all the time, but most people can get access to usable internet most of the time — even if that involves a trip to Starbucks to make it happen.
    Bringing a MacBook Pro to Starbucks is one thing. Bringing a Mac mini is an entirely different matter.

    This is a matter of personal preference. My MacBook Pro has default security on. I've turned it off on my mini. Also, as a point of fact, every Mac before the T-series chip secured ones had no prohibitions on booting from externals. I agree with you that the better security option is good for mobiles. It is less needed on desktops.
    edited January 16
  • Reply 14 of 18
    chabigchabig Posts: 622member
    I see no reason to override Apple's default security on the one in a million chance that my SSD fails. Even if that happens, I can still boot from internet recovery and change the security setting.
  • Reply 15 of 18
    And in next update Apple will disable external boot again. So make sure to follow this routine after every system security patch and update. Apple really knows how to secure your data for your (in)convenience and force you to use iCloud while you prefer other cloud solutions and prefer not store any information on external sources managed by someone else. Well I don ot always have internet to be honest, but local system backup as TimeMachine always. So what is Apple point on this approach?
    The 10.14.2 update did not change this setting on a 2018 Mac mini originally running 10.14.0 it is set in a place (the T2) independent of the installed OS.
  • Reply 16 of 18
    montanacoppermontanacopper Posts: 2unconfirmed, member
    Wouldn't setting a firmware password accomplish the same thing from a security perspective? That is by setting a firmware password, booting from an external drive is not allowed  unless you have the firmware password?  Seems like Apple's default approach with no external boot allowed, will cause some users problems down the road.  
    I think that if you do a PRAM/NVRAM blast, you can overcome that - but that may be out of date. OTOH, I notice no Disk Utility in that drop-down menu on the T2 Macs? Wuddup with that?
  • Reply 17 of 18
    entropysentropys Posts: 1,546member
    Thank you for this AppleInsider.
  • Reply 18 of 18
    shaminoshamino Posts: 409member
    Old news - Apple talked about this when the T2 was first introduced (in the iMac Pro).  But it's good to remind people of it.

    Worse is that even with external booting enabled, you can't boot Mojave from an external encrypted APFS volume.  So bootable backups must either be un-encrypted or on HFS+ formatted media.  I hope Apple fixes this soon.
Sign In or Register to comment.