Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

How to make new T2-secured Macs boot from external drives

A bundle of external drives atop a Mac mini

Last updated

Apple's security processor gets in the way when you're trying to use external drives to boot from. Fix this now because if you wait until you need to restart from one, you'll have problems.

The T2 chip that Apple has been adding to new Macs does many things to help your computer be more secure — but one of them is an issue. By default, Macs with the T2 processor will not boot from an external drive. That's fine, that's even good, but it's an inconvenience when you want to do it. Then if the reason you want to boot from an external drive is a catastrophic failure of your internal one, it's a problem.

Apple doesn't see it like that. The company believes we all have great online connections all the time and so the official advice would be to boot from the recovery partition over the internet. Even if you can definitely do that, it's a help for troubleshooting problems. If what you really need is to carry on working, then you will have created a clone of your troublesome drive yet will not be able to boot from it.

Then just to double down on how this good security system can also be a pain, there's the issue of the keyboard. To convince your Mac to boot from an external drive, you have to first restart into macOS Recovery and that requires you to hold down Command-R as the machine boots. Only, if you have a wireless keyboard, the restarting Mac may not recognize it.

Truly, if you're booting from an external then it's to solve some problem, not to find others. So take a minute to fix this now, before you have to.

It will only get worse and also better

At time of writing, the Apple T2 Security Chip is in the iMac Pro plus models of the Mac mini, MacBook Air and MacBook Pro that were launched in 2018. You can take it for granted that it will appear in all Macs eventually.

If, for any reason, you're not sure whether the Mac in front of you has the T2 processor, you can check through System Information. Hold down the Option key as you select the Apple menu and where you normally see About this Mac, you'll see System Information.

Choose that and then in the window that appears, click on Controller in the left-hand list. If the Mac has a T2 chip, it will say so here.

Where to confirm that you have a Mac with the Apple T2 Security Chip Where to confirm that you have a Mac with the Apple T2 Security Chip

If your machine has it then the default is that it will not allow you to boot from external drives. Before you go fixing that, however, take a moment to check whether anyone already has.

Plug in an external drive that you know is bootable. Go to System Preferences and Startup Disk. Click the padlock and enter your password, then try to choose that external drive to boot from.

What you see if you try to boot from an external drive on a Mac with a T2 processor What you see if you try to boot from an external drive on a Mac with a T2 processor

You will get the same information if you're using an app such as Carbon Copy Cloner. This utility lets you automatically create a bootable copy of your current drive so that in the event of any problems, you can simply swap straight over. Ordinarily Carbon Copy Cloner will tell you that the new cloned drive will be bootable, but with T2's default settings, it can't.

Instead it will show a warning triangle and when you click on that, you get the fuller explanation.

Backup software like Carbon Copy Cloner will warn you of issues too Backup software like Carbon Copy Cloner will warn you of issues too

This is particularly significant because there are other reasons why a cloned drive may not be bootable. Apps like Carbon Copy Cloner may not be able to tell you that there's a problem because it only sees that the T2 is preventing booting. So you could be regularly creating a clone drive and only find that it doesn't work when you need it.

So fix it

Plug in a wired keyboard. Restart the Mac and hold down the Command and R keys until you see the Apple logo.

Let go of the keys while the Mac goes through the rest of this special startup sequence. Instead of the regular desktop or login windows, it will bring you to the macOS Recover screen which lists options such as recovering from a Time Machine backup.

You don't want any of the options on the the Recover screen. Instead, choose the Utilities menu and click on Startup Security Utility.

Ignore all the macOS Recovery options and instead choose Startup Security Utility Ignore all the macOS Recovery options and instead choose Startup Security Utility

You'll have to enter your password to launch it, but then when you do, you're presented with three types of option to do with firmware passwords, secure boot — and lastly, External Boot.

This will be set to Disallow such booting but you can click on the button beneath to change that to Allow.

This is where you tell the T2 that you want to be able to boot from external drives This is where you tell the T2 that you want to be able to boot from external drives

Choose Allow, then quit the utility. You're taken back to the macOS Recovery window. Click the red close button at top left and lastly you'll be asked about restarting.

Click on Choose Startup Disk and then pick any bootable drive you've got attached. The Mac will restart and it will boot from that drive.

It will now boot from any drive you connect over USB or Thunderbolt so you can keep an emergency clone ready to go at any time. Now you've done all this, take the time to create a backup that regularly maintains a clone of your bootable drive.

Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.



23 Comments

Dr. Midnight 2 comments · 6 Years

Wouldn't setting a firmware password accomplish the same thing from a security perspective? That is by setting a firmware password, booting from an external drive is not allowed  unless you have the firmware password?  Seems like Apple's default approach with no external boot allowed, will cause some users problems down the road.  

cpsro 3239 comments · 14 Years

Wouldn't setting a firmware password accomplish the same thing from a security perspective? That is by setting a firmware password, booting from an external drive is not allowed  unless you have the firmware password?  Seems like Apple's default approach with no external boot allowed, will cause some users problems down the road.  

I guess if you're flying 50 employees per day to Shanghai (not to mention the number sent to other foreign destinations), there are worse things.

maciekskontakt 1168 comments · 15 Years

And in next update Apple will disable external boot again. So make sure to follow this routine after every system security patch and update. Apple really knows how to secure your data for your (in)convenience and force you to use iCloud while you prefer other cloud solutions and prefer not store any information on external sources managed by someone else. Well I don ot always have internet to be honest, but local system backup as TimeMachine always. So what is Apple point on this approach?

maciekskontakt 1168 comments · 15 Years

docno42 said:
Wireless keyboards are the worst...

Not neccessarily, but one thing that is really not understood is why the hell do we need wired keyboard when it comes to emergency resolution? Do we really need to keep one in basement just for this?