Apple's security processor gets in the way when you're trying to use external drives to boot from. Fix this now because if you wait until you need to restart from one, you'll have problems.
The T2 chip that Apple has been adding to new Macs does many things to help your computer be more secure — but one of them is an issue. By default, Macs with the T2 processor will not boot from an external drive. That's fine, that's even good, but it's an inconvenience when you want to do it. Then if the reason you want to boot from an external drive is a catastrophic failure of your internal one, it's a problem.
Apple doesn't see it like that. The company believes we all have great online connections all the time and so the official advice would be to boot from the recovery partition over the internet. Even if you can definitely do that, it's only a help for troubleshooting problems. If what you really need is to carry on working, then you will have created a clone of your troublesome drive yet will not be able to boot from it.
Then just to double down on how this good security system can also be a pain, there's the issue of the keyboard. To convince your Mac to boot from an external drive, you have to first restart into macOS Recovery and that requires you to hold down Command-R as the machine boots. Only, if you have a wireless keyboard, the restarting Mac may not recognize it.
Truly, if you're booting from an external then it's to solve some problem, not to find others. So take a minute to fix this now, before you have to.
It will only get worse and also better
At time of writing, the Apple T2 Security Chip is in the iMac Pro plus models of the Mac mini, MacBook Air and MacBook Pro that were launched in 2018. You can take it for granted that it will appear in all Macs eventually.
If, for any reason, you're not sure whether the Mac in front of you has the T2 processor, you can check through System Information. Hold down the Option key as you select the Apple menu and where you normally see About This Mac, you'll see System Information.
Choose that and then in the window that appears, click on Controller in the left-hand list. If the Mac has a T2 chip, it will say so here.
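The same check from Terminal, useful when auditing several Macs before an internal drive fails (an added example, not from the original article): it parses the Controller report that `system_profiler SPiBridgeDataType` prints. The function names and the sample report are constructed here, and the field layout is assumed to match what System Information shows.

```shell
#!/bin/sh
# Added example: classify a Mac from the Controller report on stdin.
# Prints "t2 <firmware>" when a T2 is listed, otherwise "no-t2".
t2_status() {
    awk -F': *' '
        /Model Name:/       { model = $2 }
        /Firmware Version:/ { fw = $2 }
        END {
            if (model ~ /T2/) print "t2 " (fw == "" ? "unknown-firmware" : fw)
            else              print "no-t2"
        }'
}

# Run the check on the machine in front of you. On a Mac without a T2
# the report is empty, which t2_status treats as "no-t2".
audit_this_mac() {
    if command -v system_profiler >/dev/null 2>&1; then
        system_profiler SPiBridgeDataType 2>/dev/null | t2_status
    else
        echo "not-macos"
    fi
}

# Constructed sample report (assumed layout, placeholder firmware value).
SAMPLE_T2='Controller:

      Model Name: Apple T2 Security Chip
      Firmware Version: EXAMPLE-FW-1
'

printf '%s' "$SAMPLE_T2" | t2_status   # sample input
audit_this_mac                         # live check
```

A result of `t2` means External Boot is worth reviewing in Startup Security Utility now, rather than when the internal drive has already failed.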
If your machine has it then the default is that it will not allow you to boot from external drives. Before you go fixing that, however, take a moment to check whether anyone already has.
Plug in an external drive that you know is bootable. Go to System Preferences and Startup Disk. Click the padlock and enter your password, then try to choose that external drive to boot from.
You will get the same information if you're using an app such as Carbon Copy Cloner. This utility lets you automatically create a bootable copy of your current drive so that in the event of any problems, you can simply swap straight over. Ordinarily Carbon Copy Cloner will tell you that the new cloned drive will be bootable, but with T2's default settings, it can't.
Instead it will show a warning triangle and when you click on that, you get the fuller explanation.
This is particularly significant because there are other reasons why a cloned drive may not be bootable. Apps like Carbon Copy Cloner may not be able to tell you that there's a problem because they only see that the T2 is preventing booting. So you could be regularly creating a clone drive and only find that it doesn't work when you need it.
So fix it
Plug in a wired keyboard. Restart the Mac and hold down the Command and R keys until you see the Apple logo.
Let go of the keys while the Mac goes through the rest of this special startup sequence. Instead of the regular desktop or login windows, it will bring you to the macOS Recovery screen which lists options such as recovering from a Time Machine backup.
You don't want any of the options on the Recovery screen. Instead, choose the Utilities menu and click on Startup Security Utility.
You'll have to enter your password to launch it, but then when you do, you're presented with three types of option to do with firmware passwords, secure boot — and lastly, External Boot.
This will be set to Disallow such booting but you can click on the button beneath to change that to Allow.
Choose Allow, then quit the utility. You're taken back to the macOS Recovery window. Click the red close button at top left and lastly you'll be asked about restarting.
Click on Choose Startup Disk and then pick any bootable drive you've got attached. The Mac will restart and it will boot from that drive.
It will now boot from any drive you connect over USB or Thunderbolt so you can keep an emergency clone ready to go at any time. Now you've done all this, take the time to create a backup that regularly maintains a clone of your bootable drive.
23 Comments
Wouldn't setting a firmware password accomplish the same thing from a security perspective? That is by setting a firmware password, booting from an external drive is not allowed unless you have the firmware password? Seems like Apple's default approach with no external boot allowed, will cause some users problems down the road.
Wireless keyboards are the worst...
And in next update Apple will disable external boot again. So make sure to follow this routine after every system security patch and update. Apple really knows how to secure your data for your (in)convenience and force you to use iCloud while you prefer other cloud solutions and prefer not to store any information on external sources managed by someone else. Well I do not always have internet to be honest, but local system backup as TimeMachine always. So what is Apple's point on this approach?