If you have a new Mac with a T2 security chip, you need to know this.

Most new Macs have an embedded T2 chip that performs many useful functions. The Apple T2 chip is Apple’s second-generation custom silicon for the Mac. Apple uses it to improve video processing, to process audio input and, most of all, to control the security of the machine.

At this point in time, the Apple T2 Security Chip is included in these Mac computers:

  • iMac Pro
  • Mac mini introduced in 2018
  • MacBook Air introduced in 2018 or later
  • MacBook Pro introduced in 2018 or later
  • Mac Pro introduced in 2019

While we all have to applaud Apple for raising security on the Mac from software only to a hardware/software combination, we also need to understand the ramifications of doing so.

On these new Macs, Apple includes a firmware-level utility called Startup Security Utility, reached from macOS Recovery. Startup Security Utility offers three features to help secure your Mac against unauthorized access: firmware password protection, Secure Boot, and External Boot.

To open Startup Security Utility:

Turn on your Mac, then press and hold Command-R immediately after you see the Apple logo. Your Mac starts up from macOS Recovery. When you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.
When you’re asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password. The same administrator password is required every time you change any of these settings.

Here is some detail on the options:

Firmware password protection

Use a firmware password to prevent anyone who doesn’t have the password from starting up from a disk other than your designated startup disk. To set a firmware password, click Turn On Firmware Password, then follow the onscreen instructions.

You can also use External Boot to prevent even those who know the firmware password from starting up from external media.

Secure Boot

Use this feature to make sure that your Mac starts up only from a legitimate, trusted operating system. Secure Boot has three levels: Full Security (the default), Medium Security, and No Security; the lower levels relax the checks on the operating system that is allowed to boot.

And now for the most important thing you need to know: External Boot

Use this feature to control whether your Mac can start up from an external hard drive, thumb drive, or other external media. The default and most secure setting is Disallow booting from external media. When this setting is selected, your Mac can’t be made to start up from any external media, and you will see the following:

Startup Disk preferences displays a message that your security settings do not allow this Mac to use an external startup disk.

Startup Manager allows you to select an external startup disk, but doing so causes your Mac to restart to a message that your security settings do not allow this Mac to use an external startup disk. You’ll then have the option to restart from your current startup disk or select another startup disk.

If you follow good practice and keep two backups of your Mac, the second backup should be a bootable clone of the startup disk. Utilities like Carbon Copy Cloner from Bombich Software make this easy to do and give you the ability to boot straight from the backup in case of a disaster. Except on a Mac with the T2 chip: on those machines the default settings refuse to boot from external media, so you must explicitly allow this kind of boot before a bootable clone is of any use to you.

To allow your Mac to use an external startup disk:

  1. Open Startup Security Utility (from macOS Recovery, as described above) and authenticate with an administrator account password.
  2. Select Allow booting from external media.
  3. If you want to select an external startup disk before restarting your Mac, quit Startup Security Utility, then choose Apple menu > Startup Disk.

Two notes: your Mac doesn’t support booting from network volumes, whether or not you allow booting from external media; and every change to these settings requires the password of an administrator account on the machine.

If for some reason you have forgotten that administrator password, you seem to be out of luck as far as changing these settings goes. Don’t confuse the administrator account password with the firmware password. The firmware password is an additional layer of security above and beyond the account password and any FileVault disk encryption you may be using.
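The settings above can only be changed from Recovery, but their current state can be read from a running macOS session, which is what you want when checking a fleet of T2 Macs rather than one machine. The script below is an added example, not code from the original post or from Apple. It relies on three things I take as assumptions here: that system_profiler SPiBridgeDataType names the T2 chip on a T2 Mac, that firmwarepasswd -check (which needs root) prints “Password Enabled: Yes” or “No”, and that on T2 Macs the NVRAM variable 94B73556-2197-4702-82A8-3E1337DAFBFB:AppleSecureBootPolicy holds %02 for Full Security, %01 for Medium Security and %00 for No Security. The External Boot setting is not checked, because I know of no equally reliable variable for it. The sample outputs embedded in the script are constructed, and the function names and the T2_AUDIT_LIVE switch are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): read the state
# of the Startup Security Utility controls from a booted macOS session.
# Assumptions: SPiBridgeDataType names the T2, firmwarepasswd -check prints
# "Password Enabled: Yes|No", and AppleSecureBootPolicy holds %02/%01/%00.

# Map an `nvram ...:AppleSecureBootPolicy` output line to the label shown
# in Startup Security Utility.
secure_boot_level() {
    case "$1" in
        *%02) echo "Full Security" ;;
        *%01) echo "Medium Security" ;;
        *%00) echo "No Security" ;;
        *)    echo "unknown" ;;
    esac
}

# Exit 0 if `system_profiler SPiBridgeDataType` output names a T2 chip.
has_t2() {
    printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'
}

# Exit 0 if `firmwarepasswd -check` output reports a firmware password.
firmware_password_enabled() {
    case "$1" in
        *"Password Enabled: Yes"*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Combine the three raw outputs into one verdict: "OK" when every control
# is at its strongest value, otherwise "WEAK:" followed by what is off.
audit_verdict() {
    weak=""
    has_t2 "$1" || weak="$weak no-T2-chip"
    firmware_password_enabled "$2" || weak="$weak firmware-password-off"
    [ "$(secure_boot_level "$3")" = "Full Security" ] || weak="$weak secure-boot-not-full"
    if [ -z "$weak" ]; then echo "OK"; else echo "WEAK:$weak"; fi
}

# Constructed sample outputs (not captured from a real machine) so the
# parsing can be exercised on any system. Real nvram output separates the
# variable name and value with a tab; a space is used here for readability.
SAMPLE_IBRIDGE='Controller Information:

      Model Name: Apple T2 Security Chip
      Chip Name: Apple T2 Security Chip'
SAMPLE_FWPW='Password Enabled: No'
SAMPLE_NVRAM='94B73556-2197-4702-82A8-3E1337DAFBFB:AppleSecureBootPolicy %02'

# Live collection on a Mac when T2_AUDIT_LIVE=1 (firmwarepasswd needs
# sudo); otherwise audit the samples, which yields
# "WEAK: firmware-password-off" because the sample has no firmware password.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ "${T2_AUDIT_LIVE:-0}" = "1" ]; then
    ibridge=$(system_profiler SPiBridgeDataType 2>/dev/null)
    fwpw=$(sudo firmwarepasswd -check 2>/dev/null)
    nvline=$(nvram 94B73556-2197-4702-82A8-3E1337DAFBFB:AppleSecureBootPolicy 2>/dev/null)
    audit_verdict "$ibridge" "$fwpw" "$nvline"
else
    audit_verdict "$SAMPLE_IBRIDGE" "$SAMPLE_FWPW" "$SAMPLE_NVRAM"
fi
```

Run it as `T2_AUDIT_LIVE=1 sh t2audit.sh` on the Mac you want to inspect; without the variable it only exercises the parsers on the constructed samples. A "WEAK:" verdict on a machine you expected to be locked down is the cue to boot into Recovery and revisit Startup Security Utility, and a Mac that has been set to Allow booting from external media for the sake of a bootable clone should be treated as such when you read the result.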

The information above is drawn from Apple’s support article on the Startup Security Utility.