How to Boot T2 Mac from External Startup Drive
Newer Mac models with Touch ID, Touch Bar, and/or the T2 security chip default to having a secure boot mode that disallows booting the Mac from external startup drives. This security setting is recommended for most users to keep enabled, but some users may wish to turn the feature off, at least temporarily, usually to be able to boot from an external volume, or to be able to perform something like a clean macOS install using a USB boot install disk.
Let’s walk through how you can allow a T2 equipped Mac to boot from external startup drives, whether they’re an external hard drive, external USB flash drive, or any other external disk that you’d like to boot the Mac from.
Again, this is only necessary on modern Macs with a T2 security chip, including MacBook Pro with Touch Bar, MacBook Air with Touch ID, modern Mac Pro, the latest Mac mini, and latest iMac models.
How to Enable & Allow External Drive Booting on Mac with T2 Chip
- Turn on or reboot the the Mac and immediately hold down COMMAND + R keys once you see the Apple logo on screen, continue to hold Command+R until the Mac boots into MacOS Recovery mode
- Authenticate with an admin user account, and at the macOS Utilities screen, pull down the “Utilities” menu and choose “Startup Security Utility” from the menu bar options
- Enter the admin password when requested again
- At the Startup Security Utility screen, check the box for “Allow booting from external media.” to enable external drives too boot the Mac
- Exit out of Startup Security Utility and restart the Mac as usual
At this point, booting from an external drive is the same as it always is. To boot from a connected external volume, connect the boot drive if you haven’t done so already, then hold down the OPTION key during system restart and select it during system start. You can also change the startup disk from within System Preferences in MacOS.
If you’re allowing booting from an external drive for the purpose of performing a clean install or a system software update, you’ll likely want to disable external boot volumes when you’re finished doing so. You can do that by simply repeating the steps above but instead checking the box for “Disallow booting from external media” to again restrict external boot drives.
Of course if you turned this off because you plan on running Windows 10 from an external drive, or maybe a different version of macOS from an external volume, or you intend on using any other boot disk whether a USB macOS installer or linux installer, you’ll need to keep the feature disabled to continue to allow booting from that or any other external disk.
This is an added security feature that prevents unwanted users from accessing data on the Mac by using an external boot disk, something that was theoretically possible before, or when the feature is disabled. Of course you should also encrypt the Mac hard disk with FileVault either way, as an added security bonus.
The Startup Security Utility can also be used to set a firmware password on the Mac if you’re looking for further boot level security, aside from the standard system startup login and authentication. The firmware password would need to be entered before being able to boot from any external media too.
This process is detailed specifically for Intel based Macs, but aside from booting into recovery mode which is different on Intel than ARM, the process is basically the same for Apple Silicon Macs as well.
Do you have any experience, insights, or thoughts about this boot disk security feature on modern Macs? Share in the comments!
but macmini2018 have ssd onboard. but it soldered to logic board.
I liked Mac’s before the T2 security chip came along. It was a mess reverting back to Catalina when I upgraded to Big Sur and realized what a mess that was. Used to be it wasn’t so difficult to install a OS like Linux on a older Mac. Now with T2 even Windows 10 is a trick beyond using Boot Camp. It’s so nice these companies are protecting us from ourselves. At least with Windows PC’s you can simply turn off Secure Boot and get back the freedom to do what you want. But let’s face it, with the Apple silicon replacing Intel the Mac’s will be pretty much locked down anyway.
How does this process work out if the internal drive has died? What admin password would you use then?
Or does that mean the computer without a working internal boot drive will be unbootable, bricked? At the very time you’d most want to boot from an external?
Maybe you must replace the internal drive before it becomes possible to enable booting from an external drive?
In the event of a Failed internal drive, you can still boot into recovery modem from there you can enable booting from an external drive and download the OS to the external drive.
Booting from an external drive is just about the only way to make a mac mini usable. It kills me that apple builds a decent machine, then hamstrings it by using SLOW 5400 rpm, cheap HD’s. (unless you want to overpay rather significantly for an SSD.