How to Boot T2 Mac from External Startup Drive
Newer Mac models with Touch ID, Touch Bar, and/or the T2 security chip default to a secure boot mode that disallows booting the Mac from external startup drives. Most users should keep this security setting enabled, but some may wish to turn it off, at least temporarily, usually to boot from an external volume or to perform something like a clean macOS install using a USB boot install disk.
Let’s walk through how you can allow a T2 equipped Mac to boot from external startup drives, whether they’re an external hard drive, external USB flash drive, or any other external disk that you’d like to boot the Mac from.
Again, this is only necessary on modern Macs with a T2 security chip, including MacBook Pro with Touch Bar, MacBook Air with Touch ID, modern Mac Pro, the latest Mac mini, and latest iMac models.
How to Enable & Allow External Drive Booting on Mac with T2 Chip
- Turn on or reboot the Mac and immediately hold down the COMMAND + R keys once you see the Apple logo on screen; continue to hold Command+R until the Mac boots into macOS Recovery mode
- Authenticate with an admin user account, and at the macOS Utilities screen, pull down the “Utilities” menu and choose “Startup Security Utility” from the menu bar options
- Enter the admin password when requested again
- At the Startup Security Utility screen, check the box for “Allow booting from external media” to enable external drives to boot the Mac
- Exit out of Startup Security Utility and restart the Mac as usual
At this point, booting from an external drive is the same as it always is. To boot from a connected external volume, connect the boot drive if you haven’t done so already, then hold down the OPTION key during system restart and select it during system start. You can also change the startup disk from within System Preferences in MacOS.
If you’re allowing booting from an external drive for the purpose of performing a clean install or a system software update, you’ll likely want to disable external boot volumes when you’re finished doing so. You can do that by simply repeating the steps above but instead checking the box for “Disallow booting from external media” to again restrict external boot drives.
Of course, if you turned this restriction off because you plan on running Windows 10 from an external drive, or a different version of macOS from an external volume, or you intend to use any other boot disk, whether a USB macOS installer or a Linux installer, you’ll need to keep the restriction disabled to continue to allow booting from that or any other external disk.
Disallowing external boot is an added security feature that prevents unwanted users from accessing data on the Mac by using an external boot disk, something that was theoretically possible before the feature existed and is possible again when the feature is disabled. You should also encrypt the Mac hard disk with FileVault either way, as an added layer of security.
The Startup Security Utility can also be used to set a firmware password on the Mac if you’re looking for further boot level security, aside from the standard system startup login and authentication. The firmware password would need to be entered before being able to boot from any external media too.
This process is detailed specifically for Intel-based Macs, but aside from booting into Recovery mode, which works differently on Intel than on ARM, the process is basically the same for Apple Silicon Macs as well.
Do you have any experience, insights, or thoughts about this boot disk security feature on modern Macs? Share in the comments!