OS 10.13.6

I recently had a problem with my Mac and the technician erased my HD (Sierra) and installed High Sierra. Can I start up from an external drive that is Sierra. The external drive is virus free.

I need the documents to salvage some apps.

jaybass

If you are attempting to recover old applications the preferred method would be to Launch Migration Assistant in High Sierra and then use it recover your Applications, Data, Settings, whatever from the Sierra drive. It will save a lot of time and be a lot easier.

However the direct response to your question is, Yes you should be able to boot from an external drive that is Sierra without difficulty. You can do that by either of the following methods…

1. Changing the Startup drive in System Preferences > Startup Disk (NOTE: When going back to High Sierra that should also be done through System Preferences > Startup Disk
2. Powering down your Mac then after 10 seconds or so reboot while holding down the Option (⌥) key. (This will not change the default Startup Disk and is good for the one boot only.)

I now have everything up and running. Took quite awhile but now I can relax.

The technician told me that the firmware situation will never happen again...nice to know.

Thanks for your help joe.

Jaybass

I wonder what se based hir assurance on?

Particularly without knowing how it happened in the first place.

To the best of my knowledge, anyone with access to your machine can set a firmware password in the time it takes you to make a trip to the men's room.

Now that I know I do not have a firmware password because of a new OS, Just when does one create one?

BTW, he did know what happened because I told him.

Also, no one has access to my machine. I live alone and as far as I know, there are no ghosts around.

jaybass

You create a firmware password when you want to lock down your machine, like so:
He knew what happened, but only in the sense that he knew the password had been set. He didn't know how it happened to begin with, which makes his saying "the firmware situation will never happen again" a bit ludicrous.

(I've got a ghost, but it's never messed with my MBP.)

I neglected to mention this previously and fortunately you did not need it, but for your future reference and the benefit of others reading this thread it should also be noted that for Intel Macs with the T2 security chip it is necessary to specifically authorize booting from an external drive using the same Startup Security Utility used to set the firmware password. On M1 Macs authorization falls under the Volume Security Policy.

COMMENT: The ability to boot from an external drive is a HUGE security vulnerability permitting anyone with a bootable external drive the opportunity to grab anything and everything from an un-encrypted boot drive. My advice would be to NOT PERMIT booting from an external drive, and should you choose to allow it, all of your drives should all be encrypted.

If I made my iMac not bootable from an external drive, would that same protection then extend to the Time Machine and CCC drive copies? (Mojave 10.14.6)

It makes no difference where the external drive image comes from or how it was created the system will not boot from an external drive unless and until the security settings are appropriately reduced. There is also a setting that prevents booting from an external drive unless it is the same version of MacOS as installed on the internal drive (which may or may not be true of Time Machine restores or Clones). I unintentionally verified that a few years ago and darn near wore a bald spot scratching my head until I figured out what was going on. 🤯🤬😵‍💫☝️←(emotional gambit)

AFTER THOUGHT: I have not personally verified every permutation of this but it is possible to boot from a Recovery Drive image on the internal drive or on any external media from a bootable thumb drive to the internet. But in that case the only options available are…

• Re-install MacOS,
• Recover from a Time Machine backup
• Run Disk Utility, or
• Run Safari

…which still leaves the data on the internal drive relatively inaccessible. If the internal drive is encrypted read relatively as virtually completely inaccessible.

I need to clarify my query. I understand that, if my iMac has a firmware password, it cannot be booted by an external drive.

Does that still leave my Time Machine and CCC drives exposed? That is, if I have a break-in, can the thief just pocket one of my backup drives and have access to all my information?

What's to stop someone from booting into Recovery and changing the "no booting from an external" setting?

Should booting into Recovery require a password?

Your external drives are exposed unless they are encrypted. Time Machine offers encryption as an option and will warn you if you backup an encrypted drive to an unencrypted Time Machine volume. Encryption is at the volume level, not the file level so clones, even clones of an encrypted volume, are not encrypted unless the target drive is encyrypted. FWIW Although there may be some speed penalty using encrypted drives I have never found it to be detectable in normal day to day use.

You must know an administrative password for an account on the internal drive to change the security settings on M1 Macs running MacOS 11. I no longer have an Intel Mac to check that out.

Not in my opinion. There are too many situations where that could prevent recovery from a disaster. I think requiring an account password to change security settings is sufficient and safer. Remember there are only a limited number of things you can do in the Recovery Drive so the data is pretty well protected. But again, IMO the drive should be encrypted. Think of it as putting your data in a safe that is locked in a vault.

I just checked and found that a password is required to boot my Intel 16" MBP running macOS 11.3.1 into Recovery.

Thanks for verifying my suspicions.

BY-THE-WAY: I just downloaded and tested yesterday's release of Carbon Copy Cloner 5.1.27-b1 (6187) and there is no change in the results when creating a bootable external clone. Not that I really expected a change, but I thought that since I am running the MacOS 11.4 beta there might be a difference, but no joy.

Any thoughts about why the same version of macOS that requires a password to boot into Recovery on my Intel Mac is more permissive on your M1?

There are significant differences between Intel and M1 Macs in where security is applied. On Intel Macs with Apple's T2 security chip protection is applied at the system level while on M1 Macs it is applied at the Volume Group level. So for example if you reduce the security level on an Intel Mac that reduction applies to any bootable drive attached to that system but on the M1 it is possible to have multiple bootable volume groups on the same drive, each with its own security setting.

That brings up another interesting question to explore. Filevault encryption has always been at the drive level, but individual APFS volumes may be individually formatted APFS (Encrypted), does that mean a single drive may have encrypted and un-encrypted volumes?

Thanks for the explanation.

Complicateder and complicateder!