An open community 
of Macintosh users,
for Macintosh users.

Boot from external drive with T2 chip
#50925 01/15/19 09:28 PM
jchuzi (OP)
If your iMac has the T2 chip, it will not boot from an external drive by default. To fix this, see How to make new T2-secured Macs boot from external drives.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Boot from external drive with T2 chip
jchuzi #50926 01/15/19 09:55 PM
It'll be quite (I hope) a while before I need those instructions, but thanks.

I'm a little lost, so I'd appreciate some perspective on why Apple has done this.

(Not just iMacs, but others as well as per Jon's linked article.)

Last edited by artie505; 01/15/19 09:58 PM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Boot from external drive with T2 chip
artie505 #50927 01/15/19 11:39 PM
Originally Posted By: artie505
I'm a little lost, so I'd appreciate some perspective on why Apple has done this.

(Not just iMacs, but others as well as per Jon's linked article.)

The ability to boot from an external drive presents a huge hole in the security of your data. If a malefactor steals your MacBook, MacBook Air, or MacBook Pro and can boot it from an external drive that puts them halfway home to stealing your data, and all the way home if all they want to steal is your laptop. Given the propensity for laptops to "grow legs" this seems a reasonable precaution, especially for business and/or government "road warriors" who often have extremely sensitive data on their laptops. If you think the threat is not real, I have a friend who travels extensively around the world on business for a fast food chain and she encountered a laptop thief who used sleeping gas to put an entire train car to sleep just to steal the travelers' laptops, apparently to be mined for their data.

Since the feature can be switched off, it shouldn't present any significant obstacle to home users such as yourself. Given Apple's avowed intent to protect users' data from prying eyes this seems a reasonable and well thought out feature. I am confident something similar will be appearing on PCs in another year or so, but in the meantime it is likely PC manufacturers will cast aspersions on Apple for the feature.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Boot from external drive with T2 chip
joemikeb #50939 01/18/19 09:06 AM
Originally Posted By: joemikeb
.... If a malefactor steals your MacBook, MacBook Air, or MacBook Pro and can boot it from an external drive that puts them halfway home to stealing your data, and all the way home if all they want to steal is your laptop. Given the propensity for laptops to "grow legs" this seems a reasonable precaution, especially for business and/or government "road warriors" who often have extremely sensitive data on their laptops. if you think the threat is not real....

Since the feature can be switched off, it shouldn't present any significant obstacle to home users such as yourself. Given Apple's avowed intent to protect user's data from prying eyes this seems a reasonable and well thought out feature.

I don't question the reality of the threat as respects any Mac, even my own homebound MBP; what I do question is both the feature's reasonableness and its well-thought-out-ness:
  • It makes maintaining a clone on an external drive an IMMENSE nuisance, because its bootability - its ESSENCE - can't be verified without going through the cumbersome procedure of booting into Recovery, changing your pref, booting from the clone, booting back into Recovery, changing your pref back, and, finally, booting back into your boot volume...every time your clone updates. WHEW!
  • The feature doesn't appear to be secure, because it requires only a password to toggle it off, and changing a password is an awfully easy task.
  • And under any circumstances, a thief's ability to boot into an install disc or Recovery and change our admin passwords has always left our Macs vulnerable, and
    1. I don't see any indication that that functionality has been removed (nor would its removal be very widely appreciated).
    2. If there's any advantage to be gained from booting a Mac from an external over simply changing its password and booting it regularly, I'm missing it.
As far as I can see, this "feature" is no more than a half-baked, poorly thought out alternative to a firmware password, perhaps envisioned with the thoughtful intention of saving people from the possibility of forgetting their passwords when they're not in close proximity to an Apple store, but security and stupidity are incompatible, and unless I've missed something, Apple's apparent(?) attempt to deal with them as a unit is, if not a failure, not particularly robust security either.

Re: Boot from external drive with T2 chip
artie505 #50942 01/18/19 07:02 PM
You might want to take a look at the Apple Privacy Site. I won't say it is succinct, but it does a pretty good job of laying out Apple's privacy policies and gives the numbers of requests for user data requested and how many were answered in every country where Apple does business.

Securing users' data privacy takes many forms and it is dead certain that some of these are going to create at least some inconvenience. For example, in the latest version of Safari Technology Preview (Safari Technology Preview Release 73 (Safari 12.1, WebKit 14607.1.18.3)) there is a new feature for Apple devices that are capable of biometric identification, and it is activated. When there is an opportunity to autofill a userid or userid/password pair, biometric authorization is required for each transaction. It takes a little while to become accustomed to touching the fingertip to the right end of the Touch Bar but it quickly becomes automatic. I presume that facial recognition will work as well as the fingerprint, if and when it becomes available on the Mac. (AFAIK it could already be available on iOS devices.)

Re: Boot from external drive with T2 chip
joemikeb #50967 01/20/19 08:28 AM
I've gone through the Apple Privacy Site, and I've also looked at Apple's T2 chip and change password documentation and a couple of pertinent sounding threads on other sites, and I'm left with the same question:

If, as has always been the case with Macs and appears to continue to be the case with T2 protection enabled Macs, I can steal your Mac, boot into Recovery, change your admin password, and boot into your Mac as you,
  • what will I lose by being unable to boot your Mac from an external drive (And don't forget that once I've changed your password I can disable the T2 protection.),
  • and what will you gain (other than the INability to easily verify the bootability of your externally stored clones) from my being blocked from doing so?
If Apple is so dead-set on protecting our data, why don't they simply make firmware passwords default...PERIOD?

(I've emailed Mike Bombich and asked if CCC can either deal with firmware passwords or be made capable of doing so.)

Re: Boot from external drive with T2 chip
artie505 #50969 01/20/19 10:04 AM
Originally Posted By: artie505
(I've emailed Mike Bombich and asked if CCC can either deal with firmware passwords or be made capable of doing so.)

Since you know your firmware password, does that matter? According to Apple Support: "Your Mac asks for the firmware password only when attempting to start up from a storage device other than the one selected in Startup Disk preferences, or when starting up from macOS Recovery".

I'm a Super Duper user and am wondering if I need to ask the same question of Dave Nanian.


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Sonoma 14.4.1
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Boot from external drive with T2 chip
ryck #50970 01/20/19 10:36 AM
Originally Posted By: ryck
According to Apple Support: "Your Mac asks for the firmware password only when attempting to start up from a storage device other than the one selected in Startup Disk preferences, or when starting up from macOS Recovery".

I'm a Super Duper user and am wondering if I need to ask the same question of Dave Nanian.

That's correct, but just to note it, a firmware password is far more restrictive than that; see Mac startup key combinations - Apple Support (Aside: I just learned from that doc that single user mode doesn't work in versions of macOS later than High Sierra.)

I'm guessing that a firmware password might prevent CCC from determining that a clone on an external drive is bootable in the same manner that the T2 inaccessibility of the drive does; the ball's now in Mike's court on that one.

It can't hurt to ask how SuperDuper! deals with T2 drive inaccessibility/firmware passwords; it'll supplement our info on how CCC deals with them.

Re: Boot from external drive with T2 chip
artie505 #50975 01/20/19 11:56 PM
Originally Posted By: artie505
It can't hurt to ask how SuperDuper! deals with T2 drive inaccessibility/firmware passwords; it'll supplement our info on how CCC deals with them.

Here's what I heard from Dave Nanian:

"Firmware passwords are in the firmware, and so there's nothing to deal with, as such. The external drive is not protected with the firmware password: the whole computer is. You can't even "start" the system, regardless of media, if you have a firmware password applied and don't know it.

But the external drive is separate. They're not really related at all.

With regard to T2, basically the same thing: it's not so much the backup that's affected but the computer. You have to turn on the ability to boot from external devices (which is turned off by default) using Recovery, which turns on the 'feature' of the firmware."

Re: Boot from external drive with T2 chip
ryck #50977 01/21/19 08:22 AM
I guess that addresses the question squarely and obliquely at the same time.

At any rate, though, his point about "Firmware passwords [being] in the firmware" made me realize that SD!, CCC, whatever are at a complete loss as respects the possibility of dealing with them, because they live in the GUI, and the GUI can't interact with firmware.

So much for hope.

(In view of that, I've backed off my question to Mike Bombich.)

Re: Boot from external drive with T2 chip
artie505 #50979 01/21/19 03:47 PM
Originally Posted By: artie505
I guess that addresses the question squarely and obliquely at the same time.

And, it answers another question that had been nagging me. If the computer is protected through a firmware password, but the backup drive isn’t, why bother? The idea of extra-level password security is to keep personal information inaccessible but it appears that a thief only needs to swipe my backup drive.

I guess I could keep my backup drive hidden under the mattress and only bring it out when needed, but that's a giant pain in the Royal American. Is the Time Machine backup similarly exposed?

Last edited by ryck; 01/21/19 03:52 PM.

Re: Boot from external drive with T2 chip
ryck #50980 01/21/19 04:20 PM
Originally Posted By: ryck
If the computer is protected through a firmware password, but the backup drive isn’t, why bother? The idea of extra-level password security is to keep personal information inaccessible but it appears that a thief only needs to swipe my backup drive.

Either enable FileVault on your boot volume and, thereby, your clone, or leave your boot volume unencrypted (but otherwise protected) and boot into your clone and enable it there (after EVERY update...giant PIA).

Originally Posted By: ryck
I guess I could keep my backup drive hidden under the mattress and only bring it out when needed, but that's a giant pain in the Royal American.

It all depends on which part of your mattress it's under.

Originally Posted By: ryck
Is the Time machine backup similarly exposed?

Dunno nuttin' 'bout no TimeMachine.

Re: Boot from external drive with T2 chip
ryck #50981 01/21/19 07:36 PM
Originally Posted By: ryck
If the computer is protected through a firmware password, but the backup drive isn’t, why bother? The idea of extra-level password security is to keep personal information inaccessible but it appears that a thief only needs to swipe my backup drive.

Protection of the data on the backup drive is provided by FileVault. Firmware passwords only prevent access to the drive from an external boot. FileVault protects the data even if someone is able to boot the computer. It is possible to back up to a non-FileVaulted drive, but Time Machine will try to "talk you out of it". But as you said, why bother backing up to a non-FileVaulted drive? The same thing is true of clones: the clone drive should be protected by FileVault or an encrypted disk image. But don't forget the FileVault or image password!

Last edited by joemikeb; 01/21/19 07:52 PM. Reason: spelling
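The point above, that a stolen backup or clone drive is only protected by at-rest encryption, is easy to check rather than assume. The following is an added example, not part of this thread and not code from Apple, Carbon Copy Cloner or SuperDuper!. It parses the XML property list that `diskutil info -plist <volume>` prints on macOS and flags mounted volumes whose `Encrypted` flag is false. The two plists embedded below are constructed sample output trimmed to the keys used here, the volume names are hypothetical, and `live_diskutil_plist` is the only part that needs a real Mac.

```python
"""
Audit backup / clone volumes for at-rest encryption (added example; assumes
the `Encrypted`, `FileVault`, `VolumeName`, `MountPoint` and `FilesystemType`
keys of `diskutil info -plist`, which exist on current macOS).
"""
import plistlib
import subprocess
from typing import Dict, List

# Constructed sample of `diskutil info -plist /Volumes/Clone` for an APFS
# clone volume with FileVault turned on (hypothetical volume).
SAMPLE_ENCRYPTED_CLONE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>VolumeName</key><string>Clone</string>
    <key>MountPoint</key><string>/Volumes/Clone</string>
    <key>FilesystemType</key><string>apfs</string>
    <key>Encrypted</key><true/>
    <key>FileVault</key><true/>
</dict>
</plist>
"""

# Constructed sample for a Time Machine volume that was never encrypted.
SAMPLE_PLAIN_TM = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>VolumeName</key><string>Time Machine</string>
    <key>MountPoint</key><string>/Volumes/Time Machine</string>
    <key>FilesystemType</key><string>hfs</string>
    <key>Encrypted</key><false/>
    <key>FileVault</key><false/>
</dict>
</plist>
"""


def parse_diskutil_info(plist_bytes: bytes) -> Dict[str, object]:
    """Extract the fields that matter for at-rest protection from a diskutil plist."""
    info = plistlib.loads(plist_bytes)
    return {
        "name": info.get("VolumeName", "?"),
        "mount": info.get("MountPoint", ""),
        "fs": info.get("FilesystemType", "?"),
        # A missing key is treated as unencrypted: fail closed for an audit.
        "encrypted": bool(info.get("Encrypted", False)),
        "filevault": bool(info.get("FileVault", False)),
    }


def unencrypted_volumes(plists: List[bytes]) -> List[str]:
    """Names of volumes whose contents are readable by anyone who walks off with the disk."""
    return [v["name"] for v in map(parse_diskutil_info, plists) if not v["encrypted"]]


def live_diskutil_plist(mount_point: str) -> bytes:
    """On a real Mac, fetch the plist for a mounted volume (not exercised offline)."""
    return subprocess.check_output(["diskutil", "info", "-plist", mount_point])


if __name__ == "__main__":
    # Offline run over the constructed samples; on macOS replace the list with
    # [live_diskutil_plist(p) for p in ("/Volumes/Clone", "/Volumes/Time Machine")].
    for name in unencrypted_volumes([SAMPLE_ENCRYPTED_CLONE, SAMPLE_PLAIN_TM]):
        print(f"WARNING: volume '{name}' is not encrypted; a stolen drive exposes its contents")
```

Run it periodically (or from the post-backup hook that CCC and SuperDuper! both offer) so that a clone or Time Machine target that was set up without encryption, or re-created unencrypted after a disk swap, is noticed before the drive goes missing rather than after.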