TNCS-0044 – Secure Boot and T2-enabled Macs
Created: November 9, 2018 | Updated: December 4, 2020
INTRODUCTION
New Macs equipped with the T2 Security Chip introduce new security capabilities, but also change the way in which Bootable Backups are tested and used. The ‘Secure Boot’ capability now present is configured by default to only allow trusted operating system software to startup your Mac.
To test and utilize a Bootable Backup created by ChronoSync, the Secure Boot behavior must be modified. Apple provides utilities to handle this. This Tech Note explains the procedure and the options available for testing and utilizing a Bootable Backup.
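Before changing any Startup Security settings it helps to know which Macs in a fleet actually carry the T2 chip, since the behavior described in this Tech Note only applies to those machines. The script below is an added example, not part of this Tech Note or of ChronoSync: it parses the output of `system_profiler SPiBridgeDataType` (which lists the T2 as an iBridge controller on T2-equipped Macs and prints nothing on older Intel Macs) into a one-line inventory record. The two sample outputs are constructed, the exact field wording printed by a given macOS version is an assumption, and the firmware value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the ChronoSync tech note): decide whether a Mac
# is T2-equipped, so that the Secure Boot settings in the note apply, by
# parsing `system_profiler SPiBridgeDataType` output.
# The sample outputs below are constructed; the exact layout that
# system_profiler prints on a given macOS version is an assumption.

# ibridge_field OUTPUT KEY: value of the first "KEY: value" line in the listing
ibridge_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p" | head -n 1
}

# t2_status OUTPUT: prints "T2" when the listing names an Apple T2 Security
# Chip, "no-T2" otherwise (Macs without the chip print an empty listing)
t2_status() {
    case "$(ibridge_field "$1" 'Model Name')" in
        *"T2 Security Chip"*) echo T2 ;;
        *) echo no-T2 ;;
    esac
}

# inventory_line OUTPUT: one line suitable for a fleet inventory file
inventory_line() {
    model=$(ibridge_field "$1" 'Model Name')
    fw=$(ibridge_field "$1" 'Firmware Version')
    printf 't2=%s model="%s" firmware="%s"\n' \
        "$(t2_status "$1")" "${model:-none}" "${fw:-none}"
}

# Constructed sample resembling a T2 Mac (firmware value is a placeholder)
SAMPLE_T2='Controller:

    Apple T2 Security Chip:

      Model Name: Apple T2 Security Chip
      Firmware Version: PLACEHOLDER-FW'

# Constructed sample for a Mac without an iBridge/T2 controller
SAMPLE_NONE=''

main() {
    if command -v system_profiler >/dev/null 2>&1; then
        # On a real Mac, inspect the running machine
        live=$(system_profiler SPiBridgeDataType 2>/dev/null)
        inventory_line "$live"
    else
        # Elsewhere, demonstrate on the constructed samples
        inventory_line "$SAMPLE_T2"
        inventory_line "$SAMPLE_NONE"
    fi
}

main "$@"
```

Run on a Mac, `main` reports the live machine; anywhere else it shows the two constructed cases. A `t2=T2` record marks a machine whose Bootable Backups cannot be booted until the Startup Security Utility settings described below are changed.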
APPLICATION
DEFAULT BEHAVIOR
When using the Secure Boot default settings of “Full Security” and “Disallow External Boot,” holding down the Option key at startup brings up Startup Manager. External drives with bootable OSes appear as normal. Selecting one of the available alternate boot volumes will appear to work and the boot process will start.
However, during the boot, the Apple logo eventually turns red and the “Boot Recovery Assistant” dialog is displayed. It reports “Security settings do not allow this Mac to use an external startup disk.” The “Boot Recovery Assistant” dialog states that you can restart holding Command-R and use the Startup Security Utility to change these settings. This is how you change your secure-boot settings.
Alternatively, if the ‘System Preferences->Startup Disk’ control panel is used to select an external startup disk and you then restart the system, the exact same warning is displayed.
This default behavior prohibits testing Bootable Backups unless changes are made to the default settings through the “Startup Security Utility.”
RECOMMENDED SETTINGS
In order to facilitate testing Bootable Backups created using ChronoSync, we recommend some changes to the default behavior. At a minimum, we recommend enabling:
- Full Security
- Allow booting from external media
These changes allow easy testing and use of Bootable Backups by selecting the drive from Startup Manager (Option-key startup).
To make the changes, follow the directions to activate the ‘Startup Security Utility’ from the macOS Recovery.
OPTIONAL SETTINGS
The drawback to using the Recommended Settings is that if you attach a bootable backup that was made from another system, or even one from the current system but with a much older OS version, you will not be able to conveniently boot from it. Trying to select such a drive will again appear to boot normally but then the Apple logo flashes red and a message reporting “A software update is required to use this disk” is displayed. It may, in some cases, include a message indicating that an internet connection is required if such a connection isn’t available. Choosing “Update” will modify the OS on that external drive. This is not recommended.
To get around this limitation we recommend using the following settings:
- Medium Security
- Allow booting from external media
When using these settings, only valid, signed operating systems will be allowed to boot, but they can come from other systems or be significantly older versions of the OS. Choosing “No Security” is equivalent to running a system without the T2 chip, that is, there is no restriction on what kind of OS can be used to boot your computer. This provides the greatest flexibility at the expense of giving up some security.
FIRMWARE PASSWORD
When utilizing the ‘Startup Security Utility,’ consider the use of the “Firmware Password” option. This doesn’t affect any of the boot behaviors. It simply displays a password prompt before booting up or showing the Startup Manager. Without the password, you won’t be able to boot no matter what your boot behaviors are set to. If you choose to enable the Firmware Password, be sure you remember it and write it down in a secure location.
CONCLUSION
Testing or utilizing Bootable Backups created with ChronoSync requires modification of the default Startup Security settings on Macs equipped with the T2 Security Chip. Use the Recommended Settings to gain the ability to test and use Bootable Backups while retaining the Secure Boot features offered by the T2.
REVISION HISTORY
Nov-09-2018 – Created from Scratch.