Written byAmanda Wong
An Explanation of macOS Feature - Startup Security Utility
Summary: Apple provides multiple ways to secure your Mac and the Startup Security Utility is one of such features. This post will help you understand what is Startup Security Utility and how to access it on your Mac.
Table of Contents:
- 1. Overview of Startup Security Utility
- 2. How to access Startup Security Utility?
- 3. Common issues and fixes for Startup Security Utility
In addition to upgrading macOS, the software, to enhance the security of your Mac, Apple also levels it up with advanced hardware such as the T2 security chip and Apple silicon Mac. And the Startup Security Utility is one of Apple's methods to protect your Mac from unauthorized access. In this post, we are going to learn more about it.
Overview of Startup Security Utility
Just as the name implies, the Startup Security Utility is a tool used to guarantee the security of the startup on your Mac computers. It can restrict your Mac to start up from your designated startup disk, and from a legitimate, trusted operating system.
On a Mac without a T2 chip, the Startup Security Utility provides only one feature - firmware password protection. Once it is turned on, the password is needed when the Mac attempts to start up from a non-designated storage device in the Startup Disk preferences or boot into the macOS Recovery mode.
On a Mac with a T2 chip, the Startup Security Utility added another two features: Secure Boot and Allowed Boot Media(also called External Boot in some macOS). Secure Boot offers three levels of security, including Full Security, Medium Security, and No Security. With the Allowed Boot Media feature, you can allow or disallow the Mac to start up from external or removable media.
With the advent of the Apple silicon Mac, the Startup Security Utility has changed a lot. There is only a Security Policy you can choose to change. The Security Policy offers two options: Full Security and Reduced Security. With Reduced Security, you can fix system extension blocked Mac issue. Macs with Apple silicon use new tools to encrypt the firmware and set a boot security policy for each bootable disk.
How to access Startup Security Utility?
If you want to change the startup security settings such as disabling secure boot or turning off the firmware password, you need to access the Startup Security Utility. On either Macs with T2 security chip or Macs with M1, M1 Pro, and M1 Max chips, you can access Startup Security Utility in macOS Recovery mode. Here's how:
On Mac with T2 security chip:
- Boot Mac into Recovery mode: restart the Mac while holding the Command + R keys until the Apple logo appears.
- Select a user you know the password for and enter the password if asked.
- After entering the macOS Utilities window, select Utility > Startup Security Utility from the menu bar.
- Enter the macOS password to authenticate, then the Startup Security Utility shows up.
On Mac with Apple silicon:
- Boot Mac into Recovery mode: reboot the Mac and keep holding the power button until you see Loading startup options.
- Click Options > Continue, then select an administrator account and enter the password.
- In the Recovery app, choose Utility > Startup Security Utility from the menu bar.
- Select the system you want to use to set the security policy.
- Click Unlock and enter the password if you have enabled FileVault.
- Click Security Policy to make further changes.
Common issues and fixes for Startup Security Utility
During the startup process of the Mac, you may encounter some problems such as Mac won't boot past Apple logo, or receiving some error messages. Among them, some are related to startup security. Here we will provide fixes for the common issues of startup security.
Security settings do not allow this mac to use an external startup disk
Such an error message means you have disallowed the Mac to boot from an external startup disk in the Startup Security Utility. To get rid of this issue, you should change the settings in Startup Security Utility to choose “Allow booting from external or removable media”.
A software update is required to use this startup disk
If you receive this notification when booting Mac with a T2 security chip from an external hard drive, you can change the USB port, or use another external bootable drive. If it doesn't work, go to the Apple menu > System Preferences > Startup Disk, then select the startup disk and choose Software Update. In addition, you can update the macOS of the drive from the App Store.
Startup Security Utility no administrator was found
To enter the Startup Security Utility, it will ask to select an administrator account. Some Mac users reported that no administrator was found on the Mac. In this case, you can boot the Mac into Internet Recovery and try to access Startup Security Utility again.