Mac Mini M1- Security level on external boot drive cannot be changed?

[MacPaulchen]

Again something new concerning Big Sur, Mac M1 and external boot drive:

I could now install Big Sur on an external Thunderbolt drive without problems (Thank's Mac... nificent). The Mac Mini M1 boots well on the external drive. However, for the purpose of installing Boxcryptor afterwards, it is necessary to set the level of security to "Reduced Security" and “Allow user management of kernel extensions from identified developers”. So I pressed the power button until I saw the message that the startup options are loaded, clicked on "Options" and then on "Continue" etc. until I was in the Startup Security Utility. Then clicked on "Reduced Security" for the external drive and then wanted to enter the password for the administrator account that was requested afterwards. But the (correct) password was not accepted.

At first I thought I typed wrong or the keyboard settings are wrong etc, but this is not the case. Strangely enough, I can change the level of security for my internal drive without problems, there the same password is accepted with the same administrator account. If I select the external drive, it refuses to accept the password!

Is this a bug or for some reason Apple refuses to reduce the security level for external boot drives?

 

[chabig]

Booting from external Thunderbolt disks on M1 Macs running Big Sur is not a solved problem yet. Apparently Apple still has work to do.

From:

Updating external disks and 1 True Recovery on an M1 Mac

How you might be able to update an external bootable disk, errors you can encounter, and how can you use 1 True Recovery?

eclecticlight.co

Conclusions

Using external bootable disks with an M1 Mac is still riddled with problems and bugs, and not an option you should choose until it works more reliably. In particular:

• Apple urgently needs to improve compatibility of its updaters and installers with USB-C disks connected to a USB-C port on M1 Macs. Currently, this is too unpredictable for general use.
• Providing only full installer apps and online updates for macOS doesn’t give users sufficient flexibility to cope with situations when an online updater won’t install correctly. Without the fallback of a standalone update installer, users are forced to adopt lengthy workarounds.
• Big Sur installers must be able to install into containers with an existing Data volume and use that to form the new volume group. Otherwise there are no good options for dealing with a damaged or absent System volume.
• 1TR does appear reliable and capable, but also needs to be able to install a System volume alongside an existing Data volume, to form a new volume group.

At present, trying to use external bootable disks with an M1 Mac is a nightmare.

 

[MacPaulchen]

Yes, it's a nightmare!

A hint from someone in a German Mac forum:

"With M1 Macs, there is no system-wide startup security anymore.

Instead, each installed operating system has its own startup security policies. So you can't start a recovery from disk A and change the boot environment security for disk B with it. You'd have to make sure to start the recovery from disk B and change the setting there."

That could be, of course. Even though I previously declared the external disk as the boot drive, it obviously still boots the recovery from the internal disk when I go the usual way to start the Startup Security Utility (long press power button, click "options" etc). Is there any way at all that the recovery of the external disk is started?

 

[chabig]

I’d forgotten that each boot drive is treated separately. I have no idea how, or if, you can boot from external recovery. I don’t actually think you can.

Read more on https://eclecticlight.co/

 

[Mac... nificent]

Is this a bug or for some reason Apple refuses to reduce the security level for external boot drives?

I bought Snagit and on M1 it doesn't record the sound. They say to fix it you need to change the security level but, as you mentioned, you can't. Apple needs to get their act together. This issue is very frustrating.

 

[MacPaulchen]

Thank's for your answers. It is indeed frustrating. Then we have to wait and hope .......

 

[Mac... nificent]

On 11.01 I was able to change this setting. It's the newer version of macOS where it's broken, so I'm not very hopeful that they will fix it unless more people complain.

 

[Tenkaykev]

I’d forgotten that each boot drive is treated separately. I have no idea how, or if, you can boot from external recovery. I don’t actually think you can.

Read more on https://eclecticlight.co/

Just wanted to say thanks for the link. Quite an interesting and informative resource. 👍

 

[chabig]

Yes it is. It’s way over my head but I enjoy reading his Mac articles. I don’t remember how I stumbled upon it.

 

[phyllotaxy]

I’ve replied to you in the Apple Community, but I’ll copy paste what I’ve found.

I have exactly the same problem. Though I should clarify that “the correct password is not accepted” is a bit ambiguous. The real thing that happens is that when the correct password is entered, there is no effect. This is different from a password being rejected where there is a shake animation. In fact, even when the wrong password is entered, there is no shake animation.
I tried almost everything, including wiping the disk and having a clean install, multiple times, and here is what I observed:

1. When entering the recovery mode, after choosing “Options”, and before even entering Startup Security Utility, the administrator on the external drive is not listed there. Only the administrators on the internal drive are shown.
2. The closest that I’ve come to finding a workaround is to first enter the system of the external drive, and then turn on Filevault and wait for the encryption to complete. There are two problem that will follow. One is that after doing that, the drive will not be able to boot anymore. The second is that if you now enter Startup Security Utility, the shaking animation comes back, but unfortunately the right password is still not accepted. But now you could go to Terminal in the macOS Recovery, enter “csrutil disable” to disable SIP. Note that this will not work if Filevault is off, don’t even bother trying that. I’ve already tried everything there. After doing that, when you go to Startup Security Utility, you will see that the security level is now the lowest. Now we still have to solve the problem that the drive doesn’t boot. What I did is to boot from the internal drive, and then decrypt the external drive from the command line (this is the same as turning off Filevault), but I’ll save the details there. Now the drive is bootable with SIP disabled. At this point, I thought the problem was solved, but it wasn’t....see next point.
3. When you enter the operating system and try to install your software after completing what I’ve described in 2, the setting will still say that the security level is not low enough to allow user management of kernel extensions, even though that from the Startup Security Utility, it is shown that the security level is the lowest! After some digging, I believe that the command that should be entered at the Terminal of macOS Recovery is “crsutil authenticated-root disable”, instead of “crsutil disable”. However, that command requires Filevault to be off. But nothing will work when Filevault is off, and we’re back to square one. Moreover, it is pure speculation at this point, and there is no guarantee that that command would work.

Anyway, it is truly frustrating, and I hope this issue will be fix by Apple ASAP.

 

[MacPaulchen]

Thank you! I also hope that Apple solves this! At the moment it makes no sense to waste a lot of time with trial and error. The latest beta doesn't seem to solve the problem either!

 

[Mr Screech]

One month later...
Has anyone tried this on the new 11.3 or 11.4 beta?

 

[MacPaulchen]

With 11.3., I have no problem to start from external drive and to reduce the security level for external boot drives. My problem with Boxcryptor unfortunately persists, Secomba support has not been able to find a solution so far, it is unclear if the problem is Boxcryptor or 11.3 (or both).

 

[Mr Screech]

Just tried 11.4.
I was able to reduce the security level, both normal and 'authenticated-root'.
However steinberg drivers still don't work on the external volume.