Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

PSA: Got a new Mini 2018? Set a firmware password and keep it safe!

M.Rizk

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
785
613
The new Mini 2018 comes with a T2 chip inside. This chip encrypts your SSD to keep your Mac secure. While the T2 is amazing at what it does, it can cause a lot of trouble too if something goes wrong!

If something goes wrong with the macOS installation and you try to use the recovery to re-install macOS the T2 chip will ask for the macOS admin password. Depending on how badly corrupted the OS is, it might not be able to authenticate you and will prevent you from re-installing the OS requiring you to schedule an appointment with Apple Genius Bar.

This becomes a major issue especially for those who like wiping their drives before doing a re-install because the T2 chip would have no admin user to use for authentication.

Having a firmware password means the T2 chip will only ask for this password regardless of the status of the current macOS installation if you ever decide to re-install macOS.

Just remember to keep it written in a place safe because if lost, you will never be able to access any other OS or do re-installs again unless you visit Apple Store or an authorized service center with a purchase receipt for them to reset it for you.

More info on how to enable/disable firmware password here. https://support.apple.com/en-us/HT204455
 
  • Like
Reactions: Mannaerts, Synchro3, BillyBobBongo and 3 others
From what the article you linked states, if you set a firmware password, it "prevents starting up from any internal or external storage device other than the startup disk you've selected".

That's a problem if someone (like me) uses/sets-up other systems in external drives.

Or can I select the startup disk in the system prefs as usual?
Does it allow me to use the option key while starting-up, to select a different drive as the startup?
And does it allow me to use the mas in targer disk mode?
 
madrag said:
From what the article you linked states, if you set a firmware password, it "prevents starting up from any internal or external storage device other than the startup disk you've selected".

That's a problem if someone (like me) uses/sets-up other systems in external drives.

Or can I select the startup disk in the system prefs as usual?
Does it allow me to use the option key while starting-up, to select a different drive as the startup?
And does it allow me to use the mas in targer disk mode?
Click to expand...

It allows you to use the option key (that’s how I boot into bootcamp) but you will need to enter the firmware password before it shows the drives.
 
  • Like
Reactions: Cape Dave and ElectronGuru
madrag said:
Or can I select the startup disk in the system prefs as usual?
Does it allow me to use the option key while starting-up, to select a different drive as the startup?
And does it allow me to use the mas in targer disk mode?
Click to expand...
Changing the startup disk via System Preferences is not affected by having a firmware password. Using option at boot or the T key to get into target mode will prompt for the firmware password.
 
StellarVixen said:
Nobody will break into my apartment to steal desktop computer. To me firmware password and drive encryption make more sense on a laptop.
Click to expand...

I am assuming you did not read a word of what I wrote.

This is not for security. This is to make it possible for you to re-install macOS if something goes wrong as the process is no longer the same with T2 encrypting the hard drive.
 
  • Like
Reactions: Cape Dave
I've seen too many people setting a firmware password only to forget it and then they're up the creek
 
A firmware password is THE LAST THING I would ever put on one of my computers...
 
Excuses. I didn’t comprehend your post at first, sorry.

As someone who has set lock password to be asked for after the maximum allowed amount of time, this is sad. This means that you shall enter password every time after reboot.
 
Is disabling secure boot and/or permitting external boot equally effective in preventing data corruption or accidental deletion from bricking the Mini? Alternatively if I have a second Mac could I get back in via Target Disk mode?

I'm not really liking the current options of Firmware Password, Risk Bricked Mini, or Don't Buy.
 
Last edited:
padams35 said:
Is disabling secure boot and/or permitting external boot equally effective in preventing data corruption or accidental deletion from bricking the Mini? Alternatively if I have a second Mac could I get back in via Target Disk mode?

I'm not really liking the current options of Firmware Password, Risk Bricked Mini, or Don't Buy.
Click to expand...

Disabling the security boot sure is another workaround. With it disabled, your Mac Mini will behave as any other non T2 equipped Mac when you need to restore it.

I personally prefer having a firmware password because this way I get to enjoy all the security features offered by the T2.

I can’t comment on the Target Disk part because I have never used it personally.
 
Thanks for the replies.
M.Rizk said:
Disabling the security boot sure is another workaround. With it disabled, your Mac Mini will behave as any other non T2 equipped Mac when you need to restore it.
Click to expand...
This is something that interests me and "solves" this "problem".

How can we disable the secure boot?
 
I'm a bit curious about this.

At what point in booting from recovery (or say, a macOS Installer USB stick) will the T2 prompt for the admin password?

Surely it's once you try to access the drive at all, rather than when you try to actually run the setup?

So, why couldn't you
  1. boot from <recovery/installer USB stick/etc>
  2. authenticate with the admin password to allow the internal drive to be decrypted
  3. use DU to wipe the volume
  4. reinstall
?
 
Stephen.R said:
I'm a bit curious about this.

At what point in booting from recovery (or say, a macOS Installer USB stick) will the T2 prompt for the admin password?

Surely it's once you try to access the drive at all, rather than when you try to actually run the setup?

So, why couldn't you
  1. boot from <recovery/installer USB stick/etc>
  2. authenticate with the admin password to allow the internal drive to be decrypted
  3. use DU to wipe the volume
  4. reinstall
?
Click to expand...

You can. Assuming the current macOS is in a state that allows the T2 to authenticate the admin user account.

This was a major issue when the 2018 MBP launched and many wiped their internal drives without knowing that the T2 has a different process and ended up being locked out of their system and had to visit an Apple store to get it fixed.
 
M.Rizk said:
This was a major issue when the 2018 MBP launched and many wiped their internal drives without knowing that the T2 has a different process and ended up being locked out of their system and had to visit an Apple store to get it fixed.
Click to expand...

... I'm confused. They wiped their drive (presumably while booted into recovery or from a usb stick, having entered the admin password?) and then... rebooted? I don't understand how what they did would be any different than what I said?
 
Stephen.R said:
... I'm confused. They wiped their drive (presumably while booted into recovery or from a usb stick, having entered the admin password?) and then... rebooted? I don't understand how what they did would be any different than what I said?
Click to expand...

I haven’t tried personally but that is what they posted. They basically said they wiped their drive using Disk Utility launched from recovery and then when they tried to re-install macOS, the T2 asked for authentication but couldn’t find any admin users so failed.

Maybe T2 doesn’t require a password for Disk Utility Access but only for installing a new OS based on the Secure Boot description on Apple Support webpage?
 
I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this? Using the Recovery Partition (Option-⌘-R as per https://support.apple.com/en-us/HT204904) or would I have to sign in first and create an Admin Account first? This is all very confusing haha.
 
jlsm511 said:
I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this? Using the Recovery Partition (Option-⌘-R as per https://support.apple.com/en-us/HT204904) or would I have to sign in first and create an Admin Account first? This is all very confusing haha.
Click to expand...

To re-install macOS you will need to authenticate with an admin user password or firmware password (if you have one).

You can boot to the current macOS first to create an admin account then do a re-install but I recommend having a firmware password so that if something goes wrong later and T2 fails to find an admin user you will still have full control on your Mac Mini.

Just make sure you keep the firmware password written somewhere safe if you ever forget it or you will need to pay a visit to Apple Store (or authorized service center) with proof of purchase.
 
jlsm511 said:
I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this?
Click to expand...
Don't waste your time.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back