
haralds

If you ever use a T2 Mac with the Startup Security Utility in the Recovery partition to control external booting and other boot parameters, this is for you.

If you clone the original installation to another volume, boot off that, and erase the original, the token to use this utility is gone. You can no longer change the startup boot parameters!

APFS makes creating another container really fast, so cloning is a very quick way to fix disk issues. But you lose the ability to log in with the Startup Security Utility.

Thanks to Mike Bombich of Carbon Copy Cloner fame, below is the method to recreate the token. I spent quite a bit of time on this, he saved me more!

https://bombich.com/kb/ccc5/frequen...out-encrypting-backup-volume#startup_security

The Startup Security Utility may not work correctly after restoring to an encrypted-at-rest volume on T2-based Macs

The at-rest encryption described above involves a volume-specific "secure access token", which each user account must obtain access to if that user requires administrative privileges over startup security settings. Because this token is volume-specific, cloning the token from one volume to another will not produce the correct result. Additionally, user accounts that have access to the token on the source won't automatically have access to the token on a cloned volume.

Apple does not offer a method for creating this token on a volume that is not the current startup disk, so CCC cannot offer a postflight method that automatically creates that token. Apple does, however, offer a utility for creating the token on the current startup disk, and also for granting access to that token for specific users on the current startup disk. If you find that you're unable to modify settings in the Startup Security Utility while booted from the macOS Recovery volume (e.g. "No administrator was found"), reboot from your cloned volume, then paste the following into the Terminal application to create the secure access token and grant access to it to your user account (replace "yourname" with the short name of your user account):

sysadminctl interactive -secureTokenOn yourname -password -

I add this to whatever multiple boot volumes I create in case one of them goes bye-bye.

And again, a shoutout to Mike and his most excellent utility. Use it all the time. BTW, it's a good way to compact VMware Fusion macOS guests, since there is no built-in method. Just create another disk and copy inside the VM - many GB saved.

https://bombich.com
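
A check to run while booted from the cloned volume, before erasing the original. This is an added example, not part of the original post or of the Bombich documentation: it lists the local admin accounts and reports whether each holds a secure token on the current startup disk. The function names are hypothetical, and the matched status wording ("Secure token is ENABLED/DISABLED") is an assumption about how sysadminctl reports the result.

```shell
#!/bin/sh
# Added example: report secure token state for every local admin account
# on the current startup disk (the only disk sysadminctl can act on).

# Classify `sysadminctl -secureTokenStatus` output read from stdin.
# Assumed wording: "... Secure token is ENABLED for user Jane Doe".
token_state() {
    case "$(cat)" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Extract short names from `dscl . -read /Groups/admin GroupMembership`
# output on stdin ("GroupMembership: root jane"), skipping root.
admin_names() {
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | grep -v -e '^root$' -e '^$'
}

# Print one "user<TAB>state" line per admin; return non-zero if no admin
# holds a token, which is the "No administrator was found" situation.
report_tokens() {
    found=1
    for u in $(dscl . -read /Groups/admin GroupMembership | admin_names); do
        # sysadminctl writes its result to stderr, hence 2>&1.
        state=$(sysadminctl -secureTokenStatus "$u" 2>&1 | token_state)
        printf '%s\t%s\n' "$u" "$state"
        if [ "$state" = ENABLED ]; then found=0; fi
    done
    return $found
}

# Only run the report on macOS, where sysadminctl exists.
if command -v sysadminctl >/dev/null 2>&1; then
    report_tokens || echo "No admin holds a secure token on this volume." >&2
fi
```

If an account you rely on shows DISABLED, run the `-secureTokenOn` command from the post for that account while still booted from this volume.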
 