PSA: Got a new Mini 2018? Set a firmware password and keep it safe!

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
The new Mini 2018 comes with a T2 chip inside. This chip encrypts your SSD to keep your Mac secure. While the T2 is amazing at what it does, it can cause a lot of trouble too if something goes wrong!

If something goes wrong with the macOS installation and you try to use the recovery to re-install macOS, the T2 chip will ask for the macOS admin password. Depending on how badly corrupted the OS is, it might not be able to authenticate you and will prevent you from re-installing the OS, requiring you to schedule an appointment with Apple Genius Bar.

This becomes a major issue especially for those who like wiping their drives before doing a re-install because the T2 chip would have no admin user to use for authentication.

Having a firmware password means the T2 chip will only ask for this password regardless of the status of the current macOS installation if you ever decide to re-install macOS.

Just remember to keep it written in a safe place because if lost, you will never be able to access any other OS or do re-installs again unless you visit an Apple Store or an authorized service center with a purchase receipt for them to reset it for you.

More info on how to enable/disable firmware password here. https://support.apple.com/en-us/HT204455
 

madrag

macrumors 6502
Nov 2, 2007
359
70
From what the article you linked states, if you set a firmware password, it "prevents starting up from any internal or external storage device other than the startup disk you've selected".

That's a problem if someone (like me) uses/sets up other systems on external drives.

Or can I select the startup disk in the system prefs as usual?
Does it allow me to use the option key while starting up, to select a different drive as the startup?
And does it allow me to use the Mac in target disk mode?
 

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
> From what the article you linked states, if you set a firmware password, it "prevents starting up from any internal or external storage device other than the startup disk you've selected".
>
> That's a problem if someone (like me) uses/sets up other systems on external drives.
>
> Or can I select the startup disk in the system prefs as usual?
> Does it allow me to use the option key while starting up, to select a different drive as the startup?
> And does it allow me to use the Mac in target disk mode?

It allows you to use the option key (that’s how I boot into bootcamp) but you will need to enter the firmware password before it shows the drives.
 

StellarVixen

macrumors 68020
Mar 1, 2018
2,194
3,581
Earth
Nobody will break into my apartment to steal a desktop computer. To me, firmware password and drive encryption make more sense on a laptop.
 

chrfr

macrumors G3
Jul 11, 2009
9,191
3,168
> Or can I select the startup disk in the system prefs as usual?
> Does it allow me to use the option key while starting up, to select a different drive as the startup?
> And does it allow me to use the Mac in target disk mode?

Changing the startup disk via System Preferences is not affected by having a firmware password. Using option at boot or the T key to get into target mode will prompt for the firmware password.
 

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
> Nobody will break into my apartment to steal a desktop computer. To me, firmware password and drive encryption make more sense on a laptop.

I am assuming you did not read a word of what I wrote.

This is not for security. This is to make it possible for you to re-install macOS if something goes wrong as the process is no longer the same with T2 encrypting the hard drive.
 

maflynn

Moderator
Staff member
May 3, 2009
66,364
32,961
Boston
I've seen too many people setting a firmware password only to forget it and then they're up the creek
 

Fishrrman

macrumors Core
Feb 20, 2009
19,060
6,516
A firmware password is THE LAST THING I would ever put on one of my computers...
 

StellarVixen

macrumors 68020
Mar 1, 2018
2,194
3,581
Earth
Excuses. I didn’t comprehend your post at first, sorry.

As someone who has set the lock password to be asked for after the maximum allowed amount of time, this is sad. This means that you shall enter the password every time after a reboot.
 

padams35

macrumors 6502
Nov 10, 2016
252
124
Is disabling secure boot and/or permitting external boot equally effective in preventing data corruption or accidental deletion from bricking the Mini? Alternatively if I have a second Mac could I get back in via Target Disk mode?

I'm not really liking the current options of Firmware Password, Risk Bricked Mini, or Don't Buy.
 

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
> Is disabling secure boot and/or permitting external boot equally effective in preventing data corruption or accidental deletion from bricking the Mini? Alternatively if I have a second Mac could I get back in via Target Disk mode?
>
> I'm not really liking the current options of Firmware Password, Risk Bricked Mini, or Don't Buy.

Disabling the security boot sure is another workaround. With it disabled, your Mac Mini will behave as any other non T2 equipped Mac when you need to restore it.

I personally prefer having a firmware password because this way I get to enjoy all the security features offered by the T2.

I can’t comment on the Target Disk part because I have never used it personally.
 

madrag

macrumors 6502
Nov 2, 2007
359
70
Thanks for the replies.
> Disabling the security boot sure is another workaround. With it disabled, your Mac Mini will behave as any other non T2 equipped Mac when you need to restore it.

This is something that interests me and "solves" this "problem".

How can we disable the secure boot?
 

Stephen.R

macrumors 68020
Nov 2, 2018
2,282
2,655
Thailand
I'm a bit curious about this.

At what point in booting from recovery (or say, a macOS Installer USB stick) will the T2 prompt for the admin password?

Surely it's once you try to access the drive at all, rather than when you try to actually run the setup?

So, why couldn't you
  1. boot from <recovery/installer USB stick/etc>
  2. authenticate with the admin password to allow the internal drive to be decrypted
  3. use DU to wipe the volume
  4. reinstall
?
 

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
> I'm a bit curious about this.
>
> At what point in booting from recovery (or say, a macOS Installer USB stick) will the T2 prompt for the admin password?
>
> Surely it's once you try to access the drive at all, rather than when you try to actually run the setup?
>
> So, why couldn't you
>   1. boot from <recovery/installer USB stick/etc>
>   2. authenticate with the admin password to allow the internal drive to be decrypted
>   3. use DU to wipe the volume
>   4. reinstall
> ?

You can. Assuming the current macOS is in a state that allows the T2 to authenticate the admin user account.

This was a major issue when the 2018 MBP launched and many wiped their internal drives without knowing that the T2 has a different process and ended up being locked out of their system and had to visit an Apple store to get it fixed.
 

Stephen.R

macrumors 68020
Nov 2, 2018
2,282
2,655
Thailand
> This was a major issue when the 2018 MBP launched and many wiped their internal drives without knowing that the T2 has a different process and ended up being locked out of their system and had to visit an Apple store to get it fixed.

... I'm confused. They wiped their drive (presumably while booted into recovery or from a usb stick, having entered the admin password?) and then... rebooted? I don't understand how what they did would be any different than what I said?
 

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
> ... I'm confused. They wiped their drive (presumably while booted into recovery or from a usb stick, having entered the admin password?) and then... rebooted? I don't understand how what they did would be any different than what I said?

I haven’t tried personally but that is what they posted. They basically said they wiped their drive using Disk Utility launched from recovery and then when they tried to re-install macOS, the T2 asked for authentication but couldn’t find any admin users so failed.

Maybe T2 doesn’t require a password for Disk Utility Access but only for installing a new OS based on the Secure Boot description on Apple Support webpage?
 

jlsm511

macrumors 6502
Feb 26, 2008
333
70
KMIA
I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this? Using the Recovery Partition (Option-⌘-R as per https://support.apple.com/en-us/HT204904) or would I have to sign in first and create an Admin Account first? This is all very confusing haha.
 

M.Rizk

macrumors 6502a
Original poster
Apr 20, 2015
538
243
> I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this? Using the Recovery Partition (Option-⌘-R as per https://support.apple.com/en-us/HT204904) or would I have to sign in first and create an Admin Account first? This is all very confusing haha.

To re-install macOS you will need to authenticate with an admin user password or firmware password (if you have one).

You can boot to the current macOS first to create an admin account then do a re-install but I recommend having a firmware password so that if something goes wrong later and T2 fails to find an admin user you will still have full control on your Mac Mini.

Just make sure you keep the firmware password written somewhere safe in case you ever forget it, or you will need to pay a visit to an Apple Store (or authorized service center) with proof of purchase.
 

chrfr

macrumors G3
Jul 11, 2009
9,191
3,168
> I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this?

Don't waste your time.
 