PSA: Got a new Mini 2018? Set a firmware password and keep it safe!

Discussion in 'Mac mini' started by M.Rizk, Nov 8, 2018.

  1. M.Rizk macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #1
    The new Mini 2018 comes with a T2 chip inside. This chip encrypts your SSD to keep your Mac secure. While the T2 is amazing at what it does, it can cause a lot of trouble too if something goes wrong!

    If something goes wrong with the macOS installation and you try to use the recovery to re-install macOS, the T2 chip will ask for the macOS admin password. Depending on how badly corrupted the OS is, it might not be able to authenticate you and will prevent you from re-installing the OS, requiring you to schedule an appointment with Apple Genius Bar.

    This becomes a major issue especially for those who like wiping their drives before doing a re-install because the T2 chip would have no admin user to use for authentication.

    Having a firmware password means the T2 chip will only ask for this password regardless of the status of the current macOS installation if you ever decide to re-install macOS.

    Just remember to keep it written in a safe place because if lost, you will never be able to access any other OS or do re-installs again unless you visit an Apple Store or an authorized service center with a purchase receipt for them to reset it for you.

    More info on how to enable/disable firmware password here. https://support.apple.com/en-us/HT204455
     
  2. madrag macrumors 6502

    Joined:
    Nov 2, 2007
    #2
    From what the article you linked states, if you set a firmware password, it "prevents starting up from any internal or external storage device other than the startup disk you've selected".

    That's a problem if someone (like me) uses/sets-up other systems in external drives.

    Or can I select the startup disk in the system prefs as usual?
    Does it allow me to use the option key while starting-up, to select a different drive as the startup?
    And does it allow me to use the Mac in target disk mode?
     
  3. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #3
    It allows you to use the option key (that’s how I boot into bootcamp) but you will need to enter the firmware password before it shows the drives.
     
  4. StellarVixen macrumors 6502a

    StellarVixen

    Joined:
    Mar 1, 2018
    Location:
    Earth
    #4
    Nobody will break into my apartment to steal a desktop computer. To me, a firmware password and drive encryption make more sense on a laptop.
     
  5. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #5
    Changing the startup disk via System Preferences is not affected by having a firmware password. Using option at boot or the T key to get into target mode will prompt for the firmware password.
     
  6. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #6
    I am assuming you did not read a word of what I wrote.

    This is not for security. This is to make it possible for you to re-install macOS if something goes wrong as the process is no longer the same with T2 encrypting the hard drive.
     
  7. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #7
    I've seen too many people setting a firmware password only to forget it, and then they're up the creek.
     
  8. Fishrrman macrumors G5

    Fishrrman

    Joined:
    Feb 20, 2009
    #8
    A firmware password is THE LAST THING I would ever put on one of my computers...
     
  9. StellarVixen macrumors 6502a

    StellarVixen

    Joined:
    Mar 1, 2018
    Location:
    Earth
    #9
    Excuses. I didn’t comprehend your post at first, sorry.

    As someone who has set the lock password to be asked for after the maximum allowed amount of time, this is sad. This means that you shall enter the password every time after reboot.
     
  10. padams35, Nov 9, 2018 at 10:29 AM
    Last edited: Nov 9, 2018 at 10:37 AM

    padams35 macrumors regular

    Joined:
    Nov 10, 2016
    #10
    Is disabling secure boot and/or permitting external boot equally effective in preventing data corruption or accidental deletion from bricking the Mini? Alternatively if I have a second Mac could I get back in via Target Disk mode?

    I'm not really liking the current options of Firmware Password, Risk Bricked Mini, or Don't Buy.
     
  11. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #11
    Disabling the security boot sure is another workaround. With it disabled, your Mac Mini will behave as any other non-T2-equipped Mac when you need to restore it.

    I personally prefer having a firmware password because this way I get to enjoy all the security features offered by the T2.

    I can’t comment on the Target Disk part because I have never used it personally.
     
  12. madrag macrumors 6502

    Joined:
    Nov 2, 2007
    #12
    Thanks for the replies.
    This is something that interests me and "solves" this "problem".

    How can we disable the secure boot?
     
  13. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #13
  14. Stephen.R macrumors regular

    Stephen.R

    Joined:
    Nov 2, 2018
    Location:
    Thailand
    #14
    I'm a bit curious about this.

    At what point in booting from recovery (or say, a macOS Installer USB stick) will the T2 prompt for the admin password?

    Surely it's once you try to access the drive at all, rather than when you try to actually run the setup?

    So, why couldn't you
    1. boot from <recovery/installer USB stick/etc>
    2. authenticate with the admin password to allow the internal drive to be decrypted
    3. use DU to wipe the volume
    4. reinstall
    ?
     
  15. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #15
    You can. Assuming the current macOS is in a state that allows the T2 to authenticate the admin user account.

    This was a major issue when the 2018 MBP launched and many wiped their internal drives without knowing that the T2 has a different process and ended up being locked out of their system and had to visit an Apple store to get it fixed.
     
  16. Stephen.R macrumors regular

    Stephen.R

    Joined:
    Nov 2, 2018
    Location:
    Thailand
    #16
    ... I'm confused. They wiped their drive (presumably while booted into recovery or from a usb stick, having entered the admin password?) and then... rebooted? I don't understand how what they did would be any different than what I said?
     
  17. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #17
    I haven’t tried personally but that is what they posted. They basically said they wiped their drive using Disk Utility launched from recovery and then when they tried to re-install macOS, the T2 asked for authentication but couldn’t find any admin users so failed.

    Maybe T2 doesn’t require a password for Disk Utility Access but only for installing a new OS based on the Secure Boot description on Apple Support webpage?
     
  18. jlsm511 macrumors 6502

    jlsm511

    Joined:
    Feb 26, 2008
    Location:
    KMIA
    #18
    I just got the new Mini but haven't set it up yet. I usually like to reinstall the OS when I first set it up to get the newest OS on there (10.14.1 in this case). So what would be the correct process to do this? Using the Recovery Partition (Option-⌘-R as per https://support.apple.com/en-us/HT204904) or would I have to sign in first and create an Admin Account first? This is all very confusing haha.
     
  19. M.Rizk thread starter macrumors 6502

    M.Rizk

    Joined:
    Apr 20, 2015
    #19
    To re-install macOS you will need to authenticate with an admin user password or firmware password (if you have one).

    You can boot to the current macOS first to create an admin account then do a re-install but I recommend having a firmware password so that if something goes wrong later and T2 fails to find an admin user you will still have full control on your Mac Mini.

    Just make sure you keep the firmware password written somewhere safe in case you ever forget it, or you will need to pay a visit to an Apple Store (or authorized service center) with proof of purchase.
     
  20. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #20
    Don't waste your time.
     
