
Moof1904

macrumors 65816
Original poster
Hello!

TL;DR: Startup Security Utility is thwarting attempts to move my Sonnet M.2 NVMe boot drive into a “new” Mac Pro by not accepting my admin password.

Details:

I have been using a Mac Pro 7,1 for years and just purchased another 7,1 from eBay. One with better specs. The plan is to use the original one as a backup and enjoy the better specs of the “new” one.

I received the new one today and moved the Promise Pegasus J2i and Sonnet M.2 4x4 PCIe Card from the previous Mac Pro into the new one. I had been using one of the NVMe drives on the Sonnet card as a Sequoia boot drive.

The new 7,1 has Tahoe on its Apple SSD and after configuring it as a new user I attempted to set the NVMe drive I had been using in the previous 7,1 as a startup drive and I received the error message that the Mac hadn’t been configured to boot from an “external” drive.

When I rebooted in recovery mode, though, the Startup Security Utility acts as though my admin password is incorrect, even though it’s correct. Moreover, the utility doesn’t show any other admin users in the menu, either.

I have tried to fix this by changing the password using Terminal while in recovery mode and that didn’t work. I also tried to reinstall Tahoe on the Apple SSD startup drive, but the utility would only offer to reinstall Sequoia, not Tahoe, and wouldn’t do so on the Tahoe drive.

How in the world do I get into the Startup Security Utility to allow booting from the NVMe drive on the Sonnet card?
 
I had a similar issue when I purchased mine. In the end it seems that the Mac was somehow still connected to the previous owner's Apple ID (T2 Chip Security) even though it appeared in my devices list on MY Apple ID.

I had to contact the previous owner and get his Apple ID and password (he came to my house as he was local and did it) and then he had to remove it from his device list on his Apple ID.

So could be some sort of screw up like that maybe....
 
I finally solved it. It was tedious. Here's a writeup in case someone else has a similar problem:

The Core Problem

After moving my Sonnet M.2 NVMe boot drive into a “new” Mac Pro, in Recovery Mode, Startup Security Utility flat-out rejected my admin password — even though it was correct and worked fine in macOS. The utility wasn't even showing all my admin users in the menu. Hence, I couldn't authorize the Mac to boot from the "external" NVMe drive on a PCI card.

What Did Not Work

I worked through this with Claude.ai, trying fix after fix. Here's everything that didn't work, in case it saves someone some time:

Resetting the password in Recovery Terminal. Changing the admin password from Terminal in Recovery Mode did nothing. Startup Security Utility still wouldn't accept it.

Reinstalling Tahoe from local Recovery Mode. The reinstall utility refused to touch the Tahoe volume, throwing this error: "The operation could not be completed. (com.apple.BuildInfo.preflight.error.error 21.)"

Checking for a missing SecureToken via diskutil apfs listusers /. Both admin account UUIDs showed up in the APFS credential store, so a missing SecureToken wasn't the issue.

The FileVault recovery key trick. Trying to trigger SecureToken provisioning through the FileVault setup dialog didn't help.

Using sysadminctl to grant a SecureToken. Running sudo sysadminctl -secureTokenOn $(whoami) -password - came back with: "Operation is not permitted without a secure token unlock." Classic Catch-22 — you need a SecureToken to grant a SecureToken, and none of my accounts had a valid one tied to this machine's T2 chip.

Deleting .AppleSetupDone to trigger Setup Assistant. SIP blocked the deletion from within the running OS, so I did it from Recovery Terminal after mounting the Data volume. Tahoe didn't care — it booted normally anyway. Turns out Tahoe no longer uses that file as a Setup Assistant trigger at all.

Internet Recovery (Cmd-Option-R). After two hours stuck below 10% on the progress bar, I gave up on this one.

Reinstalling Sequoia from local Recovery over the Tahoe volume. Same preflight error 21 as before. The Tahoe volume was apparently poisoned for any installer.

The Resolution

That preflight error 21 was the real clue — the Tahoe volume was failing installer validation no matter what I threw at it. Since my only goal was to boot from the NVMe drive anyway, I stopped trying to save the Tahoe install and just erased the Apple SSD entirely from Disk Utility in Recovery Mode, formatted it as APFS with a GUID Partition Map, and did a clean Sequoia install from the local recovery partition.

It worked. The install completed without complaint, and on first boot Setup Assistant ran — which turns out to be the whole key. Setup Assistant is the only process Apple actually allows to initialize the T2 chip's SecureToken chain from scratch. There's no back door, no terminal command, no trick that replicates what it does.

As soon as I was at the desktop I rebooted straight into Recovery Mode without doing anything else first. Startup Security Utility accepted my password immediately. I enabled booting from external drives, restarted holding Option, selected the NVMe drive, and that was it.

Current State

The Mac Pro is now booting from the NVMe drive on the Sonnet PCIe card as intended. I kept the clean Sequoia install on the internal Apple SSD as an alternate startup volume for troubleshooting.

Key Takeaway

When you move a T2-based Mac Pro startup volume to a new machine, the T2 chip needs to be properly initialized by Setup Assistant before Startup Security Utility will work. If something prevents Setup Assistant from running — or blocks a clean OS reinstall onto the internal drive — you're stuck until you erase the internal SSD completely and start fresh. No password resets, SecureToken commands, or file deletions will get you around it. The erase feels drastic but it's the only thing that actually works.
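The two read-only checks mentioned in the write-up above (admin UUIDs in the APFS credential store, and SecureToken status) can be run for every admin account at once. This is an added example, not part of the original post: the function names and the sample listing are constructed, and the "Type:" and "Secure token is ..." strings it matches are the output wording these tools are assumed to print.

```bash
#!/bin/bash
# Added example (not from the thread): read-only SecureToken audit of admin accounts.

# Constructed sample of `diskutil apfs listUsers /` output; UUIDs are made up.
SAMPLE_LISTING='Cryptographic users for disk1s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User'

# stdin: listUsers output. stdout: "UUID<TAB>Type" for each cryptographic user.
parse_apfs_users() {
  awk '/^[+]-- / { uuid = $2 }
       /Type: /  { sub(/^.*Type: /, ""); if (uuid != "") print uuid "\t" $0; uuid = "" }'
}

# stdin: listUsers output. Succeeds only if UUID $1 is listed as a local user.
uuid_in_store() {
  parse_apfs_users | awk -F'\t' -v u="$1" '
    toupper($1) == toupper(u) && $2 == "Local Open Directory User" { found = 1 }
    END { exit !found }'
}

# stdin: `sysadminctl -secureTokenStatus <user>` output. stdout: ENABLED, DISABLED or UNKNOWN.
token_state() {
  awk '/Secure token is ENABLED/  { s = "ENABLED" }
       /Secure token is DISABLED/ { s = "DISABLED" }
       END { print (s == "" ? "UNKNOWN" : s) }'
}

# Report token state and credential-store presence for each local admin.
audit_admins() {
  listing=$(diskutil apfs listUsers /)
  for user in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2); do
    [ "$user" = "root" ] && continue
    uuid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{ print $2 }')
    state=$(sysadminctl -secureTokenStatus "$user" 2>&1 | token_state)
    if printf '%s\n' "$listing" | uuid_in_store "$uuid"; then store=present; else store=MISSING; fi
    printf '%s\ttoken=%s\tapfs_store=%s\n' "$user" "$state" "$store"
  done
}

# Runs only where the macOS tools exist, so the parsers can be exercised elsewhere.
if command -v sysadminctl >/dev/null 2>&1; then audit_admins; fi
```

A clean result here narrows the cause but does not clear it: in the write-up, both admin UUIDs were present in the store and Startup Security Utility still rejected the password.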
 
The new 7,1 has Tahoe on its Apple SSD and after configuring it as a new user I attempted to set the NVMe drive I had been using in the previous 7,1 as a startup drive and I received the error message that the Mac hadn’t been configured to boot from an “external” drive.

When I rebooted in recovery mode, though, the Startup Security Utility acts as though my admin password is incorrect, even though it’s correct. Moreover, the utility doesn’t show any other admin users in the menu, either.

You... just used an OS that came pre-installed on a computer you bought secondhand?

Which drive had you booted from when you tried setting the Sonnet NVME as the boot drive, and which drive was the recovery partition on when it was starting up?

When you move a T2-based Mac Pro startup volume to a new machine, the T2 chip needs to be properly initialized by Setup Assistant before Startup Security Utility will work.

I'm a little unclear on how you did this...

I would have thought the process would be:
  1. Boot new machine without PCI NVME installed and erase + install OS in Apple SSD
  2. Ensure security settings for external boot are what you want them to be.
  3. Power off and install PCI SSD
  4. Boot on Apple SSD, set startup disk to PCI
  5. Boot on PCI SSD
 
What you've described is pretty much what I attempted.

The seller reset the Mac to factory new, so when I received it, I booted it up, was greeted with the Welcome to MacOS screen where I then created an admin account for myself. After that, I verified that the system was as advertised and that it worked fine. At that point, I had a pristine, factory new OS on the Apple SSD that I was going to keep as a troubleshooting boot drive and had planned to specify the NVMe drive from my former 7,1 as the daily boot drive, since it had been fully configured over the years to be just how I want everything. That's how my former 7,1 was configured.

Then I shut the new 7,1 down and moved my drives over from my former 7,1 and started it up from the newly created OS on the Apple factory drive and verified that all my migrated drives were mounting properly. So far, so good.

But when I then tried to set the PCI NVMe as the startup drive, the Mac reported that booting from external drives was not allowed and I would have to change the setting by booting into recovery mode and using the Startup Security Utility. That's when I discovered that the Startup Security Utility wouldn't recognize my admin credentials and I therefore couldn't authorize external drive boot-up. The rest is as described above.
 
What you've described is pretty much what I attempted.

The seller reset the Mac to factory new, so when I received it, I booted it up, was greeted with the Welcome to MacOS screen where I then created an admin account for myself. After that, I verified that the system was as advertised and that it worked fine. At that point, I had a pristine, factory new OS on the Apple SSD that I was going to keep as a troubleshooting boot drive and had planned to specify the NVMe drive from my former 7,1 as the daily boot drive, since it had been fully configured over the years to be just how I want everything. That's how my former 7,1 was configured.

I wonder, if you had tried the startup security app at this point, if things would have been different, or you would have at least seen the problem manifest without other variables of the presence of the PCI SSD...

I have to wonder if the previous owner didn't reinstall a fresh OS and give it to you, but rather he ran the "wipe this for sale" process, which just removes user accounts and rolls back to the sealed system volume... but jeez it would be just like Apple to have not taken into account that T2 systems are different to AS systems, and maybe that feature is actually broken, and caches the old admin password for the startup security settings, or something of that nature.
 
I'm guessing that you're right: The previous owner probably wiped it for sale rather than a full reinstall. And I wouldn't be surprised if that feature was broken, too.
 