Reinstalling macOS cleanly has always been a simple process. With T2-enabled Macs, however, some of the ways to perform this task must be modified to get around the enhanced security restrictions.
As with most things computer-related, there are multiple ways to accomplish a task or execute a process. The outcomes may vary slightly (or largely) depending on what needs to be done, but thankfully there is hope for success.
Over the years, the task of reinstalling the operating system on computers has branched out to offer multiple avenues to get the OS loaded properly. Depending on your infrastructure and the tools available to you at the time, some of the more common ways are through Internet Recovery or using a USB installer to make offline installations—for those times when the device cannot be connected to the Internet—a breeze.
Apple’s inclusion of the T2 security chip which, among other things, enforces Secure Boot to ensure that your Mac computer only boots from safe, securely signed environments. This is an effort to thwart data exfiltration attempts and other attacks that would load a dubious operating system, potentially opening up the device to funneling malicious code or advanced persistent threats (APT).
The downside to this? By default, your Apple hardware doesn’t trust anything that isn’t bolted on, preventing the device from loading software from a USB drive or any third-party device to maintain the integrity of your system. While this is the intended and correct action to take, it can cause headaches when trying to load macOS (or any other supported OS for that matter) from a USB drive. But it doesn’t have to be if you follow the steps outlined below to get your Mac back in action.
How to temporarily disable T2 security
- Boot to the recovery partition (or Internet Recovery) by pressing the Command + R keys.
- If prompted, authenticate before proceeding with modifying settings Click on the menu and select Utilities | Startup Security Utility.
- If installing a modern version of macOS (Catalina or Big Sur) and you have internet access, select the Full Security button. If installing an older version of macOS, select the Medium Security button; or if installing a supported, third-party OS (Linux, for example), select the No Security button under the Secure Boot section.
- Next, under the External Boot section, select the button next to Allow Booting From External Media to allow installation from USB drives.
- You may wish to disable the firmware password (if there is one) by clicking on the Turn Off Firmware Password button and entering the password when prompted.
- Last, shutdown the Mac, and you will be ready to load macOS or a third-party OS from USB.
First time USB use after disabling T2
Note: Make sure you’re using a native USB drive and there isn’t an adapter between the drive and the port on the laptop. For some reason, the Macs don’t like that when attempting to install a new OS.
- Before you can use the USB for the first time, you will need it to be trusted by Apple. This requires downloading some code from Apple’s services once to attest the usage of the USB drive. To begin, insert the USB installer drive created previously and power on the Mac holding the Option key.
- Select the bootable USB drive when displayed on screen.
- After booting to the USB drive, connect to Wi-Fi before proceeding, otherwise everything from here on will fail.
- You should be prompted with the message “A software update is required using this startup disk.” Click the Update button to begin the process.
- While the file is relatively small, being smaller than 100kb, the process may take several minutes to complete and may cause the screen to blink or even display all black for a period of time.
- Once the update is completed successfully, you will hear the familiar Apple startup chime and the device will reboot.
- You will now be able to boot back into the USB drive and proceed to format the internal storage drive completely and reinstall from scratch like usual.
Note: Don’t lose hope if takes more than a minute to complete as the message states on-screen. In my experience, the process took almost five minutes to complete with no activity or progress monitoring providing accurate feedback.
Once your OS of choice has been installed and the Mac is operational again, do not forget to go back into the Startup Security Utility and re-enable all the security settings to their maximum defaults to continue protecting your data.