About Secure Boot

If your Mac includes the Apple T2 chip, you can use Secure Boot to make sure that only a legitimate, trusted operating system loads at startup.

Available only on Mac computers that have the Apple T2 chip, Secure Boot offers three settings to make sure that your Mac always starts up from a legitimate, trusted Mac operating system or Microsoft Windows operating system: Full Security, Medium Security, and No Security.

Secure Boot settings are available in Startup Security Utility:

  1. Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo to start up from macOS Recovery.
  2. When you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.
  3. When you're asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

Full Security

Full Security is the default Secure Boot setting, offering the highest level of security. This is a level of security previously available only on iOS devices.

During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it's legitimate. If the OS is unknown or can't be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.

If FileVault is enabled while your Mac is attempting to download updated integrity information, you're asked to enter a password to unlock the disk. Enter your administrator password, then click Unlock to complete the download.

If the OS doesn't pass verification:

  • macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
  • Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

If your Mac can't connect to the Internet, it displays an alert that an Internet connection is required.

  • Check your Internet connection, such as by choosing an an active network from Wi-Fi status menu  in the menu bar. Then click Try Again.
  • Or click Startup Disk and choose a different startup disk.
  • Or use Startup Security Utility to lower the security level to Medium Security.

Medium Security

During startup when Medium Security is turned on, your Mac verifies the OS on your startup disk only by making sure that it has been properly signed by Apple (macOS) or Microsoft (Windows). This doesn't require an Internet connection or updated integrity information from Apple, so it doesn't prevent your Mac from using an OS that is no longer trusted by Apple.

If the OS doesn't pass verification:

  • macOS: An alert informs you that a software update is required to use this startup disk. Click Update to open the macOS installer, which you can use to reinstall macOS on the startup disk. This requires an Internet connection. Or click Startup Disk and choose a different startup disk, which your Mac will also attempt to verify.
  • Windows: An alert informs you that you need to install windows with Boot Camp Assistant.

No Security

The No Security setting doesn't enforce any of the above security requirements for your startup disk.

Published Date: