Six months ago, the chances of you getting a new Mac with a T2 chip were slim: only if you handed over a great deal of money for an iMac Pro would you get one. Now, most new Macs come equipped with a T2 – MacBook Air, MacBook Pro with Touch Bar, Mac Mini, and of course the iMac Pro. This article looks at some of the most obvious changes which you will notice when you start using your new Mac with its T2 chip.
The most obvious thing is that you won’t see any difference. There’s no splash screen to say that your Mac has a T2, and in ordinary use there’s nothing noticeably different. But start up in Recovery mode, try installing Linux using Boot Camp, or try starting up from an external drive, and the T2 will make its presence felt.
On many Macs with T2 chips, entering Recovery mode is much slower. Unless you’re using the built-in keyboard of a laptop model, you’ll almost certainly have to connect your wireless keyboard to your Mac using its charging lead, so that it is available via USB rather than Bluetooth. Then you’ll probably be holding Command-R forever before your Mac finally displays the standard options for Recovery.
The newest option, the T2-specific Startup Security Utility, isn’t shown among those options, but is opened from the menu bar.
You’ll then be warned that you have to authenticate to access it.
That means entering your normal primary administrator’s user name and password.
By default, even if you didn’t opt for your startup disk to be encrypted using FileVault when you first set your new Mac up, your startup disk will still be encrypted by the T2, and your Mac will be put into Full Security mode, with booting from external media disabled.
This may seem strange, but it doesn’t seem possible to get a Mac with a T2 chip to start up from an unencrypted internal drive: that disk will always be encrypted, no matter whether you turn FileVault ‘off’ or on. The difference it makes is that if you opt for FileVault to be ‘off’, the encryption will unlock using only its internal hardware UID (kept in the T2’s Secure Enclave), and won’t use your password in addition.
When you’re setting up a new MacBook Air or MacBook Pro with a T2, you’re almost certainly going to enable FileVault anyway, and would be well advised to. That will provide maximum protection to the entire contents of your internal storage, even if someone tries removing its drive – something which isn’t at all simple now, as so many internal SSDs are soldered in rather than socketed.
With FileVault ‘off’, your Mac does behave differently. Someone with access to another user account on that Mac doesn’t then need to enter the master password to access the encrypted internal drive, as that is performed automatically by the T2. So the Mac isn’t as secure as with FileVault turned on. (With FileVault turned on, you can opt to allow any other users of your Mac to unlock it using their own password rather than the master, and this is set as the default behaviour once you have turned FileVault on.) But that internal storage is still inaccessible without its T2 chip.
The wonderful thing about FileVault with a T2 is that enabling it doesn’t require any further encryption: it’s instant, because all it involves is the T2 shuffling some keys. So if you’re unsure whether to go the whole hog and enable FileVault when setting up, there is no penalty for changing your mind.
The other options in the Startup Security Utility are thankfully more straightforward. If you want to start up from different versions of macOS, you’ll not want the Full Security option, but probably Medium instead, perhaps allowing booting from external media too.
If you want to run Windows using Boot Camp, you can do that under Full Security, provided that you use the latest version of Boot Camp Assistant to set it up. This allows the T2 to trust Microsoft’s signed code during startup, and enter Windows properly.
Unfortunately, this isn’t the case for Linux and other operating systems which you might want to install in a Boot Camp partition or an external drive. For those, you will have to turn Secure Boot off, into No Security, and if necessary allow booting from external media.
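The three settings discussed above (whether the Mac has a T2, its Secure Boot level, and whether FileVault is on) can be read from the command line, which is useful when you want to check a fleet rather than open Recovery on each machine. The script below is an added example and is not code from the original article or from Apple. It assumes that the NVRAM variable 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy encodes the Startup Security Utility level as a single byte (%00 No Security, %01 Medium, %02 Full), a convention used in MDM extension attributes rather than something Apple documents; `fdesetup status` and `system_profiler SPiBridgeDataType` are Apple’s own tools. Parsing is kept in separate functions so it can be exercised against constructed sample output on any system; the live readings are only collected when the tools are present.

```shell
#!/bin/sh
# Added example, not from the original article: report the T2 startup
# security posture of a Mac. Assumption (not Apple-documented): the NVRAM
# variable AppleSecureBootPolicy holds %00 (No), %01 (Medium), %02 (Full).

# Map the raw nvram line to the name shown in Startup Security Utility.
secure_boot_level() {
    case "$1" in
        *%02*) echo "Full Security" ;;
        *%01*) echo "Medium Security" ;;
        *%00*) echo "No Security" ;;
        *)     echo "Unknown" ;;
    esac
}

# Normalise the output of `fdesetup status` to on/off/unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Detect the T2 from the iBridge section of system_profiler.
has_t2() {
    case "$1" in
        *"Apple T2"*) echo "yes" ;;
        *)            echo "no" ;;
    esac
}

# Combine the three readings into the posture the article describes:
# with a T2 the internal disk is always encrypted; FileVault decides
# whether the key is also wrapped with the user's password.
assess_posture() {
    t2="$1"; level="$2"; fv="$3"
    if [ "$t2" != "yes" ]; then
        echo "no T2 chip: internal disk is encrypted only when FileVault is on (currently $fv)"
        return
    fi
    msg="T2 present: internal disk always encrypted; "
    if [ "$fv" = "on" ]; then
        msg="${msg}key also protected by user password"
    else
        msg="${msg}unlocked by hardware UID alone (FileVault off)"
    fi
    case "$level" in
        "Full Security")   msg="${msg}; Secure Boot full (current Apple-signed macOS, Windows via Boot Camp)" ;;
        "Medium Security") msg="${msg}; Secure Boot medium (any signed macOS)" ;;
        "No Security")     msg="${msg}; Secure Boot off (required for Linux)" ;;
        *)                 msg="${msg}; Secure Boot level unknown" ;;
    esac
    echo "$msg"
}

# Live collection, only on a Mac where the tools exist.
if command -v system_profiler >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    raw_bridge=$(system_profiler SPiBridgeDataType 2>/dev/null)
    raw_policy=$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>/dev/null)
    raw_fv=$(fdesetup status 2>/dev/null)
    assess_posture "$(has_t2 "$raw_bridge")" \
                   "$(secure_boot_level "$raw_policy")" \
                   "$(filevault_state "$raw_fv")"
fi
```

Run it as an ordinary user on the Mac being checked; none of the three commands needs root for reading. A reading of "unlocked by hardware UID alone" is the FileVault-off case described above: the data is still unreadable without that particular T2, but any user who can log in gets the volume unlocked for them.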
When things go wrong
So what happens if something goes wrong with Secure Boot when you have got Full Security turned on? How does your Mac start up?
The answer is into Recovery mode. It then automatically launches the Boot Recovery Assistant, which will first try to fix the problem and, if it can’t, offer you various options as to how to proceed. These can include downgrading the level of security so that your Mac can start up from any signed version of macOS (Medium Security), for instance.
You can still use your Mac’s internal storage in Target Disk mode, for example as a Thunderbolt Target Disk when connected back-to-back with another Mac. However, if you opted to turn FileVault on, you will have to supply its password. With FileVault ‘off’, the T2 chip should handle that itself.
When disaster strikes a Mac with a T2 chip, it can be more serious than without one. If your T2 chip dies, it takes with it its Secure Enclave, and all hope of recovering the disk(s) it has encrypted. This makes it even more important that you keep good backups to an external drive. With or without FileVault enabled, you should consider encrypting that backup using FileVault.
The snag is that, at present, a Time Machine backup volume must be in HFS+ and can’t use APFS encryption. If you start making backups to an unencrypted volume, Time Machine will warn you that you are backing up encrypted data to an unencrypted backup, and offer to turn FileVault on for you.
When using a MacBook Pro with a Touch Bar, you can of course use Touch ID, which then works similarly to iOS devices. As the T2 chip also has special image processing capabilities, there is speculation that Apple may add the option of Face ID in the future, which would of course be more widely applicable.
One final benefit worth noting is that the T2 disconnects your Mac’s microphone in hardware when a laptop’s lid is closed. As lid closure also physically obstructs the camera, this prevents software from eavesdropping when a MacBook Pro or Air is shut.
Apple’s full reference to the T2 is here.