Before Apple refreshed security on Intel Macs with the T2 Security Chip and FileVault, the company offered a different way to deter certain kinds of physical attacks. Intel Mac owners can set a firmware password, which prevents a volume other than the one set to start up the Mac from being used on restart or from a cold start.
Apple did away with the problem entirely with Apple silicon by adding low-level security policies and other system drives that prevent an M-series Mac from starting up with an arbitrary volume. (This also made it difficult to have a bootable backup in case of a drive failure, but SSDs—the only built-in option for M-series Macs—are far more reliable than hard drives.)
If you have or are planning to buy an Intel Mac and want to know how to remove the firmware password, it’s an easy process:
- Power up your Mac or restart it, and then immediately hold down Command-R until you see the progress bar under the Apple icon.
- In macOS Recovery, the special boot mode, choose Utilities > Startup Security Utility (or, for older Macs, Utilities > Firmware Password Utility).
- Click Turn Off Firmware Password.
- When prompted, enter the firmware password. If you purchased the Mac or plan to purchase it, the seller must provide it. There’s no way to bypass or reset it on your own (an exception is below).
- Quit the utility.
- Choose Apple menu > Restart.
Apple can reset the firmware password in person at an Apple Store or a store that’s an authorized service provider. However, the company has always required proof of purchase by the original owner and then proof of identity for the person with that receipt (digital or paper). As far as I can tell, if you’re a secondary or later buyer, Apple or third-party personnel will not unlock the firmware.
This Mac 911 article is in response to a question submitted by Macworld reader Anthony.