Over on the MacAdmins Slack, in the #mojave channel, there was a lengthy discussion of problems that some admins saw after users installed Security Update 2019-001 (Mojave). The topic is also discussed in a thread on the Jamf Nation site—thanks to reader Bruce Carter for the initial pointer.
The details vary, but all revolve around problems at boot, with complete lockups, accounts not available, current passwords not working, the login window reappearing after the user enters the password, or a crash screen after login. So far, it seems that only Macs with the T1 or T2 security chip are affected—that includes the MacBook Pro with Touch Bar (2016 and later), iMac Pro, MacBook Air (2018), and Mac mini (2018).
As far as I can tell, no one has actually seen the problem happen in person; users are always reporting it after the fact. (And in the admin world, user reports are taken with a very large grain of salt.) But in at least some cases, the users are admitting that they interrupted the update because it seemed to be taking too long. That’s key, because as user James Dean suggested on the MacAdmins Slack, for at least some users, this update appears to install itself in an unusual way, seemingly turning the Mac off and back on, and at one point keeping it off for what he says feels like a minute. (On Tonya’s T1-equipped MacBook Pro (2016), the installation took about 10 minutes, and I didn’t notice any particularly unusual behavior, though I wasn’t watching all that closely.)
While the Mac appears to be off, I suspect that the security update is upgrading BridgeOS, which is a modified version of watchOS embedded on the T1 or T2 chip that runs things like the Touch Bar and the FaceTime HD camera. Mr. Macintosh reports that Security Update 2019-001 for Mojave also updates BridgeOS to version 17.16.11081.0.0. Given that BridgeOS runs on the T1 or T2 chip that’s responsible for boot security (see “What Does the T2 Chip Mean for Mac Usage?,” 5 April 2019), it’s not a stretch to theorize that interrupting a BridgeOS update would cause havoc with subsequent boot attempts.
Solutions to the problem range from using previous passwords to reinstalling macOS via Internet recovery, sometimes after reinitializing the boot drive and then restoring data and settings from a backup. So far, it seems that admins and consultants have been able to bring every affected Mac back to life, though sometimes with data loss, depending on the state of backups.
In the end, my advice is simply to go ahead with installing Security Update 2019-001 (Mojave), with two important caveats. First, make sure you have good backups before starting, in case the worst happens. That’s always a good plan anyway. Second, do not interrupt the installation process! It may take longer than you expect, but let it run as long as it needs. As a corollary to this second piece of advice, only start the installation on a MacBook Pro or MacBook Air when it’s plugged in; the last thing you want is for it to lose power in the middle of the installation.