Last Week on My Mac: Apple’s scorched update policy

Just before Christmas, when Apple released the update to Big Sur 11.1, there was uproar among users as it had apparently decided, without any announcement let alone consultation, to cease providing standalone updates for Big Sur. The reason is apparently Big Sur’s new Sealed System Volume (SSV). Installing updates to this is quite different to previous macOS updates, and includes building a Merkel tree of hash values which are then saved in file system metadata.

Prior to Big Sur, creating Installer packages for both incremental or ‘delta’ and Combo updates wasn’t difficult, as those essentially performed the same installations as the direct update. That isn’t possible with the SSV, which needs a different engineering approach. At that time, I gather, Apple hadn’t decided whether it would provide any form of standalone updater for Big Sur, and not having made that decision, it meant that no standalone installer was provided at all.

Not that Apple had gone to the trivial effort of informing users, most of whom only discovered this when no standalone installers were provided for 11.1.

Just over month later, Apple released the update to 11.2. Not only are there still no standalone installers for that, and no explanation or (heaven forbid) apology, but Apple immediately removed the full 11.1 installer app, and still hasn’t provided standalone installer packages for the concomitant security updates to Mojave and Catalina. As things stand at the moment, even if you use
sudo softwareupdate --fetch-full-installer --full-installer-version 11.1
at the command line, Apple’s servers tell you it wasn’t found. Download the current version of 10.15.7 using the same mechanism, and you’ll be given the version from last November, without either Security Update 2020-001 or 2021-001 installed.

Apple’s failure has affected many users.

Some of those who updated successfully, so they thought, to 11.2 have since discovered that it’s incompatible with the latest release of SoftRAID, rendering their expensive RAID systems inaccessible. They need to roll back to 11.1 while Apple and OWC sort this incompatibility out, which may not be fixed until the release of 11.3, perhaps in late March. In the meantime, they can’t download the full installer for 11.1, to which Apple unilaterally decided users should no longer have access.

For those early adopters who are already using M1 Macs, this isn’t an insurmountable problem, though. Provided that they have another Mac running Catalina or Big Sur and a suitable cable, they can put their M1 into DFU mode, connect it to Configurator 2, and restore the IPSW for macOS 11.1. Of course that completely wipes their M1 Mac, which then has to be restored from a backup. So after several hours slog, they can eventually roll back to 11.1 and get their external RAID systems working again. Thank you, Apple, for that great inconvenience.

Developers and researchers who rely on running macOS in virtual machines (VMs) have discovered that it often isn’t possible to update those with security updates, or the mandatory online update from 11.1 to 11.2. Apple’s failure to make any provision for them means they’re unable to test against fully patched Mojave and Catalina, and the only way they can update to 11.2 is to download the full installer.

Just a few months ago, Apple had a standard routine with system and security updates: online updates were released, and followed up with the release of standalone installer packages, which included:

  • a ‘delta’ incremental updater for the current release of macOS,
  • a Combo updater for that release,
  • standalone packages containing the two security updates, for the last two major releases of macOS.

Without warning, or even confessing that it has done so, Apple has now stopped providing those four presentations of updates for users. Instead of making it easier to keep your Macs up to date, Apple has made it possible only if you follow the same procedures as you do with your iPhone or iPad. For many users, that will mean, for one reason or another, that they will be slow to apply security updates which address vulnerabilities that are already being exploited – as is the case with these latest updates – or they may never get round to updating at all.

For the sake of a little engineering effort on Apple’s part, it has now decided to leave many macOS users without the support which has long been one of the advantages of buying Apple computers.

Like many users, I’m now compelled to waste many gigabytes of my local storage with previous full installers for Big Sur and earlier versions of macOS. Even running a Content Caching Server can’t replace the removal of 11.1.

If you consider that Apple should reinstate its long and much-appreciated practice of providing those standalone updaters, even if you’ve already updated successfully, please take a few moments and ask Apple Support where the standalone updaters are for Mojave and Catalina Security Updates 2021-001 and for Big Sur 11.2, and where you can obtain the 11.1 installer from. Otherwise we can kiss goodbye to any flexibility in the future: your Mac will be, in this respect, just like any other iOS device.

Postscript (updated)

I’m very grateful to @rosyna for pointing out that, as Big Sur should retain a pre-update snapshot, users could now be able to use that to revert to the previous System snapshot in the event that an update goes wrong, as 11.2 has for SoftRAID users. Instructions for doing this on an M1 Mac are given here by SoftRAID, although those are incomplete. A more detailed account is available in my own guide.

Further investigation reveals that, even if your M1 Mac has been making ‘full’ Time Machine backups, there is no snapshot of the System available on the System volume or in your backups. In any case, if your backups are on external storage which relies on SoftRAID, they aren’t accessible when you’ve updated to 11.2, so couldn’t be used to restore 11.1. Even if you were wise enough to make an external disk bootable with 11.1, once your Mac has updated to 11.2, it’s unable to boot from any external disk with 11.1 installed without suffering a boot loop kernel panic. So without the 11.1 Full Installer, there’s only one way back to 11.1, and that’s DFU mode to restore the 11.1 IPSW.

At some time after 2300 UTC on 8 February 2021, Apple finally made available a standalone updater for Catalina Security Update 2021-001. You can obtain it from here. There are some remaining oddities about that, though: the date given on that webpage is 5 February 2021, although the page wasn’t made available for 3-4 days after that date. What’s more, the Installer package containing that update is dated 15 January 2021, two weeks before that urgent security update was released via Software Update on 1 February 2021, and three weeks before its release as a standalone installer package. Doesn’t time seem to fly?