hoakley February 7, 2021 Macs, Technology

Last Week on My Mac: Apple’s scorched update policy

Just before Christmas, when Apple released the update to Big Sur 11.1, there was uproar among users as it had apparently decided, without any announcement let alone consultation, to cease providing standalone updates for Big Sur. The reason is apparently Big Sur’s new Sealed System Volume (SSV). Installing updates to this is quite different to previous macOS updates, and includes building a Merkel tree of hash values which are then saved in file system metadata.

Prior to Big Sur, creating Installer packages for both incremental or ‘delta’ and Combo updates wasn’t difficult, as those essentially performed the same installations as the direct update. That isn’t possible with the SSV, which needs a different engineering approach. At that time, I gather, Apple hadn’t decided whether it would provide any form of standalone updater for Big Sur, and not having made that decision, it meant that no standalone installer was provided at all.

Not that Apple had gone to the trivial effort of informing users, most of whom only discovered this when no standalone installers were provided for 11.1.

Just over month later, Apple released the update to 11.2. Not only are there still no standalone installers for that, and no explanation or (heaven forbid) apology, but Apple immediately removed the full 11.1 installer app, and still hasn’t provided standalone installer packages for the concomitant security updates to Mojave and Catalina. As things stand at the moment, even if you use
sudo softwareupdate --fetch-full-installer --full-installer-version 11.1
at the command line, Apple’s servers tell you it wasn’t found. Download the current version of 10.15.7 using the same mechanism, and you’ll be given the version from last November, without either Security Update 2020-001 or 2021-001 installed.

Apple’s failure has affected many users.

Some of those who updated successfully, so they thought, to 11.2 have since discovered that it’s incompatible with the latest release of SoftRAID, rendering their expensive RAID systems inaccessible. They need to roll back to 11.1 while Apple and OWC sort this incompatibility out, which may not be fixed until the release of 11.3, perhaps in late March. In the meantime, they can’t download the full installer for 11.1, to which Apple unilaterally decided users should no longer have access.

For those early adopters who are already using M1 Macs, this isn’t an insurmountable problem, though. Provided that they have another Mac running Catalina or Big Sur and a suitable cable, they can put their M1 into DFU mode, connect it to Configurator 2, and restore the IPSW for macOS 11.1. Of course that completely wipes their M1 Mac, which then has to be restored from a backup. So after several hours slog, they can eventually roll back to 11.1 and get their external RAID systems working again. Thank you, Apple, for that great inconvenience.

Developers and researchers who rely on running macOS in virtual machines (VMs) have discovered that it often isn’t possible to update those with security updates, or the mandatory online update from 11.1 to 11.2. Apple’s failure to make any provision for them means they’re unable to test against fully patched Mojave and Catalina, and the only way they can update to 11.2 is to download the full installer.

Just a few months ago, Apple had a standard routine with system and security updates: online updates were released, and followed up with the release of standalone installer packages, which included:

a ‘delta’ incremental updater for the current release of macOS,
a Combo updater for that release,
standalone packages containing the two security updates, for the last two major releases of macOS.

Without warning, or even confessing that it has done so, Apple has now stopped providing those four presentations of updates for users. Instead of making it easier to keep your Macs up to date, Apple has made it possible only if you follow the same procedures as you do with your iPhone or iPad. For many users, that will mean, for one reason or another, that they will be slow to apply security updates which address vulnerabilities that are already being exploited – as is the case with these latest updates – or they may never get round to updating at all.

For the sake of a little engineering effort on Apple’s part, it has now decided to leave many macOS users without the support which has long been one of the advantages of buying Apple computers.

Like many users, I’m now compelled to waste many gigabytes of my local storage with previous full installers for Big Sur and earlier versions of macOS. Even running a Content Caching Server can’t replace the removal of 11.1.

If you consider that Apple should reinstate its long and much-appreciated practice of providing those standalone updaters, even if you’ve already updated successfully, please take a few moments and ask Apple Support where the standalone updaters are for Mojave and Catalina Security Updates 2021-001 and for Big Sur 11.2, and where you can obtain the 11.1 installer from. Otherwise we can kiss goodbye to any flexibility in the future: your Mac will be, in this respect, just like any other iOS device.

Postscript (updated)

I’m very grateful to @rosyna for pointing out that, as Big Sur should retain a pre-update snapshot, users could now be able to use that to revert to the previous System snapshot in the event that an update goes wrong, as 11.2 has for SoftRAID users. Instructions for doing this on an M1 Mac are given here by SoftRAID, although those are incomplete. A more detailed account is available in my own guide.

Further investigation reveals that, even if your M1 Mac has been making ‘full’ Time Machine backups, there is no snapshot of the System available on the System volume or in your backups. In any case, if your backups are on external storage which relies on SoftRAID, they aren’t accessible when you’ve updated to 11.2, so couldn’t be used to restore 11.1. Even if you were wise enough to make an external disk bootable with 11.1, once your Mac has updated to 11.2, it’s unable to boot from any external disk with 11.1 installed without suffering a boot loop kernel panic. So without the 11.1 Full Installer, there’s only one way back to 11.1, and that’s DFU mode to restore the 11.1 IPSW.

At some time after 2300 UTC on 8 February 2021, Apple finally made available a standalone updater for Catalina Security Update 2021-001. You can obtain it from here. There are some remaining oddities about that, though: the date given on that webpage is 5 February 2021, although the page wasn’t made available for 3-4 days after that date. What’s more, the Installer package containing that update is dated 15 January 2021, two weeks before that urgent security update was released via Software Update on 1 February 2021, and three weeks before its release as a standalone installer package. Doesn’t time seem to fly?

21Comments

Add yours

1

EcleX on February 7, 2021 at 10:14 am

Many thanks for the excellent article about such serious productivity issues. Besides, as said in other article, if you turn off

“Apple – System Preferences – App Store – Automatically check for updates – Install system data files and security updates”

and want to carry out updates manually (to prevent unwanted results, as sometimes has happened!), then

“Apple – About This Mac – Software Update”

does not show firmware or security updates. Even when they are available, as shown by SilentKnight.

I hope that Apple engineers red this site routinely. Apple should fix these serious issues, which are blocking workflows.

LikeLiked by 2 people
- 2
  
  hoakley on February 7, 2021 at 12:36 pm
  
  Thank you.
  We are referring to different types of security update here, I think.
  The recent (2021-001) Security Updates for Mojave and Catalina aren’t pushed in the way that security data updates, those to XProtect and MRT, are. So even though you may have automatic checking disabled, if you open Software Update, when it runs its check, it should show any Security Update or other update to macOS.
  Firmware updates only come as part of a Security Update or macOS update, and they aren’t even disclosed in the installation notes.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on February 7, 2021 at 2:51 pm
    
    Thanks. Well, none of them show here, at least in Sierra, Catalina and Big Sur.
    
    LikeLiked by 1 person
4

baron on February 7, 2021 at 1:33 pm

You wrote: “as Big Sur should retain a pre-update snapshot, users should now be able to use that to revert to the previous System snapshot in the event that an update goes wrong”.
I think having read somewhere else that these automatic snapshots only remain 24 hours, which is not very long to decide wether an update is problematic or not. I cannot verify it but if it is still the case, is it possible to extend their life span?

LikeLiked by 1 person
- 5
  
  hoakley on February 7, 2021 at 2:09 pm
  
  Thank you.
  I don’t know, and can’t find any documentation. However, the description on the SoftRAID site appears not to be accurate. Or maybe it is, and that snapshot has already been removed by macOS.
  Howard.
  
  LikeLike
  - 6
    
    b on February 7, 2021 at 11:53 pm
    
    I’m afraid I was relying on outdated information: it looks like these automatic snapshots, created on macOS updates without having Time Machine activated, were not anymore used in Catalina Update 10.15.3. https://mrmacintosh.com/10-15-3-combo-security-updates-are-not-creating-backup-snapshots/ I don’t know if this precious feature reappeared since then.
    
    LikeLiked by 1 person
7

alberic on February 7, 2021 at 1:56 pm

Howard said: “your Mac will be, in this respect, just like any other iOS device”. I believe this is precisely where Apple is heading, thus forfeiting the flexibility and modularity afforded by the Mac. Sad!

BTW, I use SoftRAID. After I did the Catalina 2021-001 update, Apple removed the current version (5.8.4) and put an outdated SoftRAID kext version instead. Fortunately because my SoftRAID array is not the boot device, this was easy to correct. Apple even nuked my background (GitHub provided) background tasks, but that’s another story…

LikeLiked by 1 person
- 8
  
  hoakley on February 7, 2021 at 2:23 pm
  
  Thank you.
  Note those important words, “in this respect”.
  Howard.
  
  LikeLiked by 1 person
9

Simon on February 7, 2021 at 4:17 pm

Thank you for pointing out this problem. Hopefully, Apple will reconsider.

Just one question:

“… Big Sur should retain a pre-update snapshot, users should now be able to use that to revert to the previous System snapshot in the event that an update goes wrong, as 11.2 has for SoftRAID users. Instructions for doing this on an M1 Mac…”

Anything different for those of us still on Intel Macs? Is it just reboot into restore mode, select restore from TM, and then choose last listing that shows prior macOS version?

LikeLiked by 2 people
- 10
  
  hoakley on February 7, 2021 at 8:37 pm
  
  Thank you.
  As with Intel Macs, it now appears that this is only true on M1 models with Time Machine backups. It’s not a system-level feature on either, I’m afraid.
  Howard.
  
  LikeLike
11

Abbott on February 7, 2021 at 7:51 pm

Apple started doing this a while ago. I’ve been trying to revert to Safari 13.x on a Mojave system for several months and it seems impossible to find ANY Safari 13 installer anywhere. I’ve tried Apple Support, and no luck (actually, I think they really didn’t care); searched the Web and all links now point to empty sites, so apparently Apple’s done a very good job of purting Safari 13 just as you mentioned with earlier versions of Big Sur.

Having learned my lesson, I now go to Library/Updates and copy all installers as soon as they’re done downloading. It looks like this approach may fail in the future, though, because—at least the latest Mojave Security Update—have a number of component installers and I’m not sure whether their order of installation matters.

I’m not thrilled with this approach. It’s not like I’ve never had to downgrade from a goofed updater.

LikeLiked by 1 person
- 12
  
  hoakley on February 7, 2021 at 8:46 pm
  
  Thank you.
  I think Safari has proven a bit more complex, as some of its underlying components are normally on the System volume, so have to be updated as a more substantial process, which is even worse in Big Sur. This is odd, as Safari itself isn’t on the protected System volume, but on the Data volume to make it easier to update.
  Howard.
  
  LikeLike
13

abbott on February 7, 2021 at 10:22 pm

I just discovered a possible reason for Apple not releasing updaters. I’ve now downloaded Security Update 2021-001 for Mojave to two machines: a 2012 Mac Pro and a 2019 MacBook Pro. The downloads differ, with two components more in the MBP download than in the MP. Judging by the name, the additional components are for the T2 chip. If that’s the case, then it may be easiest for Apple to download to specific machines rather than have [at least] three downloadable installers (vanilla, vanilla + T2, and M1 versions) that are scripted to install only those components required for a particular machine.

Maybe this will sort out in a few years when Apple completely drops support for Intel hardware?

LikeLiked by 1 person
- 14
  
  hoakley on February 7, 2021 at 11:22 pm
  
  Thank you.
  Apple has been providing macOS updates for mixed T2 and non-T2 models for the last two years. Yes, the installers are more complex, but Apple already knows how to do it, and has been doing so. So why stop now?
  Howard.
  
  LikeLiked by 1 person
  - 15
    
    BKDad on February 8, 2021 at 2:33 pm
    
    Apple must have some reason, whether it makes sense or not. So far, I haven’t read any reason that makes sense.
    
    Perhaps they want to just kill all previous operating systems prior to the very latest version of Big Sur so that they never have to deal with them again. That sounds paranoid, but all it takes is one out-of-touch crazy person in the right position to enable such an event. Or, maybe, the paranoia is really justified and Apple is creating security that only they can control.
    
    One theme I have discovered running through so many of these discussions is that Apple support is often less than helpful now. If they just shrugged their shoulders and said “we don’t know” that would be frustrating. Instead, they seem to be peddling disinformation, such as “170.0.0.0.0 IS the most recent version of firmware…”
    
    The craziest part to me is that Apple spent decades building up a lot of good will amongst its customers by being somewhat flexible and friendly, at least compared to the competition. They seem in a big hurry to wipe that out as fast as they can. They now appear to be more Apple internally focused than paying customer focused. At a time when the US Congress is looking carefully at these Big Tech companies, you’d think that Apple would want as much goodwill on their side as they can get. But, perhaps not. Maybe they’re hoping for some government intervention to sanctify a business restructuring, ala AT&T. At some point, the mainstream press will grab ahold of this, get 30% of the factual information right, and create a stir that will be hard and expensive for Apple to tamp down.
    
    One more thing – Howard, I very much appreciate your own honesty and transparency on all of this. I hope others do as well.
    
    LikeLiked by 2 people
    - 16
      
      hoakley on February 8, 2021 at 5:50 pm
      
      Thank you.
      There’s still more to come this week.
      Howard.
      
      LikeLike
17

Michael Tsai - Blog - No More Downloadable macOS Updates on February 8, 2021 at 7:57 pm

[…] Update (2021-02-08): Howard Oakley: […]

LikeLike
18

Samuel Herschbein on February 9, 2021 at 9:33 pm

Howard: I run Big Sur in Parallels and I also ran it in VMware. Both were setup for developer betas. Neither would update from 11.1 until the full 11.2 installer. Same problem today with 11.2.1. Nothing I’ve tried fixed this. Have any of the people who reported this problem to you found a fix?

LikeLiked by 1 person
- 19
  
  Samuel Herschbein on February 9, 2021 at 9:34 pm
  
  Make that Both, not Bother…
  
  LikeLiked by 1 person
  - 20
    
    hoakley on February 10, 2021 at 12:26 am
    
    Done, thank you.
    Howard.
    
    LikeLike
21

Samuel Herschbein on February 25, 2021 at 10:52 pm

Have any of the people reporting problems updating Big Sur in virtual machines found a workaround? It’s annoying to have to wait for a full installer to be available.

LikeLiked by 1 person