How to boot an M1 Mac into an older version of Big Sur

One of the stumbling blocks to using an external boot disk with an M1 Mac is that it may not cope if you update macOS on the internal SSD, then try booting from the external disk to update that. You may be prompted to assign an authorised user to that external disk, only to be informed that the version of macOS on that disk isn’t bootable and needs to be replaced.


It turns out that this isn’t exactly true: the external disk is still bootable, but not under its current boot policy. This whole area is confusing, and unusually isn’t helped by Apple’s otherwise excellent Platform Security Guide. That states for the default Full Security setting:
“The system behaves like iOS and iPadOS, and allows only booting software which was known to be the latest that was available at install time.”

Let’s say that you’ve just updated your M1 Mac’s internal SSD to 11.3.1, but your external SSD still has 11.3 installed. When the latter was installed, it was known to be the latest available, so should still boot under the Full Security boot policy. That may be what the Platform Security Guide states, but that’s not (always) how it works.

Shut your Mac down, then start it up in 1TR (holding the Power button until the Options icon appears). Select Options and click Continue to open the Recovery Assistant.

In Recovery Assistant, select the user you know the password for, then click Next. Enter the password to see the Recovery window. In the Utilities menu, select Startup Security Utility. In its window select the external disk with the old version of macOS on it and click the Security Policy… button. Set its security policy to Reduced Security and click OK. Then in Startup Disk select Restart from the Apple menu.

When your Mac restarts, open the Startup Disk pane and switch to your external disk. That should start up normally, and you can now run that older version of macOS, or update it to the current release using the Software Update pane.



If you decide to update it, once the update has completed, you can shut down, start up in 1TR and restore its boot policy to Full Security if you wish, as it’s now running the current release of macOS.

You can also use Reduced Security to make yourself a boot disk with a range of older versions of Big Sur, for example for testing purposes. The snag here is that even if you’ve been careful enough to keep old Big Sur full installer apps, they’re difficult (perhaps impossible) to get to work once you’re running a more recent version of macOS 11. This may have been the reason that Apple pulled all the earlier releases of Big Sur installers, as it realised their limited usefulness.



So if you’re a developer or someone else who needs access to bootable copies of older releases, create several containers on your external SSD, and when there’s a new version of Big Sur released, install it on one of the empty containers on your external disk. When that version of macOS ceases being current, you’ll need to change its boot policy to Reduced Security, to allow it to remain bootable.


If you’re unable to boot from a bootable disk using an older (non-current) version of macOS, change its boot policy to Reduced Security and it should then become bootable again.

Use Reduced Security to update bootable external disks, and to maintain older bootable versions of macOS.

If you’ve updated a bootable disk to the current version of macOS, change its boot policy back to Full Security.

Installing older versions of Big Sur is difficult if not impossible. If you work out how to do that, please let me know.