hoakley November 9, 2021 Macs, Technology

Using an M1 Mac: some basic principles

M1 series Macs are different in almost every respect from the Intel Macs which have preceded them. Most days, someone emails me asking whether it’s possible to clone macOS from their internal SSD and use it for recovery, or any of thousands of variations. This article explains the basics of using an M1 Mac, including how to provide for disaster recovery, so that you can decide how best to set yours up. Although M1 Macs have some unique restrictions, in many ways they’re among the most flexible of Apple’s recent models. Learning how not to come into conflict with their restrictions, and how to get the best of their flexibility, is essential if you’re going to get the most out of your M1 Mac.

The most common basic configuration for an M1 Mac is that it boots from the single version of the latest macOS on its internal SSD, with the whole of its Data volume on that disk, and File Vault enabled. It backs up using Time Machine to APFS, to an external SSD which is connected to one of its USB-C ports, with those backups encrypted.

Disaster recovery

There are four scenarios to prepare for in terms of disaster recovery.

The simplest is loss or damage to data on the Data volume, on the internal SSD. The response is to open Time Machine and restore the files from there. If the entire Data volume becomes damaged, it may be necessary to restore the whole volume from the backup, which is simple to perform in Recovery, after you have run First Aid on the volume using Disk Utility there.

Next up is damage to the System. This is prevented by the fact that M1 Macs, like Intel models, booting from Big Sur or Monterey do so not from a mounted volume, but from a signed and sealed snapshot. In the Secure Boot process, the top-level Seal is checked, and if that no longer matches that set by Apple for that version of macOS, that Mac should be automatically booted into Recovery for macOS to be re-installed. Because snapshots are read-only and can’t be changed in any way, the chances of a corrupt System snapshot occurring are very low.

However, Recovery doesn’t provide an option for you to try cloning back a copy of the System volume, which your Mac couldn’t boot from anyway, as it requires a signed and sealed snapshot, which can’t always be created on the internal SSD by third-party software. The only reliable and sound approach is to use Recovery to re-install macOS.

The macOS installer may be able to reunite your existing, undamaged Data volume with its new System volume, but in most cases you should expect to migrate your data back from a Time Machine backup or a copy or clone of the Data volume, on an external disk.

Beyond that is soft damage to the whole of the internal SSD. What the user can’t normally see is that this isn’t just the container (partition) for macOS, but includes two hidden containers too: the Pre-Boot container is used for what is effectively the firmware, which runs during the early stages of booting, and for secure storage of the various keys and other data to support the Secure Boot process. The other container holds a Recovery system, although in Monterey that copy isn’t the one normally used for Recovery; it is the primary Recovery system for Big Sur, though.

If the Pre-Boot container is damaged, the Mac is unable to boot, even though it may be connected to a bootable external disk, as the only Pre-Boot it can use in the early part of the boot process is that located on the internal SSD. In that case, the only way forward is to put the Mac into DFU mode, which isn’t dependent on an intact internal SSD, connect it to another Mac running Apple Configurator 2, and from there restore its internal SSD using an IPSW image file downloaded from Apple, a technique detailed in Configurator’s Help book. This puts the Mac back to factory condition, and it then has to be booted, personalised and set up just as it was when it was first delivered.

Many users think this a severe limitation, but M1 Macs are, to the best of my knowledge, the only Macs that Apple has made which can be taken right back and restored by the user in this way. If the firmware in an Intel Mac is corrupted, it can be very difficult to get that Mac working again, and failed firmware updates are a well-known cause of ‘bricking’ of Macs with the T2 chip, which also needs the ministrations of Configurator to fix them. What’s truly remarkable, though, is that you can use this technique to restore older versions of the ‘firmware’ and macOS on an M1 Mac, something not possible on an Intel model.

If you don’t have access to a second Mac, all Apple stores and authorised service providers should be able to restore an M1 Mac while you wait. It normally takes less than 15 minutes.

The ultimate disaster for the internal SSD is hard failure. Because it’s soldered to the logic board, the only remedy is a replacement logic board, which is performed under warranty and AppleCare by an authorised service provider. Again, this often meets with howls of derision, but if you want the performance attained by the internal SSD, there aren’t many options. It also makes M1 series Macs a tougher proposition for thieves. You’d have exactly the same problem if the failure had occurred in the M1 chip itself, or in any other key component on the logic board, but I’ve never heard of complaints about that.

Modern high-quality SSDs have extremely low failure rates. If you’re concerned at the risk of this occurring when you’re travelling, I think in many cases you’re more likely to end up in Intensive Care than your Mac’s SSD suffers complete failure.

Variations

Contrary to some opinion, M1 Macs are straightforward to boot from an external SSD, although you must never confuse that process with booting an Intel Mac from an external disk. In the latter, the whole of the boot process can run from the external SSD. M1 Macs invariably start their boot process from their internal SSD, and only then transfer to the external boot system.

Currently, it may be possible to clone a System and Data volume to an external SSD and make it bootable. However, that isn’t recommended, and the best and most reliable way to create an external bootable disk is using a macOS full installer app, or in Recovery. If that is to install an older version of macOS, it may need to be installed from a bootable install disk, as recent versions of macOS usually block older versions.

Once you’ve made a bootable external disk, and its ownership is recognised by macOS so that Mac can start up from it, you can use that disk with other M1 Macs. You may be able to boot Intel Macs from it too, but there are some things which may be installed on it which they don’t understand, like Rosetta 2, neither will they grok the volume ownership issues inherent in M1 Macs.

Unlike Intel Macs with T2 chips, you don’t have to change an M1 Mac’s security settings for it to boot happily from an external disk. What’s more, you can set that disk up to boot at a reduced security level so it can load third-party kernel extensions, and do other things not permitted in full security.

You can also repartition your M1 Mac’s internal SSD to provide additional containers, and install multiple bootable copies of macOS on that internal storage. However, when you do this, remember that your Mac is reliant on that SSD to enable it to boot. Make a mess of it, and you could well be restoring it in DFU mode. Some changes don’t appear well-tolerated: creating an HFS+ volume (partition) on the internal SSD doesn’t go down well, for example.

You can also install multiple versions of macOS in a single container if you wish. Remember that, in Monterey, they will each have their own Recovery volume, and consider whether it would be cleaner and clearer to install those into separate containers, for instance.

M1 Macs have a great many options as to how you can configure and boot them, but always remain within their basic rules, most important of which is that their boot process always starts from the internal SSD. Follow those rules and play safe, and you should avoid the frustrations which experimental configurations could bring.

27Comments

Add yours

1

Doug B on November 9, 2021 at 2:42 pm

Do you have any thoughts on why the login screen background picture appears to be part of the sealed snapshot? It seems like they could cache that in the pre-boot partition like they used to and like user profile pictures/avatars still are.

I’d really like to customize that with but it doesn’t appear supported anymore even on Intel Macs with FileVault enabled.

LikeLiked by 1 person
- 2
  
  hoakley on November 9, 2021 at 3:54 pm
  
  I don’t know why this has changed. However, I wonder whether allowing an arbitrary image might be a vulnerability. I can imagine someone crafting a malicious image, perhaps.
  Howard.
  
  LikeLike
  - 3
    
    Doug B on November 9, 2021 at 5:30 pm
    
    I guess so but why allow profile images? Maybe the file size? Oh well.
    
    Thanks for your great articles!
    
    LikeLiked by 1 person
    - 4
      
      hoakley on November 9, 2021 at 5:42 pm
      
      Thank you. I don’t know, I was only guessing.
      Howard.
      
      LikeLike
5

William D Schwaderer on November 9, 2021 at 2:53 pm

Thank you for a great post.

LikeLiked by 2 people
6

Dakotamoons on November 9, 2021 at 4:49 pm

Howard, your relentless, selfless, insatiable distribution of knowledge never ceases to amaze me, and I’m sure I speak for everyone. I am by no means a “expert” or anywhere near your pay-grade or that of most of your followers, nonetheless I continue to plod through the wealth of information that you so graciously provide, picking up tidbits of wisdom as I struggle to understand more each day.

I have no formal background or training so even having to stop and look up some of the technical nomenclature is daunting for me, especially being dyslexic, however I can’ thank you enough for so vastly enriching my sophomoric understandings of the topics which you share. Little by little I listen. I have little to offer in return but my deepest gratitude. So, thank you as always Howard, for your tireless, selfless, pursuit and distribution of the plethora of topics you cover. I don’t know what where we would be without you.

LikeLiked by 1 person
- 7
  
  hoakley on November 9, 2021 at 5:17 pm
  
  Thank you.
  Howard.
  
  LikeLiked by 1 person
8

Milo on November 9, 2021 at 5:02 pm

Thank you for another great article.

> The macOS installer may be able to reunite your existing, undamaged Data volume with its new System volume,

Reading the above gave me the idea, that it could actually be useful to have the ability to choose a data volume at boot time. This would be similar to booting different macOS installs from the same drive. The only difference being that you would only need one working installation of macOS and would therefore save some space on the hard drive. Also you would only have to keep one system volume current with upgrades.

Since pairing a data volume to a system volume seems to be such an intricate process, I suppose that’s not possible (yet)?

LikeLiked by 1 person
- 9
  
  hoakley on November 9, 2021 at 5:28 pm
  
  Thank you.
  It’s not just an intricate process, it’s specific to one System and one Data volume. It’s one-to-one, and isn’t intended to work with more than the pair. Neither end of a firmlink can be connected to more than one volume, or the file system wouldn’t know which is the one to choose.
  Funnily enough, I was thinking of this, in that it would result in deduplication. But I’d be surprised it the idea ever gets any further.
  Howard.
  
  LikeLike
  - 10
    
    Milo on November 10, 2021 at 12:06 pm
    
    Thank you for the explanation. Under those circumstances it does indeed seem very unlikely that Apple will develop such a feature.
    
    LikeLiked by 1 person
11

James Robertson on November 9, 2021 at 6:10 pm

Thanks so much for that very detailed yet succinct post. I hope you could expand on one sentence, in which you state:

“Once you’ve made a bootable external disk, and its ownership is recognised by macOS so that Mac can start up from it, you can use that disk with other M1 Macs.”

Can you clarify the “ownership” issue? Is there adequate protection against someone with a “bootable clone” created on an Apple Silicon Mac who does NOT have ownership or a registered user account on a machine using such an external bootable installation as an attack vector?

LikeLiked by 1 person
- 12
  
  hoakley on November 10, 2021 at 12:09 am
  
  Thank you.
  I will be stepping through how you get an M1 series Mac to boot from an existing bootable disk in a future article.
  For a start, you don’t use a “bootable clone” if you want to do this. Cloning is on its way out, is unreliable and no longer recommended, particular for M1 Macs. What you use is a bootable external disk.
  The snag with that is that the disk has to have ownership extended to it from your Mac, and that requires an admin password for that Mac. Without that ownership, the Mac won’t boot from that external disk. It can still access it, of course, if the attacker can start that Mac up and log into it. But that also requires a password. And the whole contents of the Data volume on the internal storage are encrypted, so to mount that, they’d need the password too.
  So an attacker needs rather more than just a bootable external disk and a cable.
  Howard.
  
  LikeLike
13

Javier Gallardo on November 9, 2021 at 8:36 pm

Thank you, sir.
Things are becoming messy for some users like me: iMac internal APFS ssd, Mojave, Time Machine going to HFS+ Time Capsule, external media in hfs+ drives, boot drive on APFS ext. (plus some iOS devices), ….and waiting my M1pro MacBook to be delivered… Everything has it logic, but I suppose I’m not the only one in troubled waters. (I think MacOS has sailed admirably, anyway!).
I know (I can search in your blog to find exact and clear descriptions of quite a lot of use cases and great general resumes; I praise your work.
This is becoming something like “the Human Apple Guide”. 🙂

LikeLiked by 1 person
14

dominikushoffmann on November 10, 2021 at 2:06 pm

Can I install a bootable OS on an external volume without having admin privileges on the Mac itself? From the sounds of what you are writing, the answer is, no. On Intel Macs that should always be possible, unless a firmware password is turned on.

LikeLiked by 1 person
- 15
  
  dominikushoffmann on November 10, 2021 at 2:11 pm
  
  @hoakley, I should have read your 12:09 PM response, first. In other words, I had hoped that I could install a full OS on an external drive on an M1 MacBook Pro at an Apple Store or a Best Buy, so that I could install Parallels to try it out. Because they wouldn’t let me do admin-level installations on their systems, an external drive wouldn’t be an option, either.
  
  LikeLiked by 1 person
  - 16
    
    hoakley on November 10, 2021 at 7:20 pm
    
    Well, you have two options then: you can ask the store to help you do this, or you can ask here. I have reviewed version 17, used it a fair bit, and written a tutorial on using it. What would you like to know about it, on M1 series Macs?
    Howard.
    
    LikeLike
    - 17
      
      dominikushoffmann on November 10, 2021 at 8:02 pm
      
      What I would like to know is, whether, if I purchase the 16-in MacBook Pro with the M1 MAX (with 10-core CPU and 32-core GPU), my Windows 10 VMs running Autodesk Inventor would run at least as smoothly as they currently do on my 2017 MacBook Pro (3.1 GHz Quad-Core Intel Core i7).
      
      LikeLiked by 1 person
    - 18
      
      hoakley on November 10, 2021 at 10:13 pm
      
      Thank you.
      I’ve been looking around tonight, and as far as I can tell, you can’t run Inventor on an M1 series Mac, I’m afraid. Not that Autodesk is clear about this, but I think the signs are bad.
      Because M1 series Macs have an ARM processor, they can’t run Intel versions of Windows at all, only the special ARM versions provided by Microsoft for some of its Surface products. While they can run a lot of Intel apps using a system a bit like Rosetta 2, they don’t run everything, and to be reliable developers have to assist. There are known issues with software which relies on Intel-only graphics drivers, and Inventor is one of those. Not only that, but Autodesk doesn’t make any mention of ARM compatibility, which suggests that they either haven’t done any testing, or they know that Inventor isn’t compatible.
      It’s shame, because the M1 Max certainly has the capability. But unless Autodesk shows an interest, I doubt that it will happen.
      I hope that helps.
      Howard.
      
      LikeLike
- 19
  
  hoakley on November 10, 2021 at 7:18 pm
  
  You wrote: “On Intel Macs that should always be possible”, which isn’t correct. For some time now, all new Intel Macs have come equipped with a T2 chip. This brings with it a Secure Boot similar to that in M1 Macs. By default, all T2 Macs block any attempt to boot them from an external disk, which includes trying to install macOS on an external disk, as that has to complete by booting into the newly installed macOS. The only way that you can enable a T2 Mac to boot from an external disk is to enter Recovery mode and use Startup Security Utility to alter the Secure Boot settings there. And that requires an admin user’s authentication.
  The big difference between the T2 approach and that of the M1 is that booting from an external disk is always enabled on the M1. But the disk needs to be paired with that Mac, which is the part which requires authentication.
  Howard.
  
  LikeLike
  - 20
    
    dominikushoffmann on November 10, 2021 at 8:04 pm
    
    Thank you very much for this clarification. I guess, I had never tried to boot my 2017 MacBook Pro off an external drive.
    
    LikeLiked by 1 person
    - 21
      
      hoakley on November 10, 2021 at 10:07 pm
      
      Thank goodness for that – you might have had a nasty shock!
      Howard.
      
      LikeLike
22

charleseflynn on November 10, 2021 at 11:30 pm

If you ever want to erase the internal SSD in an M1 Mac, reinstall the operating system, and then create a new user from scratch (migrating nothing at all), do not use Disk Utility to erase separately the volumes “Macintosh HD” and “Macintosh HD – Data”. If you do that, the creation of a new user account, at least in High Sierra, fails, with a dialog box stating that the chosen “user name is unavailable”.

The correct method of erasing the internal SSD is given in this Apple support document:

Use Disk Utility to erase a Mac with Apple silicon

https://support.apple.com/en-us/HT212030
October 25, 2021

The article has been revised since I last saw it in May, and it no longer has a screen capture of the crucial Erase Volume Group button that was instrumental in resolving a support case. The original title was “How to erase a Mac with Apple silicon”.

Note Step 2 for Monterey users in “Before erasing your Mac”.

LikeLiked by 1 person
- 23
  
  hoakley on November 10, 2021 at 11:39 pm
  
  Thank you. I wrote about this nearly two months ago in this article. Monterey’s Disk Utility also enforces it too.
  Now, in Monterey, it makes more sense to use the Erase All Content and Settings command, which leaves the System volume untouched, which also is more sensible.
  Howard.
  
  LikeLiked by 1 person
- 24
  
  hoakley on November 11, 2021 at 12:00 am
  
  It’s also worth pointing out that this doesn’t actually erase the disk: there are two containers or partitions for pre-boot and recovery which remain. The only way to wipe those is to restore in DFU mode.
  Howard
  
  LikeLiked by 1 person
25

charleseflynn on November 10, 2021 at 11:58 pm

Howard,

Thank you for the link to your excellent article, and for all of your efforts here. If only that information had been available back in May!

LikeLiked by 1 person
26

Johnny Ray Bennett II on April 18, 2022 at 5:57 am

Hello! I was looking around in the diskutil command in terminal on my M1 iMac, and I noticed the SSD is listed as APPLE SSD AP0512Q and disk0, but then again as APPLE SSD AP0512Q and disk1 disk2 and disk3, virtual disks. Is this this how the system is installed, as virtual disks on the SSD? I’ve been trying to understand virtualization on M1, and haven’t had much success at this point….Any illumination would be greatly appreciated!

LikeLiked by 1 person
- 27
  
  hoakley on April 18, 2022 at 6:43 am
  
  No – those aren’t “virtual disks”, and have nothing to do with virtualisation. You’ll find full details of current disk layout in this article.
  Virtualisation isn’t a topic that I have covered here, as it’s specialised and not something that users ever have to deal with. You’re welcome to ask questions about it, though, and I’ll do my best to answer them.
  Howard.
  
  LikeLike