hoakley June 17, 2024 Macs, Technology

How Sequoia changes virtualisation on Apple silicon

Virtualising macOS on Apple silicon Macs running Sonoma has been severely limited in several respects. The most critical has been the inability for virtual machines (VMs) to use an Apple ID, which has in turn prevented the use of almost all App Store apps, and blocked access to iCloud from the VM. This article explains the changes promised in macOS Sequoia as a host, and their consequences on VMs.

Apple ID

When running macOS 15 or later in a VM on a host running macOS 15 or later, VMs now support Apple ID and signing into iCloud. When you create a Sequoia VM on a Sequoia host, the VM is provided with an identity derived from the host’s Secure Enclave to enable that. That identity is specific to the host Mac and the user; if that VM is run on a different Mac or by another user, then macOS will automatically create a new identity, requiring the user to authenticate again. Reauthentication is also required if the VM is duplicated and run at the same time as the original. This ensures that each Sequoia VM has its own distinct identity derived from the required secrets in the host Secure Enclave.

To take advantage of this new feature, VMs have to be built from IPSW image files for macOS 15 or later. If you upgrade an existing VM built originally for Sonoma or earlier, Apple ID isn’t made available after upgrading. It also isn’t available in a Sequoia VM built on Sonoma or earlier.

Although this is an important enhancement, it still means that macOS VMs will be unable to run App Store apps, or anything else requiring Apple ID or iCloud access, that are incompatible with Sequoia, and that limitation is going to be permanent. Apple warns that those providing virtualisers should “let anyone using your virtualization-enabled app know that they need to migrate their data from older VMs to a macOS 15 or later VM”, but it’s hard to see that would affect many users, given that previous versions of macOS haven’t supported Apple ID or iCloud, and will never be able to.

USB Storage

In previous versions of macOS, VMs have been unable to access most storage except in the VM’s own disk image or through shared folders. With Sequoia they will now be able to access USB storage through the UUID of the storage device. This should provide direct access to external disks, and any other external storage connected to the host via USB.

USB devices

Sequoia VMs running on Sequoia hosts also have access to a wider range of USB devices, including USB controllers and USB XHCI controllers. These can again be added through the UUID of the device connected to the host. Apple doesn’t provide any indication of their likely performance or limitations.

macOS VM numbers

For those with Macs with Ultra chips and ample cores, there’s no indication that Apple has relaxed its licence to allow any more than two macOS VMs to be run at the same time.

Nested virtualisation

In previous versions of macOS, it hasn’t been possible to run a virtualiser within a VM, in nested virtualisation. Although this is now possible when the host Mac has an M3 chip or later, Apple’s documentation is unclear whether this applies to macOS VMs, as this capability is listed for Linux VMs rather than for macOS.

Sequoia beta VMs

For the last two release cycles, it has been possible to run the next macOS in beta as a VM, and that should be true for Sequoia betas too. For those wanting to test against betas of macOS 15 this can be an excellent compromise if a Mac can’t be set aside as a test platform.

To install and run a beta of Sequoia on a Sonoma host normally requires additional software, though. One way of accomplishing that is to download and install the current beta-release of Xcode 16; alternatively the additional software can be downloaded and installed automatically when you first try running a newly created Sequoia VM. Currently, the latter doesn’t work, as that update isn’t yet available. It may be provided through developer downloads, or when the first public beta of Sequoia is released. Please remember that, until Apple releases that public beta, Sequoia is only licensed to those with developer or AppleSeed for IT agreements with Apple, and not yet intended for the public.

Note that Apple ID won’t be available in any Sequoia VM running on Sonoma, and that you can’t use Apple ID in any macOS VM that has been upgraded to Sequoia.

I suspect that most virtualisers will need to be rebuilt to some degree before they can make full use of changes in Sequoia as host or guest. So far my current release of Viable appears fairly stable, although it won’t run a Sequoia VM built on Sequoia, on a Sonoma host, and doesn’t have Apple ID access yet. I have more work to do over the coming weeks.

References

Apple’s Virtualisation documentation
iCloud support

19Comments

Add yours

1

Marnix van de Veen on June 17, 2024 at 6:54 am
Reply

If I understand correctly, it will be possible to run a VM and store an iCloud Photo Library on it with the library on an external SSD? That would finally solve my issues backing up my photos to local storage.

(Currently I have a second user account which I acces through Screens VNC, but this is not optimal)

LikeLiked by 2 people
- 2
  
  hoakley on June 17, 2024 at 7:04 am
  Reply
  
  I’m not sure how that would work. Although no one has yet been able to test this, from the docs you need to sign into the same Apple ID in the VM that you’re signed into on the host Mac. I may be incorrect there, and until it all works no one can check.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Marnix van de Veen on June 17, 2024 at 7:42 am
    Reply
    
    “you need to sign into the same Apple ID in the VM that you’re signed into on the host Mac”
    
    That would be fine. The problem is my Mac does not have enough space for the whole library, but I do want to use the iCloud photo library when I don’t have external storage with me.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on June 17, 2024 at 7:54 am
      
      What you could perhaps try is creating a VM and connecting that to iCloud Photos, then on the host turning iCloud Photos off. But you’d then lose all access to your photos from the host.
      Howard
      
      LikeLike
5

joethewalrus on June 17, 2024 at 7:48 am
Reply

On a Sonoma host, I cloned an existing Viable Sonoma VM (thank you, APFS) and managed to quickly and painlessly update it to Sequoia using the InstallAssistant.pkg linked from the Mr. Macintosh site.

Since this is not the way to get an iCloud capable Sequoia VM going, I’m not sure what I’m going to do with it yet, beyond some light browsing and admiring the nostalgic Macintosh wallpaper, but it’s a start.

LikeLiked by 1 person
6

John Woods on June 17, 2024 at 10:08 am
Reply

very cool. Is it “safe” to run a Seq beta VM on Sonoma? Ie. It doesn’t change firmware and is entirely encapsulated? So that when you nuke the VM your system is intact vanilla Sonoma and not augmented.

LikeLiked by 1 person
- 7
  
  hoakley on June 17, 2024 at 11:00 am
  Reply
  
  I will be writing more about this, but the macOS you install into a VM only goes into that VM, and nowhere else. At worst you could have a broken VM, that you can just trash. The only way that macOS firmware can be updated or changed is by running a macOS installer or updater on that Mac, not in a VM.
  Howard.
  
  LikeLiked by 1 person
  - 8
    
    John Woods on June 17, 2024 at 11:08 am
    Reply
    
    fantastic! Risk free so!
    
    LikeLiked by 1 person
9

Sven on June 17, 2024 at 11:01 am
Reply

BTW, finally having nested virtualisation support in Sequoia also means that Parallels and VMware will probably be able to integrate it in Windows 11 for ARM VMs, thus making it possible to run WSL 2 and other nested solutions: i.e., essentially feature parity with Intel, now – very good! 🙂

LikeLiked by 2 people
- 10
  
  hoakley on June 17, 2024 at 11:04 am
  Reply
  
  I don’t know about that. Currently, according to the docs, nesting is only available in Linux guests. Whether it will be possible for others will require experimentation, and in any case nesting is only available on M3 and later chips, I think because of their more advanced instruction set.
  Howard.
  
  LikeLike
11

aONe on June 17, 2024 at 11:34 am
Reply

Cool! Nested virtualization on my M4 iPad Pro! Oh, wait…

Jokes apart, those are very welcome enhancements. It’s a pity they are not compatible with macOS 11-14 VMs but at least the future looks brighter. Thanks a lot for the info.

LikeLiked by 1 person
12

Marshal on June 17, 2024 at 8:12 pm
Reply

Will TouchID work with the VM in Sequoia?

LikeLiked by 1 person
- 13
  
  hoakley on June 17, 2024 at 9:08 pm
  Reply
  
  No, not as far as I know, and it isn’t mentioned in the documentation. I think the Secure Enclave connection to achieve that isn’t likely to be feasible without compromising the whole system.
  Howard.
  
  LikeLike
14

David C. on June 17, 2024 at 11:58 pm
Reply

Since VMs will get access to USB drives, I wonder if it will go any deeper (which will depend greatly on the specific APIs/behaviors).

I’m thinking, in particular, of the fact that classic Mac emulators (e.g. Basilisk) can’t access a CD-ROM drive, but can only access images of optical media. I’m told that there is a technical reason why that can’t be supported, but since optical drives are USB devices just like flash drives, I’m wondering if these emulators could use the same APIs to access them

I’ve got a closet full of old Developer CDs that would once again become easily accessible, should that become possible.

LikeLiked by 1 person
- 15
  
  hoakley on June 18, 2024 at 3:55 pm
  Reply
  
  Thank you.
  My understanding of how Virtio drivers work is that the host requires the basic driver for the peripheral. If the host can’t access it, then it can’t expose that feature through Virtio to the VM. So I would only expect this USB support to give access for the VM to use devices already recognised by the host.
  As far as I’m aware, Sequoia should retain similar support for CD-ROM and other optical drives. So if the host can access it, it should be possible for the VM to do so via Virtio.
  Howard.
  
  LikeLiked by 1 person
  - 16
    
    Fernando on June 21, 2024 at 3:42 pm
    Reply
    
    Howard, will Viable require an update to take advantage of USB storage access or will its current implementation of Virtio suffice?
    
    LikeLiked by 1 person
    - 17
      
      hoakley on June 21, 2024 at 4:28 pm
      
      I don’t know for sure but I expect so. Please bear with me.
      Howard
      
      LikeLike
18
tdv on June 24, 2024 at 7:23 pm
Reply
FYI. Beta 2 allows iCloud login on virtual machines. From release notes

Virtualization

Resolved Issues
- Fixed: Users will not be able to sign-in to iCloud and related applications. (128924562)
LikeLiked by 1 person
- 19
  
  hoakley on June 24, 2024 at 8:29 pm
  Reply
  
  Thank you. Unfortunately I’m away from home until late Tuesday, but eagerly look forward to trying that out.
  Howard.
  
  LikeLike