hoakley March 22, 2026 Macs, Technology

Last Week on My Mac: Brilliant engineering in a flawed interface

If there’s one thing I’ll remember macOS Tahoe for it’s brilliant engineering inside a shockingly flawed interface. Last week’s first Background Security Improvement was yet another example of that trend.

I had enthused about its predecessor the RSR three years ago, although it was sent to the naughty corner after an updated version of Safari told Facebook and other popular sites it wasn’t who they expected. After that trauma, most users shunned RSRs, and it seems engineers who dared mention them were strapped to the front of an F1 car and driven round until they recanted.

Thankfully, RSRs were only put on pause before being rebadged as Background Security Improvements or BSIs, an Orwellian turn of phrase that skilfully avoids the word update despite the fact that they’re still discovered, downloaded and installed by softwareupdated. Now I’ve had a chance to give a fair account of the first public BSI, I can consider what’s wrong with their current implementation.

Location

BSIs are controlled not in Software Update settings, but in their own section at the end of Privacy & Security. As such, they are the only macOS update there, and all others remain in Software Update where they belong. This misleads users, and Software Update reports that Your Mac is up to date when it isn’t, because there’s an outstanding BSI available.

Not only that, but users naturally assume that when Software Update settings have Install macOS updates disabled, no macOS updates will be installed automatically. Little do they realise they can still get a BSI without being asked.

BSIs are currently misplaced in System Settings, and their controls should be moved back to Software Update where RSRs were.

I fear the reasoning behind hiding BSIs among strangers in Privacy & Security was to ensure most Mac users would leave BSIs to be installed automatically. It’s no coincidence that, in addition to this hiding, the automatic installation of BSIs was enabled by default when upgrading to macOS Tahoe. This reeks of deliberate deception.

Control

There is a single on-off toggle provided, to Automatically Install BSIs. Apple explains that “if you choose to turn off this setting, your device will not receive these improvements until they’re included in a subsequent software update.” Thus the user is given a forced choice between macOS deciding when to install an available BSI, or not being notified about that BSI at all.

As with other macOS updates, the user must be given the option to be notified when a BSI is available, and to make their own choice whether and when to install it.

The alternative for users is to disable Automatically Install, watch for news of BSI releases, and, if they wish to receive one, to enable that setting, download and install the BSI, then disable the control again. For many Mac users, that appears to be the best option in the absence of better support.

Although the control is titled Automatically Install, its behaviour is different. When a BSI is found to be available, macOS doesn’t automatically download and install it, but waits for the user to click on the Install button, then to authenticate.

However, if the user isn’t aware that BSI is available, or chooses to ignore it, automatic installation does appear to occur without the user being informed until the Mac is just about to restart, and no authentication seems necessary after all.

This behaviour is the greatest deterrent to users, as it effectively means that their Macs could restart unpredictably with almost no warning, resulting in data loss and disruption to their work. That’s completely unacceptable, and will ensure many will disable BSIs as a precaution to avoid the possibility of data loss. This aversion could be addressed simply by allowing the user full manual control over whether and when a BSI will be installed.

Progress

Despite softwareupdated monitoring progress through the download and preparation phases, the user is shown an indeterminate progress spinner, rather than a progress bar, which would at least give better warning of the restart that is coming. Although much briefer than a full macOS update, a progress bar should be displayed for the download and preparation phases of a BSI.

Restart warning

All previous RSRs, and this first BSI, have required restarts to complete the update. Yet at no time during this BSI was the user told that would be necessary. A notification was displayed a few seconds before the restart, but gave insufficient notice for the user to make any preparations.

It’s essential that information given about the BSI states clearly if a restart will be necessary, and the user is given the same one-minute countdown provided in macOS updates. Bizarrely, the one place that a restart was mentioned is in the dialog to remove a BSI.

Information

Apple’s current support note on BSIs is woefully inadequate, as is obvious by the content of this article. What would appear to be additional information in the BSI settings, marked with the ⓘ Info button, isn’t informative at all, but provides the means to remove a BSI, which is at least an improvement on RSRs, which unaccountably hid removal in the About settings. A more appropriate button should be provided.

BSIs are also only currently covered in the US English version of Apple’s Platform Security Guide. All other localised versions, including British and Canadian English, still contain the outdated section on RSRs. Fortunately, as their content is almost identical, this is revealing rather than misleading.

Version numbering

Ignoring RSR and BSI version numbering, macOS has in recent years achieved clean and systematic version (and build) numbering, without the excesses of the past. By adopting a parenthesised letter as the identifier of a BSI, comparison is clumsy and prone to error. ProcessInfo.processInfo.operatingSystemVersion doesn’t contain a field for the BSI identifier, which is only offered as part of the full string in ProcessInfo.processInfo.operatingSystemVersionString. Version numbers like 26.3.1 (a) and build numbers of 25D771280a are irregular and unnecessary.

Recommendations

BSI controls should be removed from their hiding place in Privacy & Security and put alongside all other macOS updates in Software Update settings.
An option should be provided so that users are informed of the availability of BSIs without any obligation for them to be installed automatically.
Behaviour of the Automatically Install button should be described explicitly to the user. Does it automatically install, and if so, in what circumstances will the user not be so informed?
BSI download and preparation should be accompanied by a progress bar similar to that for a macOS update.
When a BSI requires a restart to complete its installation, the user must be informed of that before they consent to the BSI being downloaded.
When a BSI install is ready to restart the Mac, one minute’s warning notification should be given, just as in macOS updates.
The BSI support note should provide full details, not a sketchy outline.
The button to remove a BSI shouldn’t use the ⓘ Info symbol, but something more appropriate to its purpose.
Apple’s Platform Security Guide should be updated in all its online versions. Is it really that hard to translate from US English to British English?
Version and build numbering should be redesigned to be more consistent and better accessible in the API.
Despite having over three years to get them right, BSIs are a worse mess than RSRs were in Ventura. This is a great shame as their technology is still brilliant, but their current interface is shockingly flawed in so many respects.

Reference

Support note about BSIs

21Comments

Add yours

1

joethewalrus on March 22, 2026 at 9:17 am
Reply

Great points, all of them.

While iOS is not your focus, I have no shame pointing out that the BSI setup on iPhones and iPads is identical, and should be remedied exactly as you describe. However, in checking the iPhones and iPads of some loved ones who rely on me for periodic tech help, I was delighted to find that the BSI had already installed automatically and transparently, with the users unaware that their devices had even restarted. This is the ideal, providing of course nothing breaks like with the naughty RSR of the past.

I can think of cases where an unexpected restart would be devastating on a mobile device; top of mind would be a lengthy composition in an unsubmitted webform, like this comment will remain until I’m done typing it, but overall the risk is much lower than with the robust multitasking system that is a Mac.

LikeLiked by 6 people
- 2
  
  Enzo Vincenzo on March 22, 2026 at 10:05 am
  Reply
  
  Nice comment, Joe the walrus! Thank you very much!
  It’s all about peace and I genuinely admire you for that. Perhaps Apple’s intentions are very well-meaning and my comment was too confrontational. Unfortunately, I hadn’t seen or read yours yet; otherwise, I might have decided not to write anything at all.
  Howard, however, is right to point out every strange and unexpected feature that Apple decides to introduce.
  Have a good Sunday!
  
  LikeLiked by 2 people
- 3
  
  hoakley on March 22, 2026 at 1:55 pm
  Reply
  
  Thank you. We’ve had a little fun and games with our devices here too. I keep my iPhone up to date, so that was straightforward. My wife’s iPad updated itself, to her surprised. When we checked her iPhone, though, despite being on automatic updates it was still running iOS 26.2.1, so had to be manually updated to 26.3.1 and to receive the BSI. I had thought updates were getting more reliable.
  Howard.
  
  LikeLiked by 3 people
- 4
  
  Tristan Hubsch on March 22, 2026 at 3:09 pm
  Reply
  
  > “overall the risk is much lower” …yeeessortofmaybe… Just think of finally receiving that eagerly awaited phone call in response to your dream-job and highly competitive application, when after the first “Hello. Yes, it’s me…” …your communication device restarts. For your safety.
  
  Rather famously, The Macintosh (and iPhone by extension) was supposed to be a reliable “it just works” appliance.
  
  LikeLiked by 3 people
  - 5
    
    hoakley on March 22, 2026 at 3:43 pm
    Reply
    
    I think you’ll find that an active phone connection blocks the restart to install a BSI. softwareupdated does check for potential problems before calling the restart.
    Howard.
    
    LikeLiked by 3 people
    - 6
      
      Tristan Hubsch on March 22, 2026 at 4:12 pm
      
      One would hope.
      
      LikeLiked by 2 people
7

Enzo Vincenzo on March 22, 2026 at 9:53 am
Reply

Thanks, Howard, for sharing this information and for joining us in this sort of torture, or bullying, or violence – or whatever we want to call it (stupidity, perhaps?…).
In fact, last week I discovered ‘by chance’ that it was necessary to update iOS 26.3.1 to version 26.3.1 (a) to avoid a very, very serious WebKit vulnerability that could have allowed malicious websites to bypass security policies and *access sensitive data* or perhaps carry out any other action.
The worst part is that I found out thanks to YouTube’s algorithm, which showed me a video by an unknown YouTuber who, by some miracle, piqued my curiosity and thus caught my attention.
After that, I found myself EXACTLY in the situation you described… That is, I immediately went to System Preferences -> General -> Updates, only to find that there were no updates available.
As a long-time Mac user, I had both the inclination and the ability to dig deeper and check, for example, whether the YouTuber’s claim was false. And when I discovered, instead, that it was true, I was rather annoyed…
Obviously, I had to figure out for myself how to go about it, and I found it quite absurd that Apple hides the update in a place that’s neither intuitive nor conventional.

To draw an apt comparison, it is as if a large, renowned car manufacturer (such as Tesla, Rolls-Royce, Mercedes, Ferrari, Audi, etc.) were to discover a very serious fault in the braking system and, instead of immediately issuing a recall to customers, were to wait until the next scheduled service to carry out the repair without the customer’s knowledge.
In the meantime, not only the customers are exposed to serious risks, but, completely unaware of the situation, they might even have boasted to friends about the car manufacturer’s (you can read ‘Apple’) high standards of professionalism, safety and reliability…
Dear Apple, shame on you!

LikeLiked by 3 people
- 8
  
  hoakley on March 22, 2026 at 2:06 pm
  Reply
  
  Thank you, Enzo.
  
  You don’t have to put your trust in any YouTuber’s performance: BSIs, and that one in particular, have been covered here in detail.
  
  By chance, I think I was the first outside Apple to be aware of the release of the BSI, because I was working with an XProtect update that was released immediately before the BSI, and SilentKnight announced the availability of the BSI before macOS was even aware, and before Apple had posted its webpages on BSIs.
  
  I don’t actually think that vulnerability is as serious as that YouTuber made out. When Apple is aware that a vulnerability is already being exploited, it draws attention to that in its security release notes. There has been no such warning for the vulnerability patched in this BSI, so presuming that it’s already out in the wild is unreliable.
  
  A BSI is exactly the opposite of your comparison: this was released very quickly, and before the next macOS update, which is expected next week, when we should get 26.4. So Apple did do the right thing, it’s just that the interface to BSIs is badly flawed.
  Howard.
  
  LikeLiked by 3 people
9

Michele Galvagno on March 22, 2026 at 11:10 am
Reply

You mentioned twice that the user is not given a warning that the Mac is about to restart until it is about to do so.
In my case, the Mac restarted after login without asking me for permission. It may be that I am a lone case here, and I certainly hope so, but it is something I’m not looking forward to experience again.

LikeLiked by 4 people
- 10
  
  hoakley on March 22, 2026 at 2:08 pm
  Reply
  
  Thank you, Michele.
  Are you saying that you were using your Mac normally, when suddenly it restarted, as if it had suffered a kernel panic?
  Howard.
  
  LikeLiked by 2 people
  - 11
    
    Michele Galvagno on March 22, 2026 at 4:03 pm
    Reply
    
    Not really, because à kernel panic would not quit all apps before restarting. It was as if I had pulled down the Apple menu, hit Restart and confirmed. Just replace these last 3 actions with: logged in.
    After inputting the password, I saw the desktop with all my open apps. Then, one by one, they quickly quit and the Mac restarted on its own. I did not press a single button or key! The black screen time (roughly 40-50 seconds) was the most uncomfortable part.
    Notice also that when I manually restart, I have the reopen apps checkbox unchecked! Even weirder!!
    
    LikeLiked by 3 people
- 12
  
  joethewalrus on March 22, 2026 at 4:54 pm
  Reply
  
  I have noticed certain notifications I consider “time sensitive” (to borrow Apple’s terminology) to be muted and hidden by Do Not Disturb or other Focus settings. Is it possible this is an explanation for what you experienced? If so, it’s a huge oversight on Apple’s part, but yet another one of Tahoe’s many design woes.
  
  LikeLiked by 1 person
  - 13
    
    Michele Galvagno on March 22, 2026 at 7:20 pm
    Reply
    
    I don’t think that to be the case, as it was morning and I have no focus mode active at that time. Also, à restart notification usually gives you 10 secs or more, here it was immediate after login.
    
    LikeLiked by 1 person
14

Duncan on March 22, 2026 at 11:27 am
Reply

Apple really, Really, REALLY wants their users to update/upgrade every time they come up with some new patch, whether they’re ready or not. And the frequency of those patches is increasing beyond user endurance.

I don’t run Tahoe myself for reasons described in this article, but I wonder if it might be possible to at least block the reboots by running a continuous lightweight process in the terminal? In the past, the routine of logging out or rebooting would present a dialog requesting the user to address the running terminal process. Would this still work as a prophylactic against BSI take-over?

LikeLiked by 4 people
- 15
  
  hoakley on March 22, 2026 at 2:10 pm
  Reply
  
  No, not as far as I’m aware. The simple solution is to leave BSIs turned off until you want to install one, then to turn them on, install the BSI, and turn them off again.
  Howard.
  
  LikeLiked by 3 people
  - 16
    
    Tristan Hubsch on March 22, 2026 at 4:33 pm
    Reply
    
    Hmm… If (as you wrote above) an active phone connection in fact really would block the reboot of an iPhone, is there no such “active connection” on the macOS that would likewise block a reboot? Ever so vaguely, I seem to recall having seen (I know not how long ago) the macOS telling me that a Restart was prevented “because SuchAndSuch.app wouldn’t quit” (or some words to that effect). If yes, could such an activity be simulated so as to act as Duncan’s “prophylactic”? Somewhat akin to how Amphetamine.app prevents the macOS from falling sleep.
    
    LikeLiked by 1 person
  - 17
    
    Duncan on March 22, 2026 at 6:11 pm
    Reply
    
    “Somewhat akin to how Amphetamine.app prevents the macOS from falling sleep.”
    
    That’s what I had in mind, initially. (I think there was also an app called ‘Caffeine’ which served the same function.)
    
    If there were a way to intercept or interfere with an unexpected reboot, it would be great if that were built into SilentKnight (as an optional switch?). We could just leave that running all the time and it would not only tell us when an update arrives, but it would also put any potential reboot under the user’s control!
    
    LikeLiked by 1 person
18

Markus on March 22, 2026 at 12:01 pm
Reply

Thanks Howard,

As I wrote in a comment a couple days ago, there was a warning about an imminent reboot. As your screenshot clearly shows there is no indication in the dialog that a reboot was necessary. So I clicked Apply and caught in the corner of my eye something popping up at the top right corner of my 49″ ultra wide screen. There was that famous countdown with two buttons, Reboot now, and Cancel, already at the “Your Mac will reboot in 30 Seconds” stage. Realizing something happened far away almost outside of my field of vision, reading the message, understanding its implications, throwing the mouse cursor across the whole screen to hit the Cancel button … I am still proud I managed this in time to prevent the unexpected reboot!

Tahoe, one of the most beautiful areas in the US and the worst imaginable on your Mac’s desktop!

Apple, what a shame….

LikeLiked by 4 people
- 19
  
  hoakley on March 22, 2026 at 2:11 pm
  Reply
  
  Thank you, Markus.
  Howard.
  
  LikeLike
20

thymine02rising on March 22, 2026 at 5:42 pm
Reply

Thank you Howard, for providing a heads up on what to expect. Again, you provide so much peace of mind! I have learned to always check iOS and iPadOS at the same time when you give us a xprotect update. This second heads up of the day last Tuesday – prevented the unexpected. I like the idea of turning the updates off and installing them, instead of having a Michele experience! I had a lot of already unexpected behavior that day on my Mac. I wouldn’t have wanted more!I had a lot of already unexpected behavior that day on my Mac. I wouldn’t have wanted more! This Apple update reminds me of a vague memory for a type of (wild) food that is toxic, unless cooked for a certain amount of time – being served on a beautiful platter – undercooked.

LikeLiked by 1 person
21

Ric C on March 22, 2026 at 6:06 pm
Reply

After reading this in the morning, I checked Settings>General to also find I was “up to date” with OS 26.3.1, and under >Background Security Improvements, 26.3.1 (a) was downloaded and ready to restart. In agreement, System Information>Software showed 26.3.1 was installed and the system rebooted a week ago. However, System Information>Installations showed that MacOS Rapid Security Response 26.3.1 (a) had been installed the night before after putting the computer to sleep and myself to bed.

Without closing any apps, I restarted the M4 mini and I was immediately notified that I was now up to date with OS 26.3.1 (a). The only oddity I can find is that Installations still shows the same RSR installation last night and nothing new for today. It sounds to me like Apple’s middle management is getting pushed to produce output too quickly.

LikeLiked by 1 person