Last Week on My Mac: Where’s the fire escape?

If the room you’re in suddenly went dark and filled with smoke, would you be able to get to the fire escape? That was the question put to me many years ago by a friend who, like me, often stayed overnight in unfamiliar locations. I think he took it to extremes, though, in travelling everywhere with a thirty-foot climbing rope in his suitcase, but his point was sound. A few years later, when I was stood outside a hotel after a fire alarm in the late evening, I was glad to have taken that advice.

Much of what we do on our Macs can be at worst relatively harmless, and there are simple measures we should take to ensure they’re safe. Accidentally delete the wrong files, and you should be able to restore them swiftly from your latest backup. Cut out a crucial section of a document, and you should be able to look back through its saved versions and paste the text back from one of those. That’s why we have all those checks and safeguards.

Every so often, though, we do something that could have greater consequences, like adding another volume to our boot disk, or installing an alternative operating system such as Asahi Linux. Those are the times we need to check where the fire escape is.

If anything goes wrong with the containers and volumes on the internal storage of an Apple silicon Mac, the result can be serious, because these Macs have to start their boot process from there.

Intel Macs, including those with T2 chips, can of course start up entirely from an external disk. Although that might appear advantageous, in the long run it’s not as good as it might seem. Those with the added boot security that comes with a T2 can only boot from an external disk when that has been specifically enabled in Startup Security Utility, in Recovery mode, and the time to think about that isn’t when it can’t boot from its internal SSD.

Unlike Apple silicon Macs, though, Intel Macs with T2 chips can’t boot from an external disk in full security. In practice it means that, if you do enable that, anyone can attach any bootable disk to your Mac, start it up from that, and make off with it. So making the decision whether to enable your T2 Mac to start up from external disks will either compromise its security or its recoverability.

There’s no compromise of security when booting an Apple silicon Mac from an external disk, as that can only happen when that disk has a LocalPolicy created for it, that in turn requires ownership, and secure controls from the internal SSD. But if the internal SSD has become messed up, that Mac may well not get as far as considering starting up from the external disk, and all you can hope for is that it will be able to enter Recovery or Fallback Recovery.

If this all seems more complex and fiddly in Apple silicon, in practice it’s not, as boot failure is far less likely, and in most cases can be managed fully in either Recovery mode. However, making changes to the layout of containers and volumes on the internal SSD is one situation where an Apple silicon Mac’s ability to boot can be compromised. The Asahi Linux Project has drawn attention to one mistake that can spell disaster, removal of the Apple_APFS_Recovery partition/container from the internal SSD.

Let’s assume that you’ve changed partitions/containers and/or volumes on your Apple silicon Mac’s internal SSD, and want to revert to its original layout. You now have a choice of attempting that in either Recovery mode, using the diskutil command tool there, or putting your Mac into DFU mode and performing a full Restore with the IPSW image file for the macOS version of your choice.

Provided you have a second Mac and USB-C cable to connect it, and a recent full backup available to migrate from, Restore in DFU mode is likely to prove the simpler and more reliable option. Unless, that is, you’re the kind of person who also likes hoisting out your car engine and disassembling it on your kitchen table.

For all its apparent complexity, this is where an Apple silicon Mac comes into its own, as you can now Restore it to Sequoia even though Apple still so earnestly wants you to savour the delights of Tahoe’s Liquid Glass.

Follow my friend’s advice. When you’re about to do something that could have serious consequences, check where the fire escape is, as one day you may well have to rely on it.

3Comments

Add yours

1

billstanford9 on May 3, 2026 at 7:26 am

A useful reminder – with a great co-relative!

LikeLiked by 1 person
2

Enzo Vincenzo on May 3, 2026 at 7:44 am

Great advice, Howard! I’d say it’s second only to the famous saying: “Computer users fall into two categories: those who have already lost their data (and have therefore learnt their lesson about backups) and those who haven’t lost it yet (and therefore don’t understand, can’t hear and don’t want to listen to any warnings…)”.

I’ve just come out of a situation that you’re describing in general terms today.
Two or three days ago, in fact, whilst in Safe Mode, CONTRARY to a suggestion you’d mentioned in a reply to one of my messages, I carried out a complete cache clean-up, including the contents of /private/var/folders/etc./etc./contents of the three user subfolders.
I told myself, in fact: “Howard is being overly cautious… After all, macOS always recreates the caches…”.
The result?… Fortunately, and almost by chance, whilst doing a search, I realised that thousands of messages had disappeared from the folders I had created in ‘On my Mac’ [note: I use the POP protocol and, using rules, I move and I maintain my emails (which I’ve been keeping since 1994/1995) into neatly organised subfolders corresponding to each account I use or like categories, as I’ve found that this method provides the best e-mail backup and ensures a perfect and complete restoration of Mail, even if I downgrade the operating system].

My lifeline, in this case, was consulting the AI, which advised me to delete the Envelope files in /Mail/V10/Data/, so I ended up with Mail performing even better than before. But I took a huge risk because if I’d continued using Mail, the Time Machine backups would have started to get corrupted too.

So, my “FIRE ESCAPE”, therefore – bearing in mind YOUR earlier personal WARNING about clearing caches – should have consisted of a more thorough analysis of your sound advice. At that point, I almost certainly would not have touched the macOS temporary caches.

I hope your teachings will be of use to everyone, and that my example will confirm just how important you are – as even the AI has told me. But that’s another story… :-)

Have a lovely Sunday

LikeLiked by 1 person
3

John on May 3, 2026 at 9:45 am

I have set up a firmware password on my non-T2 Intel iMac, which must be entered before it will boot from an external drive.

What level of protection does that provide?

Obviously, not as much as full disk encryption with FileVault, but otherwise?

LikeLike

Share this:

Related