Tuesday, November 23, 2021

Booting an M1 Mac From an External Disk With Monterey

Howard Oakley:

One of the stumbling blocks to using an external boot disk with an M1 Mac is that it may not cope if you update macOS on the internal SSD, then try booting from the external disk to update that. You may be prompted to assign an authorised user to that external disk, only to be informed that the version of macOS on that disk isn’t bootable and needs to be replaced.

[…]

If you’re unable to boot from a bootable disk using an older (non-current) version of macOS, change its boot policy to Reduced Security and it should then become bootable again.

Use Reduced Security to update bootable external disks, and to maintain older bootable versions of macOS.

If you’ve updated a bootable disk to the current version of macOS, change its boot policy back to Full Security.

This is done in the Recovery Assistant.

Howard Oakley:

Unlike a T2 Mac, M1 Macs don’t set one boot security policy for the Mac, but a policy for each bootable disk. This is attractive, as it means that you can still ensure that, when it boots from its internal SSD it does so in Full Security, but your M1 Mac can be more relaxed when it boots from an external disk instead.

[…]

At present, the odd situation is when LocalPolicy is set to Full Security and the macOS versions don’t match, but the external disk is connected via USB-A rather than USB-C or Thunderbolt. In that circumstance, it appears that booting continues despite the conflict in macOS versions. This could be a simple bug, but I suspect that it’s a limitation of the USB-A bus (I recall historical issues in which USB-A had problems with security systems which could be related).

[…]

The final piece in this jigsaw puzzle is the macOS full installer app. In response to user outcry when it removed the macOS 11.2 installer as soon as 11.2.1 was released, Apple now leaves full installers available for each version of Big Sur. However, they don’t appear to be of much use to those with M1 Macs, as all attempts to install an older version of macOS on an external disk appear to fail.

Howard Oakley:

On M1 Macs:

  • Carbon Copy Cloner 6 can now create full clones of bootable system volume groups in containers on an external disk;
  • making a full clone of the internal SSD works, but it can’t readily be booted, and is strange in other ways too. Unless you have a compelling reason for doing so, avoid this;
  • booting from a full clone of the internal SSD is to be avoided;
  • making a full clone of an external SSD works, but has little or no advantage over performing a full install of macOS on that disk.

Howard Oakley:

I’m delighted to report that five months after I wrote that M1 Macs had problems starting up from external disks, Apple has finally fixed Big Sur 11.4 so that they now work fully.

[…]

Changing between external boot disks is normally simple and direct using the Startup Disk pane. Changing back to the internal SSD when booted from an external disk usually requires a visit to recoveryOS, where you need to authenticate in Recovery Assistant. After a long pause, once that has been accepted as successful, select the Restart button.

[…]

Check LocalPolicy for your bootable systems using sudo bputil -d, which should then list available macOS installations by the UUID of their boot volume group[…]

[…]

If your external disk connects by USB-C rather than Thunderbolt and you experience problems, try connecting it using a USB-C data cable rather than a certified Thunderbolt cable. If that doesn’t help, and you have a USB-A port available, use a USB-C to USB-A cable instead, which appears to be the most reliable.

Howard Oakley:

When Apple released Big Sur 11.4 update, nothing in its release notes indicated that any change had taken place in support for bootable external disks. Indeed, as far as I can tell, Apple hasn’t mentioned these problems, and anyone considering buying an M1 Mac would probably be completely unaware of their gross unreliability with bootable external disks.

[…]

There’s an obvious explanation which I came across when looking at what had changed in the 11.4 update: a brand new kernel extension AppleVPBootPolicy.kext which is concerned with the management of LocalPolicy, which determines security level on boot disks.

[…]

The evidence is that these problems were the result of bugs in managing and implementing LocalPolicy, which were fixed by that new extension, and other changes in macOS 11.4. In other words, M1 Macs didn’t work properly for a period of six months because their Secure Boot system was broken.

Howard Oakley:

As Apple doesn’t yet appear to provide complete instructions for the creation of a bootable external disk in recent versions of macOS, and the information which it does provide is at best misleading in places, this article attempts to remedy this for both Intel and M1 Macs.

Howard Oakley:

I hope this has dispelled some of the rumours about using external boot disks with M1 series Macs, which seem still to be based on Big Sur before 11.4. Installing, configuring and using them is now highly reliable, quick and simple. I’m sure that someone will be able to find a model of SSD which doesn’t yet work perfectly, but this demonstration is based on a regular retail Samsung SSD fitted inside an anonymous case bought cheaply from Amazon, and a regular Thunderbolt 3 cable. No witchcraft or incantations were involved.

Previously:

Comments RSS · Twitter

Leave a Comment