Are Apple and others misleading users about the use of bootable USB or SSD Mac OS installers with M1 Macs and Monterey?

My comments below solely concern M1 Series Macs

There are many articles on how to create bootable USB or SSD Mac OS installers. Below are 2 examples, one from Apple Support and the other from Macworld. It’s a standard procedure which forum members are familiar with.

How To Create A Bootable USB macOS Installer

Create a bootable installer for macOS - Apple Support

But the following article from the reputed Eclectic Light Company demolishes - if I understand correctly - the idea that bootable USB or SSD Mac OS installers are of any use with M1 Macs and Monterey. I am referring to recovery, not rare situations where you would want to downgrade the OS.

Please note that the article is about booting from an external drive (which is not what I am talking about) but the subsequent discussion covers the topic of bootable USB or SSD macOS installers

Creating a bootable external disk with an M1 Pro in Monterey – The Eclectic Light Company

In a nutshell, the author argues that in order to boot from the bootable installer key or SSD, the internal recovery drive on the M1 Series Mac must be intact which defeats the purpose of using an installer key in the first place because the internal recovery drive itself would be used.

Below are excerpts from the reputed Eclectic Light Company reference

On an M1 Mac, you don’t need a bootable installer disk to get Disk Utility, Terminal, etc.: they all come in Recovery mode, which is installed on the Mac before you even get it. Not only that, but in Monterey you get at least two complete Recovery systems, one of which is in its own container/partition on the internal SSD, and the other in a volume in the active macOS set. If they’re both damaged, then an M1 Mac won’t boot at all, not even from a full external disk, and has to be restored in DFU mode.

with an M1 series Mac is that what’s provided on a bootable external disk of any kind isn’t sufficient to boot it. So as far as an M1 Mac is concerned, your flash drive doesn’t contain a bootable system at all. So to boot from that, the M1 Mac has first to boot into Recovery mode (using its internal SSD), and until it’s in Recovery you can’t get it to boot from your flash drive. Only when it has loaded recoveryOS will it give you the option to boot from the flash drive. As by that time it’s already running Recovery, which contains the same tools as on your flash drive, it’s far simpler just to use them from Recovery instead.

1 Like

I have great respect for Howard Oakley and read most of his articles, and try to follow.

Your quotes from that link (which are in the comments section for the benefit of others) seem at odds with what he says about the changes to Recovery in Monterey, in this article:

https://eclecticlight.co/2021/09/23/how-monterey-changes-apple-silicon-recovery/

In particular this extract:

“Consider that same M1 Mac which is set to start up from an external disk containing Monterey, instead of its internal SSD. During the early part of its boot process with the Power button held for 1TR, the Mac detects that it’s set to boot from that external disk, and starts up from the paired recoveryOS installed with that copy of Monterey.”

I am reading that to say that in Monterey, unlike Big Sur, the boot process starts with the Recovery on the flash drive (or bootable external), not the one on the possibly damaged internal.

1 Like

Booting on an M1/M2 Mac always starts from components stored on the internal SSD. If those components are damaged, nothing can be booted (either internal or external) until they are restored from another Mac using Apple Configurator. If the internal SSD is toast and can’t be restored via Apple Configurator, that’s a trip to the Apple Store for a motherboard replacement.

So there are cases where Apple Silicon Macs can not be booted from external media, but Intel Macs can.

3 Likes

What does “Components stored on the internal SSD” actually mean?

I don’t doubt that there may be situations where the “components on the internal” are damaged such that the machine can’t be booted from a bootable installer (or external). But the statement in the Oakley article I linked was made about the Recovery volume, where he clearly says that it will boot from the external Recovery, which seems to be at odds with his other article, where he says it boots from the internal first and won’t boot to external unless internal is OK.

I have had M1 Macs since release in November 2020 and done lots of testing, booting from Installers and externals etc, and also often failing. I have been forced to use Apple Configurator. It is a complicated subject and I don’t think many outside Apple understand it. Certainly not me. And it has changed quite a lot since those early days.

My impression (no stronger than that) is that there are some kind of internal problems which will prevent external boot and some which can be avoided by external boot.

1 Like

SuperDuper has been my app for bootable clones for years, so when the clone of my MBAir M2 with Monterey (on an external HD) wouldn’t boot (I then tried CCC, which also failed) (I also tried unsuccessfully to make just a bootable Monterey thumb drive) I asked Dave Nanian, SD’s creator, for help. I initially thought it was because my HD was too slow, not fast enough to boot before the internal SSD, but another SD user had the same problem with his external SSD. Dave’s answer: “Apple needs to fix their boot bugs. Nothing and no one else can do this 'for them’.” Then I read somewhere that the external SSD must be connected via Thunderbolt, then it’d boot. I don’t have such an SSD (too expensive), so I haven’t tried it.

Despite all of this, there are numerous instructions on the net detailing how to boot an M2 Mac from an external SSD. I’ve tried some of them and never succeeded. What I’m left with is a non-bootable clone (I also have Time Machine backups) from which I can repopulate my MBA if necessary, which should work fine unless my Mac dies stone dead (which has never happened to me over 4 decades of Apples and Macs).

But I’d be thankful if anyone came up with a solution.

1 Like

From Howard’s explanations, there are two critical pieces of information used by the LLB process (Phase 2 of boot on an Apple Silicon Mac). Reference Booting an M1 Mac from hardware to kexts: 1 Hardware – The Eclectic Light Company and Booting an M1 Mac from hardware to kexts: 2 LLB and iBoot – The Eclectic Light Company

  • LocalPolicy
  • Secure Enclave

Both of these are located in the Apple_APFS_ISC container on the internal SSD. LLB consults both of these to find and verify the Preboot volumes contained in the internal or external volumes you boot from. The iBoot (phase 3) of the process is loaded from the selected startup disk’s APFS Preboot volume in the macOS container.

If they are damaged, they must be re-installed in DFU mode from another Mac with Apple Configurator. If the internal SSD has failed to the point where the Apple_APFS_ISC container can’t be read or rebuilt with Apple Configurator, then the only recourse is a motherboard replacement.

4 Likes
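A way to check the partition layout described in the post above, as an added example (not from the thread, Howard Oakley or Apple): a shell function that reads `diskutil list` text and reports whether the internal SSD still lists the Apple_APFS_ISC container, a separate Recovery container and a macOS container. The sample output and the verdict names are constructed, and `Apple_APFS_Recovery` is assumed to be the partition type diskutil shows for the separate Recovery container; a listed partition says nothing about whether its contents are intact.

```shell
#!/bin/sh
# Added example: classify the internal SSD layout of an Apple Silicon Mac
# from `diskutil list` text. It only inspects the partition map.

# Constructed sample of `diskutil list` output (not captured from a real Mac).
SAMPLE_HEALTHY='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         494.4 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk4
   1:                 Apple_APFS Container disk5         1.0 TB     disk4s2'

# Print the TYPE column of every partition on disks whose header line says
# "internal, physical"; partitions on external disks are ignored.
internal_partition_types() {
    awk '
        /^\/dev\/disk/ { internal = ($0 ~ /\(internal, physical\)/); next }
        internal && $1 ~ /^[0-9]+:$/ && $2 != "GUID_partition_scheme" { print $2 }
    '
}

# Read `diskutil list` text on stdin and print one verdict word (names are
# made up for this example).
classify_layout() {
    types=$(internal_partition_types)
    has() { printf '%s\n' "$types" | grep -qx "$1"; }
    if [ -z "$types" ]; then
        echo "no-internal-disk"
    elif ! has Apple_APFS_ISC; then
        # The post above: without this container nothing boots, internal or
        # external, until it is restored in DFU mode with Apple Configurator.
        echo "dfu-restore-needed"
    elif ! has Apple_APFS_Recovery; then
        echo "recovery-container-missing"
    elif ! has Apple_APFS; then
        echo "no-macos-container"
    else
        echo "layout-ok"
    fi
}

# On a Mac, use live data; elsewhere, fall back to the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil list | classify_layout
else
    printf '%s\n' "$SAMPLE_HEALTHY" | classify_layout
fi
```
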

Thanks for those links, which put the detail into “components stored on the internal SSD” which have to be working for the machine to boot at all, internal or external.

Presumably those are the “early part of the boot process” in his article I linked, and where it recognises it is set to boot to an external and boots to the external Recovery instead of the internal.

This seems to allow the possibility that if the internal Recovery (not the essential components) is damaged then the external Recovery would still work.

As I said I do not have a deep understanding of the entire process, I am simply trying to reconcile Howard’s different statements…in the article I quoted and the one the OP quoted.

1 Like

Although not free from problems, creating a bootable external is pretty reliable these days, as Howard Oakley’s recent article details. But using CCC or SuperDuper is not the way, as Dave Nanian told you.

Presume you have seen this article by Mike Bombich of CCC, which starts off:

“Copying Apple’s system is now an Apple-proprietary endeavor; we can only offer “best effort” support for making an external bootable device on macOS Big Sur (and later OSes)”

SuperDuper! is subject to all the same obstacles but put a different spin on the situation. I don’t believe they have any magic sauce which CCC doesn’t. They both have to use the Apple Tool ASR because there is no alternative.

Personally I have always much preferred Data only clones and install and migrate. It takes a bit longer but I don’t need to be up and running within a few minutes, and if I did I would use a second Mac.

2 Likes

hello @mikebhm @Technogeezer @gbdoc

Thank you all for your comments.

My comments pertain solely

  • to M1 + Monterey.
  • bootable OS installers. Not bootable external drives which I agree it is possible to create (and of no use for me).

In terms of semantics, a purist would say “if both recoveryOS fail” (=recovery drives or volumes - plural) because M1+Monterey Macs now have 2 recoveryOS, the one we are used to and a so-called “fallback recovery OS”. If the recoveryOS fails, the fallback recoveryOS should both install the OS and repair the primary recoveryOS.

Yes, if both recoveryOS fail, one can try to use the primary drive as external SSD of another Mac to recover data. What used to be called Target mode (boot +press T key) is now on M1 Monterey called “share within recovery” (power on with long press → recovery → utilities → share disk). I have never done this.

I am sorry to say that I still don’t see in what circumstances you would use a bootable installer. In retrospect, my initial post was not worded correctly. I have no doubts that it is possible to boot from an installer. I have done it myself. My question is whether it makes any sense to boot from an OS bootable installer.

To boot from an installer, you need one of the 2 recoveryOS to be intact. I know, I tried it and it’s what M1 experts say. If you plug in the installer → shut down → boot in recovery → click on the installer → the mac will still boot from recovery, not from the installer or if it boots from the installer, it is by way of the recoveryOS.

If one of the recoveryOS is intact, well … that recovery OS contains the OS which means you don’t need the OS on an installer.

The only use for a bootable installer that I know of is for those rare high level users who run multiple versions of Mac OS on their macs.

I would be most grateful if you could give concrete examples where a bootable installer would be used.

thanks very much

This thread has certainly sown doubt in my mind about the value of bootable installers, but one obvious reason for them is to avoid multiple downloading of the 12GB Install Assistant, eg if you have several macs to upgrade or you frequently do tests involving installing on different externals, or dual internal which I do.

In addition to that reason, I believe that, in all the trials and tribulations of external and dual internal booting I have been through since Nov 2020, there have been occasions where the bootable external got me out of trouble. I can’t document this, so it is purely anecdotal and may be wrong, or may only have applied at some point and is no longer applicable, because it has been a moving bus, especially in the first year or so.

3 Likes

that’s certainly an excellent example! thank you. I am sure that your anecdotal experiences are also relevant.

On an Intel Mac (and on nearly all PCs), the boot sequence begins with some startup code on an internal flash chip (what Apple calls “BootROM” or sometimes “firmware”). This code scans for bootable devices (SSDs, hard drives and maybe network-based boot images). It selects one, loads the next-stage bootloader from it (from an OS-specific Recovery partition), and that code starts the system.

The boot device can be completely erased because the absolute first stage of the boot sequence is in a separate flash memory chip. If that chip gets clobbered, then you’re out of luck and will need to resort to extreme measures in order to have a bootable system.

An M1/M2 Mac, like most embedded devices (including iPhones, Apple TVs and countless devices from hundreds of manufacturers) doesn’t do this. There is one flash memory storage device which contains the lowest level pre-boot code, the OS’s boot loader (in an OS-specific Recovery partition) and the operating system.

When you boot such a device from external storage, the pre-boot code must still run from the internal SSD (much like how an Intel Mac runs this code from the firmware in its BootROM flash chip). It then transfers control to the boot-loader on the device you are booting from (via an OS-specific Recovery partition on the device holding the system you are booting).

Which means that if you completely wipe the internal SSD, there’s no way to boot anything without putting the pre-boot code back. For Apple devices, this means using Configurator from another Mac, if it’s possible at all. And if the SSD has actually failed, it will need to be replaced (which means a motherboard replacement unless you’re running a Mac Studio).

But that kind of SSD failure should be very rare. How often has the pre-boot loader failed on an iPhone? I can’t recall ever reading about something like that - every dead phone report I’ve read ended up being the result of some other kind of failure. So I wouldn’t worry about it that much.

But as you mentioned, your internal SSD has the recovery partition (actually several - a 1TR (“one true recovery”) partition (for when you boot while holding down the power button), and one that is installed as a part of each macOS installation). You can always use these to (re-)install macOS from the Internet.

So why bother with a bootable installer? A few reasons come to mind:

  • Bandwidth. If you need to reinstall several Macs, why bother downloading the installer multiple times?

  • Network availability. If you need to (or think you might need to) reinstall macOS in an environment where there is no network, then you’ll need it.

  • Speed. Downloads take time, even on a fast Internet connection.

  • Versions. Recovery doesn’t let you install any version you want. You can only install a few versions based on what your Mac has previously used and what’s on Apple’s servers. If I remember correctly, these are going to be one or more of:

    • The version that shipped with your Mac (or the nearest compatible version on Apple’s servers)
    • The last version your Mac was running (or the nearest compatible version)
    • The latest version compatible with your hardware

    If you want to install any other version (assuming it’s compatible, of course), you will need to have a bootable installer for that version and boot it to run the installation.

4 Likes

Not that I agree with any of this, but Apple’s answer to the bandwidth issue will be “use Content Caching Server”. Just like their answer to iOS sync was iCloud. Both services with a poor track record that only to the marketers and fanbois could serve as adequate replacement for what people are actually asking for.

2 Likes

Not an external boot disk, but Techtool used to be able to create a recovery disk that allowed you to put other programs beside Disk Utility (back in the Disk Warrior days). I do not have the current version, but does it allow you to build a recovery disk internally or externally?

1 Like

As far as I can tell, the OS-specific Recovery volume that Apple has been using for a long time is pretty much the same thing. It’s a bootable volume running “RecoveryOS”, which can be used to perform repairs or to reinstall macOS.

Since this is simply another volume in the same APFS container that holds macOS’s other volumes, you may be able to just mount it and copy some additional files there.

Of course, since there are no third-party tools that can repair/rebuild APFS, this may be a strictly academic question. There’s no need to boot into Recovery Mode in order to repair an HFS+ volume.

2 Likes

a brilliant post which says it all. thank you very much

In this context, does the combo installer still have a role ?

The universal panacea for macOS problems: install the Combo updater – The Eclectic Light Company

I don’t think you can even get combo installers for updates anymore. Just full OS installers (which can be used to perform a full reinstallation over an existing system, either with or without wiping the old system first).

That having been said, there is less need for it than before.

In the past, a combo installer was useful because it would replace every file that every updater that had been released for your OS version. It worked to solve problems resulting from some system file getting corrupted.

Since Big Sur, and its Signed System Volume, it is pretty much impossible for these system files to get corrupted, because they can only be modified by a macOS installer. Other software can’t make any changes to that volume. Which means that if it works after the initial installation, it will continue to work until it is replaced (by the next installation).

Of course, applications and configuration data stored on your Data volume can still get corrupted. The SSV can’t protect against that.

3 Likes

Apple Silicon changed things radically.

  1. No firmware, well not in the traditional sense
  2. Secure proprietary and protected boot volumes
  3. Secure Enclave (write only black box to hold all the secret private keys)
  4. Factory encrypted SSD storage (always encrypted)
  5. SSD storage chips are lacking any sort of traditional NVME controller chips. The SoC is the disk controller all the way down to the lowest level of talking directly to the SSD flash storage chips.
  6. No more Internet Recovery

There is a whole chain of trust from the factory burned private key inside the Secure Enclave to the private keys for the 1st admin user to login to FileVault2 which merely adds another public/private key for an additional recovery method. The OS System volume is read-only, signed, snapshot, and sealed. The OS boots from the snapshot.

In a recovery situation, you need to use a 2nd Mac running Apple Configurator so it can grab an approved, signed IPSW based installer for macOS. Then install that on the broken Mac via Thunderbolt cable when the broken Mac is in DFU mode. This is to maintain that chain of trust. It is a security feature.

Apple Silicon adds the ability to Erase all Content and Settings much like an iPhone / iPad.

But you can no longer wipe a Mac and boot from an external disk to restore the OS or merely run a Mac with a failed internal SSD.

At the same time, it’s more and more rare for an internal SSD to fail and it’s ridiculously easy to back up Macs. The most common failure of SSDs is liquid damage which will cause bigger problems on the system board than just the SSD storage.

This all started with the T2 Security Chip on 2018+ Macs. The T2 is basically an iPhone A10 chip but runs a proprietary BridgeOS. It contains the Secure Enclave. The system booted the T2 first then passed control to the Intel processor. You had to boot T2 Macs and create an admin login account so you could login to the Recovery Mode to reach the Security Startup options to allow USB booting and lower the security level if necessary. Then you could boot from flash and nuke and pave the OS.

Before all this security a bad actor with physical access and the right tools could boot any Mac with a flash thumb drive, use hacking tools to modify system files, install rootkits and even replace the firmware with a hacked version. etc., etc., etc.

4 Likes

Fortunately, today’s SSDs are extremely reliable and Macs are ridiculously easy to back up via Time Machine, CCC, or SuperDuper. Not to mention Desktop & Documents iCloud sync and syncing of keychain and Safari data.

1 Like