TNCS-0049 – Bootable Backups on macOS 11, Big Sur
Created: November 11, 2020 | Updated: March 19, 2022
INTRODUCTION
NOTE: This tech note only applies to ChronoSync versions before v10 (4.9.13 and earlier). If you’re running ChronoSync v10 or later, please see the Bootable Backup Assistant Guide for post-v10 Big Sur bootables.
The release of Big Sur means big changes to how bootable backups are performed. Apple has removed the ability to easily make bootable backups. But, fear not, we’ve come up with a work-around. Basically, a file-level copy of your Big Sur System and Data volume group can no longer be made bootable, but a complete duplicate of just your Big Sur Data volume can be. This is the approach ChronoSync takes when creating bootable backups on Big Sur, and this tech note outlines the steps for doing it.
QUICK BACK STORY
With the advent of macOS Catalina, Apple introduced the concept of APFS volume groups. Apple breaks up your files into two volumes: System and Data. The System volume is read-only and contains all the operating system files that should never change during use of the computer. The Data volume contains everything else, including your home folders. The two volumes are linked together in macOS to appear as one volume to the user. ChronoSync v4.9.5 was released to handle this new file system organization.
But with a major release from macOS 10.15 to macOS 11.0, one would expect major changes. macOS Big Sur adds strong cryptographic protections by storing system content on a signed system volume (SSV). SSV features a kernel mechanism that verifies the integrity of the system content at runtime, and rejects any data — code and non-code — that doesn’t have a valid cryptographic signature from Apple (source: https://developer.apple.com/news/?id=3xpv8r2m). Only Apple can produce the signature the kernel checks, so a file-by-file copy of the System volume will not carry a valid seal and will not boot. This makes it impossible for ChronoSync to create a bootable Big Sur System volume.
HOW DOES CHRONOSYNC CIRCUMVENT THIS?
Since ChronoSync cannot produce a valid System volume, it syncs only the Data volume. Obviously, syncing the Data volume on its own won’t give you a bootable disk, so the destination must be a disk that already has Big Sur installed on it. ChronoSync then replicates the Data volume of your main Big Sur installation onto the backup installation, whose own (Apple-signed) System volume does the booting.
STEPS TO TAKE
The steps to take to make bootable backups on Big Sur are a bit cumbersome now. Hopefully in the near future, we can rely on Apple Software Restore (asr), Apple’s own volume replication tool, to clone the Big Sur System volume more easily.
Keep in mind it is preferable to use a new, blank device to create your first Big Sur bootable backup. While you can perform the following steps with an existing bootable backup, you will lose the ability to revert to the previous version of macOS, if needed. Erasing an existing device also leaves you without a redundant system for as long as this procedure takes to complete.
1. Install Big Sur on a backup device and configure it with a temporary user (fully configuring the user isn’t necessary). If you are unfamiliar with selecting an alternate destination volume for macOS installation, review this article, which explains the process with screen shots: https://www.macworld.co.uk/how-to/macos-external-drive-3659666/
The macOS installer will walk you through the process of creating an initial user account. Use some temporary name/credentials such as ‘tempuser’.
2. Connect this device to your Mac.
3. On your main Big Sur Mac, open ChronoSync.
4. On the ChronoSync Organizer window, click ‘Create a new synchronizer task.’
5. In the ‘Setup’ panel, under ‘Source Target,’ select ‘Connect To: Mounted Volumes (Admin Access).’
6. Select your booted system volume as the source.
7. In the ‘Destination Target,’ select ‘Connect To: Mounted Volumes (Admin Access).’
8. Select your attached device’s system volume as the destination.
9. Choose ‘Mirror left-to-right’ as the ‘Operation.’
10. Enable ‘Synchronizes deletions.’
11. Switch over to the ‘Analyze’ panel.
12. Find the following item and ‘Exclude’ it: ‘System/Library/CoreServices/CoreTypes.bundle’. Use ‘Actions->Exclude’ to exclude the selected item or items. This is also found in the contextual menu (right-click).
13. Run the task.
After running the mirrored backup, the temporary user on the destination will be wiped out and replaced by the legitimate user(s) on your source volume.
OPTIONAL, BUT RECOMMENDED, STEPS TO TAKE
It is preferable not to have applications start up in their last running state on the destination. First, it adds significantly to the startup time. Second, it could result in unwanted behavior such as Mail starting up and downloading new messages. Lastly, in some instances, it can cause stability problems. Also, if/when you boot your destination, you should avoid leaving any applications running when you shut it down.
Go through the following steps in your task document for each user account on your system to prevent the destination from restoring the running application state when you boot into it.
1. Navigate to ‘/Users/<username>/Library/Saved Application State’ in the Analyze panel. If there is no such folder on the destination, proceed to step 5.
2. Select all entries that may exist on the destination within the ‘Saved Application State’ folder. If there are no entries on the destination, proceed to step 4.
3. Right-click one of the selected entries and choose “Delete from right” -> “Delete Immediately” (assuming that the right side is your destination). Make sure all such files on the destination are deleted.
4. Navigate up one folder level in the Analyze panel so the contents of Library are visible.
5. Right-click the ‘Saved Application State’ folder and choose ‘Exclude.’
6. Navigate to ‘/Users/<username>/Library/Preferences/ByHost’ in the Analyze panel.
7. Look for a file whose name begins with ‘com.apple.loginwindow…’ and select it.
8. If the file exists on the destination, right-click it and choose “Delete from right” -> “Delete Immediately” (assuming that the right side is your destination).
9. With the ‘com.apple.loginwindow…’ file(s) still selected, right-click and choose ‘Exclude.’
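The same clean-up can be scripted against the mounted (not booted) backup, for people who would rather not click through each user’s folders in the Analyze panel. The script below is an added example and is not ChronoSync code; it only removes the files on the destination, so the ‘Exclude’ steps in the task are still needed to keep the next sync from copying them back. The mount point ‘/Volumes/Backup’ and the fixture it builds for a dry run are assumptions, not anything from the original note.

```shell
#!/bin/sh
# Clear the destination's saved login state so a boot from the backup does not
# restore every user's last-running applications. Added example, not part of
# ChronoSync. Run it against the backup's mount point while booted from the
# main Mac, never against / of the running system.

# Remove the contents of each user's 'Saved Application State' folder and the
# per-host com.apple.loginwindow.*.plist under the backup's Users folder.
# $1 = mount point of the backup volume group, e.g. /Volumes/Backup (assumed
# name). Prints every path it removes; exit status 1 if $1 has no Users folder.
clear_login_state() {
    root="$1"
    [ -d "$root/Users" ] || { echo "no Users folder under $root" >&2; return 1; }
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        case "${home##*/}" in Shared|Guest) continue ;; esac

        state="$home/Library/Saved Application State"
        if [ -d "$state" ]; then
            # Delete the per-application *.savedState bundles but keep the
            # folder itself, matching the manual steps above.
            for entry in "$state"/* "$state"/.[!.]*; do
                [ -e "$entry" ] || continue      # glob matched nothing
                echo "$entry"
                rm -rf "$entry"
            done
        fi

        # The loginwindow ByHost preference records the reopen-windows state.
        for plist in "$home"/Library/Preferences/ByHost/com.apple.loginwindow.*.plist; do
            [ -e "$plist" ] || continue          # glob matched nothing
            echo "$plist"
            rm -f "$plist"
        done
    done
}

# Constructed fixture that mimics a backup's Users folder, so the function can
# be exercised without touching a real disk. Prints the temporary root.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Users/alice/Library/Saved Application State/com.apple.mail.savedState"
    mkdir -p "$tmp/Users/alice/Library/Preferences/ByHost"
    : > "$tmp/Users/alice/Library/Preferences/ByHost/com.apple.loginwindow.0000-HOST.plist"
    : > "$tmp/Users/alice/Library/Preferences/ByHost/com.apple.screensaver.0000-HOST.plist"
    mkdir -p "$tmp/Users/bob/Library/Preferences"          # nothing to clean here
    mkdir -p "$tmp/Users/Shared/Library/Saved Application State/ignored.savedState"
    echo "$tmp"
}

# Dry run on the fixture: prints the two paths it removes for 'alice'.
FIXTURE=$(make_fixture)
clear_login_state "$FIXTURE"
rm -rf "$FIXTURE"

# Real use, with the backup mounted and NOT booted (assumed mount point):
#   clear_login_state /Volumes/Backup
```

Shared and Guest are skipped because they are not login accounts that restore application state, and the function refuses to run when the path has no Users folder, which guards against a typo in the mount point wiping something else.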
HEED ALL WARNINGS
On the Setup panel, there is a new readiness check that detects a Data volume backup and warns you if the macOS version on the destination does not match the source. In such cases, boot from the destination device and run the OS update, then run your sync task to bring the Data volume files up to date. BONUS: This forces you to periodically confirm that your bootable backup is working!
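The version mismatch the readiness check looks for can also be verified by hand before a sync, by comparing the SystemVersion.plist on the running system with the one on the backup’s System volume. The script below is an added example, not ChronoSync’s own check; it reads only the ProductVersion and ProductBuildVersion keys with sed so it runs anywhere a POSIX shell does, and the sample plists and the ‘/Volumes/Backup’ mount point are constructed assumptions.

```shell
#!/bin/sh
# Pre-flight check for a Data-volume bootable backup: compare the macOS
# version and build recorded in SystemVersion.plist on the source and on the
# destination before syncing. Added example, not ChronoSync code; it uses only
# sh, sed and tr so it also runs where plutil/defaults are unavailable.

# Print the <string> value that follows the given <key> in a plist body.
# $1 = plist text, $2 = key name. Prints nothing if the key is absent.
plist_string() {
    { printf '%s' "$1" | tr '\n' ' '; echo; } |
        sed -n "s|.*<key>$2</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p"
}

# "11.2.3 (20D91)"-style summary of one plist body.
os_label() {
    printf '%s (%s)\n' "$(plist_string "$1" ProductVersion)" \
                       "$(plist_string "$1" ProductBuildVersion)"
}

# Compare source and destination plist bodies. Exit status 0 when version and
# build both match, 1 otherwise; a one-line verdict is printed either way.
os_versions_match() {
    src="$(os_label "$1")"
    dst="$(os_label "$2")"
    if [ "$src" = "$dst" ]; then
        echo "match: $src"
        return 0
    fi
    echo "mismatch: source $src, destination $dst"
    return 1
}

# Read the plist from a mounted volume. On the running system this is /;
# on the backup it is the mount point of its volume group, e.g. /Volumes/Backup
# (an assumed name).
read_system_version() {
    cat "$1/System/Library/CoreServices/SystemVersion.plist"
}

# Constructed sample plists (trimmed to the keys that matter) so the check can
# be exercised without a second macOS install attached.
SRC_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key>
    <string>20D91</string>
    <key>ProductName</key>
    <string>macOS</string>
    <key>ProductVersion</key>
    <string>11.2.3</string>
</dict>
</plist>'

# A destination that is still on an older (constructed) version/build.
DST_PLIST=$(printf '%s' "$SRC_PLIST" | sed 's|20D91|20B50|; s|11\.2\.3|11.0.1|')

if os_versions_match "$SRC_PLIST" "$DST_PLIST"; then
    echo "versions agree; run the sync task"
else
    echo "boot the backup, install the macOS update, then run the sync task"
fi

# Real use, with the backup mounted (assumed mount point):
#   os_versions_match "$(read_system_version /)" "$(read_system_version /Volumes/Backup)"
```

The build string is compared as well as the marketing version because two installs can report the same ProductVersion while one is on a later build; syncing a Data volume across builds is exactly the case the readiness check is there to flag.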
REVISION HISTORY
Mar-19-2022 – Pre-v10 ChronoSync (4.9.13) mention.
Feb-05-2021 – Added detail to some steps.
Nov-11-2020 – Created from scratch.