Bootable backups have been deprecated for several years

Mike Bombich December 19, 2024

While some developers seem surprised by a change in macOS 15.2, we've known for several years that making bootable backups would eventually become impossible. We shifted CCC's strategy away from relying on External Boot so our users wouldn't be affected by this inevitable result.


I took a few days off last week to help a family member, and returned to find the Mac community all aflutter with comments about bootable backups not working after the 15.2 update and comparisons of Apple to The Grinch. After reviewing a lot of comments on this subject, I felt it was time to weigh in. Apple is taking a lot of heat for this "bug" in 15.2, but if there is any finger-pointing here, I think it should be directed towards any developers that have misled their users into believing that ASR and "bootable backups" had any place in a backup/recovery strategy post-Big Sur.

This result does not come as a surprise

Several years ago I wrote a blog post about the macOS Big Sur changes that affected how third-party developers would be able to make copies of the System:

Beyond Bootable Backups: Adapting recovery strategies for an evolving platform

I made a reference to a conference call that I had with Apple, but I only summarized it:

"Back in December I had a conference call with Apple about the reliability and functionality of ASR on macOS and regarding Apple Silicon Macs in particular. They indicated that they were working to resolve the ASR/Apple Fabric issue, but they [Apple] made it very clear that copying macOS system files was not something that would be supportable in the future. Many of us in the Mac community could see that this was the direction Apple was moving, and now we finally have confirmation. Especially since the introduction of APFS, Apple has been moving towards a lockdown of macOS system files, sacrificing some convenience for increased security."

I realize now that the more specific technical detail from that call would probably be really helpful context in the conversations that people have been having on the subject of bootable backups. Participating in that (Dec 2, 2020) conference call was the APFS team lead, someone from Developer Technical Support, and to my surprise, Apple's Director of Product Marketing. When I joined the call I was prepared for a technical discussion of what was broken in ASR and whether Apple would be able to fix those issues and make it reliable enough for a commercial backup solution. The call didn't quite go in that direction. The Marketing Director kicked off the call by asking:

"So how would it look if someday in the future you simply couldn't make a copy of the System at all?"

He (and the more technical folks on the call) went on to explain why only ASR could be allowed to copy the system, and that they were committed to addressing any problems with it as long as it did not require making a compromise to platform security. Platform security is a top priority at Apple, and one of the keys to that security is a Secure Boot environment — without compromise. Allowing system files to be copied introduces an opportunity for attackers to modify key system components. Some of this can be mitigated by only allowing Apple's ASR utility to make the copy, but there are still inherent opportunities to inject changes when copying system files. On the flip side, Apple has invested a lot of effort into the Recovery Mode environment and Migration Assistant. It has become trivial to boot a Mac into Recovery Mode, perform a clean and secure install of the system (verified and signed), then recover user data via Migration Assistant. All of that can be done without compromising the security of the boot environment.

I was a little bit surprised at the time, but I was impressed and grateful for how forward they were willing to be about the matter. I also completely agreed with their approach and reasoning; it was suddenly obvious that simply allowing the creation of "bootable backups" was an inherent and unnecessary security flaw that would eventually have to be resolved. With this new context, now I knew that I could invest all of our resources into a major strategic shift — it was time to rearchitect backup and recovery without External Boot. In May 2021 we did exactly that with the introduction of CCC v6.

It's time to move on to a backup strategy (and software) that is future-compatible

Will Apple fix this issue so that bootable backups can limp along a little further? Maybe, but that's getting to be a moot question. Apple made it unambiguously clear that "bootable backups" and System cloning are fundamentally incompatible with platform security. While we will continue to offer the "Legacy Bootable Copy Assistant" as long as it's useful (e.g. for Intel Macs), it's not something that anyone should be building a backup/recovery strategy around. CCC offers numerous ways of backing up and restoring your data (even backing up data that's only stored in the cloud), and CCC backups are also designed to be compatible with Migration Assistant. The past three years have demonstrated that a CCC "standard" backup along with Migration Assistant is a simple, effective and secure way to recover your Mac, or migrate your data to a new Mac. Most importantly, this is the future-compatible path.