These are the instructions I use to do a ‘clean install’ when setting up a ‘new’ Mac, which I seem to do more often than I should (and certainly, way more often than when I actually have a new Mac).
Modern Macs can upgrade/repair macOS without any install media so long as they have an internet connection. However, there are times when you need installation media, such as when installing a new SSD, or if you want to wipe the machine clean and start again (i.e., perform a ‘clean install’). In this case, you’ll need a USB installer. Apple has instructions for creating installation media. These instructions worked for me when downloading the installer on a computer already running High Sierra or later [1].
Depending on the version of macOS on the computer you are using and the one you are downloading, the installer may launch, or you may get a ‘This copy of the “Install macOS” application is too old to be opened on this version of macOS’ error. In either case, select cancel/quit, then follow the remainder of the installation media creation instructions.
Modern Macs should in theory recognise available Bluetooth keyboards and pointing devices, even during a completely clean install. However, this sometimes fails (especially on older Macs), so it may be handy to have USB input devices available, if only for the initial steps.
Boot drive/recovery mode
To boot from the installation media, reboot the Mac with the USB inserted and hold
Alt during startup to select the boot drive (i.e., the installer you
If booting from external volumes is restricted (e.g., you get a “This startup
disk could not be verified” error), change this setting first by booting into
Recovery Mode (hold down Command + R during startup), then select Utilities >
Startup Security Utility. Enter the administrator/firmware password if required,
and change the setting to allow booting from external drives. Restart while
holding Alt again, then select the relevant boot drive.
Select Utilities > Disk Utility and select the drive you want to format (be sure, of course, to choose the right one). Select Erase, and choose APFS (Encrypted) as the drive format if available [4]. Enter a password for the drive encryption. Save the password in a password manager (and note in the Password hint field that it has been saved there if you like). Exit Disk Utility when complete.
APFS (Encrypted) versus FileVault
Historically, Apple has offered FileVault as an encryption solution. APFS
supports native encryption, so you would think that ‘FileVault’ would be
deprecated, but it lives on in System Preferences > Security & Privacy >
FileVault. If you format the startup drive with APFS (Encrypted), ‘FileVault’
will already be turned on in Security & Privacy settings once installation is
completed, so it seems that Apple is just applying the FileVault marketing term
to the full disk encryption now provided by APFS (i.e. FileVault
For a drive that has previously been encrypted, it is not necessary to overwrite the free space on the disk, as any data written there will have been encrypted anyway. However, if reusing a drive that was previously used unencrypted, it may be useful to overwrite the free space. Even then, though, because of the way data are written to SSDs, the original data will quickly become unreadable, so unless you are setting up a hardened machine where an attacker may have physical access, it’s probably safe to skip this step.
If you nevertheless want to erase free space:
- In Recovery mode, go to Utilities > Terminal.
- Enter diskutil list to list available volumes, and note the mount point of the volume you want to secure erase.
- To erase free space, enter diskutil secureErase freespace 0 volumemountpoint, where volumemountpoint is the mount point noted above, e.g.: diskutil secureErase freespace 0 /Volumes/Ardbeg.
- Level 0 = overwrite with 0s, which takes around two hours for a 1TB SSD on a 2012 MacBook Air. See the diskutil man page (not available in Recovery mode) for more options, but all other options take an inordinate amount of time for a disk of any meaningful size.
- Format the drive as usual using Disk Utility (APFS (Encrypted) if available).
The diskutil man page offers this warning on the use of secureErase:
NOTE: This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly "erased" by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).
This is good advice, but it fails to address the situation where you have a disk
with unencrypted data on it, that you now want to re-use and need to securely
wipe first (for reasons as outlined above). So, all told, maybe you need to do a
secure erase one last time, but you shouldn’t need to do it ever again. (This
note also confirms our suspicion that APFS encryption
Now you’re ready to actually install macOS, so boot from the USB installer (hold
Alt during startup to select the boot drive) and select Install macOS. In
general, just follow the prompts, making selections as appropriate, taking note
of the following:
- Select the appropriate install destination, then enter the drive encryption password you used when formatting the drive. Continue with the installation. When the computer reboots as part of the installation, you will need to enter the drive encryption password again (once macOS is installed, this will no longer be required) [5].
- Transfer Information to This Mac: select Don’t transfer any information now.
- Skip signing in with an Apple ID–select ‘Set Up Later’.
- Create a Computer Account. The user created here will be the default (i.e. first) admin account. I create an admin account here that is distinct from the main user account that I (or other computer users) will use. Remember to use a strong password, and to store it in a password manager–for this reason, I don’t enter anything in the Hint (though you could put in a reminder there to check in your password manager…). Leave the Allow this account to unlock the disk option enabled–this will mean that entering your account password at login decrypts the disk, instead of having to enter the disk encryption password every time. If you are given the option to allow Apple ID to reset your password, you can leave it enabled [6].
- Re-enter encrypted boot volume password (probably for the last time).
- In Express Set Up, accept the defaults unless you want to customise settings:
  - You may want to disable Enable Location Services for a hardened machine.
  - Analytics: disable share with Apple and Developers for a hardened machine.
  - Enable Siri and set Siri language.
  - Select light or dark mode (Mojave or later).
This completes initial installation–you should now be logged in.
Startup Security Utility
Now that we’ve finished with the initial setup, for security, we can add a firmware password and/or turn off the ability to boot from USB [7].
- Boot into Recovery Mode (hold down Command + R during startup).
- Select Utilities > Startup Security Utility. When prompted, turn on firmware password, enter it, and save it in a password manager, then reboot (back into Recovery Mode) to activate it.
- Enter the Startup Security Utility again and change the setting to disable booting from external drives.
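To confirm from Terminal, after the next normal boot, that disk encryption and the firmware password are really active, a check along these lines can help. This is an added example, not part of the original instructions; it assumes the usual output of fdesetup status and firmwarepasswd -check (the latter needs root and only exists on Macs that support a firmware password), and the sample strings are constructed.

```shell
#!/bin/sh
# Added example: post-install check of FileVault and the firmware password.
# Assumption: output formats of `fdesetup status` and `firmwarepasswd -check`.

# Classify `fdesetup status` output: on | encrypting | off | unknown.
# "encrypting" is tested first because that output also says "FileVault is On".
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Classify `firmwarepasswd -check` output: on | off | unknown.
firmware_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;
    esac
}

# Print one summary line; succeed only if both protections are fully on.
audit_summary() {
    fv=$(filevault_state "$1")
    fw=$(firmware_state "$2")
    echo "filevault=$fv firmware_password=$fw"
    [ "$fv" = on ] && [ "$fw" = on ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_FV_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_FW_OFF='Password Enabled: No'

# Live check: runs only where both tools exist (run the script as root).
if command -v fdesetup >/dev/null 2>&1 &&
   command -v firmwarepasswd >/dev/null 2>&1; then
    audit_summary "$(fdesetup status 2>&1)" "$(firmwarepasswd -check 2>&1)" ||
        echo "WARNING: FileVault or firmware password is not fully enabled" >&2
fi
```

An "unknown" result usually means the command was not run as root or the tool is not present on that model.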
Enable automatic download and installation of software updates.
Mojave (and later):
- Go to System Preferences > Software Update and enable Automatically keep my Mac up to date.
- Ensure all options in Advanced… are enabled.
High Sierra and previous:
- Open the Mac App Store and select Sign in (in the Store menu).
- Enter iTunes and App Store Apple ID credentials and 2-factor verification code if required, accept T&Cs.
- Select the Updates tab, and install any available updates.
- In App Store > Preferences, enable Install app updates and Install macOS updates.
- Install apps and set preferences
- Set up users
[1] On earlier versions, downloading the installer from the App Store might download the full installer, or it might just download a ~20MB bootstrap installer. There are workarounds which may work, including creating the installer on a computer already running High Sierra or later or upgrading first then downloading the installer.
[2] Alternatively, you can pre-select the boot drive in Startup Disk preferences (in System Preferences, unlock the preferences pane by entering an administrator password if required).
[3] It goes without saying (with the exception of down here in the footnotes) that you should copy any data you still want off the old drive before formatting it.
[4] If installing High Sierra or earlier on a machine with a Fusion drive, select ‘Mac OS Extended (Journaled, Encrypted)’, as APFS only supports Fusion drives from Mojave onwards.
[5] At this point, when re-installing High Sierra on a 2011 iMac with Fusion drive, I got a “Mac OS could not be installed on your computer” error. Eventually, I followed the instructions here to completely delete the logical volume group that defines the Fusion drive and recreate it. Also, as suggested in that post, I left the volume name as ‘Untitled’ for the duration of the installation process.
[6] This option should not appear if you skipped signing in with an Apple ID earlier, but if you did sign in, it is useful to leave it enabled (unless you want to set up a hardened machine–this setting means that, if your iCloud account is compromised, your computer is at risk (assuming an attacker with physical access to your computer)).
[7] The ability to restrict booting from USB is a feature of Macs with an integrated T2 chip, currently the iMac Pro and 2018 Mac mini, MacBook Air and MacBook Pro models.