
macOS clean install

These are the instructions I use to do a ‘clean install’ when setting up a ‘new’ Mac, which I seem to do more often than I should (and certainly, way more often than when I actually have a new Mac).

Preparation

Create installer

Modern Macs can upgrade/repair macOS without any install media so long as they have an internet connection. However, there are times when you need installation media, such as when installing a new SSD, or if you want to wipe the machine clean and start again (i.e., perform a ‘clean install’). In this case, you’ll need a USB installer. Apple has instructions for creating installation media. These instructions worked for me when downloading the installer on a computer already running High Sierra or later[1].

Boot drive/recovery mode

To boot from the installation media, reboot the Mac with the USB inserted and hold down Alt during startup to select the boot drive (i.e., the installer you created).

If booting from external volumes is restricted, change this setting first by booting into Recovery Mode (hold down Command + R during startup), then select Utilities > Startup Security Utility. Enter the administrator/firmware password if required, and change the setting to allow booting from external drives. Restart while holding down Alt again, then select the relevant boot drive.

Format drive[2]

Select Utilities > Disk Utility and select the drive you want to format (be sure, of course, to choose the right one). Select Erase, and choose APFS (Encrypted) as the drive format if available[3]. Enter a password for the drive encryption. Save the password in the password manager (and note in the Password hint field that it has been saved there if you like).

APFS (Encrypted) versus FileVault

Historically, Apple has offered FileVault as an encryption solution. APFS supports native encryption, so you would think that ‘FileVault’ would be deprecated, but it lives on in System Preferences > Security & Privacy > FileVault. If you format the startup drive with APFS (Encrypted), ‘FileVault’ will already be turned on in Security & Privacy settings once installation is completed, so it seems that Apple is just applying the FileVault marketing term to the full disk encryption now provided by APFS (i.e. FileVault == APFS (Encrypted)).

Secure erase

For a drive that has previously been encrypted, it is not necessary to overwrite the free space on the disk as any data written there will have been encrypted anyway. However, if reusing a drive that was previously used unencrypted, it may be useful to overwrite the free space. Even then, though, because of the way data are written to SSDs, the original data will quickly become unreadable so unless you are setting up a hardened machine where an attacker may have physical access, it’s probably safe to skip this step.

If you nevertheless want to erase free space:

  • In Recovery mode, go to Utilities > Terminal.
  • Use diskutil list to list available volumes, and note the mount point of the volume you want to secure erase.
  • To erase free space enter diskutil secureErase freespace 0 volumemountpoint, where volumemountpoint is the mount point noted above, e.g.: diskutil secureErase freespace 0 /Volumes/Ardbeg.
  • Level 0 = overwrite with 0s, which takes around two hours for a 1TB SSD on a 2012 MacBook Air. See the diskutil man page (not available in Recovery mode) for more options, but all other options take an inordinate amount of time for a disk of any meaningful size.
  • Format the drive as usual using Disk Utility (APFS (Encrypted) if available).

The diskutil man page offers this warning on the use of diskutil secureErase:

NOTE: This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly "erased" by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).

This is good advice, but it fails to address the situation where you have a disk with unencrypted data on it, that you now want to re-use and need to securely wipe first (for reasons as outlined above). So, all told, maybe you need to do a secure erase one last time, but you shouldn’t need to do it ever again. (This note also confirms our suspicion that APFS encryption == FileVault.)

Install macOS

Now you’re ready to actually install macOS, so boot from the USB installer (hold down Alt during startup to select the boot drive) and select Install macOS. In general, just follow the prompts, making selections as appropriate, taking note of the following:

  • Select appropriate install destination, then enter the drive encryption password you used when formatting the drive. Continue with the installation. When the computer reboots as part of the installation, you will need to enter the drive encryption password again (once macOS is installed, this will no longer be required).
  • Transfer Information to This Mac: select Don’t transfer any information now.

  • Skip signing in with an Apple ID (we will do this later).

  • Create a Computer Account. The user created here will be the default (i.e. first) admin account. I create an admin account here that is distinct from the main user account that I (or other computer users) will use. Remember to use a strong password, and to store it in a password manager–for this reason, I don’t enter anything in the Hint (though you could put in a reminder there to check in your password manager…). Leave the Allow this account to unlock the disk option enabled–this will mean that entering your account password at login decrypts the disk, instead of having to enter the disk encryption password every time. If you are given the option to allow Apple ID to reset your password, you can leave it enabled[4].
  • Re-enter encrypted boot volume password (probably for the last time).

  • In Express Set Up, accept the defaults unless you want to customise settings:
    • You may want to disable Enable Location Services for a hardened machine.
    • Analytics: disable share with Apple and Developers for a hardened machine.
    • Enable Siri and set Siri language.
    • Select light or dark mode (Mojave or later).

This completes initial installation–you should now be logged in.

Tidy-up

Startup Security Utility

Now that we’ve finished with the initial setup, for security, we can turn off the ability to boot from a USB[5] and add a firmware password.

  • Boot into Recovery Mode (hold down Command + R during startup).
  • Select Utilities > Startup Security Utility. When prompted, turn on firmware password, enter it, and save it in a password manager, then reboot (back into Recovery Mode) to activate it.
  • Enter the Startup Security Utility again and change the setting to disable booting from external drives.

Updates

Reboot and log in as admin user.

  • Open the Mac App Store and select Sign in (in the Store menu).
  • Enter iTunes and App Store Apple ID credentials and 2-factor verification code if required, accept T&Cs.
  • Select the Updates tab, and install any available updates.
  • In App Store > Preferences, enable Install app updates and Install macOS updates.
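
A post-install check for the settings configured above (disk encryption, firmware password, automatic updates), as an added example that is not part of the original post. It assumes an Intel Mac (where firmwarepasswd exists) and that the two preference keys read in the live run are the ones behind the App Store checkboxes; the sample text in the fallback branch is constructed.

```sh
#!/bin/sh
# Added example: audit the settings this guide configures after a clean install.
# Each parser takes command output as text, so it can be exercised off a Mac.

# `fdesetup status` prints "FileVault is On." when the startup volume is encrypted.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# `firmwarepasswd -check` (Intel Macs) prints "Password Enabled: Yes" or "... No".
firmware_password_set() {
    printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'
}

# `defaults read <domain> <key>` prints 1 for an enabled boolean preference.
pref_enabled() {
    [ "$1" = "1" ]
}

# audit FDESETUP_TEXT FIRMWARE_TEXT MACOS_UPDATES APP_UPDATES
# Prints one FAIL line per problem; the return status is the number of failures.
audit() {
    failures=0
    filevault_on "$1" ||
        { echo "FAIL: FileVault is not on"; failures=$((failures + 1)); }
    firmware_password_set "$2" ||
        { echo "FAIL: no firmware password"; failures=$((failures + 1)); }
    pref_enabled "$3" ||
        { echo "FAIL: automatic macOS updates are off"; failures=$((failures + 1)); }
    pref_enabled "$4" ||
        { echo "FAIL: automatic app updates are off"; failures=$((failures + 1)); }
    return "$failures"
}

if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    # Live run as root. The two preference keys are assumed to back the
    # App Store checkboxes enabled in the Updates step.
    su_plist=/Library/Preferences/com.apple.SoftwareUpdate
    audit "$(fdesetup status 2>/dev/null)" \
          "$(firmwarepasswd -check 2>/dev/null)" \
          "$(defaults read "$su_plist" AutomaticallyInstallMacOSUpdates 2>/dev/null)" \
          "$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null)" ||
        echo "Fix the items above, then re-run."
else
    # Constructed sample output: encrypted disk, but no firmware password yet.
    audit "FileVault is On." "Password Enabled: No" 1 1 || true
fi
```

Run it with sudo from the admin account once the Updates step is done; no output means every check passed.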

  1. On earlier versions, downloading the installer from the app store might download the full installer, or it might just download a ~20MB bootstrap installer. There are workarounds which may work, including creating the installer on a computer already running High Sierra or later or upgrading first then downloading the installer.

  2. It goes without saying (with the exception of down here in the footnotes) that you should copy any data you still want off the old drive before formatting it.

  3. It may be necessary to play around with this a few times, rebooting between attempts, in particular on a machine with a Fusion drive.

  4. This option should not appear if you skipped signing in with an Apple ID earlier, but if you did sign in, it is useful to leave it enabled (unless you want to set up a hardened machine–this setting means that, if your iCloud account is compromised, your computer is at risk (assuming an attacker with physical access to your computer)).

  5. The ability to restrict booting from USB was, I believe, first introduced in Mojave.