Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5301. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a new rule for MACOS_AMOS_BO_EN, extending coverage of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5301.
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check then enter your admin password. If that returns version 5301 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
I hope that you enjoyed Saturday’s Mac Riddles, episode 312. Here are my solutions to them.
1: Border lake claims it’s both 10 and 1A.
Tahoe
Border lake (Lake Tahoe is on the border between California and Nevada) claims it’s both 10 and 1A (depending on where you look, it reports it’s version 16, 10 in hexadecimal, or 26, 1A in hex).
2: Clearly a new material comes with concentricity.
Liquid Glass
Clearly (it uses transparency) a new material (as Apple describes it) comes with concentricity (markedly rounded corners are an obvious feature).
3: Patented in 1876, it’s finally on its way to our Macs.
Phone
Patented in 1876 (the telephone was patented then by Alexander Graham Bell), it’s finally on its way to our Macs (macOS Tahoe introduces the Phone app).
A cynic might summarise the history of Mac OS in four eras:
rebuilding the Desktop (Classic Mac OS)
repairing system permissions (Mac OS X to OS X 10.10)
resetting Home permissions (OS X 10.11 to macOS 10.15)
cursing privacy protection (macOS 11 onwards).
There is slight overlap between the last two, in macOS 10.14 and 10.15.
Rebuilding the Desktop
Classic Mac OS built its Desktop illusion using hidden databases that associated types of document with icons set by the apps that created them. This was based on two four-character codes in every file to specify the file’s type and creator. Periodically, those databases became damaged and this association stopped working, with the result that all documents were displayed with the same generic icon.
Rebuilding those Desktop databases was initiated by restarting the Mac while holding the Command and Option keys until the dialog was shown. Mac OS then checked through all installed apps to reconstruct their associations with document types.
This had to be repeated for each volume in turn as it was mounted by Mac OS. If there wasn’t sufficient free space on a volume, the process failed. The price of some utilities like TechTool Pro was often justified by the tools they provided for assisting in this process.
Mac OS X ended that reliance on Desktop databases, leaving this to die with Classic Mac OS.
Repairing system permissions
Since its first beta-release, Mac OS X suffered from ill-defined and pervasive problems thought to result from corruption of files used by the system. Until the introduction of System Integrity Protection (SIP) in 10.11 El Capitan, those generally resulted from files within the system acquiring incorrect permissions. Various reasons were proposed for this, including installer scripts that overstepped their bounds.
To address this, Disk Utility had a feature whereby it could check and repair permissions of all major parts of the system, based on information contained in BoM files for system updates and installations. Repairing permissions in this way became one of the main panaceas in older versions of Mac OS X and OS X, and was an important feature in Disk Utility.
Although chiefly intended to provide better security protection, one of the benefits of SIP was that it largely prevented system files from gaining incorrect permissions, and the feature to repair them was removed from Disk Utility. In any case, because of SIP it was no longer possible for Disk Utility to change the permissions of files protected by SIP.
Resetting Home permissions
When macOS 10.12 Sierra was released, a different problem appeared, in which permissions apparently became set incorrectly not in system files generally, but in the user’s Home folder, and specifically in ~/Library/Preferences. To address this Apple added a new verb to the already complex command tool diskutil, resetUserPermissions, and described how to use this in a support note. It’s perhaps no coincidence that this new problem appeared at about the same time that cfprefsd took on the management of those preference files.
At that time, the following problems were attributed by Apple to incorrect permissions in ~/Library/Preferences:
changes to preference settings, particularly those for System Preferences, do not ‘stick’;
changes made to the Dock do not ‘stick’;
you are asked to authenticate when trying to move or alter some folders in your Home folder;
when trying to save, you are told that the file is locked, or that you don’t have permission;
Preview, TextEdit, and App Store apps (which are sandboxed) may crash when opened;
alerts appear warning that the startup disk has no more space available for app memory;
Safari or SafariDAVClient use large amounts of resources (memory);
the Mac runs very slowly;
iTunes cannot sync a device;
there are problems with Photos or iPhoto libraries, including inability to import into the library, or forgetting the library each time the app is opened.
Most if not all of those could be attributable to problems arising from bugs in cfprefsd.
Apple later changed its recommendations to include running a new tool repairHomePermissions in Recovery mode, then re-installing macOS. Shortly afterwards, in June 2020 when Big Sur was in beta, Apple withdrew that support note and all reference to repairing permissions, although the tool is still available in Recovery mode even on Apple silicon Macs.
Cursing privacy protection
Prior to macOS 10.14 Mojave, privacy protection had been limited and largely unobtrusive. We then began to discover that our favourite apps were being locked out of accessing files in many of our working folders.
Thus the era of adding apps to the Full Disk Access list started, and we came to curse the blessing of privacy protection.
Even better, Apple later added extended attributes that could prevent apps perfectly capable of editing documents from being able to save them just when we needed that most. And protected the extended attribute using SIP.
Maybe rebuilding the Desktop databases every couple of months wasn’t so bad after all?
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5300. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version modifies an existing rule for MACOS.a6d7810, whatever that might be.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5300.
Sequoia systems only
This update has just been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check then enter your admin password. If that returns version 5300 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Updated 2215 10 June 2025 with iCloud release information.
As expected, Apple announced the next major version of macOS and its other operating systems, on the opening day of WWDC yesterday. This followed a disarming vision of Craig Federighi sporting a forest of grey hair and racing a Formula 1 car around the roof of Apple Park. Mercifully, that turned out to be a promotion for a new Apple TV+ production titled F1, rather than anything about to happen to macOS. And he didn’t crash.
Previews of each new OS were prefaced by the promise of “big announcements for all of our platforms”, and inevitably opened with plans for Apple Intelligence and Private Cloud Compute. Language support is going to be further extended, and additional new features are going to be announced later during this cycle. Perhaps most important is the news that third-party developers are to be given access to on-device Large Language Models (LLMs) through a Foundation Models Framework. This looks highly accessible, and it will be exciting to see what that enables.
As widely forecast, these new major versions bring a redesign intended to harness the power of Apple silicon, with a look dubbed Liquid Glass. This features layers of translucent controls that adapt to your actions, for example moving out of the way when scrolling. Although this is harmonised across devices, fears that macOS will be ‘dumbed down’ to resemble iOS appear unfounded. Indeed, iPadOS is steadily moving closer to macOS with a more Finder-like Files app, and iPads will at last be able to run background tasks.
Some features of Liquid Glass appear visually stunning, for example when providing 3D effects of depth in lock screen photos. Overall, from the little that has been shown so far, it looks impressive without being obtrusive or irritating. To get the best out of Liquid Glass, apps will need to be rebuilt against the improved API, and their appearance tuned lightly. Some special visual effects may need access to new API features, though.
To get the best out of this new look, icons need to be layered, and adapted for new appearance options including transparent. Apple has provided a new Icon Composer app to support that. Although I doubt whether it will become as popular as ResEdit was in Classic Mac OS, I can see Icon Composer being used more widely than the rest of Xcode.
Hardware support
Surprisingly, four Intel models continue to be supported by Tahoe. The full list given by Apple reads:
MacBook Pro 16-inch 2019, and 13-inch 2020 with four Thunderbolt ports,
iMac 2020,
Mac Pro 2019,
all Apple silicon models from 2020 onwards.
Although those Intel models will be able to use many of the new features in Tahoe, they continue to be unable to access any Apple Intelligence.
This means that Tahoe will continue to be a large Universal binary, and could in theory be supported by OCLP, although that’s likely to be more challenging. Apple has stated explicitly that Tahoe will be the last major version of macOS to support Intel Macs.
Version numbering
As rumoured, Apple has changed the numbering of all its OSes, bringing them in synchrony to version 26. This even applies to the new beta-release of Xcode for Tahoe.
Although that might come as a surprise to some code and scripts, because it’s a higher major version number than Sequoia this should present far fewer problems than did macOS 11 Big Sur. You might still like to check anything of yours that does check version numbers to ensure it doesn’t trip up.
Details
In keeping with the redesign, improvements in folder and icon appearance were mentioned early. Easy folder customisation is coming, allowing the standard icon to be enhanced with the superimposition of symbols and emoji, and its colour changed. Icons can be tinted by the user, as well as being layered in Icon Composer.
Continuity features that integrate Macs with devices are being extended with support for Live Activities added to macOS. The Phone app will be added as well, in its improved form from iOS 26.
Shortcuts gains ‘intelligent’ actions, and will have direct access to LLMs in Private Cloud Compute. Spotlight has undergone a major update, but in Global Spotlight features rather than local search. From the Spotlight icon, there will be intelligent actions integrated with Shortcuts, quick keys abbreviations, and it will be contextually aware. To take advantage of these, third-party apps will need to use App Intents.
Games will be integrated into a new Games app, and gain translucent controls.
The powerful GPUs in Macs supported by Tahoe should also become more capable, with the introduction of Metal 4.
Finally, Tahoe is dropping full first run security checks on notarized apps, which should ensure they all launch blazingly fast. Although a few malicious apps have been inadvertently notarized in the past, running XProtect checks on them seems pointless, as the notarization process involves more extensive checks than those performed by XProtect. If malware has managed to sneak past Apple’s checks and become notarized, then nothing in macOS is going to detect it as being malicious.
Release dates
Apple has already released the first developer beta-test version of Tahoe and its sister OSes. The first public beta is promised for July, and full release of macOS 26.0 is due in the fall/autumn.
I hope that you enjoyed Saturday’s Mac Riddles, episode 311. Here are my solutions to them.
1: Shines a beam of light into files and the web.
Spotlight
Shines a beam of light (a spotlight) into files and the web (it searches both local files, and the web).
2: The detective who found for Apple from 1998.
Sherlock
The detective (Sherlock Holmes, created by Sir Arthur Conan Doyle) who found for Apple (it became the Mac’s search tool) from 1998 (introduced in Mac OS 8.5 in 1998).
3: His faithful assistant came from Karelia and went to Java.
Watson
His faithful assistant (Dr Watson was Sherlock Holmes’ assistant) came from Karelia (developed by Karelia Software) and went to Java (after it was ‘sherlocked’ by Apple, it was ported to Java for Sun).
The common factor
They have all been search tools popular on the Mac.
Until now, LogUI has only been able to access the active log of your Mac, by reading it directly. There are occasions when you can’t do that, or want to preserve the log for future reference. You also can’t browse the log directly on any of Apple’s devices. In these cases, and others, the best solution is to make a logarchive, and browse that instead. I’m delighted to provide an update to LogUI that can browse logarchives, including those created in iOS, iPadOS, and on Apple’s other devices.
What is a logarchive?
A logarchive is an undocumented package containing copies of all the files from the active log at the moment the logarchive was created. They can be opened and browsed by Console, Consolation 3, Ulbow, the log command tool, and now by LogUI. Because they contain all the files that make up the log, they can be large, and typically range in size from about 300 MB to over 1 GB. All the files containing log entries are stored in their original binary tracev3 format, proprietary to Apple, and again undocumented, although that format has been reversed in the past.
Create a logarchive
The easiest way to create a logarchive is to run a sysdiagnose, and that’s the standard way for saving a logarchive on one of Apple’s devices. Methods vary by device, and include:
On a Mac, use the System Diagnostics… option in Activity Monitor’s Action tool, or press the Shift, Command, Control, Option and . keys at the same time, or run sudo sysdiagnose -f ~/Documents to save it to your Documents folder.
On an iPhone or iPad, press and hold both volume buttons and the side or top button at the same time, for about 2 seconds. This combination may trigger other features, though. The sysdiagnose file will be made available in Settings > Privacy & Security > Analytics & Improvements > Analytics Data, from where you can transfer it to your Mac.
Unpack the .tar.gz archive resulting from that, and you’ll find a system_logs.logarchive inside it.
On a Mac, you can instead use the log collect command to create a logarchive directly. For example, log collect --output ~/Documents/my.logarchive --last 5m collects the last 5 minutes of log in the specified logarchive package. macOS security will block you from trying to save that logarchive on an external volume, though.
My free log browser Ulbow uses another method for assembling logarchives, and the next build of LogUI will incorporate that and other tools for working with logarchives.
Browse a logarchive in LogUI
This new build of LogUI has a seventh tool, to Use Logarchive. Click on that and you’ll be prompted to select the logarchive to open and browse.
Because the dates and times used in the logarchive will be different from current clock time, the LogUI window displays red warning text just to the left of the Start time. Set the date and time to a period within the scope of that logarchive, and use the Get Log tool as normal.
The log excerpt shown in the screenshot above is taken from the kernel boot sequence of my iPhone 15 Pro, to demonstrate how this all works.
If you want to return that window to browsing the active log, click on the Use Logarchive tool again, but this time cancel the selection. Other windows will of course continue to browse the active log unless you set them to use a logarchive as well.
Coming soon
Although browsing saved log entries in a logarchive is exactly the same as those of the active log, dates and times can be a pain. If you want to check when log files in a logarchive were written, use the Finder’s contextual menu to show their contents, scroll to the foot of the folders inside, select the Persist folder and check the file creation dates there.
This is made even easier in the forthcoming new build of LogUI, which features a Logarchive Tool to help you navigate logarchives, and learn which date and time ranges are appropriate.
I’ll be along with a new build in a few days, once I have tested and documented its Logarchive Tool. In the meantime, I hope you’ll find LogUI useful for studying the first beta-releases of Apple’s new operating systems.
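Until then, the steps above (unpack the sysdiagnose, find system_logs.logarchive, check the dates in its Persist folder) can be scripted. This is an added example, not part of LogUI or the original article: the function names are made up here, and it reads modification times preserved in the archive rather than the creation dates shown in the Finder.

```python
"""Added example: date range covered by the logarchive in a sysdiagnose."""
import os
import shutil
import sys
import tarfile
from datetime import datetime, timezone
from pathlib import Path, PurePosixPath

PACKAGE = "system_logs.logarchive"  # package name given in the text above


def extract_logarchive(sysdiagnose_tgz, dest):
    """Unpack only system_logs.logarchive from a sysdiagnose .tar.gz.

    Files are written one at a time, so links, device nodes and '..'
    components in an archive received from someone else are never honoured.
    Returns the path of the unpacked logarchive package inside dest.
    """
    dest = Path(dest).resolve()
    found = False
    with tarfile.open(sysdiagnose_tgz, "r:gz") as tar:
        for member in tar:
            parts = PurePosixPath(member.name).parts
            if PACKAGE not in parts or not member.isfile():
                continue
            if ".." in parts:
                raise ValueError(f"unsafe path in archive: {member.name!r}")
            # Keep the path from the package name downwards only.
            target = dest.joinpath(*parts[parts.index(PACKAGE):])
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            # Restore the timestamp recorded in the archive.
            os.utime(target, (member.mtime, member.mtime))
            found = True
    if not found:
        raise FileNotFoundError(f"no {PACKAGE} in {sysdiagnose_tgz}")
    return dest / PACKAGE


def persist_time_range(logarchive):
    """Return (earliest, latest, file_count) for Persist/*.tracev3, in UTC.

    Uses each file's modification time (when it was last written), so
    entries can start a little before the earliest time returned.
    """
    stamps = sorted(p.stat().st_mtime
                    for p in (Path(logarchive) / "Persist").glob("*.tracev3"))
    if not stamps:
        raise FileNotFoundError("no tracev3 files in Persist")

    def as_utc(stamp):
        return datetime.fromtimestamp(stamp, tz=timezone.utc)

    return as_utc(stamps[0]), as_utc(stamps[-1]), len(stamps)


if __name__ == "__main__":
    # Usage: python3 logarchive_range.py sysdiagnose.tar.gz output_folder
    package = extract_logarchive(sys.argv[1], sys.argv[2])
    first, last, count = persist_time_range(package)
    print(f"{package}: {count} Persist files, {first:%Y-%m-%d %H:%M} "
          f"to {last:%Y-%m-%d %H:%M} UTC")
```

Times are reported in UTC, so convert them to local time before setting the Start time in a log browser.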
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5299. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds three new rules, for MACOS_ODYSSEY_A, MACOS_ODYSSEY_B and MACOS_SOMA_M.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5299.
Sequoia systems only
This update has now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check then enter your admin password. If that returns version 5299 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Updated 1845 GMT 4 June 2025 with iCloud availability at last.
I hope that you enjoyed Saturday’s Mac Riddles, episode 310. Here are my solutions to them.
1: London to Pontarddulais in Macs for six months.
M4
London to Pontarddulais (route of the M4 motorway in Britain) in Macs for six months (first shipped in Macs last November).
2: Jupiter’s flash now reaches 80 for the Pros.
Thunderbolt 5
Jupiter’s flash (a thunderbolt) now reaches 80 (it offers 80 Gb/s transfer rates) for the Pros (it’s available in M4 Pro and Max chips).
3: Very long run from the Thames to Eastleigh came to the workshop in March.
M3 Ultra
Very long run (an ultra) from the Thames to Eastleigh (route of the M3 motorway in England, from Sunbury-on-Thames) came to the workshop in March (first available in the Mac Studio of March 2025).
The common factor
They’re all new hardware in Macs released over the last six months or so.
With strong rumours that Apple intends changing its version numbering system for the next major release of macOS and its other operating systems, it’s a good time to see how we got to macOS 15.
Early Classic Mac OS
The first version of Classic Mac OS released with the original Macintosh 128K naturally came with System 1.0 and Finder 1.0. Within a few months, version numbering was already becoming confusing, when the successor System Software 0.1 had apparently started at 0.0, but the System itself had reached 1.1. This worsened when System Software 1.0 was released two years later, and came with System 3.1 and Finder 5.2.
Apple then adopted its first triplet numbering scheme that resembled modern Semantic Versioning in System 6.0 of June 1988. Over the following three years that worked its way steadily up to version 6.0.8, then handed over to System 7 on 13 May 1991 without any minor versions being released.
System 7
The first full use of the triplet numbering scheme came with System 7. That had four minor versions, 7.0, 7.1, 7.5 and 7.6, with each having patch releases such as 7.0.1 in between. This scheme followed the rules:
the first number gives the major version;
the second number gives the minor version that should remain backward-compatible in its changes;
the third number gives the patch version denoting backward-compatible bug fixes.
It was then that Apple started to release special versions of Mac OS to support new models, for example 7.1P5 for Performa models, complicating the numbering. This was even worse with System 7.1.2, which was only supplied with some early Power Macs and a few 68K Quadra models. That was accompanied by System 7.1.2P, a special version for models released around the time that Apple also released System 7.5, in September 1994.
System 7.5 brought a different numbering scheme to deal with exceptions. For example:
System 7.5.3 Revision 2 followed 7.5.3 without any Revision 1, and made various improvements;
System 7.5.3 Revisions 2.1 and 2.2 were released on the same day to address problems with Revision 2 on different models;
System 7.5.4 was never released at all, and the next release was 7.5.5.
Fortunately, the remaining versions of Classic Mac OS were conventional in their numbering, until the last in Mac OS 9.2.2 in December 2001.
Mac OS X
The public beta of Mac OS X introduced build numbers to supplement their triplet version numbering. At this time, the build number was based broadly on three components:
the first number or build train gives the major version, starting from 4 for 10.0, as this includes NeXTSTEP up to version 3;
the letter gives the minor version number, starting from A, which can also be bumped for hardware-specific builds, so may not match the triplet minor version number;
the remaining number is the sequential build number within that minor version, usually incremented daily. That’s normally three digits, but an additional digit can be prefixed to indicate specific hardware platforms.
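The three components listed above can be pulled apart and compared in code, for instance to check that a Mac is running at least a given build. This is an added example, not Apple's or the original article's code: the names are made up here, the sample build strings are chosen for illustration, and the trailing lowercase letter and the trains from 20 upwards are details of released builds that the text does not cover.

```python
"""Added example: parsing macOS build numbers such as 24F74."""
import re
from dataclasses import dataclass
from typing import Optional

# train digits, one capital letter, up to four digits, optional lowercase letter
_BUILD = re.compile(r"^(\d{1,2})([A-Z])(\d{1,4})([a-z]?)$")


@dataclass(frozen=True, order=True)
class Build:
    """Fields are ordered so that builds compare train, letter, then number."""
    train: int        # build train: 4 for Mac OS X 10.0
    letter: str       # minor version letter, starting from A
    number: int       # build number, including any prefixed platform digit
    suffix: str = ""  # lowercase letter on pre-release builds (not in the text)

    @property
    def nominal_minor(self) -> int:
        """A -> 0, B -> 1, ...; may not match the triplet minor version."""
        return ord(self.letter) - ord("A")

    @property
    def platform_prefix(self) -> Optional[int]:
        """The digit prefixed to the usual three, or None when absent."""
        return self.number // 1000 if self.number >= 1000 else None

    @property
    def sequence(self) -> int:
        """Sequential build number within the minor version."""
        return self.number % 1000

    def major_release(self) -> Optional[str]:
        """Major release for this train, or None if it isn't known here."""
        if 4 <= self.train <= 19:
            return f"10.{self.train - 4}"   # rule from the text: 4 is 10.0
        if 20 <= self.train <= 24:
            return str(self.train - 9)      # macOS 11 to 15 (not in the text)
        if self.train == 25:
            return "26"                     # macOS 26 Tahoe (not in the text)
        return None


def parse_build(text: str) -> Build:
    """Parse a build number, raising ValueError for anything else."""
    match = _BUILD.match(text.strip())
    if not match:
        raise ValueError(f"not a build number: {text!r}")
    train, letter, number, suffix = match.groups()
    return Build(int(train), letter, int(number), suffix)


def at_least_build(reported: str, minimum: str) -> bool:
    """True when the reported build is the minimum build or a later one."""
    return parse_build(reported) >= parse_build(minimum)


if __name__ == "__main__":
    for sample in ("4K78", "19H1824", "24F74"):  # illustrative inputs
        build = parse_build(sample)
        print(sample, build.major_release(), build.nominal_minor,
              build.platform_prefix, build.sequence)
```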
Triplet versions and build numbers were surprisingly well behaved until 2010, although separate build numbers were used during the transition from PowerPC to Intel architecture in Mac OS X 10.4 Tiger.
The first signs of complications came with Mac OS X 10.6.3, in March-April 2010, which came in three different builds and a v1.1, and 10.6.8 also had a v1.1 released a month after the original update. Mac OS X 10.7 Lion set a trend for a final Supplemental Update to 10.7.5, and frequent Security and Supplemental Updates became the rule by 2018, with macOS 10.12 Sierra and its successors.
By 2019, these updates had become uncontrollable. macOS 10.14 Mojave, for example, had three Supplemental Updates in the two months after its final release, named as 10.14.6 Supplemental Update, 10.14.6 Supplemental Update (a second time), and 10.14.6 Supplemental Update 2 (really 3).
macOS 11
The first version of macOS to support Apple silicon Macs, macOS 11 Big Sur, had been generally expected as macOS 10.16, but shortly before its announcement at WWDC in June 2020 the decision was made for it to become macOS 11, incrementing the major version number for the first time in almost 20 years. As that reset the minor version number from 15 to 0, there was the potential for chaos, as many scripts and much code had come to ignore the major version number, and to rely on the minor version to determine which release was running.
To cater for this, when those scripts and code checked ProcessInfo.processInfo.operatingSystemVersion.minorVersion (or its equivalent), Big Sur identified itself as macOS 10.16. Apps ported to Xcode 12 used the 11.0 SDK; when they checked ProcessInfo.processInfo.operatingSystemVersion.minorVersion (or its equivalent), Big Sur identified itself as macOS 11.0. Those who relied on command tools were provided with a workaround, as sw_vers -productVersion returned 10.16 when running in Big Sur on an Intel Mac, but 11.0 on an Apple silicon Mac.
This enabled Apple to return to a triplet scheme without the complications of Supplemental Updates or other vagaries. Each year’s major version of macOS has thus been x.0, with scheduled minor versions numbered from x.1 to x.5 or x.6, and intermediate patch releases (usually security updates) from x.x.1 upwards. At the end of its year as the current release of macOS, x.6 marked the start of its first year of security-only support, and x.7 for the second and final year. The exception to this has been Sonoma, which started its first year of security-only support with version 14.7, so its security updates have coincided in their minor and patch numbers with the older Ventura.
The only complication to this much clearer system was introduced in Ventura with Rapid Security Responses (RSRs). Those didn’t change the triplet version, as macOS proper remained unchanged, but added a letter to form, for example, macOS 13.4.1 (c). That proved clumsy, and when reflected in a resulting Safari version number it broke a lot of major websites that were unable to identify the browser version correctly. Since RSRs have fallen out of favour, this proved to be a passing phase.
When I wrote about the unexpected change in version numbering brought in Big Sur, I claimed that “no matter what Apple may eventually settle on, I shouldn’t have to change that again for many years.” I’m not sure that five counts as many, but here we go again.
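The minor-version habit that Big Sur's 10.16 was designed to accommodate, and which is worth re-checking before version 26 arrives, is shown here beside a comparison of the whole triplet. This is an added example, not code from the original article: the function names and sample version strings are made up, and treating 10.16 as 11.0, the lowest release it can stand for, is this example's own choice so that checks needing anything newer fail closed.

```python
"""Added example: macOS version checks across 10.15 -> 11 -> 15 -> 26."""
import re

# Triplet with optional minor and patch, and an optional Rapid Security
# Response letter such as the "(c)" in "13.4.1 (c)".
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*\([a-z]\))?$")

# Constructed sample inputs covering each numbering era described above.
SAMPLES = ["10.14.6", "10.15.7", "10.16", "11.0", "13.4.1 (c)", "15.5", "26.0"]


def parse_version(text):
    """Return (major, minor, patch) as integers; missing parts become 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"not a macOS version: {text!r}")
    version = tuple(int(part) if part else 0 for part in match.groups())
    # 10.16 is the compatibility answer Big Sur gave to older code.
    # Map it to 11.0.0 so it never satisfies a requirement above that.
    if version[:2] == (10, 16):
        version = (11, 0, 0)
    return version


def legacy_minor_check(reported, minimum_minor):
    """The old habit: ignore the major version and compare minor only."""
    return int(reported.split(".")[1]) >= minimum_minor


def at_least(reported, minimum):
    """Compare the whole triplet, major version first."""
    return parse_version(reported) >= parse_version(minimum)


def compare(minimum="10.15"):
    """Run both checks over SAMPLES: (version, legacy result, full result)."""
    minimum_minor = parse_version(minimum)[1]
    return [(version,
             legacy_minor_check(version, minimum_minor),
             at_least(version, minimum))
            for version in SAMPLES]


if __name__ == "__main__":
    for version, legacy, full in compare():
        flag = "" if legacy == full else "  <- minor-only check is wrong"
        print(f"{version:12} legacy={legacy!s:5} full={full!s:5}{flag}")
```

With a minimum of 10.15, the minor-only check gives the right answer for 10.16 but the wrong one for 11.0, 13.4.1 (c), 15.5 and 26.0.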
Searching for a file with a distinctive word in its name should be straightforward, but here I show some weird problems that could catch you out. I’m very grateful to Sam for drawing my attention to this, and welcome all and any rational explanations of what’s going on.
In some accounts of ancient Greek mythology, Cleta (Κλήτα) was one of the two Charites or Graces, alongside Phaenna. Her name apparently means renowned, and is still occasionally used as a first name today. It’s not the sort of word that should give Spotlight any cause for concern, and should prove easy to find.
Demonstration
To see the problems it can cause, create a folder somewhere accessible, in ~/Documents perhaps, and create half a dozen files with the names shown below.
Now open a new Finder window, and set it to Find mode using that command at the foot of the File menu. Then type into its search box the letters cleta
Only four of the files in that folder are found, excluding the first two, despite the fact that all their names clearly contain the search term.
Now clear the search box, and in the search criterion below, set it to find Name contains cleta, which you might have thought would be the same as the previous search.
Now all six files are found successfully.
You can try other variations of the file name to see which can be found using the search box, and which remain hidden. For example, 1995z_spectacletable_01.txt also appears susceptible to this problem, suggesting that other examples might have the form [digits]_[chars]cleta[chars]_[digits].[extension]
Separators
There are some other oddities at work as well, that you can see in the four file names that haven’t yet played hide and seek. So far I’ve been using Spotlight to find file names that simply contain the characters cleta. Now extend that to cletapainting
While you would expect the second of those to appear, Spotlight has elided the hyphen embedded in the first, as if it wasn’t there. Although Spotlight doesn’t provide a simple way to search for discrete words in file names, that’s a feature readily accessible in several third-party search utilities, including Find Any File and HoudahSpot. If you use Spotlight much, both of those are essentials, and you may wish to add Alfred as well.
As expected, Find Any File has no problems in finding all six test files when looking for names containing cleta
Set it to find names containing the word cleta, though, and it recognises spaces, hyphens and underscore _ characters as word separators, but doesn’t oblige with CamelCase, whether or not you capitalise its initial character.
Conclusions
Avoid using the characters cleta in file names, as they can confuse Spotlight.
Leave the search box in the Finder’s Find window empty and construct your search in the lower search bars instead.
Spotlight can overlook hyphens in file names, but does treat them as word separators.
Searching for words in file names can treat spaces, hyphens and underscore _ characters as word separators, but can’t cope with CamelCase.
Spotlight’s rules are largely unwritten. Apple’s brief account is here, and doesn’t even mention the name Cleta.
My thanks again to Sam for providing me with the example of cleta that made this possible if apparently highly improbable.
Postscript
For those who think this all works as they expect, try the following file name:
A basic Mac system consists of the Mac itself and external storage for its backups, and is by far the most popular configuration. For many folk backing up the whole of its Data volume is wise, but that isn’t always the most economical. If the Data volume contains large items that don’t need to be backed up as often as its working folders, that can waste space. This article shows how you can make it more efficient without additional cost or hardware.
Backups and local snapshots
Most good backup utilities including Time Machine also make local snapshots of the volumes they back up. Let’s say your Data volume contains 100 GB of files that either change little or don’t need to be backed up as frequently as the rest. One proven strategy for minimising the time and storage required for backups is to add those to the exclusion list, and back them up separately, maybe only once a week. You can do that to another volume on external storage, provided you ensure there’s sufficient space for both that and your normal automatic backups.
What that doesn’t do is keep those 100 GB out of the frequent snapshots made of the Data volume. While you can exclude files and folders from backups, snapshots always include everything in that volume, without exclusions. The only way to save the space they add to snapshot size is to move them to another volume that doesn’t get snapshots made of it. But your Mac’s standard disk layout doesn’t provide any spare volume for that.
This could apply to all sorts of relatively static data that doesn’t need Time Machine’s automatic hourly backups, including Virtual Machines and some large media libraries, although you won’t then be able to share these in iCloud Drive, which would require them to be in your Data volume.
Boot disk layout
Standard layout of the internal SSD of an Apple silicon Mac running Sequoia or earlier is shown below.
Intel Macs have the same Apple APFS container with the Boot Volume Group in it, but the other two containers are replaced by a single small EFI partition.
Adding another partition or container is possible, but not recommended as it has a fixed size, and lacks the flexibility of a volume. It also risks disturbing the three existing partitions/containers. As they’re essential for the Mac to start up successfully, you don’t want to meddle with them.
In practice, the best place to add a new volume is inside the third container, the one already holding the System and Data volumes. Add that in Disk Utility once you’ve decided the next two steps.
Limit volume size
Your new volume is going to share space in its container with all the existing volumes, including both System and Data. It’s usually wise to impose a maximum limit on the size it can grow to, to avoid compromising any of those. When you add the new volume, put a sensible limit on its Quota Size.
Encryption
Although Apple’s documentation isn’t explicit, volumes added to the boot container aren’t protected by FileVault, unlike the Data volume. If you want your extra volume to be encrypted, you’ll have to format it in APFS (Encrypted). Whether that’s accelerated by the hardware in the Secure Enclave isn’t clear, and on Apple silicon Macs it’s hard to tell the difference, as you should get similar full speed performance from your extra volume to that of the Data volume.
Setting it up
Open Disk Utility, ensure its View options are set to Show All Devices, then select the Container holding the boot volumes. Click the + tool to add the new volume.
Give the volume a name, then click on the Size Options… button.
Enter your chosen Quota Size, as the maximum you want to allow the extra volume to use on the boot SSD, and click OK.
Then select whether you want it formatted in plain APFS, or encrypted, and click the Add button.
If you’ve opted for APFS (Encrypted) you’ll then be prompted to enter the encryption password. Unlike FileVault, there’s no option for a Recovery Key, or for iCloud Recovery.
When you first unlock the extra volume, you’ll be given the option to save its password to your keychain. That confirms this isn’t being performed by FileVault, as that protects its encryption keys in the Secure Enclave.
There are a couple of quirks:
If you try unmounting the extra volume using the Finder’s contextual menu, macOS might try to unmount all volumes on the boot disk, and warn you that it can’t. Simply cancel those warnings, and the extra volume should unmount fine. If you’re worried by this, unmount the volume in Disk Utility, which isn’t as silly.
You can use the Finder contextual menu to encrypt or decrypt the volume if you change your mind.
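The same setup can be scripted with diskutil. The wrapper below is an added example, not part of the original article: it builds the diskutil apfs addVolume command with a mandatory quota and optional encryption, and only prints it unless APPLY=1 is set. The container identifier disk3, the volume name Extra and the quota 200g are constructed sample values, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: dry-run-by-default wrapper around `diskutil apfs addVolume`.
# disk3, Extra and 200g are constructed sample values, not from the article.

# add_extra_volume CONTAINER NAME QUOTA MODE
#   CONTAINER  APFS container holding the boot volumes, e.g. disk3
#   NAME       name for the new volume
#   QUOTA      maximum size, e.g. 200g (this sketch accepts whole g or t only)
#   MODE       plain | encrypted
# Prints the command unless APPLY=1 is set in the environment.
add_extra_volume() {
    container=$1; name=$2; quota=$3; mode=$4

    # A container is a whole-disk identifier; reject slices such as disk3s5.
    if ! printf '%s\n' "$container" | grep -Eq '^disk[0-9]+$'; then
        echo "error: container must look like diskN" >&2; return 2
    fi
    # The article advises capping the volume, so a quota is mandatory here.
    if ! printf '%s\n' "$quota" | grep -Eq '^[1-9][0-9]*[gGtT]$'; then
        echo "error: quota must look like 200g or 1t" >&2; return 2
    fi
    case $name in
        ''|*/*) echo "error: bad volume name" >&2; return 2 ;;
    esac

    # Build the argument list in the function's own positional parameters.
    set -- apfs addVolume "$container" APFS "$name" -quota "$quota"
    case $mode in
        plain) ;;
        # -passprompt asks interactively, so the password never appears in
        # shell history or the process list. There is no recovery key.
        encrypted) set -- "$@" -passprompt ;;
        *) echo "error: mode must be plain or encrypted" >&2; return 2 ;;
    esac

    if [ "${APPLY:-0}" = 1 ]; then
        command -v diskutil >/dev/null 2>&1 || {
            echo "error: diskutil not found (macOS only)" >&2; return 3; }
        diskutil "$@"
    else
        printf 'diskutil %s\n' "$*"
    fi
}

# Dry run with the constructed sample values.
add_extra_volume disk3 Extra 200g encrypted
```

Check the container identifier with diskutil list before setting APPLY=1, as it differs between Macs.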
Summary
To save space in local snapshots made for backups of your Data volume, move bulky items that you back up separately to an extra volume alongside the Data volume.
Set a Quota Size on the extra volume to limit the maximum space it can take.
Use plain APFS or APFS (Encrypted) as the extra volume can’t be protected by FileVault.
If you encrypt the volume, safeguard its password as there’s no recovery option if you lose it.
The extra volume performs as well as any other volume on the internal SSD, and is far faster than using external storage.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5298. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds new rules for MACOS.ADLOAD.CODEP, MACOS.ADLOAD.BYTE.B and MACOS.PIRRIT.OP.OBF, and amends the rule for MACOS.PIRRIT.BM.OBF.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5298.
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5298 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
I hope that you enjoyed Saturday’s Mac Riddles, episode 308. Here are my solutions to them.
1: One of two of the three at the start, he left for 12 years with the successor before returning for one more thing.
Steve Jobs (1955-2011)
One of two of the three at the start (co-founder of Apple with Steve Wozniak and Ronald Wayne), he left for 12 years with the successor (from 1985-1997 he ran NeXT) before returning (in 1997, when Apple bought NeXT) for one more thing (his catch-phrase used to introduce a new product at the end of a keynote). Wikipedia.
2: Writer for Bannister and Crun who originated and named it without a mouse.
Jef Raskin (1943-2005)
Writer for Bannister and Crun (he first worked for Apple as a contract writer through his company Bannister and Crun) who originated and named it (he created and named the Macintosh project in 1979) without a mouse (he originally disliked the mouse). Wikipedia.
3: First to copy and paste, then changed Pascal and Newton, but was always modeless.
Larry Tesler (1945-2020)
First to copy and paste (he devised these when working at Xerox PARC), then changed Pascal (he worked with Niklaus Wirth to develop Object Pascal for Lisa and Mac) and Newton (he led development of Apple’s Newton device), but was always modeless (throughout his career he eschewed modal interfaces). Wikipedia.
The common factor
They’re three of the most influential people responsible for the development of the Mac.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5297. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a single new rule for MACOS.SOMA.L.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5297.
Sequoia systems only
This update has now been released for Sequoia via iCloud, as of 1930 GMT. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5297 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
I hope that you enjoyed Saturday’s Mac Riddles, episode 307. Here are my solutions to them.
1: Workshop exhibition with thunder and lightning from the A13 in 68.58 cm.
Studio Display
Workshop (a studio) exhibition (a display) with thunder and lightning from the A13 (it contains an Apple A13 Bionic chip with CPU cores named Thunder and Lightning) in 68.58 cm (27 inches).
2: First person seed vessel contact takes music wherever.
iPod Touch
First person (I) seed vessel (a pod) contact (touch) takes music wherever (it does). (The first model came with a Samsung S5L8900 ARM SoC.)
3: Notes of brief communication from a pioneering mathematician.
MessagePad
Notes (in a pad) of brief communication (a message) from a pioneering mathematician (Sir Isaac Newton). (It came with an ARM 610 processor running at 20 MHz.)
In computing, the term Quality of Service is widely used to refer to communication and network performance, but for Macs it has another more significant meaning, as the property that determines the performance of each thread run on your Mac, most importantly in Apple silicon chips.
Processes and threads
Each process running on your Mac consists of at least one thread. Threads are single flows of code execution run on one CPU core at a time, sharing virtual memory allocated to that process, but with their own stack. In addition to the process’s main thread, it can create additional threads as it requires, which can then be scheduled to run in parallel on different cores. As all recent Macs have more than one core, processes with more than one thread can make good use of more than one core, and so run faster.
Take the example of a file compressor. If it’s coded so that it can perform its compression in four threads that can be run simultaneously, then it will compress files in roughly a quarter of the time when it runs on four CPU cores, compared with running on a single core (ignoring input and output to disk).
That only works when those four cores are all free. If your Mac is also trying to build its Spotlight indexes at the same time, the threads doing that will compete with those of your compression app. That’s where the thread’s Quality of Service (QoS) settings come in, as they assign priority. On Apple silicon Macs, a thread’s QoS will also help determine whether it’s run on its Performance or Efficiency cores.
Standard QoS settings
QoS is set by the process, and is normally chosen from the standard list:
QoS 9 (binary 001001), named background and intended for threads performing maintenance, which don’t need to be run with any higher priority.
QoS 17 (binary 010001), utility, for tasks the user doesn’t track actively.
QoS 25 (binary 011001), userInitiated, for tasks that the user needs to complete to be able to use the app.
QoS 33 (binary 100001), userInteractive, for user-interactive tasks, such as handling events and the app’s interface.
There’s also a ‘default’ value of QoS between 17 and 25, an unspecified value, and in some circumstances you might come across others used by macOS.
These are the QoS values exposed to the programmer. Internally, macOS uses a more complex scheme with different values.
CPU core type
When running apps on Intel Macs, because all their CPU cores are identical, QoS has more limited effect, and is largely used to determine priority when there are threads queued for execution on a limited number of cores.
Apple silicon Macs are completely different, as they have two types of CPU core, Efficiency (E) cores designed to use less energy and normally run at lower frequencies, and Performance (P) cores that can run at higher frequencies and deliver maximum performance, but using more energy.
QoS is therefore used to determine which type of core a thread should be run on. Threads with a QoS of 9 (background) are run on E cores, and can’t be promoted to run on P cores, even when there are inactive P cores and the E cores are heavily loaded. Threads with a QoS of 17 and above will be preferentially run on P cores when they’re available, but when they’re all fully occupied, macOS will run them on E cores instead. In that case, the E cores will be run at higher frequencies for better performance with less economy.
If your Apple silicon Mac has a base variant chip with 4 E and 4 P cores, this results in the following:
apps with a total of up to 4 threads at high QoS will be scheduled and run at full speed on the P cores;
when those P cores are all busy with high QoS threads, running another thread will then result in that being run on the E cores, and slightly slower than it would on a P core;
a total of 8 high QoS threads can thus be run on P and E cores together;
when running low QoS background threads on E cores, a maximum of 4 can be run at any time when the E cores are available, but those threads can’t spill over and run on the P cores, even if those are idle.
Controls
As QoS is normally set either by the process for its threads, or for services in their LaunchDaemon or LaunchAgent property list, the user has little direct control. A few apps now provide settings to adjust the QoS of their worker threads. Among those are the compression utility Keka, together with a couple of my own utilities such as the Dintch integrity checker.
In Keka’s settings, you can give its tasks a maximum number of threads, and even run them at custom Quality of Service (QoS) if you want them to be run in the background on E cores, and not interrupt your work on P cores.
Dintch has a simple slider, with the green tortoise to run it on E cores alone, and the red racing car at full speed on the P cores.
App Tamer and taskpolicy
The great majority of threads run at low QoS on the E cores are those of macOS and its services like Spotlight indexing. When a thread has already been assigned a low QoS, there’s currently no utility or tool that can promote it so it’s run at a higher QoS. In practice this means that you can’t accelerate those tasks.
What you can do, though, is demote threads with higher QoS to run at low QoS, more slowly and in the background. The best way to do this is using St. Clair Software’s excellent utility App Tamer. If you prefer, you can use the taskpolicy command tool instead. For instance, the command
taskpolicy -b -p 567
will confine all threads of the process with PID 567 to the E cluster, and can be reversed using the -B option for threads with higher QoS (but not those set to low QoS by the process).
That can be seen in this CPU History window from Activity Monitor. An app has run four threads, two at low QoS and two at high QoS. In the left side of each core trace they are run on their respective cores, as set by their QoS. The app’s process was then changed using taskpolicy -b and the threads run again, as seen in the right. The two threads with high QoS are then run together with the two with low QoS in the four E cores alone.
Virtualisation
Although Game Mode does alter the effects of QoS and core allocation, its impact is limited. The one significant exception to the way that QoS works is in virtualisation.
macOS Virtual Machines running on Apple silicon chips are automatically assigned a high QoS, and run preferentially on P cores. Thus, even when running threads at low QoS, those are run within threads on the host’s P cores. This remains the only known method of electively running low QoS threads on P cores.
Key points
Threads are single flows of code execution run on one CPU core at a time, sharing virtual memory allocated to that process, but with their own stack.
Apps and processes set the Quality of Service (QoS) for each of the threads they run.
On Apple silicon chips, a low QoS of background results in a thread being run on E cores alone.
Higher QoS threads are preferentially allocated to P cores, but when those aren’t available, the threads will be run on E cores at high frequency.
Some apps now provide controls over the QoS of their worker threads.
App Tamer and taskpolicy let you demote high QoS threads to be run with low QoS on the E cores, but can’t promote low QoS threads to run faster on P cores.
Virtual machines run all threads at high QoS as far as the host Mac is concerned.
I hope that you enjoyed Saturday’s Mac Riddles, episode 306. Here are my solutions to them.
1: Where I left my heart in our words since 2015.
San Francisco
Where I left my heart (I Left My Heart in San Francisco) in our words since 2015 (when it became the system font across all Macs and Apple’s devices, now abbreviated to SF).
2: The first windy city from Susan Kare until 1997.
Chicago
The first (the first system font on the Mac from 1984) windy city (Chicago) from Susan Kare (she designed the font) until 1997 (when it was replaced by Charcoal).
3: Bigelow and Holmes brought great clarity for the millennium.
Lucida Grande
Bigelow and Holmes (it was designed by Charles Bigelow and Kris Holmes) brought great (grande) clarity (the origin of Lucida) for the millennium (it was adopted as the system font from 1999-2000 onwards).