Level 2 Clean Install of Ventura Solves Deep-Rooted Problems
TidBITS readers have recently asked me a few times if I think macOS 13 Ventura is mature enough to install on their Macs. My short answer was, “Yes, it’s fine,” because I have been running Ventura on my M1 MacBook Air since the beta last year and have experienced no problems. The longer answer was, “But I still haven’t upgraded my iMac, and once I do, I’ll write about it.”
You might wonder why I don’t keep my Macs in sync all the time. Even when a new version of macOS is working well, I like to keep one of my Macs on the previous release until I feel confident recommending the upgrade to everyone. Having the previous release available helps me compare behaviors or interfaces between the two and see if bugs have been fixed or introduced. (We won’t speak here of the abomination that is Ventura’s System Settings; it’s not a reason to avoid upgrading, but it is undeniably awful.)
So if you’ve been waiting for us to give the go-ahead, I encourage you to upgrade when convenient. As always, I recommend Joe Kissell’s Take Control of Ventura for upgrade help. Now here’s why it took me so long.
Kernel Panics and Boot Authentication Failures
I wasn’t been sticking with macOS 12 Monterey on my 2020 27-inch iMac because of concerns about Ventura reliability or app incompatibility. Instead, I had put off the upgrade because I wanted to perform a time-consuming clean install that I hoped would resolve two long-standing problems.
First, and most notable, was a series of kernel panics that started in mid-2021 in macOS 11 Big Sur and persisted through Monterey. My iMac sometimes panicked twice a day; more commonly, a week or two would pass between panics. Several times it even worked perfectly for 2 to 4 months before succumbing to another spate of panics. (I know all this because I saved 47 panic reports manually in my BBEdit Notes window. macOS used to generate panic logs that I could access in Console. Those logs may still be created, but I can’t find them.) The kernel panics almost never happened when I was sitting in front of the Mac, and once I restarted, macOS restored the state of the Mac to where I was before the panic. While extremely troubling, they weren’t all that disruptive.
The second problem was less frequent but equally inexplicable. Whenever I installed a minor macOS update, the first boot afterward wouldn’t have access to my keychain for some reason, so that when all my usual apps launched, I was plagued by so many authentication requests (20? 50?) that I had to fight off the dialogs and restart again. On that next restart and every subsequent one, everything was fine. (Fellow TidBITS writer Glenn Fleishman had a similar ongoing problem with privacy preferences after restarts. He wrote up a nuclear solution for fixing it.)
This problem has bedeviled me since at least macOS 10.13 High Sierra, and persisted through macOS 12 Monterey. I assumed it was software cruft because my workaround was to switch to an otherwise unused admin account before updating, suggesting that the problem was related to my account. However, I could never root out anything that helped, like a corrupted preference file.
Could a clean install eliminate these annoyances?
Levels of Clean Install
When I say “clean install,” I mean something more significant than the term generally implies. A clean install usually refers to reformatting the Mac’s boot drive and installing a fresh copy of macOS before restoring apps, settings, and data from a backup. Let’s call that a “Level 1 clean install.”
It’s no longer particularly helpful. Since Big Sur, your Mac’s drive is split into two parts, even though it still presents as a single volume in the Finder. All your data lives on one read/write volume, while all system files are locked on a separate, read-only, cryptographically signed volume called the Sealed System Volume. For security reasons, Macs don’t boot directly from that volume but instead from a snapshot of the system. Since every component is signed, any file being modified or corrupted in the smallest way—as little as a single bit flipped—due to a failure of the underlying storage will cause the seal to be invalid, and macOS will refuse to boot. The same would be true if someone developed malware that could unfathomably pierce the locked volume.
In other words, if anything is wrong with your installation of macOS, your Mac won’t boot at all. At least that’s what Apple says—I’ve never actually seen a Mac refuse to boot because of such a problem.
My iMac never refused to boot, and it installed the upgrade from Big Sur to Monterey and numerous minor updates within each major version without complaint. Resetting NVRAM, running hardware diagnostics, unplugging USB and Thunderbolt devices, and anything else I could think of made no difference or gave any hints toward a solution. My next step was a Level 2 clean install.
Given my role in the Mac world, I install a vast amount of software. In my Applications folder in Monterey, I had 236 items. Some dated back to early 2017, the last time I performed a Level 2 clean install. I don’t even recognize all the apps’ names! The problem is that some of these apps installed kernel extensions and other system-level components over the years, and while Apple’s macOS installer tries to disable crufty old bits that could cause problems, it’s not entirely effective.
Here’s how I perform a Level 2 clean install:
- I make several backups and verify that they’re good.
- To get started, I boot into macOS Recovery and erase the boot drive.
- Next, I install macOS, which takes a very long time.
- When restoring from my backup in Setup Assistant, I select the contents of my home folder but avoid restoring applications. (These choices are controlled by checkboxes in the process when the assistant asks what you want to restore.)
- When restoration is complete, I force myself to download every app and utility and install a fresh copy.
In the extremely unusual situation of an app I still use no longer being available for download, I can restore it from my backup, but I try hard to replace obsolete apps.
Most of the time, apps access their licenses and settings from my user account, so I can pick up using them where I left off. Installing each app fresh is tedious and cuts into my productivity for a week or two, but I appreciate the feeling of starting anew.
Is there a Level 3 clean install? Yes, but it would be a major pain, and I’ve never done one. For a Level 3 clean install, you would erase the boot drive, install macOS, and set up a new account. You would then manually copy just your data—no settings—into your new home folder. The hard part comes next. You must enter registration codes and reconfigure each app’s settings from scratch. For some apps, you’ll also have to sort through your home folder’s Library folder to find subfolders that contain essential data—like certain items in Application Support and your Mail folder. Don’t attempt a Level 3 clean install unless a Level 2 clean install hasn’t helped and you’re left fighting problems that occur in only your account.
Did It Work?
Although it may take months before I know for certain, the Level 2 clean install has apparently stopped the kernel panics. My iMac hasn’t suffered a single panic since I upgraded on 3 March 2023, while I had seven panics in the previous month.
The releases of macOS 13.3 and 13.3.1 also confirmed that a Level 2 clean install resolved the problem with authentication in the first boot after installing a minor update. Both of those updates installed fine, although I had to unlock my Time Machine drive and log in to Setapp after the macOS 13.3 update. No extra authentication requests appeared after the macOS 13.3.1 update.
Viva Ventura! But more to the point, you might need a Level 2 clean install to resolve some tricky problems, and others might succumb only to a Level 3 clean install. If you’re battling such recalcitrant gremlins, try deeper cleaning.
Your story sounded awfully familiar. I too have been plagued by kernel panics for some time now. They come seemingly random and in waves, sometimes a few a week, sometimes several per hour.
I first installed the OS over the drive, hoping this would straighten out the assumed bugs. This had no effect.
Then I did a level 3 clean Install. Took a long time to get back up and running, but getting rid of dead wood was worth it. The kernel panics didn’t go away though. Was I looking at a hardware defect?
I then resorted to an old utility, Onyx. This has reduced the kernel panic rate to just one or two a week, suggestive of a software cause. I now run Onyx once a week.
But the problem is not gone; Still a hardware fault? I’m not ready yet to bring my M1 MBP in for analysis and/or repair.
At least I’m not the only one having kernel panics…
Update: I just had two kernel panics in quick succession. Ran Onyx. Let’s see how long the current session lasts…
Thank you for clarifying that. I had suspected it, but I appreciate the confirmation, especially before I actually attempted it.
Panic reports are here:
Older ones get moved here:
On the other hand I started out with a 2008 INTEL iMac and have installed every version of macOS right over the top of the current one, then moved from that 2008 iMac to a 2013 iMac and now a Mac Studio Max using Migration Assistant to Ventura 13.3.1. No clean installs of any level and things are rock solid.
So is it luck or just karma? Am I typical or are you the outlier?
Thankfully, I’ve never had any of these problems. How much of your article is covered in any of the Take Control books? If not all, I hope it all will be soon - just in case!
I did not have the specific problems you describe, but I wanted to restore my M1 MacBook Air and start from scratch. I followed the instructions here, Erase your Mac and reset it to factory settings - Apple Support to erase my Mac and reset it to factory settings. Then I signed in with my Apple ID. I had previously saved the files that were not in iCloud so I copied them and then reinstalled all the third party applications. It took awhile, but I am retired. Anyway it all works and some funny little things that were annoying me are gone.
I was not aware of the feature mentioned in the linked Apple article. I think it must be something new.
Yes it is very powerful, and much easier and safer than going into Disk Utility and deleting volumes. It basically erases your -Data volume, restoring the Mac to factory state with just the SSV installed. Setup Assistant launches to enable the setup of the Data volume.
As Adam’s article says there is no need to erase a working SSV because if one byte has changed it will fail verification (which happens on every boot) and will not boot.
My first Mac was a 2006 White MacBook. After using Setup Assistant from Mac to Mac to my present 2018 Mac mini, a lot of cruft had accumulated and things got slightly quirky. About 6 months ago, after multiple backups on different drives, I did a level 3 clean install and manually copied the data files from a Home directory backup, leaving Library behind. I reinstalled apps as I needed them, which spread out the pain and left behind many old, unused apps. I keep current downloads of paid apps with registration details on a separate drive, separately backed up, so reinstalling was not much trouble.
Imported mail wound in a folder named Import under On My Mac, but the extensive subfolder structure was preserved. I forget now how I got the music over.
The only moment of panic was seeing that the new Photos library was empty. Option-starting Photos allowed me to open the old library and then to select it as the system library.
Smooth sailing ever since.
Just to clarify, “level N clean install” is as defined in this article, right? It’s not referred to by Apple as that in any of their documentation, is it?
Have you done a RAM check? Mine passed Apple diagnostics, but I never got to the point of doing the USB stick with MemTest86.
Drat! It appears that Time Machine doesn’t back up the ~/Library/Logs folder, so I can’t go back to see what’s there.
Again, I install a vast amount more software than most people. It’s certainly uncommon for people to have these sort of problems, but if they do happen, a clean install of some level can help.
I don’t know, sorry—that would be up to Joe Kissell and the current authors. (Tonya and I haven’t had much to do with Take Control since we sold it in 2017.)
Erase All Content and Settings is a relatively new option in macOS, so I honestly didn’t even think of using it. On reflection, it would probably provide the same level erasure as reformatting the boot drive, and since macOS can’t run if there’s any drive corruption rendering the seal invalid, I think it’s safe to assume that a reformat wasn’t necessary to eliminate lurking corruption.
However you erase the current drive, the important bit is not restoring everything from backup, but bringing apps and their components back selectively. It sounds like you did that successfully as well.
Yes, these are terms I’ve coined. “Clean install” is bandied about a lot, but it really makes a difference as to whether you restore everything, just data and settings, or just data.
I’m curious. You said you had 236 items in your Application folder and thought it a large number because your job calls for trying lots of software. My business doesn’t, but the current count in my 2018 MacMini running 12.6.5 is 268 items (from the Info box). Only four of them are 2018 or earlier – three years of TurboTax and a now-defunct web page app called Sandbox. Am I a digital pack rat, or is the count inflated by the contents of some folders in the App folder. For example, it contains the EasyDraw Folder which contains 50 items. Are they being counted as items? If I just count the number of visible apps or folders in the list, it looks there are really about 120 items.
It is the 120 you have to compare with. After a clean install you will have 35-40 Apple Applications. The rest is installed by you afterwards. I have 180. 236 is a lot!
It’s not ~/Library/Logs but /Library/Logs.
One of the benefits of using Carbon Copy Cloner is that it backs up that sort of stuff. That saved me when I needed things like /etc/hosts and /etc/fstab.
That leaves the final ‘Nuclear’ Level Zero Option.
Performing a full restore using a second Mac and Apple Configurator which is the only truly clean installation for Apple Silicon based Macs. It also works with Intel and especially those with the T2 Security Chip. The only requirements are a second working Mac with Apple Configurator installed and a Thunderbolt3/4 USB-C data cable. Charge cables may work in some cases but would be very slow if they do work.
Revive or restore a Mac with Apple silicon using Apple Configurator
# Revive or restore an Intel-based Mac using Apple Configurator
By default Apple Configurator will grab the latest macOS release. However you can obtain a specific IPSW installer for an older macOS version. You just need to download it from the Apple CDN manually. Here is a site to help you do just that without needing to reverse engineer the CDN and read XML / JSON data to do so. This site will grab any and all IPSW images for any Apple product. You add the IPSW to Apple Configurator.
IPSW Downloads (Apple Silicon Only)
The steps to entering DFU mode effectively require very specific steps and very specific USB-C ports and will likely take multiple attempts to achieve.
Once re-installed you now have a super clean macOS factory reload in perfect condition. Create the first user account which is very special as it has the systems first secure token. All other accounts should be created with this initial account to ensure they can boot the Mac. It’s recommended you consider this account an emergency admin account. Using this account to create your primary accounts which you can make as administrators or standard users. You should never remove the initial first account. Of course, the first account can be your only account, but it’s smart to add your primary accounts and leave this one alone. It can be useful for trouble-shooting, etc.
At this point you can decide to restore from backup either with Migration Assistant or another manual method. Then decide if you wish to restore your Apps or user settings or not.
The key is to ensure you have a super clean System volume and the DFU Restore does just that. The next most important thing about restoring your data and applications is to not reintroduce the problem by restoring the problem from backup. So copying only data and not the user settings and applications might be an essential although time consuming step. You’ll need to re-install, license, activate and configure all the software.
Many people have things installed that are old and out of date. Any advanced software that uses kernel or system extensions will have compatibility issues with newer macOS releases as Apple has been making changes for years. One needs to ensure that those applications are compatible and up-to-date. It is very likely such software would require an upgrade.
Can an older mac like my MacBook Pro (Retina, 15-inch, Mid 2015) run Configurator to restore my MacBook Pro M1? Do not need it now and hope never to, but nice to know.
Yep, @paalb is right. I was just counting the apps, not the contents of folders. Other than the
/Applications/Utilitiesfolder, pretty much all of my apps are loose in the
/Applicationsfolder. To be clear, I’m not recommending what I do! It’s generally better to keep things clean, but it’s just too hard for me. (Don’t ask what my iPhone App Library looks like, either.)
Oops, thanks! Although Time Machine seems to back up that folder, I suspect what it’s actually showing are just available snapshots, since they only go back 24 hours.
I do have a duplicate made with Super Duper that would have the files, but after a week or so of Ventura working fine, I started those duplicates again, thus overwriting the old logs.
Good to know for the future, thanks!
Good suggestion! I’d forgotten about this approach, and it’s probably overkill unless the Mac is entirely unresponsive, but it’s certainly good to know about.
I actually have no idea how many apps are in my Applications folder because I never open it…about 99.9% of my app launches are either double clicking a doc or selecting either the doc or app in LaunchBar and hitting Return…all of my repeatedly opened apps or docs have abbreviations in LB to make it easier to type. Back many versions of macOS ago…some apps got installed in Utilities subfolder but later installers sometimes put them there, sometimes in Apps or their own folder, or sometimes are just a .dmg and you drag it wherever you want it…and sometimes they get put into user’s Application folder depending on authentication. I’ve found that some installers recently put it in some place but if you move it the app breaks which never used to happen…Topaz is an offender here as some apps are in Apps and some in Apps/Topaz…and if you move the former into the latter it won’t launch.
@paalb - Older Mac’s that do not have a T2 Security Chip nor Apple Silicon SoC CPU can just be re-installed via a bootable thumb drive installer.
Here’s how you download macOS (including older versions):
Here’s how to create a bootable installer on a flash drive:
Then on older Intel Macs you hold down the Option key when powering on and you can choose to boot from the flash drive. At that point you can go to the Utilities menu and Disk Utility and completely erase the internal storage. Then you install macOS cleanly on the disk.
Apple Configurator is more for supervising Mac’s. It’s a poor-mans MDM (Mobile Device Manager). There are unlikely to be IPSW installers for older Macs. Only the new ones and mostly Apple Silicon and supposedly any Intel w/T2 models.
Any MacBook Pro from 2018+ with Intel will have the T2 Security Chip unless it is an Apple Silicon M1/M2 in which case the security is built-in to the SoC. This hardware makes it more difficult to reload an OS from scratch. You can’t even boot external if the internal disk is missing specialized partitions. In that case the only option is using an Apple Configurator full Restore to fix it.
The question was the opposite of your reply. Can the old mac be used to restore the new?
Yes if you have two Macs you can install Apple Configurator on the older Mac and restore a newer Mac.
Intel Macs with a T2 should also support this. The catch is that you need to use the Startup Security Utility and set the security level to medium (to allow booting versions of macOS that aren’t the latest) and enable booting from external/removable media.
You need to run this utility from Recovery mode (use Internet Recovery if your internal SSD’s recovery partition doesn’t exist or doesn’t work), but once it is done, you should be able to boot from a thumb drive with a compatible version of macOS.
Doing this on an Apple Silicon Mac is not as easy. I think it is possible, but I don’t remember all the hoops you need to jump through.
Seems this “cleaning” is more difficult on Mac’s prior to 2020. Like me. I have a 2019 iMac and would like to do a clean install like this, but it does seem more complex.
As said, using Apple Configurator 2 completely erases the machine. It is the only way to erase and restore the firmware and the iBoot partition which is essential for booting event from Recovery or from an external. The main reason for using AC2 is when all else has failed because the iBoot has been deleted by misuse of Disk Utility or because you want to roll back the firmware to an earlier version.
Of course it erases the SSV but there is no point in using Apple Configurator 2 on a healthy machine. It does not do a “deeper” clean.
I think all I am saying is this process:
Is lots more complicated (it sounds) than what Adam and those with Apple Silicon (Or t2 Macs).
I can see LOTS that might go wrong following these instructions.
That process has a lot of steps, but it’s really not as complicated as it seems. Most of the steps are very simple actions, like signing out of various Apple services. There really isn’t anything of significance that can go wrong with this process that can’t go wrong with the “Erase All Content and Settings” process. EACaS just automates these into fewer steps.
Good article, but step 4 is misleading.
That step (“Sign out of iTunes”) says you should skip the step if you’re using Catalina or later. This implies that new versions of macOS don’t need to be de-authorized from store purchases, which is not true.
If you’re using Catalina or later, you still need to deauthorize purchases, but you do it from either the Music or TV app instead of from iTunes.
I thought I might try a Level 2 install of Ventura on an external drive to see if it would clear up the Calendar syncing issues I’ve been having. However, something popped up early: HOW does a fresh install of Ventura on a freshly reformatted volume automatically connect to a password protected local WiFi? NOTHING but the Ventura user name had been setup.
I would assume that, like any other new system, it would have to ask you for credentials unless you’re connected to an unsecured network (like a local Ethernet).
Once you’re on some network with Internet access, then you can log into iCloud and sync your keychain to get all the rest of your credentials, but if your initial connection requires them, you’re going to have to manually type them in. So make sure you have access to a copy you can use for this.
You misunderstood me. IT DID AUTOMATICALLY CONNECT!
How and where did it get that password? I don’t use anything “cloud” much less iCloud Keychain.
I went into my router to verify that the WiFi connection was secure.
It does have local Ethernet access, but how does that get it to password protected WiFi?
After doing some web searching, it appears that macOS stores Wi-Fi for your preferred networks in NVRAM.
The intent is for Internet recovery, so you aren’t repeatedly asked for credentials during the recovery and installation process.
If you type
nvram preferred-networks, you can see what it has stored. On my system it is an array of binary data that appears to contain the 6 Wi-Fi networks on my Mac’s preferred network list. According to someone else’s analysis, that data also contains the Wi-Fi pre-shared key (the binary key generated from your passphrase).
Which is also why Apple recommends resetting NVRAM as a part of wiping a Mac before getting rid of it. While it’s not a huge security problem (someone getting your computer would have to visit your home network location to use the data), it’s something you probably don’t want to distribute to strangers.
Wow! Thanks! That explains a lot of things I’ve been curious about. But it is a bit creepy…
I assumed I should type
nvram preferred-networksin Terminal, so I did. Here’s what I got in response.
nvram: Error getting variable - 'preferred-networks': (iokit/common) data was not found
Is Terminal the correct place? Should I run it admin (or use
sudo?) Is the command for something more recent than macOS 11.7.6? I believe (and hope) I connect to a password-protected Wi-Fi. Thanks.
I go that too. But yes, the Terminal is the place. Try “man nvram” for more info; although, I found it one of the less helpful man pages. Sudo will get you the same error.
I dumped it all to a text file, but its not very readable (a good thing, I guess… :-)
nvram -xp > Desktop/NVRAM-vars.txt
Yes, typing the command into Terminal is the right place. The error means that there is no data named
preferred-networksin your Mac’s NVRAM.
Do you have any preferred networks stored on your Mac? Go to System Preferences → Network → Wi-Fi → Advanced…
On my system, this preference panel shows the same list of networks that the
nvramcommand shows. If your system has nothing on the list (maybe you never added any network to the list), then the corresponding NVRAM data probably doesn’t exist.
Also of interest is
nvram current-network, which will show you the data (SSID and credentials) for the Wi-Fi network you’re currently connected to. This data will not be present if you’re not currently connected to any Wi-Fi network.
You can also type
nvram -pto show all of the variables in your NVRAM.
I do have a key in nvram named preferred-networks, however (if I’m reading the man page correctly), perhaps the command form
nvram <key>has been removed (I’m on v13.3.1)? But the following command does work (good ol’ grep)…
nvram -p | grep preferred-networks
Yes, many. (And thanks for the reminder of where to look for them.)
nvram: Error getting variable - 'current-network': (iokit/common) data was not found
Now it gets interesting. There is a section for preferred-networks, and the (sparse) plain text does include the names of some networks in my preferred networks. However, there were eight (human-readable) network names in the preferred-networks part of the output, and I have 29 entries in the preferred networks pane of System Preferences.
There was also an entry for current-network, and some of the plain text matched the name of my current network.
Unrelated to all this, you might recall that Time Machine has not completed a back up of my MBA M1 since I installed macOS 11.7.1 last November. Is it possible that something in the NVRAM is interfering with the completion of Time Machine backups? I’m grasping at straws, but my inability to get preferred networks makes me wonder if something else is wonky. Thanks.
Apple ranks “Preferred Networks” by times you’ve switched to it (for auto-join, etc.), maybe for NVRAM too?
How iOS, iPadOS, and macOS decide which wireless network to auto-join
Is that new for Ventura? On my Macs (Big Sur and Sierra), the preferred network list is manually sortable. I can drag SSIDs to any order I want and the most-preferred networks are always the ones at the top of the list.
Actually the doc says “your ‘most preferred network’” so perhaps they are only applying that to auto-joining?
The Apple doc I linked is dated March 27, 2023.
But it has all been for naught… ;-) The Level 2 did nothing for my Ventura issues.
Network sorting has been gone on macOS for a while. It’s like iOS now. No more user order.
I can still reorder the order of my preferred WiFi networks on MacOS 12.6.3.
When I got my M1 MacBook Pro, I hadn’t done any sort of clean install for at least 8 years, possibly more. So I decided to do a ‘Level 3’ clean install as I didn’t want a load of old settings transferring over (especially as corrupted settings files can happen and cause odd behaviour in apps). But I guess I ended up doing a sort of hybrid – I have selectively, as I’ve needed an app, downloaded the current version of an app and then transferred over the settings files manually from my old Library folder. For apps with simple settings I don’t bother transferring the settings files over. I have a Find Any File saved search that helps me quickly locate relevant settings files for an app. For my overall system settings, I went through and set them up anew, so I wasn’t importing many years’ worth of updated settings.
Well, it’s been gone since the first release of Ventura. Yay for the iOS-ification of macOS. The gift that keeps on giving.
Join the discussion in the TidBITS Discourse forum