Update the operating system and software on Mac instances - Amazon Elastic Compute Cloud

Update the operating system and software on Mac instances

Warning

Installation of beta or preview macOS versions is only available on Apple silicon Mac instances. Amazon EC2 doesn't qualify beta or preview macOS versions and doesn't ensure instances will remain functional after an update to a pre-production macOS version.

Attempting to install beta or preview macOS versions on Amazon EC2 x86 Mac instances will lead to degradation of your Amazon EC2 Mac Dedicated Host when you stop or terminate your instances, and will prevent you from starting or launching a new instance on that host.

The following sections describe the steps to update software on x86 Mac instances and Apple silicon Mac instances.

Update software on x86 Mac instances

On x86 Mac instances, you can install operating system updates from Apple using the softwareupdate command.

To install operating system updates from Apple on x86 Mac instances
  1. List the packages with available updates using the following command.

    [ec2-user ~]$ softwareupdate --list
  2. Install all updates or only specific updates. To install specific updates, use the following command.

    [ec2-user ~]$ sudo softwareupdate --install label

    To install all updates instead, use the following command.

    [ec2-user ~]$ sudo softwareupdate --install --all --restart

System administrators can use AWS Systems Manager to roll out pre-approved operating system updates on x86 Mac instances. For more information, see the AWS Systems Manager User Guide.

You can use Homebrew to install updates to packages in the EC2 macOS AMIs, so that you have the latest version of these packages on your instances. You can also use Homebrew to install and run common macOS applications on Amazon EC2 macOS. For more information, see the Homebrew Documentation.

To install updates using Homebrew
  1. Update Homebrew using the following command.

    [ec2-user ~]$ brew update
  2. List the packages with available updates using the following command.

    [ec2-user ~]$ brew outdated
  3. Install all updates or only specific updates. To install specific updates, use the following command.

    [ec2-user ~]$ brew upgrade package name

    To install all updates instead, use the following command.

    [ec2-user ~]$ brew upgrade

Update software on Apple silicon Mac instances

Considerations

Elastic Network Adapter (ENA) driver

Due to an update in the network driver configuration, ENA driver version 1.0.2 isn't compatible with macOS 13.3 or greater. If you want to install any beta, preview, or production macOS version 13.3 or later and have not installed the latest ENA driver, use the following procedure to install a new version of the driver.

To install a new version of the ENA driver
  1. In a Terminal window, connect to your Apple silicon Mac instance using SSH.

  2. Download the ENA application into the Applications folder using the following command.

    [ec2-user ~]$ brew install amazon-ena-ethernet-dext
    Troubleshooting tip

    If you receive the warning No available formula with the name amazon-ena-ethernet-dext, run the following command.

    [ec2-user ~]$ brew update
  3. Disconnect from your instance by typing exit and pressing return.

  4. Use the VNC client to activate the ENA application.

    1. Set up the VNC client as described in Connect to your instance's graphical user interface (GUI).

    2. Once you have connected to your instance using the Screen Sharing application, go to the Applications folder and open the ENA application.

    3. Choose Activate.

    4. To confirm the driver was activated correctly, run the following command in the Terminal window. The output of the command shows that the old driver is in the terminating state and the new driver is in the activated state.

      systemextensionsctl list;
    5. After you restart the instance, only the new driver will be present.

Software update on Apple silicon Mac instances

On Apple silicon Mac instances, you must complete several steps to perform an in-place operating system update. First, access the internal disk of the instance using the GUI with a VNC (Virtual Network Computing) client. This procedure uses macOS Screen Sharing, the built-in VNC client. Then, delegate ownership to the administrative user (ec2-user) by signing in as aws-managed-user on the Amazon EBS volume.

As you work through this procedure, you create two passwords. One password is for the administrative user (ec2-user) and the other password is for a special administrative user (aws-managed-user). Remember these passwords since you will use them as you work through the procedure.

Note

With this procedure on macOS Big Sur, you can only perform minor updates such as updating from macOS Big Sur 11.7.3 to macOS Big Sur 11.7.4. For macOS Monterey or above, you can perform major software updates.

To access the internal disk
  1. From your local computer, in the Terminal, connect to your Apple silicon Mac instance using SSH with the following command. For more information, see Connect to your instance using SSH.

    ssh -i /path/key-pair-name.pem ec2-user@instance-public-dns-name
  2. Install and start macOS Screen Sharing using the following commands.

    [ec2-user ~]$ sudo launchctl enable system/com.apple.screensharing
    [ec2-user ~]$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
  3. Set a password for ec2-user with the following command. Remember the password as you will use it later.

    [ec2-user ~]$ sudo /usr/bin/dscl . -passwd /Users/ec2-user
  4. Disconnect from the instance by typing exit and pressing return.

  5. From your local computer, in the Terminal, reconnect to your instance with an SSH tunnel to the VNC port using the following command.

    ssh -i /path/key-pair-name.pem -L 5900:localhost:5900 ec2-user@instance-public-dns-name
    Note

    Do not exit this SSH session until the following VNC connection and GUI steps are completed. When the instance is restarted, the connection will close automatically.

  6. From your local computer, connect to localhost:5900 using the following steps:

    1. Open Finder and select Go.

    2. Select Connect to Server.

    3. In the Server Address field, enter vnc://localhost:5900.

  7. In the macOS window, connect to the remote session of the Apple silicon Mac instance as ec2-user with the password you created in Step 3.

  8. Access the internal disk, named InternalDisk, using one of the following options.

    1. For macOS Ventura or above: Open System Settings, select General in the left pane, then Startup Disk at the lower right of the pane.

    2. For macOS Monterey or below: Open System Preferences, select Startup Disk, then unlock the pane by choosing the lock icon in the lower left of the window.

    Troubleshooting tip

    If you need to mount the internal disk, run the following command in the Terminal.

    APFSVolumeName="InternalDisk" ; SSDContainer=$(diskutil list | grep "Physical Store disk0" -B 3 | grep "/dev/disk" | awk '{print $1}') ; diskutil apfs addVolume "$SSDContainer" APFS "$APFSVolumeName"
  9. Choose the internal disk, named InternalDisk, and select Restart. Select Restart again when prompted.

    Important

    If the internal disk is named Macintosh HD instead of InternalDisk, your instance needs to be stopped and restarted so the dedicated host can be updated. For more information, see Stop or terminate your Amazon EC2 Mac instance.

Use the following procedure to delegate ownership to the administrative user. When you reconnect to your instance with SSH, you boot from the internal disk using the special administrative user (aws-managed-user). The initial password for aws-managed-user is blank, so you need to overwrite it on your first connection. Then, you need to repeat the steps to install and start macOS Screen Sharing since the boot volume has changed.

To delegate ownership to the administrator on an Amazon EBS volume
  1. From your local computer, in the Terminal, connect to your Apple silicon Mac instance using the following command.

    ssh -i /path/key-pair-name.pem aws-managed-user@instance-public-dns-name
  2. When you receive the warning WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!, use one of the following commands to resolve this issue.

    1. Clear out the known hosts using the following command. Then, repeat the previous step.

      rm ~/.ssh/known_hosts
    2. Add the following to the SSH command in the previous step.

      -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  3. Set the password for aws-managed-user with the following command. The aws-managed-user initial password is blank, so you need to overwrite it on your first connection.

    1. [aws-managed-user ~]$ sudo /usr/bin/dscl . -passwd /Users/aws-managed-user password
    2. When you receive the prompt, Permission denied. Please enter user's old password:, press enter.

      Troubleshooting tip

      If you get the error passwd: DS error: eDSAuthFailed, use the following command.

      [aws-managed-user ~]$ sudo passwd aws-managed-user
  4. Install and start macOS Screen Sharing using the following commands.

    [aws-managed-user ~]$ sudo launchctl enable system/com.apple.screensharing
    [aws-managed-user ~]$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
  5. Disconnect from the instance by typing exit and pressing return.

  6. From your local computer, in the Terminal, reconnect to your instance with an SSH tunnel to the VNC port using the following command.

    ssh -i /path/key-pair-name.pem -L 5900:localhost:5900 aws-managed-user@instance-public-dns-name
  7. From your local computer, connect to localhost:5900 using the following steps:

    1. Open Finder and select Go.

    2. Select Connect to Server.

    3. In the Server Address field, enter vnc://localhost:5900.

  8. In the macOS window, connect to the remote session of the Apple silicon Mac instance as aws-managed-user with the password you created in Step 3.

    Note

    When prompted to sign in with your Apple ID, select Set Up Later.

  9. Access the Amazon EBS volume using one of the following options.

    1. For macOS Ventura or later: Open System Settings, select General in the left pane, then Startup Disk at the lower right of the pane.

    2. For macOS Monterey or earlier: Open System Preferences, select Startup Disk, then unlock the pane using the lock icon in the lower left of the window.

    Note

    Until the reboot takes place, when prompted for an administrator password, use the password you set above for aws-managed-user. This password might be different from the one you set for ec2-user or the default administrator account on your instance. The following instructions specify when to use your instance's administrator password.

  10. Select the Amazon EBS volume (the volume not named InternalDisk in the Startup Disk window) and choose Restart.

    Note

    If you have multiple bootable Amazon EBS volumes attached to your Apple silicon Mac instance, be sure to use a unique name for each volume.

  11. Confirm the restart, then choose Authorize Users when prompted.

  12. On the Authorize user on this volume pane, verify that the administrative user (ec2-user by default) is selected, then select Authorize.

  13. Enter the ec2-user password you created in Step 3 of the previous procedure, then select Continue.

  14. Enter the password for the special administrative user (aws-managed-user) when prompted.

  15. From your local computer, in the Terminal, reconnect to your instance using SSH with username ec2-user.

    Troubleshooting tip

    If you get the warning WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!, run the following command and reconnect to your instance using SSH.

    rm ~/.ssh/known_hosts
  16. To perform the software update, use the commands under Update software on x86 Mac instances.
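
Deleting ~/.ssh/known_hosts in response to the REMOTE HOST IDENTIFICATION HAS CHANGED warning discards the pinned keys of every host you connect to, not only the Mac instance. The following added example (not part of the AWS documentation) removes only the affected instance's entry with ssh-keygen; the helper names and the example.test host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the AWS page: drop one host's pinned key and keep the rest.
# Usage: forget_host instance-public-dns-name

# forget_host HOST [KNOWN_HOSTS_FILE]
# Returns 0 if the host's entry was removed, 1 if it had none,
# 2 on bad input or tool failure.
forget_host() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}
    [ -n "$host" ] && [ -f "$file" ] || return 2
    # -F finds plain or hashed entries; a non-zero status means nothing is pinned.
    ssh-keygen -F "$host" -f "$file" >/dev/null 2>&1 || return 1
    # -R rewrites the file without that host and saves the original as "$file.old".
    ssh-keygen -R "$host" -f "$file" >/dev/null 2>&1 || return 2
}

# pinned_count FILE: number of host entries (non-blank, non-comment lines).
pinned_count() {
    grep -cv -e '^#' -e '^$' "$1"
}

# make_sample DIR: build a constructed known_hosts file with two throwaway keys.
# The host names are placeholders (assumptions), not real instances.
make_sample() {
    for n in 1 2; do
        ssh-keygen -q -t ed25519 -N '' -f "$1/key$n" || return 2
    done
    {
        printf 'mac-instance.example.test %s\n' "$(cut -d' ' -f1,2 "$1/key1.pub")"
        printf 'other-host.example.test %s\n' "$(cut -d' ' -f1,2 "$1/key2.pub")"
    } > "$1/known_hosts"
}
```

On the next connection, ssh displays the fingerprint of the instance's new host key and asks you to confirm it, while the entries for all other hosts stay pinned.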