Multizone | All our technotes

Purchasing a burner phone in the UK before travelling to the USA has never felt more relevant than it does in 2026. Whether you want to avoid handing your personal data to an increasingly surveillance-heavy border environment, sidestep punishing roaming charges, or simply keep your private communications away from government scrutiny, a dedicated travel phone is a sensible precaution. US Customs and Border Protection has continued to expand its practice of demanding access to travellers' devices at the border — including phones belonging to visa-holders and even permanent residents — and reports of device seizures and data extraction have become routine enough that this is no longer a niche concern. This article covers how to buy and set up a burner phone in the UK before you fly, what to look for, and how to use it wisely once you land. If you want maximum anonymity, take cash to a CeX store and pick up a second-hand unlocked handset — something like a recent mid-range Android or an older iPhone that still receives security updates. Pair it with a prepaid roaming SIM and you're ready to go.

TL;DR – Buy a second-hand, unlocked phone for cash from a physical reseller, pair it with a prepaid SIM that includes US roaming, keep personal accounts off it entirely, and factory-reset it before you reach the airport. The steps below explain exactly how.

Understanding burner phones in 2026

A burner phone is simply a handset you use for a defined purpose — travel, sensitive communications, keeping your data compartmentalised — and are prepared to leave behind, wipe, or discard when you're done. The concept hasn't changed, but the reasons for using one have sharpened considerably. Border authorities in the USA now routinely inspect devices, and courts have repeatedly upheld their right to do so without a warrant at the point of entry. That means the photos, messages, contacts, and app data on your everyday phone are all potentially visible to an agent who decides to take an interest.

A burner phone addresses this by giving you a clean, minimal device with nothing on it that you wouldn't be comfortable handing to a stranger. It's not a perfect shield — phones can still be tracked via cell tower triangulation, and a determined state actor has significant resources — but for the vast majority of travellers it dramatically reduces the surface area of your digital life that is exposed.

It's equally worth being clear about what a burner phone won't do. It won't make you invisible. If you log into your regular Google or Apple account, connect to your usual Wi-Fi networks, or install apps tied to your real identity, the anonymity evaporates immediately. The hardware is only as private as the habits you pair it with.

Choosing the best purchasing option

For genuine anonymity, the gold standard remains paying cash in person at a physical reseller. CeX (formerly Computer Exchange) remains one of the best options in the UK: their high street and retail park stores stock a wide range of second-hand unlocked handsets across a broad price range, and a cash transaction leaves no payment trail. Avoid using a loyalty card or creating an account if you visit in person.

Other reasonable options include independent phone repair and resale shops, charity shops in larger cities (which occasionally stock working handsets), and car boot sales if you have the time. The key is cash and no account creation.

Online purchasing — Amazon Marketplace, eBay, Back Market — is convenient but carries trade-offs. The retailer logs your name, address, and the IMEI of the device, which creates a record linking you to that specific handset. If traceability matters to you, online is not ideal. That said, if your concern is primarily about keeping your personal data off the device rather than concealing your identity from a state-level actor, buying online is perfectly workable.

Buying a phone once you land in the USA is possible but awkward. Major carrier stores typically require a US address and a US payment method to activate a prepaid plan, which rather defeats the purpose. Convenience stores and supermarkets like Walmart do sell prepaid handsets and SIM kits over the counter for cash, and this remains a viable option if you want to pick up a local number on arrival — but you'll still need to activate it, which usually requires at least an email address.

What phone to buy

The market for second-hand handsets has shifted since this article was first written. Older flagships that were premium devices a few years ago are now available at accessible prices and remain genuinely capable. The key criteria for a burner phone are: still receiving security updates, unlocked to all networks, and good enough to run the apps you'll actually need.

On the Android side, look for a handset from Google's Pixel range — older Pixel models (Pixel 6a, Pixel 7a) have dropped considerably in price on the second-hand market and benefit from Google's extended security patch commitment. Samsung's mid-range A-series phones are also widely available second-hand and receive several years of updates. Avoid very old Android handsets that are no longer receiving security patches; a phone that can't be updated is a liability.

On the Apple side, anything from the iPhone 12 onwards remains on a current iOS version as of 2026 and represents a reasonable choice. Prices for iPhone 12 and 13 handsets on the second-hand market have become quite accessible. The iPhone 7 and 8 are now outside Apple's support window and should be avoided for anything security-sensitive.

Whichever you choose, confirm it is unlocked before you buy. A locked handset tied to a UK carrier will not accept a US prepaid SIM. CeX grades and labels their stock clearly, and unlocked status is usually stated on the shelf ticket.

SIM cards and connectivity in the USA

You have two main routes: buy a UK prepaid SIM with international roaming before you leave, or pick up a US prepaid SIM on arrival.

A UK roaming SIM is the simpler option. Providers including Smarty, VOXI, and various MVNOs offer prepaid SIMs with US roaming included in their data allowances, or available as a bolt-on. Buy the SIM in a convenience store or supermarket for cash, activate it with a temporary email address, top it up with cash at the till, and you're done. Check the roaming terms carefully — some prepaid plans throttle speeds abroad or cap data usage.

A US prepaid SIM gives you a local number and often better data speeds and coverage. T-Mobile has the broadest network footprint across the continental USA and is generally the recommended choice for visitors. AT&T is a strong alternative in urban areas. Prepaid starter kits are available at Walmart, Target, and airport convenience stores. Activation typically requires an email address; use one created specifically for this purpose and not linked to your real identity.

One significant shift worth noting: eSIM has become the default on most new handsets, and an increasing number of US prepaid plans now support eSIM activation. This is convenient but creates a cleaner digital record of the transaction than a physical SIM swap. If traceability is a concern, a physical SIM remains preferable.

Factors to consider when buying

Beyond the handset itself, think through the following before you purchase:

• Battery life. A travel phone will work harder than usual — maps, translation, communication — often without easy access to a charger. Prioritise a handset with a decent battery or pick up a small power bank.
• Network compatibility. The USA operates on a mix of LTE bands and, increasingly, 5G. Most modern unlocked handsets sold in the UK support the relevant US bands, but check the spec sheet if you're buying an older model. GSM-only devices will struggle.
• Storage. You don't need much. Aim for at least 64GB so you're not constantly managing space.
• Condition. CeX grades handsets from A (excellent) to C (heavy wear). A grade B handset is usually the sweet spot — functional and presentable without the premium of grade A.

Maintaining privacy and security

The handset is only part of the picture. How you set it up and use it determines how private it actually is.

Set the phone up using a fresh Apple ID or Google account created specifically for this device — not your regular account. Use a temporary email address for this. Do not restore from a backup of your main phone; start entirely fresh. This prevents your contacts, photos, message history, and app data from appearing on the device.

Use a strong PIN rather than biometric unlock. Face ID and fingerprint unlock are convenient but can be compelled — an agent can hold the phone to your face or press your finger to the sensor. A six-digit PIN cannot be extracted without your cooperation, and in the USA you have at least some Fifth Amendment basis for refusing to provide it (though this remains legally contested at the border specifically).

Keep the apps on the device minimal and purposeful: maps, a messaging app, a browser, and whatever you genuinely need. Do not install your regular social media apps, email clients tied to your main accounts, or banking apps. Every app you install is a potential source of identifying data.

For messaging, Signal remains the gold standard for encrypted communication and works well on a burner device. WhatsApp is better than SMS but ties to a phone number and is owned by Meta. iMessage is end-to-end encrypted but links to your Apple ID — use it only if you've set up a clean Apple ID for the device.

Pay cash for everything related to the phone. SIM top-ups, accessories, and the handset itself should all be cash transactions if anonymity matters to you.

Tradecraft

Think carefully about when and where you power the phone on. Cell towers log which devices connect to them, and that data can place you at a specific location at a specific time. Switching the phone on near your home before you travel, or near your departure airport, creates a record linking the device to those locations and potentially to you.

Factory-reset your main everyday phone before you reach the airport if you're concerned about border searches. If your data is in the cloud, you can restore it once you've cleared immigration. Be aware, however, that cloud data is accessible to authorities with the appropriate legal process, and some governments can reach into commercial cloud services through mutual legal assistance treaties or direct pressure on providers.

Consider what you do with the burner phone when you return. If you're travelling again, store it somewhere safe with the SIM removed. If you're done with it, a full factory reset followed by a CeX trade-in is perfectly reasonable — or simply keep it as a dedicated travel device for future trips.

Using alternatives: burner apps

If carrying a second device feels excessive, burner apps offer a middle ground. Apps like Hushed and MySudo provide temporary virtual phone numbers that can receive calls and texts without exposing your real number. MySudo goes further, offering compartmentalised identities with separate email addresses and browsing profiles — a genuinely useful tool for travellers who want separation without a second handset.

These apps have become more capable and more polished since they first appeared, and for many travellers they're now the more practical choice. The trade-off is that they run on your existing device, which means your hardware — with its location history, app data, and associated accounts — is still present at the border. A burner app protects your phone number; it doesn't protect everything else on your phone.

For short trips where your main concern is keeping a local number private rather than full device separation, a burner app is often sufficient and considerably cheaper than buying a handset. For longer stays, or where device-level privacy matters, a dedicated phone remains the better option.

One important caveat: burner apps will not help you if a border agent physically takes your phone and extracts its contents. The app number stays private, but the device data does not.

Legal considerations

Owning and using a prepaid or second-hand phone is entirely legal in both the UK and the USA. There is nothing inherently suspicious about a burner phone, and the vast majority of people who use them do so for entirely mundane reasons — travel, cost management, keeping work and personal communications separate.

Where it gets complicated is at the border. CBP agents have broad authority to search electronic devices at US ports of entry, and that authority has been upheld by courts even without suspicion of wrongdoing. A clean burner phone with no sensitive content is, in this context, an advantage rather than a red flag. Refusing to unlock a device can result in it being detained or confiscated, and in some cases can affect your entry.

Laws around privacy and data protection vary significantly between US states, but at the federal border those protections are substantially reduced. Being informed about this reality is not paranoia — it's straightforward travel preparation in 2026.

Conclusion

The case for a travel burner phone has only strengthened as border scrutiny of devices has intensified and the amount of personal data we carry on our everyday phones has grown. A second-hand unlocked handset bought for cash, paired with a prepaid SIM and a clean set of accounts, gives you a genuinely useful device with a minimal data footprint — and one you can hand over at the border without anxiety.

The setup doesn't need to be complicated. Buy the phone, configure it cleanly, test it before you travel, and leave your main device either at home or factory-reset before you fly. These are proportionate, practical steps for anyone who'd rather keep their personal life personal.

One final note: the same logic applies to laptops. If you routinely travel with a Mac or PC full of personal and professional data, consider whether you need to. A cheap Chromebook or a remote desktop connection to a machine left at home are both cleaner options than carrying your entire digital life through a border checkpoint. Leave anything you don't need at home, or access it remotely once you've cleared immigration.

These steps are calibrated for the ordinary traveller with reasonable privacy expectations. If your threat model is more serious — journalism, activism, legal exposure — you need specialist guidance well beyond the scope of this article.

Details

Last Updated: 08 June 2026

The UK refurbished MacBook market continues to adjust in response to Apple’s recent M4 MacBook and MacBook Pro release. Supply is healthy, but standout deals remain elusive. This week, Amazon Renewed listings havent changed much for desirable configurations after a drop last week.

Im only including 16 GB RAM and 1 TB SSD configurations because they offer significantly better longevity and maintain higher resale value, particularly among professional users seeking balanced capability. An emerging trend worth noting appears to be the increased availability of 1 TB models which provide ample storage for most use cases and these models are rapidly becoming the new baseline for buyers.

TL:DR – My pick of the week is (MacBook Air 13-inch M2, 2022) 16 GB / 1 TB at £791 on Amazon. Theres also a great value MacBook Pro (14-inch, M1, 2021) 16 GB / 1 TB at £849. These are astonishing value! Always read the fine print and compare prices widely before deciding.

Details

Last Updated: 08 June 2026

• macOS: The redefinition of modern Computing
• Apple Silicon: Redefining Performance and Efficiency
• Apple Computer: Innovation, Software, Electronics

Read more: MacBook Pro pick of the month

If you read my article Yes you can install Windows 11 on an unsupported processor chip you'll know I bought this total bargain Lenovo ThinkCentre 710q chiefly because it consumes low power, has all Lenovo's attention to detail for maintenance and spare part replacement, has a nice tiny form factor, and a reasonably modern architecture. The Think Centre supports secure boot, and has a Trusted Platform Module (TPM) 2.0. This one came with a DVD rw drive and now sports USB-C with DP video support, 32 GB of memory and a 1 TB SSD. The 6th Generation Intel® Core™ i7-7700T 'Skylake' processor and the Intel HD 530 graphics are end of life.

TL:DR —  There are loads of potential upgrades for these ThinkCentre 710q tiny workstations including WiFi which I didn't need and they are as cheap as chips. Plenty of parts are available, all very easily user replacable with ease by following Lenovo's documentation or just common sense. This is pretty much maxed out now and very very useful.

Details

Last Updated: 08 June 2026

Read more: Unexpectedly great hardware updates to my ThinkCentre 710q

Introduction: Where the Online Safety Act Stands in 2026

The UK Online Safety Act has moved from legislative ambition to live enforcement. Ofcom is now actively scrutinising platforms, issuing compliance notices, and — in the most serious cases — pursuing fines and criminal referrals. For any business providing an online service accessible to UK users, the question is no longer whether to comply, but whether your current compliance posture is robust enough to withstand regulatory inspection.

The Act's reach is international. It applies to services with links to the UK whether the provider is headquartered in London, Dublin, Delaware, or anywhere else. Ofcom has made clear it will pursue non-UK operators where there is evidence of harm to UK users.

TL;DR – The phased compliance deadlines have now passed. If you have not yet completed your illegal content risk assessment, your children's access assessment, and — where applicable — your children's risk assessment, you are already exposed to enforcement action. Complete them immediately. The Act applies to any online service accessible in the UK, and Ofcom is no longer waiting.

{ToC}

Why the Online Safety Act Demands Attention Right Now

When the Act received Royal Assent in October 2023, many platforms took a wait-and-see approach. That window has closed. Ofcom's enforcement programme is operational: the Illegal Harms Codes of Practice came into force in March 2025, the Protection of Children Codes followed in July 2025, and Ofcom has since begun its first wave of formal compliance reviews targeting both large platforms and mid-tier services that assumed they were below the regulatory radar.

The regulator has been explicit that size is not a shield. Smaller platforms carrying high-risk content categories — particularly those involving children, financial fraud, or intimate image abuse — are being prioritised alongside the major players. Reputational damage, service restrictions, and personal liability for senior managers are all live consequences, not theoretical ones.

Who the Online Safety Act Applies To

The Act covers businesses both inside and outside the UK that provide services accessible to UK users. The level of obligation scales with the service type and the risks it poses, but very few interactive online services are entirely out of scope.

The regulations apply across a broad spectrum of online services:

Compliance Deadlines: Where Things Stand in 2026

All three major compliance phases have now passed. If your organisation has not acted on each milestone, you are in arrears and should treat remediation as urgent.

Ofcom has confirmed it will treat the failure to complete risk assessments as a standalone compliance breach — separate from any harm that may have actually occurred on a platform. Incomplete documentation is itself an enforcement trigger.

Understanding the Core Requirements of the Online Safety Act

How the Act Categorises Harmful Content

The Act identifies and categorises harmful content into 17 kinds of priority illegal content and a broader category of other illegal content, including non-priority offences. Platforms must actively work to prevent, detect, and remove material falling under these definitions — not simply respond to it after the fact.

The 17 Priority Illegal Content Categories

1. Terrorism: Content promoting, inciting, or glorifying terrorist activities.
2. Harassment, stalking, threats, and abuse: Material involving targeted harassment, stalking, credible threats, or sustained abuse.
3. Coercive and controlling behaviour: Content depicting or encouraging coercive control in intimate or family relationships.
4. Hate offences: Material inciting hatred against individuals or groups based on protected characteristics.
5. Intimate image abuse: The non-consensual sharing of private sexual images — now also addressed by the Criminal Justice Act 2024, which created new specific offences including the taking of such images without consent.
6. Extreme pornography: Content depicting extreme sexual acts that are illegal under UK law.
7. Child sexual exploitation and abuse (CSEA): Material involving the sexual exploitation or abuse of children, including AI-generated imagery which Ofcom has explicitly confirmed falls within scope.
8. Sexual exploitation of adults: Content depicting or facilitating the sexual exploitation of adults.
9. Unlawful immigration: Material facilitating or promoting illegal entry or stay.
10. Human trafficking: Content related to the illegal trade of people for exploitation or commercial gain.
11. Fraud and financial offences: Material promoting or facilitating fraudulent financial activity, including investment scams and authorised push payment fraud.
12. Proceeds of crime: Content concerning the handling or laundering of illegally obtained money.
13. Assisting or encouraging suicide or self-harm: Material that encourages or provides means for self-harm or suicide, a category Ofcom has flagged as particularly acute for platforms used by young people.
14. Drugs and psychoactive substances: Content promoting the sale or use of controlled drugs and novel psychoactive substances.
15. Weapons offences: Material promoting the illegal acquisition, possession, or use of knives, firearms, or other weapons.
16. Foreign interference: Content involving foreign state or non-state actors interfering in UK democratic processes or public discourse.
17. Animal welfare: Material depicting or promoting cruelty to animals.

It is worth noting that Ofcom's enforcement guidance published in late 2025 specifically highlighted fraud, CSEA, and suicide and self-harm content as areas where it found the most significant gaps in platform compliance during its initial review cycle. If your service has any exposure to these categories, they warrant priority attention.

Non-Priority Illegal Content

Beyond the 17 priority categories, all service providers must assess whether other forms of illegal content are likely to appear on their platform. Ofcom's Register of Risks identifies a range of non-priority illegal content, but the obligation extends further: if you have evidence or reasonable grounds to believe a particular type of illegal harm — even one not listed — is likely to occur on your service, it must be included in your risk assessment. The threshold is evidence-based, not exhaustive-list-based.

Your Risk Assessment Obligations

What a Compliant Risk Assessment Looks Like

A risk assessment under the Act is not a tick-box exercise. Ofcom expects documented, evidence-based analysis that demonstrates genuine engagement with the specific risks your service presents. A generic template submitted without service-specific evidence is unlikely to satisfy a compliance review.

Ofcom's Four-Step Methodology

1. Identify risks: Map the specific ways in which illegal or harmful content could emerge on your platform, given its features, user base, and content types.
2. Evaluate severity: Assess the likelihood and potential impact of each risk, considering both the probability of occurrence and the harm to users — particularly children and other vulnerable groups.
3. Mitigate risks: Implement proportionate, documented safeguards. Ofcom's Codes of Practice set out recommended measures; departing from them requires you to demonstrate that your alternative approach is equally effective.
4. Review and update: Risk assessments are living documents. They must be updated following significant platform changes, new regulatory guidance, or emerging threats identified through your own moderation data.

What Evidence to Use

Robust assessments draw on incident and moderation logs, user complaint data, law enforcement referrals, industry threat intelligence, and — where relevant — independent expert analysis. Platforms that have conducted user research on how their service is actually used by children tend to produce more credible assessments. Document everything: Ofcom may request your underlying evidence, not just your conclusions.

When to Conduct a Fresh Assessment

A new or substantially revised assessment is required whenever you make significant changes to your service's features or algorithms, when Ofcom publishes updated guidance or codes, or when your own data suggests a material shift in the risk landscape. Annual reviews are a minimum baseline; higher-risk services should review more frequently.

Your Legal Obligations in Practice

Conducting a Compliance Audit

A compliance audit maps your current policies, technical measures, and governance arrangements against the requirements of the Act and Ofcom's Codes of Practice. It should cover risk assessment documentation, content moderation workflows, reporting mechanisms, age assurance systems, transparency reporting, and staff training records. Gaps identified in an audit are far less costly to address proactively than during an Ofcom investigation.

Proactive Prevention vs. Reactive Moderation

The Act explicitly requires proactive measures for priority illegal content — waiting for users to report harmful material is not sufficient. For the highest-risk categories, platforms must deploy systems capable of detecting content before it reaches other users. The standard Ofcom applies is proportionality: larger platforms with greater resources face higher expectations, but no regulated service is excused from having some proactive capability.

Detecting, Removing, and Reporting Illegal Content

Platforms must have technically effective systems for identifying prohibited content, clear timelines for removal, and established channels for reporting to Ofcom and, where appropriate, law enforcement. The National Crime Agency and Internet Watch Foundation remain key referral bodies for CSEA content specifically. Platforms should have documented escalation procedures that staff can follow without ambiguity.

Age Assurance: The Raised Bar

Age verification requirements have become one of the most actively enforced areas of the Act. Ofcom's guidance makes clear that "highly effective age assurance" means more than a self-declaration checkbox. Technical measures — such as age estimation technology, credit card verification, or third-party identity checks — are expected for services likely to be accessed by children. Pornographic content services that have not implemented such measures by now are in direct breach. For other services, the children's access assessment determines whether age assurance is required and at what level.

Transparency Reporting

Platforms above certain thresholds must publish annual transparency reports covering their approach to illegal content, moderation volumes, appeals data, and age assurance measures. Ofcom has published a transparency reporting framework, and reports that fail to address its key metrics are treated as inadequate. Smaller services below the threshold are still expected to be able to produce compliance documentation on request.

User Safety Measures

Building Compliance Into Your Operations

Effective compliance is an operational discipline, not a one-off project. Automated content detection, human moderation, clear community standards, and accessible user reporting tools all need to work together. Ofcom has noted that platforms relying exclusively on automated moderation — without human review for edge cases and appeals — are likely to fall short of the standard required.

Staff Training

Everyone involved in content decisions, user safety, product development, and legal affairs needs a working understanding of the Act's requirements. Training should cover the priority illegal content categories, escalation procedures, how to handle user reports, and what triggers a mandatory referral to external authorities. Records of training completion should be maintained as part of your compliance documentation.

Algorithmic Accountability

AI-driven recommendation and moderation systems are under specific scrutiny. Ofcom expects platforms to be able to explain how their algorithms affect the distribution of potentially harmful content, and to demonstrate that automated systems are regularly audited for bias and effectiveness. As generative AI tools become more widely used to create content, platforms also need to consider how their moderation systems handle AI-generated material — including synthetic CSEA imagery, which is explicitly in scope.

Content Governance and Appeals

Community guidelines must be clear, consistently enforced, and accompanied by a meaningful appeals process. Users who have content removed or accounts actioned must have a route to challenge those decisions. Ofcom has indicated that platforms with no functional

Details

Last Updated: 08 June 2026

Backing up data is essential, but keeping multiple drives in sync and verifying file integrity across copies remains genuinely tricky — even in 2026. macOS Sequoia and its successors ship with a solid set of command-line utilities that handle the heavy lifting, and the third-party ecosystem has matured around them. Chief among the graphical options is Carbon Copy Cloner, which you should simply go ahead and use. It has earned its reputation over many years as the most dependable drive-cloning tool on the Mac. That said, knowing the underlying Unix tools gives you flexibility, scriptability, and a deeper understanding of what your backups are actually doing.

TL;DR – The best macOS tools for syncing and comparing backup drives include rsync for file transfer, diff for directory comparison, shasum for integrity checks, and fswatch for real-time monitoring. Carbon Copy Cloner handles all of this graphically with a polished interface and SafetyNet protection. Automating verification with cron or launchd keeps backups trustworthy without manual effort.

{ToC}

Carbon Copy Cloner

Start here. Carbon Copy Cloner (CCC) is not a command-line tool, but it is the gold standard for drive cloning on macOS and the first thing you should reach for. It has been actively developed and maintained for well over two decades, consistently keeping pace with every major macOS change — APFS, Apple Silicon, Sequoia's volume structure, all of it. The developer, Mike Bombich, is genuinely responsive; when I raised what turned out to be a misunderstanding on my part about APFS snapshot behaviour, I got a clear and patient reply. That kind of support is rare.

CCC's SafetyNet feature is worth highlighting on its own: it preserves deleted or overwritten files in a hidden folder on the destination drive for a configurable period, giving you a safety margin if a sync goes wrong. The task-based interface makes scheduling incremental backups straightforward, and the built-in snapshot support integrates cleanly with APFS. If you are running Apple Silicon hardware — an M3, M4, or later Mac — CCC handles the nuances of bootable backups that rsync alone cannot replicate.

Carbon Copy Cloner is available at bombich.com. It is paid software with a free trial, and it is worth every penny given how much grief a failed backup costs.

Using rsync for Efficient File Synchronisation

rsync is one of the most reliable tools for copying and syncing files. It transfers only changed data, making it well suited to incremental backups of large drives. macOS ships with rsync built in, though the bundled version has historically lagged behind the upstream release. If you want the current version, install it via Homebrew — it is worth doing.

Basic Usage

% rsync -av /source/directory/ /destination/directory/

-a (archive mode) preserves permissions, timestamps, symbolic links, and ownership.
-v enables verbose output so you can track what is being transferred.

Incremental Backups

To copy only files that are newer on the source than the destination:

% rsync -av --update /source/directory/ /destination/directory/

Always test a new rsync command with --dry-run (or -n) first. It shows exactly what would be transferred without touching anything:

% rsync -avn /source/ /destination/

Excluding Files and Folders

On modern macOS, certain system directories and APFS metadata will cause errors if you try to sync them directly. Use --exclude to skip them cleanly:

% rsync -av --exclude='.Spotlight-V100' --exclude='.fseventsd' --exclude='.Trashes' /source/ /destination/

This is particularly relevant when syncing between external drives formatted as APFS or HFS+, where macOS writes hidden metadata that does not need to travel with your backup.

Comparing Directories with diff

Checking Directory Differences

Use diff to compare the contents of two directories:

% diff -rq /dir1 /dir2

-r compares directories recursively.
-q reports only which files differ, without showing the actual content differences — useful when you just want to know whether two backup copies match.

Verifying Integrity with shasum

Generating and comparing checksums is the most reliable way to confirm that a copy is bit-for-bit identical to the source. Silent data corruption — sometimes called bitrot — is a real risk on drives that sit idle for extended periods, and checksums catch it where a simple directory comparison will not.

% shasum -a 256 file1 > file1.sha256
% shasum -c file1.sha256

For an entire directory, generate a manifest you can store alongside the backup:

% find /backup -type f -exec shasum -a 256 {} \; > /backup/checksums.sha256

Run shasum -c /backup/checksums.sha256 periodically to confirm nothing has changed unexpectedly. If you are storing backups on drives that spend months in a drawer, running this check every few months is genuinely worthwhile.

Finding Differences with comm and uniq

Comparing Sorted File Lists

comm is useful for comparing two sorted lists — for example, the file inventories of two backup drives:

% comm -3 <(ls /drive1 | sort) <(ls /drive2 | sort)

comm outputs three columns: lines only in the first input, lines only in the second, and lines in both. The -3 flag suppresses the shared entries, leaving only the differences.

Identifying Duplicates

To find duplicate entries in a sorted file list:

% uniq -d file_list.txt

Monitoring Changes with fswatch

Real-Time File Monitoring

fswatch watches a directory and reports file-system events as they happen. It is not built into macOS but is available via Homebrew:

% brew install fswatch

% fswatch -o /backup-drive

This is useful for confirming that a backup task is actively writing, or for triggering a script whenever a monitored directory changes. Piping fswatch output into a sync command gives you a lightweight continuous-backup workflow without a full daemon.

Automating Backup Verification

Scheduling with cron

cron is the classic Unix scheduler — old, ubiquitous, and perfectly functional for periodic backup checks. Add a job to verify your checksum manifest weekly:

0 3 * * 1 shasum -c /backup/checksums.sha256 >> /backup/logs/sha256.log 2>&1

This runs every Monday at 3 am and appends results to a log file. Edit your crontab with crontab -e.

Using launchd as an Alternative

macOS has long preferred launchd over cron for scheduled tasks, and on modern macOS it is the more robust option — particularly for tasks that need to run even after a reboot or when the system wakes from sleep. You define a job as a property list file in ~/Library/LaunchAgents/ and load it with launchctl. It is more verbose to configure than a cron entry, but it integrates properly with macOS power management and logs to the unified logging system, which makes debugging easier. For anything running unattended on a machine you care about, launchd is the better long-term choice.

Summary

rsync, diff, and shasum are built into macOS. fswatch is available via Homebrew — see Installing wget with Homebrew on macOS for a guide to getting Homebrew set up if you have not already. Carbon Copy Cloner is available at bombich.com.

Together these tools give you a complete picture of your backup health: CCC for reliable, scheduled cloning with SafetyNet protection; rsync for scriptable incremental sync; shasum to catch silent corruption; and diff or comm to confirm two copies match. Automating the verification step is the part most people skip, and it is the part that matters most — a backup you have never tested is a backup you cannot trust. Run the checks, review the logs, and make sure you have at least one copy that is not Time Machine. Time Machine is excellent, but it should not be your only safety net.

Details

Last Updated: 08 June 2026

VMware's shift to a free-for-personal-and-commercial-use model under Broadcom's ownership has settled into the new normal by 2026, and the practical benefits are now well understood. VMware Workstation Pro and VMware Fusion Pro are both available at no cost for individual use, meaning developers, IT professionals, and businesses can move virtual machines between macOS, Windows, and Linux without worrying about licensing fees. If anything, the bigger friction point today is navigating Broadcom's portal to actually download the software — but once you're past that, cross-platform VM migration is genuinely straightforward.

TL;DR — Moving virtual machines between Intel-based Mac computers, Windows PCs, and Linux desktops using VMware's free tools is easier than ever in 2026. Apple Silicon Macs are a different story — read on.

{ToC}

For professionals transitioning away from Intel-based Macs, or anyone consolidating their lab onto a single Windows or Linux workstation, the migration path from VMware Fusion to VMware Workstation Pro is well-trodden. This guide walks through the steps for a smooth move. If you're setting up the destination machine first, you may also want to read Installing VMware Workstation Pro for Ubuntu 24.04, which covers the Linux side of the install process.

The Apple Silicon caveat

Before diving in, one important boundary condition: this guide applies to Intel-based Macs. If your source machine is an Apple Silicon Mac (M1, M2, M3, or M4), the situation is more complicated. VMware Fusion on Apple Silicon runs ARM-based virtual machines, and those VMs are not directly portable to an x86-64 Windows or Linux workstation running VMware Workstation Pro. The CPU architectures are incompatible at the VM level, so a direct copy-and-import will not work. Your options in that scenario are to migrate the workload rather than the VM itself — reinstalling the guest OS on the destination and transferring data separately — or to use an intermediary tool to convert the disk image. For Intel-to-Intel or Intel-to-AMD migrations, however, the process described below works reliably.

It's also worth noting that Broadcom has continued to refine both products since the acquisition. VMware Workstation Pro 17.x and Fusion Pro 13.x are the current release lines as of 2026, and both support the latest guest operating systems including Windows 11 24H2 and recent Linux kernels. Hardware compatibility profiles have been extended accordingly, which matters when you're moving an older VM and want to take advantage of newer virtual hardware features on the destination host.

Preparing for the migration

A little preparation on the source machine saves a lot of troubleshooting on the destination. VMware maintains broad compatibility between Fusion and Workstation, but macOS-specific configuration in Fusion can occasionally cause confusion when the VM lands on Windows or Linux.

1. Check the virtual machine's hardware compatibility level — VMware Fusion lets you set a hardware compatibility profile per VM. Open the VM's settings and confirm it's set to a version that Workstation Pro on the destination also supports. Aligning both to the same hardware version avoids upgrade prompts and potential driver churn after import.
2. Update VMware Tools inside the guest — Do this before you export or copy anything. Current VMware Tools ensures the guest's drivers and services are in good shape, which reduces the chance of network, display, or storage issues appearing after the move.
3. Shut down cleanly, don't suspend — A suspended VM carries a memory snapshot that can cause problems on a different host. Power off the guest fully before exporting or copying.
4. Back up the VM — Migration issues are rare but not unheard of. A copy of the original .vmwarevm bundle on a separate drive means you can always start over without losing work.

Exporting the virtual machine from VMware Fusion

There are two practical routes: exporting as an Open Virtualisation Format (OVF or OVA) file, or manually copying the raw VM files. Each has trade-offs.

Using OVF/OVA export

• Open VMware Fusion and select the VM you want to migrate.
• Go to File > Export to OVF.
• Choose a destination folder and wait for the export to complete. Larger disks take time — plan accordingly.
• Copy the resulting OVF file and its accompanying .vmdk files (or the single .ova archive if Fusion produces one) to an external drive or a network share accessible from the destination PC.

OVF export is the cleanest method for cross-platform moves. The trade-off is that snapshots are not preserved — you get the current state of the VM only. If your snapshot tree matters, use the manual copy method instead, or flatten snapshots before exporting.

Manually copying VM files

For cases where you need to retain snapshots or want a more direct transfer:

• Locate the VM's .vmwarevm bundle in macOS — by default this lives in ~/Documents/Virtual Machines/.
• Right-click the bundle and select Show Package Contents.
• Copy the .vmdk (virtual disk) and .vmx (configuration) files — and any snapshot delta disks if present — to your external drive. If in doubt, copy everything inside the bundle.

This approach retains more of the VM's state but may require a small amount of manual reconfiguration once it's open in Workstation Pro on the other side.

Importing the virtual machine into VMware Workstation Pro

Once the files are on the destination PC, importing is quick.

Importing an OVF or OVA file

• Open VMware Workstation Pro and go to File > Open.
• Select the .ovf or .ova file.
• Work through the import wizard. You'll be asked to name the VM and choose a storage location — the defaults are fine for most cases.
• Review the VM's hardware settings before powering it on. Pay particular attention to the network adapter type and the number of virtual CPUs, which occasionally get reset to conservative defaults during import.

Manually opening copied VM files

If you used the manual copy method:

• Open VMware Workstation Pro and click Open a Virtual Machine.
• Navigate to the copied .vmx file and select it.
• When prompted, choose I Moved It rather than I Copied It. This preserves the VM's unique identifiers and avoids unnecessary MAC address regeneration.
• Review network and resource settings before first boot.

Post-migration steps

The VM will usually boot without drama, but a few things are worth checking before you declare the migration complete.

1. Networking — Fusion and Workstation Pro use different virtual network stacks. If the guest had a static IP or specific network adapter configuration, you may need to reconfigure the virtual NIC type (VMXNET3 is the right choice for most modern guests) and update the guest's network settings to match the new host environment.
2. VMware Tools update — Even if you updated Tools before export, Workstation Pro may prompt you to install a newer version. Accept it. The Tools package is host-specific and the version bundled with Workstation Pro on Windows or Linux will be better matched to that environment.
3. Operating system and application reactivation — Windows in particular ties activation to hardware fingerprint. A VM that has moved to a new host may trigger a reactivation prompt. Have your licence keys to hand. Some enterprise software with node-locked licensing will need attention from a licence administrator.
4. Performance tuning — Revisit CPU and RAM allocation based on what the new host machine actually has available. If the destination machine has NVMe storage, enabling SSD pass-through hints in the VM settings can noticeably improve disk performance inside the guest.
5. Snapshot cleanup — If you carried snapshots across, this is a good moment to review and delete any that are no longer needed. Snapshot chains slow down disk I/O and consume space; a clean baseline snapshot taken post-migration is more useful than a chain inherited from the old machine.

Conclusion

With VMware Workstation Pro free for individual use and the tooling mature after several years under Broadcom's stewardship, moving virtual machines between macOS and Windows or Linux is about as painless as this kind of task gets. The main things to get right are the hardware compatibility level, a clean shutdown before export, and a few minutes of post-import housekeeping on networking and VMware Tools. Everything else largely takes care of itself.

For developers and IT professionals who routinely work across platforms, the ability to carry a fully configured VM from a Mac workstation to a Linux or Windows machine — and have it running within the hour — is a genuine productivity asset. The barrier in 2026 is no longer cost or complexity; it's just knowing the steps.

Details

Last Updated: 08 June 2026