Posted on 07-27-2023 08:29 PM
We have a Mac where the user is admin and has a secure token but still can't install updates to the OS.
The user account is an Active Directory Mobile Account and is the second user to log in.
Any thoughts on what else to check or enable?
07-28-2023 06:01 AM - edited 07-28-2023 06:03 AM
You need both a Secure Token, and Volume Ownership to install OS updates on Apple Silicon. On an Intel Mac you just need a Bootstrap token (Admin Access). You mentioned this is the second user to log in; macOS does not like to reboot with two users logged in.
If the device is an Apple Silicon Mac:
Check to see if the user is a volume owner. This usually comes with FileVault access.
/usr/sbin/sysadminctl -secureTokenStatus username_goes_here
This command can give volume ownership if something is wrong.
/usr/sbin/sysadminctl -secureTokenOn username_goes_here -password - -adminUser user_with_secure_token_goes_here -adminPassword -
This being a mobile account should not impact this workflow; macOS still behaves as if it was a local account. Though I do suggest looking into getting away from AD binding.
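An added example, not part of the thread or any poster's script: `sysadminctl -secureTokenStatus` reports only the Secure Token, so this script also reads volume ownership from `diskutil apfs listUsers /` by matching the account's GeneratedUID. The function names, the sample output and its UUIDs are constructed, and the parsed `diskutil` layout is assumed from macOS 11 and later.

```shell
#!/bin/sh
# Added example (not from the thread): report Secure Token and APFS volume
# ownership separately for one account.

# Constructed sample of `diskutil apfs listUsers /` output; the layout is an
# assumption based on macOS 11 and later, and the UUIDs are made up.
SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Local Open Directory User
    Volume Owner: No'

# Constructed sample of what sysadminctl writes to stderr.
SAMPLE_TOKEN='2023-07-28 06:01:00.000 sysadminctl[123:456] Secure token is ENABLED for user jdoe'

# Reads listUsers output on stdin; prints yes, no, or absent for UUID $1.
volume_owner_status() {
    awk -v want="$1" '
        /^[+]-- / { cur = toupper($NF) }          # start of one user entry
        /Volume Owner:/ && cur == toupper(want) { print tolower($NF); found = 1 }
        END { if (!found) print "absent" }'
}

# Reads sysadminctl -secureTokenStatus output on stdin.
secure_token_status() {
    case $(cat) in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Live check on a Mac (run as: sh check.sh username).
check_user() {
    uuid=$(dscl . -read "/Users/$1" GeneratedUID | awk '{print $2}')
    token=$(sysadminctl -secureTokenStatus "$1" 2>&1 | secure_token_status)
    owner=$(diskutil apfs listUsers / | volume_owner_status "$uuid")
    echo "$1 secure_token=$token volume_owner=$owner"
}

if [ "$#" -gt 0 ] && command -v diskutil >/dev/null 2>&1; then
    check_user "$1"
fi
```

An `absent` result means the account's GeneratedUID is not among the volume's cryptographic users at all, which is a different condition from being listed with `Volume Owner: No`.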
Posted on 07-31-2023 06:26 PM
Thanks @AJPinto
When I mentioned this user was the second user, I meant the second user to be made on the machine, not that there were two people logged on at the same time.
I've made a script to check for Volume Ownership and the user has Volume Ownership as does the other user and they both have Secure Token.
We decided to sidestep the issue and make a local admin for the user as well to see, and that allows the installation of the macOS updates. That account also has Secure Token and Volume Ownership just like the other two accounts.
It's a puzzle indeed.