Enabling System Updates for Apple Silicon Devices
This article describes how to configure the Action1 agent on Apple Silicon computers to enable macOS system updates. Without this configuration, Action1 will be unable to deploy operating system updates on Apple Silicon devices, and errors such as the following will be generated:
This agent is not configured to deploy system update macOS Sequoia 15.2, Version: 15.2
To configure system updates, run the following command in the Terminal app:
sudo /usr/local/action1/action1_agent enable-system-updates
The command above will prompt you for the admin user credentials. The admin credentials are needed to create an auxiliary user account, create a secure token for it, and store the account's password in the system keychain. For more details, see the Technical Details section below.
For an unattended deployment, run the following command using your MDM:
sudo /usr/local/action1/action1_agent enable-system-updates admin-user:"username" admin-pass:"password"
Note that both username and password must be enclosed in double quotation marks.
Troubleshooting
If something affects previously enabled system updates (e.g., the auxiliary user account or Keychain record is deleted), one of the following error messages may appear:
System update deployment error: account is missing.
System update deployment error: keychain record is missing.
System update deployment error: keychain error.
To resolve these errors, simply run this script in the Terminal app:
bash /usr/local/action1/reenable_system_updates.sh
If the error persists after running the script, please contact Action1 support.
Technical Details
To be able to install system updates on Apple Silicon, Action1 requires:
- an auxiliary user account
- a Keychain record for this account
- a secure token associated with this account
NOTE: To learn more about the macOS secure architecture, see "Use secure token, bootstrap token, and volume ownership in deployments".
The enable-system-updates command creates an auxiliary user account named action1_os_updater with a randomly generated strong password. This password is stored securely in the Keychain and is accessible only to the Action1 agent. The auxiliary user account is then associated with a secure token.
During manual agent installation, this is done automatically. The interactive agent installer prompts for admin user credentials twice: once for the installer itself and once for sysadminctl. If your Mac has fingerprint authentication configured, it can be used to authenticate the installer instead of typing a password.
For unattended installations, an additional step is required: running the enable-system-updates command. This command performs all necessary configurations (creating the user, generating the Keychain entry, and assigning the secure token).
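A post-deployment check for the prerequisites listed above, as an added example that is not part of Action1's own tooling: it confirms that the action1_os_updater account exists and holds a secure token. The function names, the --probe switch and the wording of the sysadminctl status line are assumptions; the Keychain record is not checked because the article does not name the Keychain item.

```shell
#!/bin/sh
# Added example (not Action1 code): check the prerequisites the article lists
# for system updates on Apple Silicon. The Keychain record is not checked,
# because the article does not name the Keychain item.
AUX_USER="action1_os_updater"   # auxiliary account name given in the article

# Constructed sample of `sysadminctl -secureTokenStatus` output (assumed format).
SAMPLE_OUT='2025-01-01 10:00:00.000 sysadminctl[100:200] Secure token is ENABLED for user action1_os_updater'

# token_enabled OUTPUT: succeed if the captured sysadminctl output reports
# an enabled secure token.
token_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# check_state ACCOUNT_EXISTS SYSADMINCTL_OUTPUT: print one state word and
# return 0 only when both prerequisites are present.
check_state() {
    if [ "$1" != "yes" ]; then
        echo "account-missing"; return 1
    fi
    if ! token_enabled "$2"; then
        echo "no-secure-token"; return 2
    fi
    echo "ok"
}

# probe: collect the live state on a Mac and classify it.
probe() {
    if [ "$(uname -m)" != "arm64" ]; then
        echo "not-apple-silicon"; return 0
    fi
    if dscl . -read "/Users/$AUX_USER" >/dev/null 2>&1; then
        exists=yes
    else
        exists=no
    fi
    # sysadminctl writes its status line to stderr, so capture both streams.
    out=$(sysadminctl -secureTokenStatus "$AUX_USER" 2>&1) || true
    check_state "$exists" "$out"
}

# Run the live check only when asked: sh check_updater.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe
fi
```

Run from an MDM as root with --probe, a non-zero exit status marks a device where the enable-system-updates command or the re-enable script still needs to run.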
Agent Uninstallation
Interactive: During interactive agent uninstallation, the uninstaller will attempt to remove the action1_os_updater auxiliary user and its Keychain entry. It will ask for additional permissions during the removal of the auxiliary user.
Unattended: In unattended uninstallation mode, the auxiliary user will not be removed automatically and must be deleted manually. However, the secure token associated with the auxiliary user will be removed during the uninstallation process.