macOS Update Provisioning for Apple Silicon – Action1 Agent Installation & Troubleshooting Tips

This section gives specific recommendations for installing or upgrading the Action1 agent on Apple Silicon computers so that macOS system updates can be installed.
To install system updates on Apple Silicon, Action1 requires:

  • an auxiliary user account
  • a Keychain record for this account
  • a secure token associated with this account

When it is deployed on a macOS endpoint, the Action1 agent creates an auxiliary user account (named action1_os_updater) with a password and stores it in the Keychain. This user account should be associated with a secure token, which is done manually or automatically, depending on the deployment scenario, as explained below.

After you uninstall the Action1 agent, the action1_os_updater auxiliary user and its key are removed from the Keychain.

NOTE: The user with the secure token and the keychain record will be removed if the Action1 agent has Full Disk Access privilege.

Scenario 1: Action1 agent installation via UI

Follow the installation steps described in the “Installing Action1 Agent” section here. You will be prompted for the user account credentials:

  • For the installer itself
  • For sysadminctl to enable the secure token.

NOTE: In some cases the secure token may already be enabled; Action1 will then prompt for the administrative credentials only once.

After you successfully complete the process, a confirmation message is issued, meaning that the action1_os_updater auxiliary user and the corresponding keychain record were created and associated with the secure token. The OS update can then be performed.

Scenario 2: Unattended Action1 agent installation

Follow the installation steps described in the “Installing Action1 Agent” section here.
After completing these steps, create and enable the secure token as described later in this document.
After the user account is created, stored in the Keychain and successfully associated with a secure token, you will get a confirmation message.

Scenario 3: Automatic agent upgrade

In this scenario, all required operations (except secure token enablement) are performed automatically. Enable the secure token as described later in this document.
After the user account is created, stored in the Keychain and successfully associated with a secure token, you will get a confirmation message.

Enabling secure token

In the Terminal app, run the following command:

sudo /usr/local/action1/action1_agent enable_secure_token [verbose]

NOTE: Using the “verbose” parameter is optional; it enables detailed output that can be helpful for troubleshooting.

About bulk installation

In some situations, you may need to install multiple agents in bulk using the unattended mode. A related command exists for this, but run it at your own risk: it requires you to supply the administrative user name and password for your target endpoints on the command line:

sudo /usr/local/action1/action1_agent enable_secure_token admin_user:"..." admin_pass:"..." [verbose]

Creating a user with secure token

In some cases you may need to create a user account and a corresponding keychain record manually. For that, use the following command in the Terminal app:

sudo /usr/local/action1/action1_agent create_secure_token_user [verbose]

The secure token is not enabled automatically. To enable it, see the “Enabling secure token” section above.
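
Added example, not part of Action1's documentation: a pre-flight check that reports whether the action1_os_updater account exists and holds a secure token, and prints which of the commands above to run. It uses the standard macOS tools dscl and sysadminctl; the function names and sample status lines are constructed for illustration, and the Keychain record is not checked because this page does not say where it is stored.

```shell
#!/bin/sh
# Added example (not Action1 code): pre-flight check for the auxiliary account.
AUX_USER="action1_os_updater"                # account name from the page
AGENT="/usr/local/action1/action1_agent"     # agent path from the page

# token_state TEXT: classify a `sysadminctl -secureTokenStatus` status line.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# next_step USER_EXISTS TOKEN_STATE: print the page's remediation, one
# command per line, or "ok" when the account exists and holds a token.
# Any token state other than "enabled" is treated as "token missing".
next_step() {
    if [ "$1" != yes ]; then
        echo "sudo $AGENT create_secure_token_user verbose"
        echo "sudo $AGENT enable_secure_token verbose"
    elif [ "$2" = enabled ]; then
        echo "ok"
    else
        echo "sudo $AGENT enable_secure_token verbose"
    fi
}

# check_host: query the local directory service and print the next step.
check_host() {
    if dscl . -read "/Users/$AUX_USER" >/dev/null 2>&1; then
        exists=yes
    else
        exists=no
    fi
    # sysadminctl writes its status line to stderr, hence 2>&1.
    status=$(sysadminctl -secureTokenStatus "$AUX_USER" 2>&1 || true)
    next_step "$exists" "$(token_state "$status")"
}

# Constructed sample status lines, used when the script runs off a Mac.
SAMPLE_ON="sysadminctl[501:1234] Secure token is ENABLED for user $AUX_USER"
SAMPLE_OFF="sysadminctl[501:1234] Secure token is DISABLED for user $AUX_USER"

if [ "$(uname -s)" = "Darwin" ]; then
    check_host
else
    next_step yes "$(token_state "$SAMPLE_OFF")"
fi
```

The check itself needs no administrative credentials; only the remediation commands it prints are run with sudo.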

Troubleshooting Tips

NOTE: Using the “verbose” option is recommended for the commands referenced in this section; it enables detailed output that can be helpful for troubleshooting.

Problem:

When trying to install a system update on the macOS endpoint, the following error message is issued:

To install system update {name}, user account requires a secure token. Create a token and try again.

Cause:

The OS update requires a Keychain record and a user with a secure token. If the user and keychain record exist, but the user lacks a secure token, the error message is issued. In particular, it can be displayed after an old version of the Action1 agent is automatically upgraded.

Solution:

Create and enable a secure token for the user account as described in the “Enabling secure token” section above, then retry.

Problem:

When trying to install a system update on the macOS endpoint, the following error message is issued:

To install system update {name}, a user account with a secure token is required. Create a user account and try again.

Cause:

To perform the OS update, the Action1 agent requires a Keychain record for a user with a secure token. If the user who should have a secure token is missing, the error message is issued.

Solution:

Create a user account with a secure token and enable the token as described in the “Creating a user with secure token” and “Enabling secure token” sections above, then retry.

Problem:

When trying to install a system update on the macOS endpoint, the following error message is issued:

To install system update {name}, a keychain record is required. Create it and try again.

Cause:

The OS update requires a Keychain record associated with a user with a secure token. The error message is displayed if the user exists, but the Keychain record is missing.

NOTE: Normally, this scenario should not occur.

Solution:

  1. Delete the auxiliary user account with the following command:

    sudo dscl . -delete /Users/action1_os_updater

  2. Create the user account anew:

    sudo /usr/local/action1/action1_agent create_secure_token_user [verbose]

  3. Enable the secure token for this account:

    sudo /usr/local/action1/action1_agent enable_secure_token [verbose]

NOTE: It is recommended to use the “verbose” option for both operations.

Problem:

When trying to install a system update on the macOS endpoint, the following error message is issued:

Failed to get secure token key from keychain. Update {name} cannot be installed.

Cause:

This error is displayed if both the auxiliary user and Keychain record exist, but the key value cannot be retrieved.

Solution:

  1. Delete the auxiliary user account with the following command:

    sudo dscl . -delete /Users/action1_os_updater

  2. Create the user account anew:

    sudo /usr/local/action1/action1_agent create_secure_token_user [verbose]

  3. Enable the secure token for this account:

    sudo /usr/local/action1/action1_agent enable_secure_token [verbose]

NOTE: It is recommended to use the “verbose” option for both operations.