Failed Software Update on the External Drive of an Apple Silicon Mac
I thought I was out of the woods in setting up new Apple Silicon test macOS systems, after finally working around a Sequoia bug to get old versions of macOS to install on an external drive. Then Apple released the first beta for macOS 15.5, and I found that I couldn’t update to it.
After I agreed to the license and entered my password for software update, it would fail saying, “User interaction required. An error occurred while installing the selected updates.” I’ve had lots of problems with the Software Update pane of System Settings in recent years, but the command-line tool had always worked. So I tried sudo softwareupdate -irR, but that also kept failing, saying: “Failed to authenticate.”
This seems to have been caused by a problem with the LocalPolicy. I was aware that ownership is an issue with Apple Silicon Macs, but it had never really caused problems for me before. I would just enter the requested information for a prior account when installing macOS, and it seemed to all just work, albeit with some annoying extra steps.
This external Sequoia drive that I was trying to update to macOS 15.5 had been originally created using a different Apple Silicon Mac, so in retrospect it makes sense that the owner information wouldn’t be right for the Mac where I was trying to do the update. But this never occurred to me because the Mac was able to boot from the drive just fine. Apparently, the owner account is not necessary for booting but is necessary for updating.
A visible symptom of ownership problems seems to be that the Mac won’t auto-boot from the drive. It will either boot from the internal drive or take you to the startup manager. I didn’t notice this because I had been intentionally switching back and forth between different boot drives, always holding down the power key and selecting the drive using the startup manager.
I happened to boot into macOS Recovery and look in the Startup Security Utility, and I saw that it did not have access to change the security policy for the external drive. In order to do that, it said I had to set the drive as the startup disk. This kind of didn’t make sense because don’t the security options get set when booted from Recovery?
Anyway, I went to the Apple menu and chose Startup Disk and clicked on the external drive. Then I went back to Startup Security Utility and nothing seemed to have changed. OK, maybe I have to restart and it will use the Recovery from the newly selected startup disk? So I did that but ended up in the same place. It was still acting as though the external drive wasn’t the startup disk, even though I had selected it.
Maybe the startup disk will stick if I click the Restart button that’s in the Startup Disk window? That turned out to be the key. When I clicked the button, it showed this error:
This volume does not have any authorized users for this computer.
The selected system does not have any users that are authorized to administer this computer. You can continue to try to set the startup disk but some features such as software updates will not be functional. If you know the password of one or more users on this system you may authorize the users by clicking on “Authorize Users…”
I don’t know why software update couldn’t tell me this or why there is seemingly no direct GUI command to view or edit the authorized users. But restarting from within Startup Disk is apparently the way to get macOS to offer to fix the LocalPolicy. Once I added the user, I was able to do a normal boot from the external drive and software update normally.
Previously:
- How External Bootable Disks Work With Apple Silicon Macs
- Error 702 Installing macOS on an External Drive
- Checking Bootable Systems Using bputil
- Booting an M1 Mac From an External Disk With Monterey
- Owner Accounts on M1 Macs
- macOS 11.2 Beta 2 Adds Full Custom Kernel Support
9 Comments RSS · Twitter · Mastodon
I don't like the direction computing is headed. What benefit do these policies have?
The cynical take is that all this is an attempt to set up Macs for removal of external booting altogether. iPad-ification is only getting worse...
Why did they have to make the firmware and external booting and all of this so goddamn brittle?
20 years from now, the retro computing crowd is going to have a hell of a time with these machines. The hardware might work perfectly fine (assuming you removed the battery before it leaked liquid death all over the logic board), but no one will be able to load any software onto the damn things.
> The cynical take is that all this is an attempt to set up Macs for removal of external booting altogether.
Why even bother with all this half-ass shit then? Just kill external booting with the introduction of Apple Silicon.
@Mike I think the Apple Silicon Macs needs activation from Apple’s server, so I doubt they’ll be able to even install the OS.
That's why primary thing I do with at least non portable Macs is disable Activation Lock.
In the past I had multiple errors of updating operating system due to apple which send bad system signature via nsurl or due a not properly verified signature of iBoot prior installing firmware with system update.
Disabled Activation Lock and boom, Mac behaves like it should.
T2 and later require Internet, yeah. And with the T2 you have to depend on Internet Recovery if there's any failure of the internal installation unless you were clever enough to preempt this and turn off signature verification and turn on external bootability.
And for AS, yes, you had to have transferred ownership during installation for an external install to be updatable. I ran into this as well and back then there was no way to recover from this situation except starting from scratch. Unfortunately the whole thing is now very brittle and failure-prone, dependent on a load of variables that are very hard to estimate and it's pot luck more than anything whether it'll work or not. I don't think Apple intended it to be user-serviceable at all and it works only because Apple thought it was worth supporting, but not supporting well.
@Jon I recommend disabling Activation Lock, too, but I don’t think it has any bearing on any of the boot/install issues I’ve been writing about these last few weeks.
Apple says that all this mess is for privacy reasons. OK, then give us the option to select what privacy level do we want. I want to be able to do with my Macs whatever I want, including 100% booting from external SSD, booting different Macs from the very same external SSD, not installing anything in the internal SSD (booting 100% from the external SSD) leaving it empty or for Time Machine backups only, install any application from outside the Apple Store, etc.
Apple, they are my Macs, not yours, since I paid for them. Stop patronizing us. Give us options. Options are good.
I don't understand the problem. Just copy the "System" folder to the external disk. Oh wait... that's OS 9.
Okay, no problem. Well, it's a bit of a nuisance, but not that bad: just copy everything from the root of a working volume to the external volume, and "bless" the disk... right, that's OS X.
Oh, right. It's a Silicon Mac. What's that you say, follow an Apple Support article? No, that won't work. What you had better do is just send an email to this guy Howard Oakley...
