Operational Defect Database
BugZero updated this defect 32 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
VMware | 82642
Unable to install apps via Workspace ONE UEM on macOS version 11 and above
Last update date:
4/17/2024
Affected products:
Workspace ONE
Affected releases:
No affected releases provided.
Fixed releases:
No fixed releases provided.
Description:
Symptoms
Some customers are unable to deploy the following types of applications on macOS versions 11+ Intelligent Hub (automatic installation post-enrollment)Bootstrap PackagesApple Business Manager (VPP) apps The above apps are deployed via native MDM commands - InstallEnterpriseApplication and InstallApplication. Apps deployed via Internal Apps are not affected, as long as Intelligent Hub is already installed on the device.
Purpose
Log Snippets from macOS Console Log: default 12:17:04.241137-0700 appstored Polling completed, started 1 installation(s): ( "MNFF77CB966/com.airwatch.mac.agent" ) default 12:17:04.246015-0700 appstored [MNFF77CB966/com.airwatch.mac.agent] Beginning downloading default 12:17:15.191613-0700 appstored [MNFF77CB966/com.airwatch.mac.agent] PKInstallClient install started default 12:17:15.250349-0700 appstored [MNFF77CB966/com.airwatch.mac.agent] installClientDidBegin default 12:17:15.250498-0700 appstored [MNFF77CB966/com.airwatch.mac.agent] installClient:didFailWithError Error Domain=PKInstallErrorDomain Code=100 "Authorization is required to install the packages." UserInfo={NSLocalizedDescription=Authorization is required to install the packages.} error 12:17:16.292809-0700 appstored [MNFF77CB966/com.airwatch.mac.agent] Failing installation after receiving error: Error Domain=PKInstallErrorDomain Code=100 "Authorization is required to install the packages." UserInfo={NSLocalizedDescription=Authorization is required to install the packages.} default 12:17:16.293732-0700 appstored Not presenting error alert/notification because install was from an MDM client: com.airwatch.mac.agent default 12:17:16.293939-0700 appstored [MNFF77CB966/com.airwatch.mac.agent] Notifying clients of the failed install with error: Error Domain=PKInstallErrorDomain Code=100 "Authorization is required to install the packages." UserInfo={NSLocalizedDescription=Authorization is required to install the packages.}
Cause
Customers using the Require admin password to install or update apps key in a macOS Restrictions profile will be affected by this issue. The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will unfortunately cause apps deployed via native MDM commands to fail. Behavior Observed: the InstallApplication/InstallEnterpriseApplication MDM command will be initially acknowledged by the device, seemingly to indicate a successful command transaction. But later macOS mdmclient silently fails with the following error seen in the logs - "Authorisation is required to install the packages." This behavior has not been reported in macOS 10.15 Catalina or lower versions. VMware has filed a bug report with Apple on this issue.
Impact / Risks
May cause issues provisioning newly enrolled macOS 11+ devices with all software needed.
Resolution
Uncheck the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device. If your organization mandates this setting be used across macOS, a newer key can be used within a custom settings payload to achieve the same functionality: <dict> <key>PayloadUUID</key> <string>6CFFE75F-14B1-4B7E-8C69-DEE2C6B03323</string> <key>PayloadIdentifier</key> <string>com.apple.SoftwareUpdate.6CFFE75F-14B1-4B7E-8C69-DEE2C6B03323</string> <key>PayloadType</key> <string>com.apple.SoftwareUpdate</string> <key>PayloadDisplayName</key> <string>New key for Require admin password to install or update apps</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadEnabled</key> <true/> <key>restrict-software-update-require-admin-to-install</key> <true/> </dict>
Workaround
For devices where expected Applications are not installed: Intelligent Hub (automatic installation post-enrollment)Bootstrap PackagesApple Business Manager (VPP) apps It is possible to re-push the expected application manually and this may result in application install. Otherwise please temporarily remove the restriction in UEM console and re-enroll the affected device.
