“Account Locked”

The problem turns out to be a corrupt /Library/Preferences/com.apple.networkextension.plist file. This needs to be deleted, such that the system can create a new one. Unfortunately that’s not possible because in Apple’s “infinite wisdom“ even the root user has been degraded to a lowly user account with selective admin privileges, instead of being the God account it’s supposed to be. As a consequence, one must boot into recovery mode, open a terminal session, and then delete the file from there.

The outage described in this thread was resolved on the same day that it occurred. If you’re working in an Enterprise team and having problems deploying your apps, I recommend that you seek help from either your MDM vendor or, if you’re doing this yourself, from Apple Support. You can also see community help over in the Apple Support Community, and specifically in the Business and Education topic area, where you’re more likely to find folks with enterprise app deployment experience. I’m locking this thread because a) the issue it covered is most definitely resolved, and b) I don’t want it to become a distraction for folks who have enterprise deployment problems. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

Q1: Yes, I used Migration Assistant to move files to this Mac mini (Apple Silicon). I believe I only migrated files, not the full user account. My previous Mac likely had uid 502 assigned to my user account, which may have carried over to the system directories on this new Mac. Q2: There is only one user account on this Mac. Q3: No, this is a personal Mac, not managed by any organization. No endpoint security software installed. Q4: I don’t believe so. This Mac mini is relatively new and I don’t recall ever disabling SIP. Please let me know if there’s any additional diagnostic information I can provide, or if there’s a recommended fix for the uid mismatch.

@TE2026, ok, thanks for letting me know about not having a developer account. Let me try to get some more info from you here, if you know. What we are able to tell through your report is that there are system directories on your Mac that have a different owning file user than expected, where the directory is owned by uid 502 instead of the expected uid 501, and that's tripping up the device management infrastructure. This is pretty unusual, and it would be helpful to us to figure out how you got into this situation, if possible. Here are some questions to maybe help you think through things, but I'm really looking for anything that you can point out as potentially unusual in how this Mac is set up or used: Have you migrated this macOS user account to different Macs over many OS versions? Is there only one user account on the Mac, or is this Mac used in some sort of a multi-user environment? Is this Mac managed in some way, such as by a company or educational institution, according t

I briefly tried to get this to work today using the old Carbon API, which I must confess I'm not super familiar with (before my time), but didn't have any success. Before I posted this thread, I tried what looked like the most straightforward way to accomplish this: No, that won't work. NSFileBusy is looking at ExtendedFileInfo.extendedFinderFlags and checking if kExtendedFlagObjectIsBusy is set. I don't think it's really used today, but my recollection was that this meant “busy” in the file access/locking sense, which is different than the creation case of the Finder. In any case, I'd start by checking/setting kMagicBusyCreationDate. I believe that's the Finder primary mechanism, and, more practically, it's not deprecated and easier to access than type/creator. __ Kevin Elliott DTS Engineer, CoreOS/Hardware

Yeah, the obvious way doesn't work so well if you're using auto-renewing subscriptions - forcing the user to run the outer app every three days when the grace period expires to see if the user is still subscribed is a non-starter - this needs to be transparent and just work™ once the user has bought the subscription - my target customers are mastering engineers and similar - I wouldn't put up with that from a plugin for long, so I cannot expect my customer to. I have one local beta tester I'm going to try a TestFlight version with subscription support enabled and lots of logging and see if the extension is able to see products defined for the outer app. The fact that all of this is essentially untestable by the developer (getting a StoreKit config through to the extension process seems to be a no-go, not to mention my experience with local StoreKit configs working on a much simpler iOS app spotty enough not to trust) is fairly maddening. The combinatorics in the state machine you need for definitely-not-subsc