What causes the installation of CA Client Automation on MAC OS X machines to fail with System Integrity Protection enabled?

Document ID : KB000011558
Last Modified Date : 14/02/2018
Introduction:

Installing or uninstalling CA Client Automation agents on MAC OS X fails.

Looking at the ca-dsm###.log, you will see permission-related errors, even when the installation is launched as root.

The error in the log will look like this:

 

13:53:01 +++ Install: /usr/bin/ca_lsm 
Creation of link /usr/bin/ca_lsm failed with errno 1 (Operation not permitted). 
Reason: The link from one file to another could not be created. 
Action: Find the error description on the link or ln command manual page (man link or man ln).

Check whether the base file for the link was packaged with the product. 

Question:

What causes the installation of CA Client Automation on MAC OS X machines to fail with System Integrity Protection enabled?

Environment:
CA Client Automation - All Versions
MAC OSX - All Versions
Answer:

The above message is caused by a security change made to the MAC OS X operating system, whereby System Integrity Protection (SIP for short) prevents all users, including the root user, from writing to certain filesystem locations.

This is detailed in an article from Apple at this link:

https://support.apple.com/en-us/HT204899
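
To confirm that SIP, rather than an ordinary permissions problem, is behind the failures in a ca-dsm log, the following added example (not CA Technologies code) extracts every link target that failed with errno 1 and keeps those in SIP-protected locations. The function names, the sample log lines other than the one quoted above, and the prefix list (taken from Apple's description of SIP: /System, /usr, /bin and /sbin protected, /usr/local writable) are assumptions of this example.

```shell
#!/bin/sh
# Added triage example, not part of CA Client Automation.

# Return 0 if the path lies in a location protected by SIP.
# Assumption: prefix list follows Apple's SIP article linked above.
is_sip_protected() {
    case "$1" in
        /usr/local|/usr/local/*) return 1 ;;  # left writable for third parties
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read an installer log on stdin and print each link target that failed
# with errno 1 (Operation not permitted) and sits in a protected location.
sip_blocked_paths() {
    sed -n 's/^Creation of link \(.*\) failed with errno 1 (Operation not permitted).*$/\1/p' |
    while IFS= read -r path; do
        if is_sip_protected "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample: the first two lines mirror the log excerpt above,
# the last two are made up to show paths that are NOT attributed to SIP.
sample_log() {
    cat <<'EOF'
13:53:01 +++ Install: /usr/bin/ca_lsm
Creation of link /usr/bin/ca_lsm failed with errno 1 (Operation not permitted).
Creation of link /usr/local/bin/example_tool failed with errno 1 (Operation not permitted).
Creation of link /opt/example/bin/tool failed with errno 13 (Permission denied).
EOF
}

if [ -n "${1:-}" ]; then
    # On the Mac itself: show the current SIP state, then the affected paths.
    if command -v csrutil >/dev/null 2>&1; then csrutil status; fi
    sip_blocked_paths < "$1"
else
    sample_log | sip_blocked_paths
fi
```

Run it with the path of the ca-dsm log as its only argument; with no argument it processes the constructed sample.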

 

The only workaround is to disable that security feature and rerun the installation of CA Client Automation.

For details of the steps to take to disable System Integrity Protection in MAC OS X, please do a web search for the terms “disable SIP” or “Disable System Integrity Protection MAC OSX”. There are many sites that detail the steps.

The reason CA Technologies Support does not list the steps is that they involve disabling a security component of the operating system.

Please consult with the MAC support team should you need assistance with this procedure.

https://support.apple.com/mac

Additional Information:

Please note that once the command to disable SIP is run, a reboot is required for that change to take effect.

Once that is done, proceed with the install or uninstall of the CA Client Automation agents, and you should not get the same failed installation.

It is also OK to re-enable SIP after the installation completes and then reboot.