Installing Nix fails with SUIS premount dissented
Nix users on macOS in some enterprises may see the following error:
The following macOS configuration profile includes a ‘Restrictions - Media’ policy, which interferes with the Nix Store volume:
A computer-wide profile:
- Name: Don’t allow mounting internal devices
- Version: 1
- ID: Grahams-MacBook-Pro.F2204C07-A533-47D1-B4AA-47E7A3A0A35A
- UUID: F2204C07-A533-47D1-B4AA-47E7A3A0A35A
- Installation Date: 2024-05-02 20:48:54 +0000
Users of the nixos.org Nix installer will see a much more cryptic error:
Volume on disk3s7 failed to mount: "SUIS premount dissented"
Or, on older versions of the Determinate Nix Installer:
Failed to execute command with status 1 `"/usr/sbin/diskutil" "mount" "Nix Store"`, stdout:
stderr: Volume on disk3s7 failed to mount: "SUIS premount dissented"
Background
“SUIS premount dissented” is an obscure error indicating that the SystemUIServer has a policy preventing the disk from being mounted. The SystemUIServer’s policies are distributed through MDM and macOS Profiles.
A dissenting policy may look like this, where mounting internal hard disks is denied:
<key>PayloadType</key>
<string>com.apple.systemuiserver</string>
<key>PayloadContent</key>
<dict>
<key>mount-controls</key>
<dict>
<key>harddisk-internal</key>
<array>
<string>deny</string>
</array>
</dict>
</dict>
SystemUIServer policies are deprecated since macOS 11, but continue to remain effective in later versions of macOS.
Resolution
Your MDM administrator should create an exception to this policy for machines running Nix. macOS machines running Nix should not set this policy option.
Need help? Join us on Discord, or contact support@determinate.systems.