bug: macOS Sequoia: Home Manager activation fails at checkAppManagementPermission when using home.stateVersion = "25.11" #8336

@TatsuShino

Are you following the right branch?

  • My Nixpkgs and Home Manager versions are in sync

Is there an existing issue for this?

  • I have searched the existing issues

Issue description

System Information

  • OS: macOS Sequoia 15.7.2 (Darwin 24.6.0)
  • Architecture: x86_64 (Intel Mac)
  • Host: MacBook Pro (15-inch, 2018/2019)
  • Nix: 2.31.2 (multi-user install)
  • Sandbox: disabled
  • Nixpkgs: nixpkgs-25.11-darwin
  • Nix-Darwin: nix-darwin-25.11
  • Home Manager: release-25.11

Description

When running Home Manager on macOS Sequoia, activation consistently fails during the
checkAppManagementPermission step only when home.stateVersion is set to "25.11".

The same configuration succeeds without issues when home.stateVersion is set to "23.11",
even though all flake inputs (nixpkgs, nix-darwin, home-manager) are already on their respective 25.11 branches.

This appears to be related to macOS TCC (App Management) integration during Home Manager activation.


Observed Behavior

During darwin-rebuild switch, the system build completes successfully, but activation fails at the Home Manager stage.

Relevant output

Activating home-manager configuration for <username>
Starting Home Manager activation
Activating checkAppManagementPermission
error: permission denied when trying to update apps, aborting activation
home-manager requires permission to update your apps, please accept the notification
and grant the permission for your terminal emulator in System Settings.

If you did not get a notification, you can navigate to
System Settings > Privacy & Security > App Management.

Steps to Reproduce

  1. Use macOS Sequoia (15.7.2 in my case)

  2. Set flake inputs to

    • nixpkgs-25.11-darwin
    • nix-darwin-25.11
    • home-manager/release-25.11

  3. Configure Home Manager with

     home.stateVersion = "25.11";

  4. Run

     darwin-rebuild switch --flake .

  5. Activation fails at checkAppManagementPermission

Expected Behavior

Home Manager activation should complete successfully with home.stateVersion = "25.11",
as it does with "23.11" under the same environment and inputs.


What Works

  • Setting home.stateVersion = "23.11"
    → Activation succeeds

  • The issue is independent of the terminal emulator

    • Apple Terminal
    • WezTerm

    (both tested and show the same behavior)


What I Have Tried

1. Granting App Management permission

  • System Settings → Privacy & Security → App Management
  • Enabled permission for
    • Apple Terminal
    • WezTerm

The permission toggle appears enabled, but activation still fails on subsequent builds.


2. Clean rebuilds and garbage collection

sudo nix-collect-garbage -d
nix-store --gc
darwin-rebuild switch --flake . --show-trace

No change in behavior.


3. Verified no unsupported or removed options are used

Confirmed that none of the following options are present anywhere in the configuration

grep -R "enableAppManagement" .
grep -R "checkAppManagementPermission" .

Only historical references exist in .git/logs.


4. Configuration minimization

  • Homebrew and masApps integration removed
  • No explicit App Management–related options enabled
  • Issue persists as long as home.stateVersion = "25.11"

Notes / Hypothesis (Non-conclusive)

  • The failure occurs during activation, not evaluation
  • It seems related to how Home Manager performs App Management permission checks on macOS
  • The behavior changes strictly with home.stateVersion
  • It is unclear whether this is due to
    • a change in Home Manager’s activation logic for 25.11
    • stricter TCC behavior on macOS Sequoia
    • or an interaction between the two

I am reporting this mainly as an observed regression / behavior change and would appreciate any guidance on whether this is expected, a known issue, or something that should be adjusted in configuration or Home Manager itself.


Minimal Reproducer (Excerpt)

home-manager.users."<username>" = { pkgs, ... }: {
  home.username = "<username>";
  home.homeDirectory = "/Users/<username>";

  # Works:
  # home.stateVersion = "23.11";

  # Fails:
  home.stateVersion = "25.11";
};

Additional Information

  • This occurs on an Intel-based Mac (x86_64), not Apple Silicon
  • Nix is installed in multi-user daemon mode
  • Sandbox is disabled

Closing

If additional logs (e.g. TCC-related system logs) or further reduction would be helpful, I am happy to provide them.


Maintainer CC

No response

System information

- system: `"x86_64-darwin"`
- host os: `Darwin 24.6.0, macOS 15.7.2`
- multi-user?: `yes`
- sandbox: `no`
- version: `nix-env (Nix) 2.31.2`
- channels(root): `"nixpkgs"`
- nixpkgs: `/nix/store/fc1kp3qryanah6nwbj7zpjrim9p9c0p8-source`

Labels: bug, triage (issues or feature requests that have not been triaged yet)