Local AI Infrastructure Notes (6/15) — Mac Mini Home Server Troubleshooting: macOS Auto-Update
Root cause of remote access failure and a power/update configuration checklist for server-mode Macs
Summary
- Mac Mini M4 home server became unreachable — cause: macOS software update triggered an automatic restart.
- After restart, the system sat at the login screen → Tailscale and LaunchAgents did not start → extended downtime.
- Fix: block automatic update installation (allow download only) + enable auto-login to prevent recurrence.
Background
The Mac Mini M4 runs as a headless home server connected via Tailscale VPN, with multiple agents and automation scripts running continuously. Stability is a hard requirement in this configuration.
When macOS reboots for an automatic update, LaunchAgents do not start until a user session is established. This brings down all user-space services — Tailscale VPN, SSH, agents — and leaves no remote path to diagnose the failure.
Body
1. Diagnosis
After gaining physical access to the machine, trace the cause. macOS logs power events and software update history in separate log channels.
① Check reboot history
last reboot
An unexpected reboot entry appears in the log. If you have no record of manually restarting the machine, that timestamp marks the start of the outage.
② Check power management log
pmset -g log | grep -i "restart\|shutdown\|sleep"
Look for a RestartCountdownOperationIdleSleep assertion from SoftwareUpdateNotificationManager. This confirms that the software update subsystem triggered the restart.
SoftwareUpdateNotificationManager is the assertion macOS registers with the power management subsystem when scheduling an update-install restart. It operates independently of pmset sleep suppression settings.
③ Reboot without a preceding shutdown
A reboot entry with no prior shutdown record is the signature of a macOS-forced update restart — no user involvement.
④ System halted at login screen after restart
This is the actual service failure. The restart itself is benign, but while the system waits for a password at the login screen:
- Tailscale is not running → remote access unavailable
- LaunchAgents are not running → all agents and schedulers stopped
- The server is effectively down
In macOS, user-session services (LaunchAgents, user environment variables, Tailscale, etc.) only start after login. Without auto-login, the server cannot self-recover after a restart without physical intervention.
2. Root Cause Summary
| Item | Detail |
|---|---|
| Direct cause | macOS software update automatic restart |
| Root cause | System waiting at login screen after restart → user services not started |
| Existing configuration | sleep=0, autorestart=1 — power settings were correct |
| Gap | Software update restarts bypass the pmset mechanism |
pmset power settings alone cannot prevent a software-update restart. macOS software updates trigger restarts through a separate code path.
3. Fix: Block Auto-Install + Enable Auto-Login
Core principle: do not disable automatic updates entirely — allow download, block installation (restart).
Keeping downloads enabled ensures security patches are ready, while you retain control over when installation occurs.
① Block automatic update installation (keep downloads enabled)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
② Enable auto-login (recovery after any restart)
sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser "username"
Even if a manually installed update causes a restart, auto-login ensures Tailscale and LaunchAgents start immediately. The server recovers without physical intervention.
4. Server-Mode Mac Power & Update Configuration Checklist
| Setting | Value | Command |
|---|---|---|
| Disable sleep | 0 | sudo pmset -a sleep 0 |
| Auto-restart after power loss | on | sudo pmset -a autorestart 1 |
| Wake on LAN | on | sudo pmset -a womp 1 |
| Automatic update download | on | sudo defaults write ...SoftwareUpdate AutomaticDownload -bool true |
| Automatic update installation | off | sudo defaults write ...SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false |
| Auto-login | on | sudo defaults write ...loginwindow autoLoginUser "username" |
5. Diagnostic Commands
Commands to trace the cause when the server stops responding.
last reboot
pmset -g log
uptime
sysctl kern.boottime
Caveats
-
pmset settings alone are not sufficient. Power management and software updates are separate mechanisms. Both must be configured.
-
Disabling automatic updates entirely is a security risk. Allowing downloads while blocking installation is the right balance. Apply updates manually on a regular schedule.
-
Auto-login is a security trade-off. Acceptable in physically controlled environments; not recommended for servers with external exposure.
Closing
Infrastructure failures in server operation more often originate from OS-level settings than from code bugs. This was the second infrastructure incident in a short span, following an OAuth token expiry.
The shared lesson is the same: the goal is not a system that never fails, but one that self-recovers after failure. A single auto-login setting is all it takes to make the server come back on its own after any restart.
Series overview: Series index
๋๊ธ
๋๊ธ ์ฐ๊ธฐ