Sounds like secure token / bootstrap etc. Check this video from the most excellent folks over at Mac Sys Admin:
https://docs.macsysadmin.se/2023/video_h265/Day4Session1.mp4
If you've got your fleet onto macOS 14 (and you really should), OS updates are... better... with JAMF / DDM etc.
Major OS Upgrades require both a Secure Token and Admin access to install.
- If your user does not have admin access, they cannot authorize a Major OS Update.
- If your local admin does not have a Secure Token, it cannot authorize any OS updates.
Accounts created with prestage enrollment do not get a Secure Token until AFTER they log in interactively for the 1st time. Apple has a feature request open to change this behavior, though lord only knows when they will "fix" this.
I thought starting with macOS 12.3 or later, any user can perform a software upgrade.
Big Sur and higher versions need a tokenized account to proceed with updates on silicon CPU devices.
Tokenized accounts are created by DEP, or you can create one yourself by using the System Preferences/Settings pane.
So if you create an account with JAMF to proceed with updates, that won't work because it will not be a tokenized account. In this case, you must deploy a script to give it the tokenized right on the disk.
If you are using this method with standard accounts, you can try the script below. The script gives temporary admin rights to standard users for 30 minutes or until the next restart. The script also creates an OSAS pop-up to get credentials from the current user so the update can proceed properly.
https://github.com/euydu/macOSUpdatewithStandardUsers
Let me know if you have any questions/problems.
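
A read-only audit for the condition discussed in this thread, added here as an example (it is not from any poster or from the linked repository): it reports, per local account, Secure Token and admin status and what the thread says that account can authorize. It assumes the usual output wording of `sysadminctl -secureTokenStatus` and `dseditgroup -o checkmember`, and that local user accounts have UID 501 or higher; the `jamfadmin` sample is constructed.

```shell
#!/bin/sh
# Parse `sysadminctl -secureTokenStatus <user>` output (it logs to stderr).
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Parse `dseditgroup -o checkmember -m <user> admin` output.
admin_state() {
    case "$1" in
        "yes "*) echo admin ;;
        "no "*)  echo standard ;;
        *)       echo unknown ;;
    esac
}

# Map both states to the rule stated in the thread:
# token + admin for major upgrades, no token means no OS updates.
classify() {
    case "$1/$2" in
        enabled/admin)    echo can-authorize-major ;;
        enabled/standard) echo no-major-upgrade ;;
        disabled/*)       echo no-os-updates ;;
        *)                echo unknown ;;
    esac
}

# Walk local accounts (assumption: UID >= 501) and print one row each.
audit_local_users() {
    dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | while read -r u; do
        t=$(token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")
        a=$(admin_state "$(dseditgroup -o checkmember -m "$u" admin 2>&1)")
        printf '%s\t%s\t%s\t%s\n' "$u" "$t" "$a" "$(classify "$t" "$a")"
    done
}

if command -v sysadminctl >/dev/null 2>&1; then
    audit_local_users
else
    # Not on macOS: classify constructed sample output instead.
    st='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is DISABLED for user jamfadmin'
    sa='yes jamfadmin is a member of admin'
    echo "jamfadmin: $(classify "$(token_state "$st")" "$(admin_state "$sa")")"
fi
```

Run as a Jamf policy script or extension attribute, the `no-os-updates` rows identify management accounts that still need an interactive login or a token grant before updates are pushed.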