Could you just add the 'Files and Processes' payload to those policies and run the following command?

/usr/sbin/softwareupdate --install-rosetta --agree-to-license

Or just add a new policy to run this command on all M1 devices. I don't have an M1 device to test, but if it has already been installed, it should just error out and move on.

We'll, I did that but the issue is priority. I have several policies that install other apps. I need this one to kick off first before anything else.

It's not elegant but name your policy starting with an asterisk (*). It should run before policies that are named starting with A-Z or 0-9.

Do you do automated enrollment? Create a payload free package with a post install script that installs Rosetta2 and have it installed during enrollment. (I haven't actually tried this as I don't have a AS machine, but it was an idea I had.)

@cbrewer Thanks. yeah, that's sort of what I started doing but it was a real pain.
@RBlount All the M1 versions are automated. I'll try out what you suggested. Thanks!

@mwu1876 Let me know if my idea worked or not. Like I said, I don't think I will be getting an M1 units for testing anytime soon.

We created a post enrollment script that uses triggers to run various policies. This allows us to determine the order of install.

So, Rosetta 2 isn't already included with Big Sur on M1 at installation?!? That seems like a big oversight by Apple. Does it install automatically at first launch of a non-M1 native app? What good is that if the computer isn't on-line (that happens a lot outside of Cupertino, btw)? I don't have an M1 yet to test with... :(

Subscribing it see how people have done this with M1,

I have several M1 Airs and Pros I will test with next week. I plan on making a post-install script. That way when it starts up it's ready to receive policies that require Rosetta. Let's hope it works.

For prestage enrollments you can create a prestage package which runs a simple script with something like below for instance

#!/bin/bash

arch=$(/usr/bin/arch)

if [ "$arch" == "arm64" ]; then

    echo "Apple Silicon - Installing Rosetta"

    /usr/sbin/softwareupdate --install-rosetta --agree-to-license

elif [ "$arch" == "i386" ]; then

    echo "Intel - Skipping Rosetta"

else

    echo "Unknown Architecture"

fi

While I haven’t confirmed this directly with Apple I did notice that I needed to install Rosetta again after performing an OS update. In my example, my M1 came pre-installer with Big Sur 11.0 (20A2411) and I went ahead and installed Rosetta when I launched a PKG installer.

However, I then went through software update to bring it up to 11.0.1 (20B39) and when I next ran a PKG installer. I was again asked to install Rosetta.

This somewhat makes sense as the Rosetta install is just a 452KB package that installs the oahd helpers, so it’s logical that those would get updated with a new release of the OS. And because it’s not a core part of the OS, you have to perform the update separately.

@pbowden Thanks, I'll be on the lookout for that when I start testing again Monday.

I can confirm that Rosetta is not installed. Additionally when I tried to update and apply the 2.* GiG update it failed. Had to nuke and pave with a fresh install. @txhaflaire I'm about to test out your script on my PreStage and report back. Smoke 'em if you got 'em Mi Gente.

@txhaflaire Chefkiss it worked. People just create the script and make sure you set it up as before. So it pulls the update/installer from Apple before it start to install anything.

@Echevarria do you mind sharing your script/screen, I just tried to install and it didnt work

If rosetta is already installed but you run the "softwareupdate --install-rosetta --agree-to-license" command again will it try to download again and reinstall or will it gracefully exit with an "already installed" message?

Trying to see how to script the logic for this if I want to run it as a pre-script in my policies.

We're going with the script done by Rich Trouton - https://derflounder.wordpress.com/2020/11/17/installing-rosetta-2-on-apple-silicon-macs/

Deploying Rosetta with Rich Trouton's script and got a successfully installed message. Packages installed after it still thinks Rosetta is not installed. Anyone running into this?

So, I got this working. What I did was create a Smart Group for M1 machines. Then, then only policy that I had that kicked off as Enrollment complete is one that installs Rosetta. If it's not an M1 then it kicks off the rest of the policies. Once Rosetta is install I have an event trigger that fires off the rest of the policies. So far it's worked. This allows me more flexibility to quickly change around policies.

@yungstump did you update the version of macOS after using Rich’s script? In my experience, Rosetta needs to be re-installed (I.e. updated) after an OS update.

I got the script to work with a policy scoped to a new smart group of the macs that have been prestaged with my new silicon prestage. I named the policy A01 in hopes that it installs first. According to the history on the one computer I tested it on it seems to have installed first successfully. The intel apps open on the computer fine.

@mwu1876 So how did that work if the Jamf binary won't enroll the machine without Rosetta? Meaning, policies won't run if it's not enrolled and it can't install Rosetta as a policy without being enrolled.

@Kristopher Jamf running 10.25.2 or 10.26 should natively support Apple Silicon, and enrollments should work fine. I haven't gotten my M1 yet to test/confirm, but that's what the Jamf documentation states.

@Kristopher So if you ask Jamf to upgrade you to 10.25.2 it will enroll M1 machines. That's what I did. The upgrade too minutes and then I was able to enroll them. I still had to push out Rosetta. 10.25.2 supports M1. They sent, I believe, an email that said it's not a automatic deployment and that you have to request the version.

@kburns @mwu1876 Thanks! I will give that a shot. So you still need to push a Rosetta script to get that installed and going I see. Not bad. Need to figure out what all changes. So used to KEX and all that. Sophos is broken until they update it.