
What are people doing to get around the --passprompt or --stdinpass when running the --eraseinstall command with the Big Sur installer?



I have a script available in Self Service for users that want to wipe their machines that works great in Catalina and I was trying to use it for Big Sur as well, but I'm getting an error "Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt." This happens even when I use sudo or log in as root and try the command.

@DBrowning Do you have the --agreetolicense --nointeraction options in your call to startosinstall?


I'm using startosinstall --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"


What happens if you leave out --newvolumename "Macintosh HD"?


So interesting turn of events... I was running this on the new M1 laptop. Just ran it on an Intel MBP and it's working......


More fun things about dealing with M1 Macs


Hah! You got forked!


Seeing the same thing on an M1 based MBA.


Apparently on Apple silicon the startosinstall requires authentication by the user.
The policy runs fine on Intel Macs, but fails on M1 Macs.
Here is the log:
“/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall” --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename “Macintosh HD”...
Result of command:
Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.



An attempt to pipe the admin password into the startosinstall command fails with another error:
echo “adminpass” | “/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall” --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename “Macintosh HD”…
Error: Could not find provided owner on this system…

If I only add the --stdinpass flag without piping the password, the policy hangs at “Running”.



When I enter the password right after the --stdinpass flag, I get yet another error:
“/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall” --user admin --stdinpass “adminpass” --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename “Macintosh HD”...
Result of command:
startosinstall: An extraneous argument was specified with option ‘stdinpass’



I hope someone with access to developer documentation can figure out how to properly use the new flags in the startosinstall command.
New flags like --stdinpass, --cloneuser or --reducedsecurity are available on M1 Macs.
startosinstall --usage in Terminal shows only this:
--user, an admin user to authorize installation.
--passprompt, collect a password for authorization with an interactive prompt.
--stdinpass, collect a password from stdin without interaction.
--reducedsecurity, configure target volume's security policy as Reduced Security (will prompt for authorization after reboot).
--cloneuser, Copy account settings for the owner provided with --user when installing to a new volume.


@Strannik



If I only add the --stdinpass flag without piping the password, the policy hangs at “Running”.


While it was sitting at the blank line, I decided to type in my password. Granted it was in plain text, the process started.


@DBrowning Yes, you can do it in Terminal while running the command as an admin user, but the question is - how to do it in Self Service, when the script runs as root and, better yet, automate it...


@Strannik Yeah..... I'm trying to see if I can figure something out using expect. Not working so well right now....


@Strannik Does trying --user admin --stdinpass, where "admin" is "root" instead do anything? I am about to take a look at this myself



Edit: Please see my below responses


Does this work?
echo "YOURPASSWORDHERE" | sudo "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --user "YOURADMINHERE" --stdinpass


@HCSTech



Manually in Terminal



```
echo 'YOURPASSWORDHERE' | sudo "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --stdinpass
```

Worked for me. Logged in as myself (an admin), and echoing my password.

However, echoing a password of a different user and using --user to specify which user results in

```
echo 'YOURADMINPASSHERE' | sudo "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --user "YOURADMINHERE" --stdinpass
Error: could not get authorization...
```



So now to try out some combos in a policy


@HCSTech @Strannik



EDIT: Did not work. I made a dumb



However, it seems that even if you su or sudo to another user, it still checks against the user running it. So in Jamf's case, root.


We are piping in the password using the --stdinpass parameter with no issues. Just have to make sure to use the --user parameter.



echo "$pass" | "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --nointeraction --agreetolicense --forcequitapps --user "$user" --stdinpass &

@luke.reagor that is working on M1 macs for you?


@DBrowning Yes. We have an M1 Air and that's the one I'm using it on.


@luke.reagor I could have sworn I tried that..... I may have been missing the --user part. But it's working!!


@DBrowning Yeah, that was the last part we had to add to get ours working when we were working through this. But I'm glad you got it going!


@luke.reagor Hmm... I wonder why it didn't work for me?
I was getting this:
echo “adminpass” | “/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall” --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename “Macintosh HD”…
Error: Could not find provided owner on this system…
Maybe it didn't like my Admin account which was created by Jamf through PreStage Enrollments > Account settings > Create a local administrator account before the Setup Assistant ?


@Strannik It's possible. Our admin is created the same way with "Make the local administrator account MDM-enabled" and "Skip Account Creation" selected.


It won't work with --user if the --user account does not have a secure token... Just did some testing. That seems to be why it did not work for me



You can test with



sudo sysadminctl -adminUser [admin user] -adminPassword - -secureTokenOn [user being granted SecureToken] -password -


sudo sysadminctl -adminUser [admin user] -adminPassword - -secureTokenOff [user being granted SecureToken] -password -


This will prompt you, at the CLI, to first enter the admin user's password and then the user's password.



I assume this error points to that. I see this error in the "install.log" in console



2020-12-11 09:38:31-05 M1TEST startosinstall[1243]: OSISClient: Failed to set LACredentialTypeBootPassword credential: Error Domain=com.apple.LocalAuthentication Code=-1 "Password rejected (3)" UserInfo={NSLocalizedDescription=Password rejected (3)}



That's what happens to me if the --user account does not have a secure token. "LACredentialTypeBootPassword"


So there goes my idea of creating a temp admin account in the script.


@bizzaredm @DBrowning My Admin user, created by Jamf PreStage, did have a secure token, but the command running in the script



echo "adminpass" | "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"


failed with error:



Could not find provided owner on this system


That's because although I specified the admin user and piped the password, the script runs as root.
The solution for me was to run the command as the user:



/usr/bin/su -l admin -c "echo adminpass | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --eraseinstall --newvolumename 'Macintosh HD' --nointeraction --agreetolicense --forcequitapps --user admin --stdinpass"


That worked for me to reinstall Big Sur in Self Service on an M1 MacBook Air.
I don't like using an admin password inside a script, so it would be good to encrypt it as shown here:
https://github.com/jamf/Encrypted-Script-Parameters
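
Added example, not part of any post in this thread: a preflight that checks the two conditions the thread identifies (Apple silicon needs `--user`, and that user needs a secure token) before calling startosinstall, and hands the password over on stdin with a shell builtin so it never sits in a process argument list. The function names are hypothetical, and the status wording matched by `has_secure_token` is an assumption about `sysadminctl -secureTokenStatus` output.

```shell
#!/bin/bash
# Added example (not from the thread): preflight for --user/--stdinpass on Apple silicon.
INSTALLER="/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall"

# arm64 is where the thread sees "failed to authorize for installation".
needs_user_auth() {   # $1: output of `uname -m`
  [ "$1" = "arm64" ]
}

# Assumed status wording, e.g. (constructed line):
#   sysadminctl[1243:5678] Secure token is ENABLED for user admin
has_secure_token() {  # $1: captured output of `sysadminctl -secureTokenStatus <user>`
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a one-line verdict; non-zero exit means startosinstall should not be started.
preflight() {         # $1: arch, $2: user, $3: secure-token status text
  needs_user_auth "$1" || { echo "ok: no --user needed on $1"; return 0; }
  [ -n "$2" ] || { echo "refuse: --user is required on $1"; return 1; }
  has_secure_token "$3" || { echo "refuse: $2 has no secure token"; return 1; }
  echo "ok: $2 can authorize"
}

# Hypothetical wrapper: the password arrives on this script's stdin, never in argv.
erase_install() {     # $1: admin user (may be empty on Intel)
  arch=$(uname -m); token_status=""
  needs_user_auth "$arch" && token_status=$(/usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1)
  preflight "$arch" "$1" "$token_status" || return 1
  if needs_user_auth "$arch"; then
    IFS= read -r pass
    # printf is a shell builtin, so the password never appears in a process argument list.
    printf '%s\n' "$pass" | "$INSTALLER" --eraseinstall --newvolumename "Macintosh HD" \
      --nointeraction --agreetolicense --forcequitapps --user "$1" --stdinpass
  else
    "$INSTALLER" --eraseinstall --newvolumename "Macintosh HD" \
      --nointeraction --agreetolicense --forcequitapps
  fi
}

# Runs only when explicitly asked: ./script.sh --run <admin user>, password on stdin.
if [ "${1:-}" = "--run" ]; then erase_install "${2:-}"; fi
```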

