
Is there a guide somewhere with a full set of instructions from start to finish for what I would need to do in order to set up a package to allow me to do an unattended in-place macOS upgrade using Casper Remote?



Specifically from OS X 10.10 to OS X 10.11 (a sizable chunk of our equipment cannot go to 10.12 so we don't want to move to that yet).



I'm looking to do this during the summer break but I want to set things up and test it beforehand so I can check a) that it works and b) how much time it takes.



Thanks,
Dan Jackson (Lead ITServices Technician)
Long Road Sixth Form College
Cambridge, UK.

This script works great...apart from that we restrict staff from running the install app so it fails. Is there any way we can bypass this restriction or do you think just renaming the install app would be enough?


@allanp81 I'm not sure what you mean. If you're referring to @Rosko's upgrade method, it doesn't/shouldn't run afoul of most Restricted Software settings, unless you somehow added in the startosinstall process to be blocked. His script does not call the application bundle directly, it calls that binary, which is inside the app and allows for the upgrade to start without running the full application. You shouldn't be seeing it get blocked, unless you have some very specific and unusual restrictions in place.


Hmm, that's odd then as it seems to get blocked. Will have a proper look into it tomorrow.


@mm2270 & @allanp81 If you have the process named "Install macOS Mojave.app" in a Restricted Software configuration it will cause startosinstall to fail when it tries to start the helper app it uses. <VoiceOfExperience/>


@sdagley Ok, interesting. Thanks for that info. I believe that's why I've never had an issue with it. I have always only blocked the InstallAssistant executable, which is what gets run when double clicking the app installer. Using the full install app bundle name for Restricted Software is folly in my opinion as it's stupidly easy to get around it by renaming the app bundle even with just one character difference.



If there's a need to keep that "Install macOS Mojave.app" restriction in place until upgrade time, my recommendation would be to drop a breadcrumb of some kind on the machines that are prepped for the upgrade, use an Extension Attribute to track the presence of that file and a corresponding Smart Group. So meaning, make a Smart Group like "Mojave Upgrade Ready" that only contains machines with the requisite hidden file or preference setting in place. Then use that group as an Exclusion to the Mojave Restricted Software item. You will have to have something do a recon or jamf policy on those machines to make sure the restriction gets removed from them. Once it does, the OSUpgrade script should work fine.
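
An added example, not part of the original posts or any poster's own script: one way the breadcrumb and Extension Attribute described above could look. The breadcrumb path, the Ready / Not Ready values and the function names are assumptions; the `<result>` wrapper is the output format Jamf Extension Attribute scripts use.

```shell
#!/bin/sh
# Added example: breadcrumb + Extension Attribute feeding a "Mojave Upgrade Ready" Smart Group.
# BREADCRUMB and the Ready / Not Ready values are assumptions, not from the thread.
BREADCRUMB="/Library/Application Support/ExampleOrg/.mojave_upgrade_ready"

# Prep-policy side: create the breadcrumb (run as root by the management agent).
drop_breadcrumb() {
    path="$1"
    mkdir -p "$(dirname "$path")" || return 1
    # Record when the machine was prepped; the content is informational only.
    date -u '+prepped %Y-%m-%dT%H:%M:%SZ' > "$path" || return 1
    chmod 644 "$path"
}

# Extension Attribute side: report readiness in Jamf's <result> format.
# The breadcrumb lifts a restriction, so only trust a regular file (not a
# symlink) owned by the expected uid (default 0, root). A file a standard
# user created in a writable location is reported as Not Ready.
ea_result() {
    path="$1"
    want_uid="${2:-0}"
    if [ -f "$path" ] && [ ! -L "$path" ]; then
        # Third field of a numeric long listing is the owner uid.
        owner=$(ls -ldn "$path" | awk '{print $3}')
        if [ "$owner" = "$want_uid" ]; then
            echo "<result>Ready</result>"
            return 0
        fi
    fi
    echo "<result>Not Ready</result>"
}

# As an Extension Attribute, the script body ends with this call.
ea_result "$BREADCRUMB"
```

In practice the two functions would live in separate scripts: drop_breadcrumb in the prep policy, ea_result in the Extension Attribute that the Smart Group criteria read.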


@mm2270 Thanks for the hint on blocking InstallAssistant instead of the Install macOS XXX.app, I'm going to give it a try. With non-admin users I'm not too worried about the app being renamed to bypass the block, rather I like the idea of one restriction for all of the macOS install GUI versions. For users with admin rights it's easy enough for them to find documentation on startosinstall so blocking InstallAssistant is also pretty easy to bypass. My hope is all will take the easy way through Self Service.



BTW, I have used the breadcrumb approach to exclude members of the Smart Group from a Restricted Software configuration, but it's also been my experience that restriction removal is not always reliable even with multiple restarts, check-in, and recons. Running jamf manage usually works though.