macOS 10.12.4 upgrade via Self Service fails

I'm a little confused. Is this problem for the full-blown macOS Sierra 10.12.4 installer (for when you're running El Capitan or Yosemite and want to fully upgrade) or does this problem happen with the incremental 10.12.4 updater (for when you're already running 10.12.x<4) ? I've been holding off on putting the 10.12.4 updater in Self Service until I am 100% clear on it.

@AVmcclint I am distributing the 10.12.4 incremental and combo updates within my organization. I am first scoping to those requiring the 10.12.4 combo update (those currently with 10.12.0-10.12.2 installed) and the incremental update (those currently with 10.12.3 installed) and then caching the installers to their Waiting Room folder. Once it has cached, I run a script once daily that present them with a Jamf Helper window which simply suggests that they perform the update in Self Service. Here's the script I am using and have had very good success with.

#!/bin/bash

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# Created by Sepie Moinipanah
# April 13, 2017
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# jamfHelper Variables
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

loggedInUser=$(stat -f%Su /dev/console)
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
windowType="hud"
description="The <OrgName> Helpdesk has prepared a macOS Sierra 10.12.4 update for your computer and asks that you please perform this task within 10 days. Please note that this process will require approximately 15-20 minutes and a reboot to complete.  

• To initiate this process now, click 'UPDATE' below and select the macOS Sierra icon once Self Service has launched.

• To defer, click 'Cancel'. 

If you have any questions or require assistance, please call +1 (###) ###-HELP."
button1="UPDATE"
button2="Cancel"
icon=/Applications/Utilities/Disk Utility.app/Contents/Resources/AppIcon.icns
title="Update Available: macOS Sierra 10.12.4"
alignDescription="left" 
alignHeading="center"
defaultButton="2"
cancelButton="2"
timeout="300"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# System Checks
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

# Verify that macOS device is utilizing a power adapter or battery
pwrCheck=$( /usr/bin/pmset -g ps )
if [[ ${pwrCheck} == *"AC Power"* ]]; then
    pwrStatus="OK"
    echo "Power Check: OK - AC Power Detected"
else
    pwrStatus="ERROR"
    echo "Power Check: ERROR - No AC Power Detected"
fi

# Verify that macOS device has not updated to 10.12.4 since inventory updates are performed once daily
verCheck=$( /usr/bin/sw_vers -productVersion )
if [[ $verCheck == 10.12.4 ]]; then
    verStatus="macOS 10.12.4 Detected"
    echo "Update Not Needed"
else
    verStatus="macOS 10.12.4 NOT Detected"
    echo "Update Needed"
fi

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# jamfHelper Window
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

if [[ "$pwrStatus" == "OK" ]] && [[ "$verStatus" == "macOS 10.12.4 NOT Detected" ]]; then
    userChoice=$("$jamfHelper" -windowType "$windowType" -lockHUD -title "$title" -timeout "$timeout" -defaultButton "$defaultButton" -cancelButton "$cancelButton" -icon "$icon" -description "$description" -alignDescription "$alignDescription" -alignHeading "$alignHeading" -button1 "$button1" -button2 "$button2")
    echo "Jamf Helper was launched!"
else
    echo "The macOS device power check failed and/or no longer requires 10.12.4 update! Collect inventory and exit."
    jamf recon
    exit 0
fi

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# Logging
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

if [ "$userChoice" == "0" ]; then
    echo "User clicked UPDATE; now launching Self Service."
    /bin/launchctl asuser "$(id -u $loggedInUser)" sudo -iu "$loggedInUser" open -a /Applications/Self Service.app
elif [ "$userChoice" == "2" ]; then
    echo "User clicked Cancel or timeout was reached; now exiting."
    exit 0    
fi

H/t to @Rosko for the pwrCheck variable :)

pwrCheck=$( /usr/bin/pmset -g ps )
if [[ ${pwrCheck} == *"AC Power"* ]]; then
    pwrStatus="OK"
    echo "Power Check: OK - AC Power Detected"
else
    pwrStatus="ERROR"
    echo "Power Check: ERROR - No AC Power Detected"
fi

@Jason ... just FYI, your script keeps failing for me on the Disk Check portion, reporting 1GB free space on a machine with 1.07TB available. Looks like logic needs to be tweaked when $freeSpace returns a value in TB instead of GB on line 120.

@Taylor.Armstrong That part was from the original script. It looks like they're grabbing a line that looks like this on my machine: Volume Available Space: 155.8 GB (155812741120 Bytes) (exactly 304321760 512-Byte-Units) (31.2%)

print $4 would return "155.8". You could try also using awk to pull $5 to see if the system is GB or TB, and compensate for that. All of our systems are using 500GB drives, so we didn't run into that.

@AVmcclint This is only for when you use the full 10.12.4 installer from the Mac App Store.

@bpavlov thanks for the clarification. One thing I have noticed with the 10.12.3 and 10.12.4 updaters - even when run outside of JSS and Self Service - is that the final reboot that should take you to your desktop sometimes hangs right at the iCloud login screen. Sometimes It hangs before actually displaying the window where you can choose to login or Skip. There was one time I got the window but there was no content within and no buttons to click until after about 5 minutes. I'm afraid that these unexpected and unusual hangs right in the home stretch of the updates users will get impatient and for the computer to reboot and who know what will happen then.

It is annoying that I'm using a config profile to disable all the Siri setup, iCloud, and other first-time user setup screens but these updates seem to disregard those settings.

The workflow that @Rosko built for this works awesome, TYVM @Rosko ! I have a restriction in place for the "Install macOS Sierra.app" file so in my testing I had to add an exemption for the computer I was testing. To deploy this in mass, anyone have a recommendation of how to use "Install macOS Sierra.app" while restricting any type of OS install from the mac app store?

@TomDay The easiest away around the Software Restrictions is to just rename the installer before you stage/cache it on the systems. Then it won't even be noticed. Otherwise you'd want to look at adding an API call to add that computer that is installing Sierra via the script to the exclusions either directly or via a static group.

@Rosko That worked perfectly, thank you. Follow up question if you don't mind? On the script, is it possible for me to add some lines to the First Boot section that will disable iCloud, Diagnostic and Siri pop-up settings?

@TomDay You are more than welcome to try, but I didn't have the greatest luck and would get mixed results with about a 50/50 success rate. I'm sure it's all in the timing, but I couldn't get in nailed down in the time I had. Please let me know if you do get it working though, would be happy to add it to the repo.

We're using this one and it's been working well. https://github.com/bp88/JSS-Scripts/blob/master/OS_Upgrade.sh

@TomDay I went the route of manually installing some profiles to suppress those items. Then after the system is upgraded I remove the profiles. I didn't have good luck when I tried disabling those items through scripting.

@TomDay Tom you're best using a launchdaemon or boot policy to write the appropriate plist values to each account on each boot. Otherwise they will return when a macos service update is released.

@Rosko gave it a shot and like you mentioned mixed results so I'm not going to tinker with that anymore. Will use a method of launch daemon and script to set the values like @seann mentioned thx for that @seann , testing now.

@lashomb Wow that script is awesome! Tested on a few devices and tweaking that for our environment now, thx for sharing that! How do you handle running Apple Software Updates after that OS gets upgraded? I'm finding it needs a few like iTunes etc.

@lashomb Have you had any issues with the computer going to sleep before the policy can execute fully? Tests have been working great but i ran into 1 situation where the device had a really low energy saver setting and the process just hung since the computer went to sleep. Guess I need to look into a couple of lines of code to extend the energy save settings!

@TomDay I use caffeinate -dis & to keep the computer awake for the workflow.

@mpermann that's a new one to me, awesome, thanks for that tip.

I'm using the recommended script here but when trying out an upgrade via Self Service I get the 'Requirements Not Met' error even though my test MBA is connected to AC power and has oodles of free disk space.

I did add the Check Installer Present section mentioned by @bdelamarche but even having commented out the power and free space check sections I still get that error message, any ideas?

The installer is definitely present and named correctly in /Users/Shared.

However I re-uploaded the original script to Casper Admin today and all went fine.

Is there anyway to get an authenticated FV2 restart on both reboots?

@ianmb Right now with 10.12.4 FV authenticated reboots are broken in the installer unfortunately.

FV auth reboot being broken is a total FAIL on Apple's part. I love how they rely on us to do their QA for them...

Anyone know if 10.12.5 still has this issue? (I am working on testing it now, just as soon as it downloads, and up to distribution server).

I tested my self service 10.12.5 combo updater install, and I found that my problem was that it finished the install, but then never restarted. The package itself is set to "Requires Restart", and my policy has the restart payload set to "restart immediately", for both user logged in and no user logged in. I also have "perform authenticated restart" checked.

After it was done it didn't restart, so I had to manually select Restart, and then it rebooted and everything was fine. But it did NOT do an authenticated restart, I had to log in to the FV2 screen. No actual problem with the install as far as I can tell, other than the fact that it didn't restart and didn't do an authenticated restart.

Issue not fixed with 10.12.5 full installer.

And when you put in a ticket with AppleCare they will surely say "This is the first we have heard of this issue! Please make sure to put in a bug report, and encourage others to put one in as well.". Ahhh in-house QA is sorely lacking for a $750b company... Sorry. Done being snarky. Or not.