Solved

OS update via Self Service for M1 Devices Bash Command issue


heitorpereira10

Does anyone know the correct Bash command to upgrade the OS on an M1 device via Self Service? We have currently been using the following Execute command as part of the policy that is made available via Self Service:

/Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction

However, this doesn't work with M1 devices, as we get an error:

Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.

We have attempted to try the following, but still no luck:

Applications/Install\ macOS Big Sur.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user <admin account> --stdinpass <admin password>

Has anyone been successful in creating a policy that works in a similar way for M1 devices?

 

Best answer by ssoun


4 replies

talkingmoose
  • Community Manager
  • 1909 replies
  • May 20, 2022

To date, there is no secure method to allow a standard (non-admin) macOS user to initiate a startosinstall update from an Apple Silicon (M1) computer itself.

There's a section on this blog post called "When we know the password" that provides the command syntax others have reported works for them. Keep in mind that admin password can be seen by anyone who's monitoring for activity using Terminal. You don't want to use an admin password that's common across all your computers.

The command is part of the blog post for those who find the risk of using it acceptable, but Jamf does not endorse using this method. Instead, send a Wipe command from your Jamf Pro console. If your computer is running macOS Monterey, the Wipe command will actually be an "Erase All Content and Settings" command.

https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/
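
The exposure described in the reply above, as an added example that is not part of the original thread or of any Jamf script: it compares what the process table shows when a password is written on the command line, as in the question's second command, with what it shows when the password is piped on standard input. A harmless `sh` child named `stand-in` takes the place of startosinstall, the password is a constructed sample value, and the example assumes that `--stdinpass`, as its name suggests, takes the password from standard input.

```bash
#!/bin/sh
# Added example: a harmless `sh` child stands in for startosinstall.
# SECRET is a constructed sample value, not a real credential.
SECRET='Constructed-Passw0rd'

# Argument vector of a PID, as any local user can read it from the process table.
visible_args() {
  ps -o args= -p "$1" 2>/dev/null || tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start the stand-in with the secret delivered one of two ways, then check
# whether the secret appears in the process listing. Returns 0 if it does.
argv_exposes_secret() {
  if [ "$1" = arg ]; then
    # Pattern from the question: password written after --stdinpass.
    sh -c 'sleep 3; :' stand-in --user admin --stdinpass "$SECRET" &
  else
    # Password sent on standard input. printf is a shell builtin, so the
    # secret never becomes an argument of any process.
    printf '%s\n' "$SECRET" |
      sh -c 'read -r pw; sleep 3; :' stand-in --user admin --stdinpass &
  fi
  child=$!
  sleep 1                                  # let the child exec before sampling
  listing=$(visible_args "$child")
  kill "$child" 2>/dev/null
  wait "$child" 2>/dev/null || true
  case $listing in
    *"$SECRET"*) return 0 ;;
    *) return 1 ;;
  esac
}

for mode in arg stdin; do
  if argv_exposes_secret "$mode"; then
    echo "$mode: password visible in the process list"
  else
    echo "$mode: password not visible in the process list"
  fi
done
```

Piping the password keeps it out of the process list, but it still has to be stored or typed somewhere, which is why the thread's other answers prompt the logged-in user for it.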


  • Contributor
  • 20 replies
  • Answer
  • May 20, 2022

See here, https://community.jamf.com/t5/jamf-pro/macos-installer-script-not-working-for-apple-silicon-m1-macbook/m-p/250873/highlight/true#M233793. I've used this to upgrade M1 Macs in a policy through Self Service for our standard users and didn't have any issues. You will first need a policy that automatically downloads the Monterey installer, then create a Smart Group to check that the installer is present. You then scope this policy to the Smart Group.

 

You will have to change this line:

"title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon" or else it will not display a message if the typed in passwords don't match. The part you want to change is messageIcon.


  • Valued Contributor
  • 322 replies
  • May 24, 2022

Have you tried erase-install? I have a policy that pushes out the erase-install package and a package that I put together to run recon on the next boot, and then executes the following command:

 

 

/Library/Management/erase-install/erase-install.sh --reinstall --os=12 --update --min-drive-space=35 --current-user --check-power --no-fs --depnotify --cleanup-after-use

 

 

I put this in self service using this icon. It's been a while since I've tested it, but if memory serves, this does work on Apple Silicon with standard users.  It will run faster if you pre-download the macOS installer app, but that is not required.

 

Here's what it looks like:



The Erase-Install Solution I believe is the best and most user-friendly solution.

The problem you're having is that on M1 Macs you have to deal with something called Volume Ownership in addition to a FileVault Token (if you have it enabled). This script will use the jamfadmin in combination with a prompted user password to elevate the permissions to have the Install of macOS done without the user having to have Administrative privs.

