Question

Self-Service upgrade to 10.10.3 with createosxinstallpkg not booting into OS X installer

  • June 4, 2015
  • 48 replies
  • 249 views

  • Hall of Fame
  • October 22, 2015

@etippett, I didn't post it to my blog but here's the general idea:

https://jamfnation.jamfsoftware.com/discussion.html?id=14728#responseChild91053


  • Author
  • Contributor
  • October 22, 2015

LOL, I guess I should've looked back through my own discussion! Thanks for pointing that out, @rtrouton.

@clindsey Concerning the repository already mounted errors, what version of the JSS are you running? I submitted a feature request to have the jamf binary be smart enough to check if the repo is already mounted before trying to do so again.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2444
Until looking that FR up just now, I didn't realize it had been marked as a duplicate and the original FR was implemented in 9.62!


  • Author
  • Contributor
  • October 22, 2015

Come to think of it, the original FR https://jamfnation.jamfsoftware.com/featureRequest.html?id=1601 is different enough that it may not solve the issue you and I have both seen with the repository already mounted error. Since I didn't know about the new feature implementation, I had developed workarounds (basically using smart groups and creative policy naming to break up steps and ensure run order so that I didn't have to chain policies together by calling them from a script) and am not sure if this fixed the issue or not. If you're running 9.62 or newer, I would say that I need to have my feature request re-opened.


ImAMacGuy
  • Esteemed Contributor
  • October 29, 2015

@rtrouton as always, thank you for your contributions. I did try your method (adapted for 10.11.x), specifically for the FV2 encryption portion of your script. When I tried it on a machine, it didn't detect that it was FV2 enabled (I verified it was finished before I started the upgrade). When it rebooted it still prompted for the password. Did I miss something?


  • Hall of Fame
  • October 29, 2015

@jwojda, would you please post the script that you're using? That may help with figuring out what's going on.


ImAMacGuy
  • Esteemed Contributor
  • October 29, 2015

@rtrouton sure. I took yours and left it mostly intact, only changing lines 44 and 45.

#!/bin/bash

available_free_space=$(df -g / | tail -1 | awk '{print $4}')
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
needed_free_space="$4"
os_name="$5"
insufficient_free_space_for_install_dialog="Your boot drive must have $needed_free_space gigabytes of free space available in order to install $os_name using Self Service. It has $available_free_space gigabytes available. If you need assistance with freeing up space, please contact the help desk."
adequate_free_space_for_install_dialog="$os_name may take up to 30 minutes to download and prepare for installation. Please be patient. Once the operating system has downloaded, this Mac will automatically restart to begin the installation process."

if [[ "$available_free_space" -lt "$needed_free_space" ]]; then
   jamf displayMessage -message "$insufficient_free_space_for_install_dialog"
fi

if [[ "$available_free_space" -ge "$needed_free_space" ]]; then
   echo "$available_free_space gigabytes found as free space on boot drive. Installing OS."

   # Checking for FileVault 2 encryption. If found, set FileVault 2's automatic login to
   # be disabled. 
   #
   # The reason to do this is that when upgrading a FileVault2 enabled Mac to 10.10, 
   # automatic login should be disabled when installing additional packages at first boot. 
   # If automatic login is not disabled, the additional packages will be skipped over.

   if [[ ${osvers} -eq 7 ]]; then
       ENCRYPTION=`diskutil cs list | grep -E "Encryption Type" | sed -e's/|//' | awk '{print $3}'`
       if [ "$ENCRYPTION" = "AES-XTS" ]; then
           echo "FileVault 2 is enabled. Disabling FDEAutoLogin."
           defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
       else
           echo "FileVault 2 is not enabled."
       fi
   fi

   if [[ ${osvers} -ge 8 ]]; then
       FDE=`fdesetup status | grep "Off"`
       if [ "$FDE" = "" ]; then
           echo "FileVault 2 is enabled. Disabling FDEAutoLogin."
           defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
       else
           echo "FileVault 2 is not enabled."
       fi
   fi

   jamf displayMessage -message "$adequate_free_space_for_install_dialog"
   jamf policy -trigger cache-elcap-installer
   jamf policy -trigger run-elcap-install
   shutdown -r now
fi

exit 0

  • Hall of Fame
  • October 29, 2015

@jwojda, are you running this via Self Service? Or are you using some other method?

The reason I'm asking is that the encryption check assumes that you're booted from the Mac with the encrypted drive. If you're not (for example, if you're booted from another non-encrypted disk or a NetBoot set), the encryption check will be run on the drive you're currently booted from.


  • Contributor
  • November 13, 2015

@etippett turns out my predecessor had not migrated the JDS / Casper Share. So, pretty much nothing was working as expected. After upgrading to 981 and migrating, things are working much better!


  • Honored Contributor
  • November 18, 2015

@rtrouton As for your post upgrade script, do you make it a flat package using your First Boot Package Install Generator and add it to the createOSXInstallPKG so that it runs immediately after the update?

2nd item for clarity, part of the self_service_yosemite_os_install script changes preference for disabling FDE autologin. If I don't want users to be required to login to FileVault 2 and login again to access the User's desktop, I will need to follow up with another script or even better add the command to set it back to NO in the post upgrade script mentioned above.


  • Contributor
  • January 11, 2016

@rtrouton is this script no longer available on your github? I looked through and couldn't find it.


  • Valued Contributor
  • January 13, 2016

  • Contributor
  • January 14, 2016

@perrycj Thanks!


rqomsiya
  • Honored Contributor
  • January 29, 2016

@rtrouton Can I use your script even if I don't include any first boot pkgs? Have you seen errors in that? Would it just skip over if none are found without any errors?

Thanks for your help,
Ronnie


  • Hall of Fame
  • January 29, 2016

@rqomsiya,

I don't see why not having a firstboot package would be an issue. You'd be installing a stock copy of OS X and nothing else though.

I have more details on my upgrade process available here:

https://derflounder.wordpress.com/2015/11/23/providing-os-x-upgrades-via-caspers-self-service/


rqomsiya
  • Honored Contributor
  • January 29, 2016

@rtrouton Thanks for the quick response! Much appreciated. I'll give it a shot.


  • Honored Contributor
  • January 29, 2016

@rqomsiya If you do implement Self Service OS Install script because you don't plan to include any first boot packages, be aware that the script will toggle a setting for FileVault. The result is the Mac will prompt once to proceed on with FileVault unlock, boot the OS, and then prompt again for a user to login.

There are a couple options:
A) Remove the part of the Self Service OS Install script that sets the "DisableFDEAutoLogin".
or
B) If you leave the Self Service OS Install script as it is and you don't want that behavior, you'll want to follow up with a policy or a first boot package that changes that setting back to Apple's default. That latter is what you're trying to avoid.


rqomsiya
  • Honored Contributor
  • January 29, 2016

Does this hold true even if I have FileVault turned on? All my machines in 10.10.5 are FV2 encrypted.


  • Honored Contributor
  • January 29, 2016

@rqomsiya His script does not turn FileVault on or off; it changes a behavior in the boot up processes that is necessary for the "first boot packages process to work."

I've used the following to avoid that behavior change at a time when I was not including any first boot packages.

#!/bin/bash

#REF: https://jamfnation.jamfsoftware.com/discussion.html?id=14728
#REF:  https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/Casper_Scripts/self_service_yosemite_os_install/self_service_yosemite_os_install.sh


available_free_space=$(df -g / | tail -1 | awk '{print $4}')
needed_free_space="$4"
os_name="$5"
insufficient_free_space_for_install_dialog="Your boot drive must have $needed_free_space gigabytes of free space available in order to install $os_name using Self Service. It has $available_free_space gigabytes available. If you need assistance with freeing up space, please contact the help desk."
adequate_free_space_for_install_dialog="$os_name may take up to 30 minutes to download and prepare for installation. Please be patient. Once the operating system has downloaded, this Mac will automatically restart to begin the installation process."

if [[ "$available_free_space" -lt "$needed_free_space" ]]; then
   jamf displayMessage -message "$insufficient_free_space_for_install_dialog"
fi

if [[ "$available_free_space" -ge "$needed_free_space" ]]; then
   echo "$available_free_space gigabytes found as free space on boot drive. Installing OS."

   jamf displayMessage -message "$adequate_free_space_for_install_dialog"
   jamf policy -trigger cache-elcapitan-installer
   jamf policy -trigger run-elcapitan-install
   shutdown -r now

fi

exit 0
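
Added example, not part of any post in this thread and not rtrouton's script: the FileVault 2 check and the `DisableFDEAutoLogin` change discussed above, written so that empty `fdesetup status` output is not read as "enabled" and so the setting is only changed when first boot packages are included, with a post-upgrade step that sets it back to NO. The function names, the plan keywords and the use of script parameter `$6` as a "first boot packages included" flag are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Function names, plan keywords and the
# $6 parameter are assumptions; only the preference key comes from the page.

PREF=/Library/Preferences/com.apple.loginwindow

# Classify the text printed by `fdesetup status`: on, off or unknown.
# The thread's check (grep "Off", empty result means enabled) also reports
# "enabled" when fdesetup prints nothing; "unknown" separates that case.
fv2_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# $1 = fdesetup status text, $2 = yes if first boot packages are included.
# Prints disable-autologin, leave-default or abort.
autologin_plan() {
    case "$(fv2_state "$1")" in
        on)  if [ "$2" = yes ]; then echo disable-autologin
             else echo leave-default; fi ;;
        off) echo leave-default ;;
        *)   echo abort ;;
    esac
}

# Pre-upgrade: apply the plan. Returns non-zero when the upgrade should stop.
apply_plan() {
    case "$1" in
        disable-autologin)
            defaults write "$PREF" DisableFDEAutoLogin -bool YES ;;
        leave-default) : ;;
        *) echo "Cannot determine FileVault 2 state; not upgrading." >&2
           return 1 ;;
    esac
}

# Post-upgrade (policy or first boot package): set the key back to NO so the
# Mac no longer asks for a second login after the FileVault 2 unlock.
restore_autologin() {
    defaults write "$PREF" DisableFDEAutoLogin -bool NO
}

# Run only where fdesetup exists (a Mac booted from the drive being upgraded).
if command -v fdesetup >/dev/null 2>&1; then
    apply_plan "$(autologin_plan "$(fdesetup status)" "${6:-no}")" || exit 1
fi
```

Call `restore_autologin` from the post-upgrade policy or first boot package; the pre-upgrade part has to run on the Mac while it is booted from the encrypted drive, since `fdesetup status` reports on the current boot volume.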

rqomsiya
  • Honored Contributor
  • January 29, 2016

Hi all,

So I just attempted to run this. It runs through the script, then restarts into the FV2 login window. If I enter my credentials it just loads back to the desktop with self-service launched. Any ideas as to what's going on? Thanks!

When looking at the logs I see this for the "Install El Capitan Installer" Policy:
Executing Policy Install El Capitan Installer...
Installing InstallOSX_10.11.3_15D21.pkg.zip...
Installation failed. The installer reported: installer: Package name is OS X
installer: Installing at base path /
installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

-Ronnie


mpermann
  • Valued Contributor
  • February 1, 2016

@rqomsiya I've seen the same error message when there wasn't enough disk space. When using a customized .pkg file made with createOSXinstallPkg I've found I need at least 22 GB of free space on the disk for the installation to complete properly from Self Service. I do not cache the package beforehand so I am not sure if that would lessen the storage requirements or not.


rqomsiya
  • Honored Contributor
  • February 3, 2016

I was able to go through the entire upgrade with only one small issue: After the policy caches the installer and reboots, I'm still prompted to authenticate on the FV2 screen. Any ideas what's going on?


  • Hall of Fame
  • February 4, 2016

@rqomsiya,

That's expected behavior when using a createOSXInstallPkg-built OS X installer. For more details on this behavior, please see the link below:

https://derflounder.wordpress.com/2013/11/30/upgrading-a-filevault-2-encrypted-mac-to-10-9-differences-between-createosxinstallpkg-and-apples-mavericks-installation-methods/


  • Contributor
  • April 14, 2016

Never mind! The logs are saying that the package cannot be found. I cached the package again and am now able to install.

Thanks,
John