Admin Credentials to Upgrade to Sonoma

Alvaro1337
New Contributor III

Hey everyone, we're currently working on upgrading to MacOS Sonoma using Jamf Pro as Admin. We're looking for a way to run the upgrade overnight without requiring end users to enter admin credentials. According to Apple Support documentation, users need to be volume owners to initiate the upgrade, but they still need admin credentials to do so.

https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web#dep7d4a58bed

Can we implement any type of policy to run the upgrade without asking for admin credentials?

Alvaro Ortiz

sdagley
Esteemed Contributor II

@Alvaro1337 You can use an MDM command to force installation of an update without requiring user credentials. The likelihood of that working varies depending on the version of macOS currently running.

bcrockett
Contributor III

You can do that with erase-install. Users still need to enter their password though.

I will have a deep dive film on how to automate this process with nudge + erase-install by next week.

Alvaro1337
New Contributor III

thank you, appreciate the help!

Alvaro Ortiz

I got it done today.

MacOS 14 Sonoma updates automated! With Nudge and Erase Install - Deep Dive!

Links to items used in the film: Nudge Post-install https://github.com/dan-snelson/Nudge-Post-install/wiki Erase-install https://github.com/grahampugh/erase-install/wiki/6.-Use-in-Jamf-Pro

Command used in post install script:

/Library/Management/erase-install/erase-install.sh --update --reinstall --fs --power-wait-limit 180 --postinstall-command "jamf recon"

I hope it helps!

sdagley
Esteemed Contributor II

@bcrockett The recommendation from @grahamrpugh (the author of erase-install) is to not use "jamf recon" as a --postinstall-command. It is not going to do what you think it will (e.g. it's going to do nothing):

1) The command will be run after erase-install completes, not after the Mac restarts to finish the macOS install that startosinstall initiates, and that's not really useful because you haven't updated macOS yet.

2) If you are calling erase-install directly the policy running it will never complete because the startosinstall tool the script calls will restart the Mac and leave the policy in the pending state. Using the erase-install-launcher.sh script (it's in the erase-install GitHub repo) as an intermediary for launching erase-install will allow the policy running it to complete.

1. I believe jamf recon does what the logs show. Report to jamf. That said, what do you think are the best post-install commands?

2. Can you clarify what you mean by installing directly?
My setup is basic but functional.

a. Use a policy to do two things, first install the erase-install-31.0.pkg, second run a script with this command:

/Library/Management/erase-install/erase-install.sh --update --reinstall --fs --power-wait-limit 180 --postinstall-command "jamf recon"

I have updated over 100 computers in my fleet with this workflow without issues.

However, if there is a way to improve the workflow I would like to learn more about it.

Thanks, ~ B

sdagley
Esteemed Contributor II

1) The --postinstall-command will run at the completion of the startosinstall process, not after the Mac restarts, so if your goal is to do a recon when the Mac starts up after an update that's not going to happen. There are multiple ways to get a post upgrade recon. Easiest is probably scheduling a policy to do a recon on login. For my environment we deploy a LaunchDaemon & script that checks to see if the macOS build version has changed since the previous login and does a recon if so.

2) The non-return behavior may be specific to the --erase option, but even for the --reinstall option using the erase-install-launcher script is recommended when running via Jamf Pro. See the Use in Jamf Pro section of the erase-install Wiki for details why.
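The build-change check sdagley describes, written out as an added example (this is not sdagley's production script or anything from the erase-install project). It assumes a LaunchDaemon with RunAtLoad invokes it at every boot, and the state file path and jamf binary path are placeholders you would set for your own environment.

```shell
#!/bin/bash
# Added example: run "jamf recon" once after a macOS upgrade by comparing the
# running build to the build recorded on the previous run.
# Assumptions: STATE_FILE and JAMF_BIN below are placeholder paths.

STATE_FILE="${STATE_FILE:-/Library/Management/.last_recon_build}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Print the running macOS build string (the value sw_vers reports, e.g. 23A344).
current_build() {
    /usr/bin/sw_vers -buildVersion
}

# build_changed STATE_FILE BUILD
# Returns 0 (changed) when BUILD differs from the recorded build or nothing has
# been recorded yet, and records BUILD; returns 1 (unchanged) otherwise.
# It has no side effect beyond the state file, so it can be exercised off a Mac.
build_changed() {
    state_file="$1"
    build="$2"
    previous=""
    if [ -f "$state_file" ]; then
        previous=$(cat "$state_file")
    fi
    if [ "$previous" = "$build" ]; then
        return 1
    fi
    # Write to a temp file and rename so a crash cannot leave a truncated record.
    printf '%s\n' "$build" > "$state_file.tmp" && mv "$state_file.tmp" "$state_file"
}

main() {
    build=$(current_build) || return 1
    # Recon only when the build moved, i.e. the upgrade restart has completed.
    if build_changed "$STATE_FILE" "$build"; then
        "$JAMF_BIN" recon
    fi
}

# Only act on a real Mac; elsewhere the functions are just defined.
if [ -x /usr/bin/sw_vers ]; then
    main
fi
```

Because this runs at boot rather than as a --postinstall-command, the recon happens after the new macOS is actually installed, which is the timing the post above says the erase-install hook cannot give you.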

agyekum28
New Contributor III

Erase Install package is your best friend for this use case, users will have to enter their own creds and confirm the upgrade though

D-
New Contributor

We have discovered that with this upgrade the need to run the erase-install is no longer needed. Users are free to install the update any time without the need for admin creds. 

healthcareaa
New Contributor III

Weird. Our standard users are able to update without Admin credentials. 

I am noticing this myself. Since major macOS upgrades have normally required an admin user's password to run, I came up with a whole procedure for temporarily granting users admin rights and then have them automatically be demoted back to a standard user account after upgrading to Sonoma. As I was going through my procedure with one of my test Macs, I tried doing the upgrade from a standard user account without following the procedure I devised, and I was able to start the process without being asked for a password. This is on an Intel MacBook Pro. As soon as I have my Apple Silicon test Mac ready to go, I will try doing a macOS Sonoma upgrade on it with a standard account to see if a standard user can do a major macOS upgrade.

Miff_Weaver
New Contributor II

I've had a number of non-admin users successfully update from Big Sur onward to Sonoma without issue, this is across both Intel and Apple Silicon. I recall reading something about secure token being used for authentication... but could be wrong. Previously we've used a Self Service object, leveraging 30 minute admin and startosinstall, but running the update via macOS is a much cleaner experience for users.

Just to clarify, do your users upgrade as tokenized admins? 

Tokenised non admins - feel free to test it out and let me know if you get the same outcome 🙂

As long as they have tokens they can update as you described.
If they do not have tokens I use this script triggered through a policy in self-service to token them.

*note I still think using nudge is the best way to get users to update en masse. However, nudge could be configured to get users to update the "normal" way. Or the erase-install way.

#!/bin/bash

# Jamf passes script parameters 4 and 5: an admin account that already holds a
# secure token, and that account's password.
admin_user="$4"
admin_pass="$5"

# get logged in user (the owner of the console device)
currentuser=$(/usr/bin/stat -f%Su /dev/console)

user_entry=""

# prompt user for their password; keep asking until something is entered
while [ -z "$user_entry" ]; do
	user_entry=$(/usr/bin/osascript -e '
tell application "Finder"
	activate
	try
		display dialog "Please enter local password" with title "Assign SecureToken" default answer "" with hidden answer
		set user_entry to the (text returned of the result)
	on error number -128
		set user_entry to ""
	end try
	return user_entry
end tell')
done

# Do not echo the password here: script output is captured in the policy log.

# grant the token using the admin credentials from parameters 4 and 5.
# The "||" in sysadminctl's usage text just means "or"; putting it on the
# command line meant -adminUser/-adminPassword were never passed, so the tool
# fell back to prompting interactively. Jamf already runs this as root, so no sudo.
/usr/sbin/sysadminctl -secureTokenOn "$currentuser" -password "$user_entry" -adminUser "$admin_user" -adminPassword "$admin_pass"

exit 0


I tried your script out but I'm still prompted for admin credentials even after supplying them with $4 and $5 fields.

You may need to write a new script to reach that end goal. Or search GitHub to see if someone else has written something you can use.