Admin Credentials to Upgrade to Sonoma

Alvaro1337
New Contributor II

Hey everyone, we're currently working on upgrading to macOS Sonoma using Jamf Pro as Admin. We're looking for a way to run the upgrade overnight without requiring end users to enter admin credentials. According to Apple Support documentation, users need to be volume owners to initiate the upgrade, but they still need admin credentials to do so.

https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web#dep7d4a58bed

Can we implement any type of policy to run the upgrade without asking for admin credentials?

Alvaro Ortiz
11 REPLIES

sdagley
Esteemed Contributor II

@Alvaro1337 You can use an MDM command to force installation of an update without requiring user credentials. The likelihood of that working varies depending on the version of macOS currently running.

bcrockett
Contributor II

You can do that with erase-install. Users still need to enter their password though.

I will have a deep dive film on how to automate this process with nudge + erase-install by next week.

thank you, appreciate the help!

Alvaro Ortiz

I got it done today.

MacOS 14 Sonoma updates automated! With Nudge and Erase Install - Deep Dive!

Links to items used in the film:
Nudge Post-install https://github.com/dan-snelson/Nudge-Post-install/wiki
Erase-install https://github.com/grahampugh/erase-install/wiki/6.-Use-in-Jamf-Pro

Command used in post install script:

/Library/Management/erase-install/erase-install.sh --update --reinstall --fs --power-wait-limit 180 --postinstall-command "jamf recon"

I hope it helps! 

sdagley
Esteemed Contributor II

@bcrockett The recommendation from @grahamrpugh (the author of erase-install) is to not use "jamf recon" as a --postinstall-command. It is not going to do what you think it will (e.g. it's going to do nothing):

1) The command will be run after erase-install completes, not after the Mac restarts to finish the macOS install that startosinstall initiates, and that's not really useful because you haven't updated macOS yet.

2) If you are calling erase-install directly, the policy running it will never complete because the startosinstall tool the script calls will restart the Mac and leave the policy in the pending state. Using the erase-install-launcher.sh script (it's in the erase-install GitHub repo) as an intermediary for launching erase-install will allow the policy running it to complete.

1. I believe jamf recon does what the logs show. Report to jamf. That said, what do you think are the best post-install commands?

2. Can you clarify what you mean by installing directly?
My setup is basic but functional. 

a. Use a policy to do two things, first install the erase-install-31.0.pkg, second run a script with this command:

/Library/Management/erase-install/erase-install.sh --update --reinstall --fs --power-wait-limit 180 --postinstall-command "jamf recon"

I have updated over 100 computers in my fleet with this workflow without issues. 

However, if there is a way to improve the workflow I would like to learn more about it.

Thanks, ~ B

sdagley
Esteemed Contributor II

1) The --postinstall-command will run at the completion of the startosinstall process, not after the Mac restarts, so if your goal is to do a recon when the Mac starts up after an update that's not going to happen. There are multiple ways to get a post upgrade recon. Easiest is probably scheduling a policy to do a recon on login. For my environment we deploy a LaunchDaemon & script that checks to see if the macOS build version has changed since the previous login and does a recon if so.

2) The non-return behavior may be specific to the --erase option, but even for the --reinstall option using the erase-install-launcher script is recommended when running via Jamf Pro. See the Use in Jamf Pro section of the erase-install Wiki for details why.
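
An added example, not part of the thread and not sdagley's actual script: one way to write the build-change check described in the reply above, so inventory is refreshed only after the OS build really changed. The state file path, the BUILD_CMD/RECON_CMD overrides and the --run argument are assumptions made for illustration; the LaunchDaemon plist that would call it is not shown.

```shell
#!/bin/sh
# Added example (not sdagley's script): run an inventory update only when the
# macOS build differs from the one recorded on the previous run.
# Hypothetical names: STATE_FILE path, the BUILD_CMD/RECON_CMD overrides, --run.
STATE_FILE="${STATE_FILE:-/Library/Management/last_os_build}"
BUILD_CMD="${BUILD_CMD:-/usr/bin/sw_vers -buildVersion}"
RECON_CMD="${RECON_CMD:-/usr/local/bin/jamf recon}"

record_build() {
    # Write via a temp file so an interrupted run never leaves a partial value.
    printf '%s\n' "$1" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
}

recon_if_build_changed() {
    current=$($BUILD_CMD 2>/dev/null) || current=""
    if [ -z "$current" ]; then
        echo "no-build"; return 2
    fi
    if [ ! -f "$STATE_FILE" ]; then
        # First run: nothing to compare against, so only record a baseline.
        record_build "$current" || return 2
        echo "baseline"; return 0
    fi
    previous=$(cat "$STATE_FILE")
    if [ "$current" = "$previous" ]; then
        echo "unchanged"; return 0
    fi
    # Build changed: update inventory, and record the new build only if that
    # succeeded, so a failed recon (e.g. no network yet) is retried next run.
    if ! $RECON_CMD >/dev/null 2>&1; then
        echo "recon-failed"; return 1
    fi
    record_build "$current" || return 2
    echo "recon-ran"; return 0
}

# A LaunchDaemon (running as root) would invoke this file with --run.
if [ "${1:-}" = "--run" ]; then
    recon_if_build_changed
    exit $?
fi
```

Keeping the state file in a root-owned directory matters here: if a standard user could edit it, they could suppress or force the inventory update.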

agyekum28
New Contributor III

Erase Install package is your best friend for this use case, user will have to enter in their own creds and confirm the upgrade though

D-
New Contributor

We have discovered that with this upgrade the need to run the erase-install is no longer needed. Users are free to install the update any time without the need for admin creds. 

healthcareaa
New Contributor III

Weird. Our standard users are able to update without Admin credentials. 

I am noticing this myself. Since major macOS upgrades have normally required an admin user's password to run, I came up with a whole procedure for temporarily granting users admin rights and then have them automatically be demoted back to a standard user account after upgrading to Sonoma. As I was going through my procedure with one of my test Macs, I tried doing the upgrade from a standard user account without following the procedure I devised, and I was able to start the process without being asked for a password. This is on an Intel MacBook Pro. As soon as I have my Apple Silicon test Mac ready to go, I will try doing a macOS Sonoma upgrade on it with a standard account to see if a standard user can do a major macOS upgrade.