Admin needed for macOS Ventura Updates

MPL
Contributor II

Hello Jamf Nation,

 

Most of our users are a standard user on their mac. We've had a subset of users upgrade from Monterey to Ventura already and within that subset of users, there are a few who are being prompted for administrative credentials to process minor OS updates for Ventura (ex 13.2.1 to 13.3). 

 

One user was able to restart their system, and then they were able to process the OS updates without needing admin credentials. Another performed a restart and was still prompted.

 

Does anyone know why this would be happening? I've checked our policies and we do not have anything selected in restrictions that requires an admin password to process updates. 

2 REPLIES 2

bcrockett
Contributor III

This is happening for three reasons;

 

a. Secure Tokens

b. Volumen management

c. Apple's broken update process - which breaks Jamfs built-in remote command update processes 

More info on tokens is linked here

 

The solution I have been using to update standard users from macOS 13.2.1 to 13.3 is the same one I have been using for major updates. 

 

I use Nudge as a trigger for Erase Install to automate this process.

 

I have over 100 computers that have updated to macOS 13.3 with this workflow.

 

I have a video overview of this config linked here

 

Hope that helps ~B 

AJPinto
Honored Contributor III

Apples update process for macOS is completely and totally broken, and has been for years. As @bcrockett suggested you can use the erase install method, I dont really care for it as you need the full OS installer on the device but it works (usually). Its a good fall back. Your best, and only out of box Apple solution is to issue the OS updates with MDM command.

 

I recommend submitting feedback to apple, and opening a ticket if you can before trying any work arounds. This is the only way to actually make apple care.

 

Check to see if the users in question have a secure token, this is required to install OS updates if a user does not have admin access. It could be an easy way of explaining why some users keep having problems.