Big Sur and where to start

endor-moon
Contributor II

I get the feeling I'm behind the 8-ball. Our educational institution has been running macOS High Sierra until very recently when Adobe dropped support for it forcing us to upgrade to Mojave. Since the students are not using the labs due to COVID-19 I have time to catch up and learn what I should have learned in Mojave and Catalina but now for Big Sur. Why go to Big Sur? I prefer all my Mac labs to be on the same operating system version where possible and we are considering a lab of the new Mac Mini computers with Apple M1 SOC.

I setup my first Big Sur lab machine yesterday (a Mac Pro 2013) and none of the policies ran that I could see, nor did any of the installers execute. For example, my installer to create /Library/AdminToolBox and drop all my scripts there failed like this:

Checking for policies triggered by "recurring check-in"...
Executing Policy Copy Maya Installers
Mounting casper
cp: /Volumes/casper/Packages/Installers_2020.pkg: Operation not permitted

Error: The package (Installers_2020.pkg) could not be found.
Submitting log to https://mdm.mad.durhamcollege.ca:8443/
Executing Policy Install AdminToolBox
cp: /Volumes/casper/Packages/AdminToolBox_in_progress.pkg: Operation not permitted

Error: The package (AdminToolBox_in_progress.pkg) could not be found.
Submitting log to https://mdm.mad.durhamcollege.ca:8443/
Executing Policy Install Adobe CC 2021
cp: /Volumes/casper/Packages/AdobeMacLabSharedDev_Install.pkg.zip: Operation not permitted

Error: The package (AdobeMacLabSharedDev_Install.pkg.zip) could not be found.
Checking for patches...
No patch policies were found.
Unmounting file server...
Submitting log

I had to enroll the machine by taking it over with ARD and running Recon. Even then I don't see the MDM profile anywhere, have they moved?

My installers are all unsigned, do they need to be signed now?

Will Wacom tablet drivers work (kernel extension?) I understand kernel extensions are "going away".

It would be nice if there were a JAMF Pro guide to deployment with Big Sur. Our JAMF Pro instance is on premises, 10.24.2 which I believe is the current version. Sorry if these questions are rather "old hat", like I said, I'm rather behind due to sticking with the oldest and most stable operating system rather than upgrade every time.

Cheers from Canada.

Jim

1 ACCEPTED SOLUTION

endor-moon
Contributor II

It appears the computer wasn't completely enrolled. I needed to remove it, enrol through the browser's self enrol process, install the profile, approve the profile, then run the Recon GUI using ARD. Things have greatly improved. My thanks to Keng who I chatted with in JAMF support just now.

View solution in original post

12 REPLIES 12

rmckellar
New Contributor III

Jim,

I would start by updating your Jamf Pro to 10.25, to utilize Jamf Pro's updates for Big Sur.
I also believe (I may be wrong about this) that Jamf automatically signs the installers. It's possible that you need to grab updated versions of the installers for Big Sur.

That being said, as a District we don't update to major OS versions (ie, Mojave to Catalina, Catalina to Big Sur) until the summer. This gives me time to test and play to see what I need to fix, and gives Apple time to work out early version bugs. I haven't had much time yet to play around with Big Sur, so I can't give you too many specifics on anything. The best info I've been gathering has been by going through the stuff here on JamfNation and reading through others' experiences and findings.

Sorry, I don't have a ton of info for you, but hang in there. Big Sur is a big jump from High Sierra, don't get discouraged! :)

endor-moon
Contributor II

Thanks @rmckellar. Perhaps JAMF doesn't sign the installers unless there's a certificate that isn't self-signed? Sorry, I misquoted the version of JAMF I am on, it is 10.25.2, the current version. I may contact JAMF support on the cert issue.

PaulHazelden
Valued Contributor

I think AFP has been dropped from Big Sur, so if your Distribution point is AFP, you will need to sort that out. The error you are seeing looks a bit like one I had when migrating DP to a new server, and there were issues. The policy knew what it wanted but couldn't access it. I switched to HTTPS for my distribution points and that sorted it all out

When I make packages in Composer I have it set to Sign them with a certificate. I have 2 options our Apple Developer installer certificate or the JAMF one. Its in the Preferences for Composer. And yes Apple want signed installer pkg's.

Also when you use older packages from your High Sierra days, they could now be installing in places where Apple will no longer allow any changes. So you will have to go back and re build them all from clean installs on the newer OS.

Kernel Extensions are a whole big issue, If you push out the allow for Kernel extensions configuration profile from your MDM (JAMF) they are supposed to work still, but going forward they may stop working. But by then the Developers should have written System Extensions versions of them. In my opinion, they should be available now as System Extensions are supported in Catalina, which has been out for a year already.

Hope some of this is useful for you. And it sure is a big leap from High Sierra to Big Sur.

endor-moon
Contributor II

It appears the computer wasn't completely enrolled. I needed to remove it, enrol through the browser's self enrol process, install the profile, approve the profile, then run the Recon GUI using ARD. Things have greatly improved. My thanks to Keng who I chatted with in JAMF support just now.

diegoFA
New Contributor

Edit: apologies, did not mean to comment on the thread. Done by mistake.

larry_barrett
Valued Contributor

^ Same.

In case anyone doesn't know, the quick add package is at https://jss.YOURORG:8443/enroll?type=QuickAdd if you're on-prem

Big Sur isn't super great but all my installers seem to be working. So far I've had Chrome, Office, SmartNotebook, Adobe Reader, our AV, Zoom, Firefox all install "normally".

AJPinto
Valued Contributor

For the most part (PPPC aside) most management works fairly well between High Sierra and Catalina. Big Sur retiring KEXTs is another thing entirely, and for my organization that broke all our security applications. We are upgrading from JAMF Pro (on prem) 10.24 to 10.25.2 to get full ARM support, we normally only update annually. I consider early adopters essentially freelance unpaid public beta testers, let others get the bumps and bruises of the new stuff out of the way.

I myself would skip the first gen ARM Macs, they are probably not going to be supported anywhere near as long as the 2nd gen. Apple is learning with this and will move on to Gen2 pretty quick.

endor-moon
Contributor II

Great information, thanks folks. We're actually considering a lab of the new M1 Mac Mini, but there's plenty of time to shake down everything as we're still in near-lockdown just outside of Toronto.

dmw3
Contributor III

Ok, where do you start with Big Sur?
Most packages install fine, we have issues with Configuration Profiles being stuck in a pending state.
No System Preferences/Profiles dialog.
Opening Self-service constant request to Approve MDM Profile every time this app is opened, click the link and goes to the System Preferences/Profiles but just a blank dialog box (see image below)

Big Sur 11.0.1
Jamf 10.26

0c962362ed2142dbbf3d3ad79c1e1604

endor-moon
Contributor II

Perhaps the new 10.26.1 release fixes that problem? I don't know how I missed 10.26 but I'm still on 10.25.2, I believe.

bemord-entefy
New Contributor

What was the indicator that the device "wasn't completely enrolled"?

endor-moon
Contributor II

Sorry @bemord-entefy, just seeing your follow-up now. I think the computer could never mount my JAMF repository, probably because the required profiles were missing when I enrolled with Recon. The JAMF support person figured it out quickly. My new process for Big Sur deployment is to boot the fresh M1 Mac Mini, set some preferences like Energy Saver, Sharing, Remote Login, bind to AD, do a manual enrol to my JSS with Safari, approve the profiles, then pause for a couple of minutes setting preferences, then run QuickAdd.pkg. If I run QuickAdd too quickly, no pun intended, it fails and needs to be installed again. Then I logout, wait for my policies to run, which install various things like Office and Adobe (package for Apple Silicon), come back to the machine with Apple Remote Desktop and run the Big Sur update from 11.2 to 11.5.2.