Big Sur - Non Admin users

jonathan_massey
New Contributor III

I was wondering if there was anybody out there who had come up with a good workflow for allowing non-admin users on Big Sur to update their computers. We are a K-12 environment with a really large fleet and having to ask an admin to enter credentials is a huge headache.

15 REPLIES 15

shaquir
Contributor III

sharriston
Contributor III

I just want to say I second @shaquir. This method has so far worked on our test machines. The only caveat I would say about the macOS update script is by default it has in it require 48 gb for macOS 11. I found that number almost impossible to hit with everyone have 128 gb airs. Just a thought.

cnorrisAdmin
New Contributor III

If you are looking to just do updates and not upgrade, I have this script that lists the updates that were installed and when, shows the updates that are available for the specific system, then prompts the user to update or do it later.

!/bin/bash

exec >> "/Library/Logs/My Script.log" 2>&1

Last modified March 4, 2020, Chris Norris

echo " $0" date "%A %B %d, %Y %H:%M" " "
echo ""
/usr/bin/osascript -e '
tell application "System Events" activate set thisday to do shell script "date
%m/%d/%Y" set updatehistory to do shell script "softwareupdate --history | cut -c -42,62-72" set updatelist to do shell script "softwareupdate --list"

display dialog "Good morning! Today is " & thisday & " The following are the updates installed and when: " & updatehistory & " " buttons ("Next") default button "Next" with title "Apple Software Updates"

display dialog "Installing any SECURITY or OS UPDATES, will FORCE the system to RE-BOOT." & " Here are the available updates for your system: " & updatelist & " ______________ updates listed above ______________ Do you want to install updates now? " buttons ("Later","Ok") default button "Later" with title "Available Apple Software Updates" if button returned of result = "Ok" then display dialog "Running Software Update now..." with icon caution do shell script "softwareupdate -ia" else if button returned of result = "Later" then display dialog "Will install updates later. Remember to keep your system up-to-date." with icon caution end if
end tell'

echo " $0 Completed " date "+%A %B %d, %Y %H:%M" " "

mikeo
New Contributor III

@shaquir , @sharriston , and @cnorrisAdmin that's interesting but looks like a way to upgrade to Big Sur using Self Service or update Big Sur systems with user interaction. I believe what @jonathan.massey is looking for (and what I am looking for) is a way to update Big Sur to the latest Apple software updates without admin access. I would even prefer a way to apply updates with no user interaction. Does anybody know a way to do that in Big Sur?

sharriston
Contributor III

In my testing I have found that all previous Self Service upgrading has been super inconsistent in Big Sur. I found a discussion that basically said to run a script which opens the Software Update preference pane and to make sure you have a configuration profile that allows standard users to install updates. Would you like either of those things posted?

Can you let me know how to have a configuration profile that allows standard users to install updates? I'm having a hard time finding the option.

Cayde-6
Release Candidate Programs Tester

I just use a script to call /Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall

Arguments I use
agreetolicense
forcequitapps

mikeo
New Contributor III

@sharriston the OP might be interested but I need to do updates at the loginwindow with no user logged in. Thanks @Cayde-6 , I've seen online that doing the full install every time will provide updates, but I was hoping to avoid the ~30 minutes that takes to run and having the full installer on every machine.

I've hijacked this ticket enough, so anybody interested in updating Big Sur at the loginwindow, with no interactive user logged in, I have another discussion going here.

jimmy-swings
Contributor II

Using a script to call softwareupdate should suffice.

I have a daily script that lists and downloads available updates. A smart group is scoped to prompt the user to “install” these pending updates with a timeout of 9 hours. This allows the user to work through a business day without impact and / or execute at their convenience (ie. at lunchtime).

donmontalvo
Esteemed Contributor III

Not sure if it works with Big Sur, but for lower macOS versions, this worked at the Login Window:

softwareupdate --install --all --agreetolicense --nointeraction --forcequitapps && reboot
--
https://donmontalvo.com

mikeo
New Contributor III

Yeah @donmontalvo , unfortunately that doesn't work in Big Sur. There is a known problem with updates with no user logged in in Big Sur. Also, I don't think some of those flags are valid in the Big Sur version of softwareupdate.

user-CqUlRTAQgf
New Contributor

I'm currently testing how to let users install Big Sur via VPP (and made available in Self Service), with the catch being that the users are not admins. Right now, it prompts the user to enter admin credentials

 Is there a way to bypass this?

 

Regards

 

Tab Nawaz

 

 

 

 

 

Was there a solution on installing Big Sur updates without admin rights?

I would also like to know the answer here...

 

currently i am trying to get this working:

https://babodee.wordpress.com/2021/03/30/handling-major-upgrades-and-minor-updates-for-macos-with-ja...

but it is a bit complicated. If there was a simple setting. Like for instance on windows GPO, you can set "allow limited users to install updates" and boom done. Does jamf have a similar setting? I dont care about forcing it at this time, i just want to allow the user to install without admin privs.

mikeo
New Contributor III

The short answer is, as far as I know, there is no easy way to allow standard users to do OS upgrades.  One thing I got working is putting the Big Sur installer on the machine.  Then I run the installer via a script as a policy in JAMF, with the adminuser password stored as Parameter 4 in the policy.  (This requires a admin user account that is allowed to do OS updates on the machine.)

echo $4 | /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --user adminuser --stdinpass

This isn't the most secure, but it's the only option I've found to automate the process.  I don't use Self Service, so you may want to caution users that this will start the update immediately, so save your work, yada, yada, yada.