3 weeks ago
I'm trying to create a Policy to update mac like SUPER can since our organization won't allow it's use.
Issue i'm having is when running command I keep getting error messages saying
"
No such update
No updates are available.
"
Here is Syntax I have hopefully someone can point out my error.
sudo -S softwareupdate --install 'macOS Sequoia 15.2-24C101' --restart --force --no-scan --agree-to-license --stdinpass "$4" --user "$5"
I've tired "macOS Sequoia 15.2-24C101", "macOS Sequoia 15.2", "15.2"
Really appreciate everyone time for reviewing this posting.
Solved! Go to Solution.
3 weeks ago
Thanks for everyone's help I've gotten it working here's the resulted script
echo "$4" | sudo -u root softwareupdate --install --all --restart --force --no-scan --agree-to-license --user "$5" --stdinpass
I've tired looking in install.log, jamf.log & system.log and can't see anywhere that password is appearing is there another location i'm missing?
3 weeks ago
Is there a reason you are not using the MDM commands to run OS updates? Apple deprecated running OS updates from CLI a few years ago, and if I am not mistaken Superman uses the recovery volume to run updates (don't hold me to that, I have not reviewed superman in a few years).
I would also suggest trying the -aiR argument instead of trying to specify the version, this is what I used when I did CLI updates last.
3 weeks ago
Thanks for the reply. We use MDM commands to enforce the updates saying they have be done by predefined date and Time. The request is to provide our end users a simple to use button to push to allow them to take the updates and it's installed using a service account that has Volume owner rights.
I've changed the command per your suggestion and checking it in terminal
sudo softwareupdate --install --all --restart --force --no-scan --agree-to-license stdinpass "$4" --user "$5" and now getting "
Failed to authenticate"
Maybe making progress lol
3 weeks ago
Unfortunately, this is far out of the bounds of what Apple allows now. I have heard it may be possible to use an account like this in CLI to authorize OS updates, but I was never able to get it to work. There was a hook that required GUI interaction to authorize the secure token (volume ownership) that was I never able to get around. You could look in to making a policy round a Jamf API command to trigger the OS update MDM command to run.
Is there a reason the users are not volume owners? This would allow them to install their own OS updates.
3 weeks ago
Thanks for replying. Our end users are volume owners and can perform the updates we try to lean more towards customer hands off for updates and just like to offer buttons for tasks to complete but it appears we've met our Match with MacOS updates and can enforce deadline and just nag them to do it then.
3 weeks ago - last edited 3 weeks ago
@chriso16 wrote:sudo softwareupdate --install --all --restart --force --no-scan --agree-to-license stdinpass "$4" --user "$5"
Actually it's --stdinpass, and it does not mean pass the password on the command line, it means software update will actually expect the password to come in via standard input, so either echo "$4" | softwareupdate ..., or use an expect script to wait for the password request and then provide the password (the latter should be more reliable than the former, as the former basically assumes the password request will come almost instantly, either method is also not considered to be secure).
3 weeks ago
Thanks for the reply appears my understanding of --stdinpass isn't as I expected.
3 weeks ago - last edited 3 weeks ago
@chriso16 It is impossible to update macOS on an Apple Silicon Mac via the softwareupdate command unless you know the account name and password of an account that has the volume owner token. As @AJPinto references you need to be using MDM, or for the new scheduled update options added via DDM in macOS Sonoma. While MDM/DDM updates still aren't 100% effective they are the only Apple supported update mechanisms.
3 weeks ago
Thanks for the reply. We create service Account in Prestage and we use that account to login and enable filevault. this is the account i'm passing in the command is there another account I should use?
3 weeks ago
@chriso16 I can't stress enough that using MDM/DDM triggers for forcing updates is the only one that's going to be viable long term, but regarding what account on a Mac could be currently be used to drive softwareupdate @stevewood 's post in another thread (https://community.jamf.com/t5/jamf-pro/jamf-pro-laps-filevault-and-administrator-level-accounts/m-p/...) states an account created in a PreStage shouldn't be used as a service account since it shouldn't get a FileVault token.
2 weeks ago
Thanks for your reply. Our Organization's Policy requires that Filevault be enabled prior to customers first login so this Workflow doesn't work for us. I appreciate your time.
3 weeks ago
Apple has done everything they can to stop people from doing what you’re trying. I would go back and see why Superman isn’t allowed and if there’s something you can do to mitigate that.
2 weeks ago
Thanks for your reply. Our Organization requires all software to be reviewed for Business use and Superman uses IMB Notify to display notices similar to erase-install. I was unable to get SwiftDialog or IMB Notify approved. If either of those tools can switch to native dialog window then I can further investigate.
In the meantime I've got working solution assuming log file isn't storing our service account password somewhere.
Thank you for your time.
3 weeks ago
Have you looked at Graham Pugh's erase-install? https://github.com/grahampugh/erase-install
Getting around the account requirements/limitations can be difficult (has to be a "volume owner" for Apple Silicon Macs), but this script can automate the download and installation of macOS to a specific or even the latest version. Despite the name, it can do in-place upgrades as well as full erase and re-installs.
3 weeks ago
Thanks for the reply. Our Organization requires that any software we use has to be submitted for approval so just like SUPER they both use dialog boxes which I was unable to get approved.
I was able to get it working using this script.
echo "$4" | sudo -u root softwareupdate --install --all --restart --force --no-scan --agree-to-license --user "$5" --stdinpass
3 weeks ago
Thanks for everyone's help I've gotten it working here's the resulted script
echo "$4" | sudo -u root softwareupdate --install --all --restart --force --no-scan --agree-to-license --user "$5" --stdinpass
I've tired looking in install.log, jamf.log & system.log and can't see anywhere that password is appearing is there another location i'm missing?
3 weeks ago
Your best solution for this will likely be something that prompts (or nags) the users to perform the updates. I have been using Nudge for this for just over two years. It works really well. I have explored using Super too. Jamf Pro provides a software update feature that leverages Apple's MDM to enforce updates. I am exploring using a combination of the Jamf software update feature and prompts to users to do the updates themselves. I'm thinking that I can use the software update feature as my enforcement mechanism.
2 weeks ago
Thanks for the reply I currently have a custom made nag script that uses Native dialog window To display messages and opens System Settings Software Updates underneath directing them to push button and sign in. We also use JAMF Pro to enforce a deadline on the update using MDM Commands. Only part we are missing was a button in Self Service to start the update and I believe that may be working assuming i'm not missing log file somewhere.
Thank you for your time.