Jamf Nation Community

Thanks for the reply. We use MDM commands to enforce the updates saying they have be done by predefined date and Time. The request is to provide our end users a simple to use button to push to allow them to take the updates and it's installed using a service account that has Volume owner rights. 

I've changed the command per your suggestion and checking it in terminal 

sudo softwareupdate --install --all --restart --force --no-scan --agree-to-license stdinpass "$4" --user "$5"  and now getting "

Failed to authenticate"

Maybe making progress lol

Unfortunately, this is far out of the bounds of what Apple allows now. I have heard it may be possible to use an account like this in CLI to authorize OS updates, but I was never able to get it to work. There was a hook that required GUI interaction to authorize the secure token (volume ownership) that was I never able to get around. You could look in to making a policy round a Jamf API command to trigger the OS update MDM command to run.

Is there a reason the users are not volume owners? This would allow them to install their own OS updates.

Thanks for replying. Our end users are volume owners and can perform the updates we try to lean more towards customer hands off for updates and just like to offer buttons for tasks to complete but it appears we've met our Match with MacOS updates and can enforce deadline and just nag them to do it then.

---

@chriso16 wrote:

sudo softwareupdate --install --all --restart --force --no-scan --agree-to-license stdinpass "$4" --user "$5"

Actually it's --stdinpass, and it does not mean pass the password on the command line, it means software update will actually expect the password to come in via standard input, so either echo "$4" | softwareupdate ..., or use an expect script to wait for the password request and then provide the password (the latter should be more reliable than the former, as the former basically assumes the password request will come almost instantly, either method is also not considered to be secure).

Thanks for the reply appears my understanding of --stdinpass isn't as I expected. 

Thanks for the reply. We create service Account in Prestage and we use that account to login and enable filevault. this is the account i'm passing in the command is there another account I should use?

@chriso16 I can't stress enough that using MDM/DDM triggers for forcing updates is the only one that's going to be viable long term, but regarding what account on a Mac could be currently be used to drive softwareupdate @stevewood 's post in another thread (https://community.jamf.com/t5/jamf-pro/jamf-pro-laps-filevault-and-administrator-level-accounts/m-p/...) states an account created in a PreStage shouldn't be used as a service account since it shouldn't get a FileVault token. 

Thanks for the reply. Our Organization requires that any software we use has to be submitted for approval so just like SUPER they both use dialog boxes which I was unable to get approved. 

I was able to get it working using this script. 

echo "$4" | sudo -u root softwareupdate --install --all --restart --force --no-scan --agree-to-license --user "$5" --stdinpass