Deploy Rosetta on M1 machines before everything else

mwu1876
Contributor

We have several M1 chip MacBooks that we want to deploy. How can we push and ensure the Rosetta policy to install (softwareupdate --install-rosetta) gets installed before all the other policies (i.e. Office, TeamViewer, etc.)? If not, the other installs will fail. I can create a separate policy for each application that has a different scope but that becomes a pain.

1 ACCEPTED SOLUTION

mwu1876
Contributor

So, I got this working. What I did was create a Smart Group for M1 machines. Then, the only policy that I had that kicked off as Enrollment complete is one that installs Rosetta. If it's not an M1 then it kicks off the rest of the policies. Once Rosetta is installed I have an event trigger that fires off the rest of the policies. So far it's worked. This allows me more flexibility to quickly change around policies.

104 REPLIES

jcarr
Contributor III

Could you just add the 'Files and Processes' payload to those policies and run the following command?

/usr/sbin/softwareupdate --install-rosetta --agree-to-license

Or just add a new policy to run this command on all M1 devices. I don't have an M1 device to test, but if it has already been installed, it should just error out and move on.

mwu1876
Contributor

Well, I did that but the issue is priority. I have several policies that install other apps. I need this one to kick off first before anything else.

cbrewer
Valued Contributor II

It's not elegant but name your policy starting with an asterisk (*). It should run before policies that are named starting with A-Z or 0-9.

johntgeck
New Contributor III

Have you tested this and does it actually work? I would *love* to not have to reconfigure all of our myriad policies to accommodate for this issue.

Tribruin
Contributor III

Do you do automated enrollment? Create a payload-free package with a post-install script that installs Rosetta 2 and have it installed during enrollment. (I haven't actually tried this as I don't have an AS machine, but it was an idea I had.)

mwu1876
Contributor

@cbrewer Thanks. Yeah, that's sort of what I started doing but it was a real pain. @RBlount All the M1 versions are automated. I'll try out what you suggested. Thanks!

Tribruin
Contributor III

@mwu1876 Let me know if my idea worked or not. Like I said, I don't think I will be getting any M1 units for testing anytime soon.

rdodd
New Contributor

We created a post enrollment script that uses triggers to run various policies. This allows us to determine the order of install.

cwaldrip
Valued Contributor

So, Rosetta 2 isn't already included with Big Sur on M1 at installation?!? That seems like a big oversight by Apple. Does it install automatically at first launch of a non-M1 native app? What good is that if the computer isn't on-line (that happens a lot outside of Cupertino, btw)? I don't have an M1 yet to test with... 😞

j_allenbrand
New Contributor III

Subscribing to see how people have done this with M1.

mwu1876
Contributor

I have several M1 Airs and Pros I will test with next week. I plan on making a post-install script. That way when it starts up it's ready to receive policies that require Rosetta. Let's hope it works.

ThijsX
Valued Contributor

For prestage enrollments you can create a prestage package which runs a simple script with something like below for instance

#!/bin/bash
arch=$(/usr/bin/arch)
if [ "$arch" == "arm64" ]; then
    echo "Apple Silicon - Installing Rosetta"
    /usr/sbin/softwareupdate --install-rosetta --agree-to-license
elif [ "$arch" == "i386" ]; then
    echo "Intel - Skipping Rosetta"
else
    echo "Unknown Architecture"
fi

pbowden
Contributor III

While I haven’t confirmed this directly with Apple I did notice that I needed to install Rosetta again after performing an OS update. In my example, my M1 came pre-installed with Big Sur 11.0 (20A2411) and I went ahead and installed Rosetta when I launched a PKG installer.

However, I then went through software update to bring it up to 11.0.1 (20B39) and when I next ran a PKG installer, I was again asked to install Rosetta.

This somewhat makes sense as the Rosetta install is just a 452KB package that installs the oahd helpers, so it’s logical that those would get updated with a new release of the OS. And because it’s not a core part of the OS, you have to perform the update separately.

mwu1876
Contributor

@pbowden Thanks, I'll be on the lookout for that when I start testing again Monday.

Wakko
Contributor

I can confirm that Rosetta is not installed. Additionally when I tried to update and apply the 2.* GiG update it failed. Had to nuke and pave with a fresh install. @txhaflaire I'm about to test out your script on my PreStage and report back. Smoke 'em if you got 'em Mi Gente.

@txhaflaire Chefkiss it worked. People just create the script and make sure you set it up as before. So it pulls the update/installer from Apple before it starts to install anything.

j_allenbrand
New Contributor III

@Echevarria do you mind sharing your script/screen? I just tried to install and it didn't work.

fernando_gonzal
Contributor

If rosetta is already installed but you run the "softwareupdate --install-rosetta --agree-to-license" command again will it try to download again and reinstall or will it gracefully exit with an "already installed" message?

Trying to see how to script the logic for this if I want to run it as a pre-script in my policies.

avail
New Contributor III

yungstump
New Contributor

Deploying Rosetta with Rich Trouton's script and got a successfully installed message. Packages installed after it still think Rosetta is not installed. Anyone running into this?

pbowden
Contributor III

@yungstump did you update the version of macOS after using Rich’s script? In my experience, Rosetta needs to be re-installed (i.e. updated) after an OS update.

jnm1
New Contributor II

I got the script to work with a policy scoped to a new smart group of the macs that have been prestaged with my new silicon prestage. I named the policy A01 in hopes that it installs first. According to the history on the one computer I tested it on it seems to have installed first successfully. The intel apps open on the computer fine.

Kristopher
New Contributor III

@mwu1876 So how did that work if the Jamf binary won't enroll the machine without Rosetta? Meaning, policies won't run if it's not enrolled and it can't install Rosetta as a policy without being enrolled.

kburns
New Contributor III

@Kristopher Jamf running 10.25.2 or 10.26 should natively support Apple Silicon, and enrollments should work fine. I haven't gotten my M1 yet to test/confirm, but that's what the Jamf documentation states.

mwu1876
Contributor

@Kristopher So if you ask Jamf to upgrade you to 10.25.2 it will enroll M1 machines. That's what I did. The upgrade took minutes and then I was able to enroll them. I still had to push out Rosetta. 10.25.2 supports M1. They sent, I believe, an email that said it's not an automatic deployment and that you have to request the version.

Kristopher
New Contributor III

@kburns @mwu1876 Thanks! I will give that a shot. So you still need to push a Rosetta script to get that installed and going I see. Not bad. Need to figure out what all changes. So used to KEX and all that. Sophos is broken until they update it.

yungstump
New Contributor

@mwu1876 That is what I did as well. I made Rosetta run initially and it reported it installed successfully. The policies after it still fail to install and say Rosetta is required and needs to be installed. Not sure if a computer needs to be rebooted first after a Rosetta install.
@pbowden I did not update the OS, testing this out on a fresh out-of-the-box M1.

dmiguel
New Contributor II

What criteria did you guys use to flag apple m1 chip macs for your smart group?

dmiguel
New Contributor II

@txhaflaire how would you package the script on prestage? So this will ignore Intel machines and only install on M1. Looks good.

#!/bin/bash

arch=$(/usr/bin/arch)
if [ "$arch" == "arm64" ]; then
    echo "Apple Silicon - Installing Rosetta"
    /usr/sbin/softwareupdate --install-rosetta --agree-to-license
elif [ "$arch" == "i386" ]; then
    echo "Intel - Skipping Rosetta"
else
    echo "Unknown Architecture"
fi

dmiguel
New Contributor II

@mwu1876 What criteria did you use to flag apple m1 chip macs for your smart group?

ccliff
New Contributor II

You can try the criteria Architecture Type is arm64.

ThijsX
Valued Contributor

@dmiguel Just set it as a postinstall script when creating your package, and it is that simple.

mwu1876
Contributor

@dmiguel @ccliff is correct. I only have one criteria in the smart group and it's to look for anything with an Architecture Type of "arm64". I use that smart group for several things including installing Rosetta but also for apps like Chrome which have a specific version for M1 processors.

analog_kid
Contributor

I really hope Rosetta becoming dysfunctional after an OS update is a bug, not a feature.

theelysium
New Contributor III

You can make a smart group that filters ARM Architecture.

tcandela
Valued Contributor

@mwu1876 can you describe your event trigger that kicks off after the enrollment policy installs rosetta?

Is the event trigger a policy with a script, and the script then calls each policy using the (jamf policy -id ????)?

konfio
New Contributor

Do you know why Self Service on an M1 with Rosetta already installed does not work when installing Intel apps? It remains in a loop but does not install anything.

jelockwood
Contributor

I don't know how big Rosetta2 is but if it is less than 1GB arguably it should be installed as standard, especially as all other OS components are. (Apple has not had a customisable OS installer for a very long time.)

The issue about it being 'broken' again when the OS is updated is a bigger problem and frankly I consider this to be a bug. It should see it already installed and do an update for Rosetta2 as part of the OS update, just like an OS update may also update Safari.

To fix Apple's mess here, does anyone know how to check the version of Rosetta2 that is installed? We could then have a script which compares the version to the OS version and hence then if needed trigger another Rosetta2 install command. Perhaps looking at a date stamp of an OS file would be a way? That is if the OS file is 'newer' than the Rosetta2 file then trigger another Rosetta2 install.

It would be helpful if someone could list the file paths for the various Rosetta2 components.

mwu1876
Contributor

Sure. So here's how I have everything working.

1. Smart Group with the criteria for Architecture Type is arm64
2. You will want to create two scripts. The first is a simple script to install Rosetta

#!/bin/sh
/usr/sbin/softwareupdate --install-rosetta --agree-to-license

3. The second script is to trigger all the remainder policies using sudo jamf policy -event trigger unless you're using DEPNotify.
4. Next I created a policy that only runs with the smart group for M1 processors. The triggers are Enrollment and a Custom Event called install-rosetta (just in case I need to use it manually or via another script).
5. Then I created a second policy to run after Rosetta is installed which fires off the second script that runs the remainder of the policies. That one is only set to run via Custom Event start-enrollmentinstallers.

So far everything is working. I'm testing out DEPNotify which does change how this is done but for now, it's fine.
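
Added example, not part of any post in this thread: one way to combine the two scripts described above so the follow-on policies fire only after Rosetta is confirmed usable, and so the script is safe to re-run (for instance after an OS update). The arch -x86_64 /usr/bin/true probe, the hw.optional.arm64 sysctl check, the *_BIN override variables and the /usr/local/bin/jamf path are assumptions of this example; the custom event name is the one from the post.

```shell
#!/bin/sh
# Added example: gate the remaining enrollment policies on a working Rosetta.
# Tool paths are absolute and overridable so the logic can be tested with stubs.
SYSCTL_BIN="${SYSCTL_BIN:-/usr/sbin/sysctl}"
ARCH_BIN="${ARCH_BIN:-/usr/bin/arch}"
SOFTWAREUPDATE_BIN="${SOFTWAREUPDATE_BIN:-/usr/sbin/softwareupdate}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"                 # assumed install path
NEXT_EVENT="${NEXT_EVENT:-start-enrollmentinstallers}"    # custom event from the post

# True on Apple Silicon hardware, even when this shell itself runs translated.
is_apple_silicon() {
    [ "$("$SYSCTL_BIN" -n hw.optional.arm64 2>/dev/null)" = "1" ]
}

# True if an x86_64 binary can actually execute right now.
rosetta_works() {
    "$ARCH_BIN" -x86_64 /usr/bin/true >/dev/null 2>&1
}

# Install only when needed, then re-test instead of trusting the exit status.
ensure_rosetta() {
    is_apple_silicon || return 0      # Intel: nothing to do
    rosetta_works && return 0         # already usable: re-running is harmless
    "$SOFTWAREUPDATE_BIN" --install-rosetta --agree-to-license >/dev/null 2>&1
    rosetta_works
}

# Fire the follow-on policies only after the check passes; otherwise fail the policy.
main() {
    if ensure_rosetta; then
        "$JAMF_BIN" policy -event "$NEXT_EVENT"
    else
        echo "Rosetta is not usable; not triggering $NEXT_EVENT" >&2
        return 1
    fi
}

# Run only on macOS as root, which is how Jamf executes policy scripts.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

A non-zero exit marks the policy as failed in the policy log, so a machine where Rosetta did not take is visible instead of silently failing the later installs.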