Posted on 03-29-2023 11:46 AM
How does the erase-install script bypass the need for the end user to provide admin credentials at the time of the OS upgrade? In which step of the script does it help us bypass the admin credential?
03-29-2023 12:13 PM - edited 03-29-2023 12:15 PM
@Asifahmed Passing administrator credentials is predicated upon architecture type. Doing what you're asking is for silicon; passing user credentials is a tricky situation, but if you have a local IT-only administrator account, you can pass those credentials. Below is an example script. Bootstrap must also be escrowed. adminName and adminPass are example variables; it's advised to pass this information in an encrypted format.
I have not performed updates via this method in some time, so if my above statements are incorrect, someone please correct them.
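#!/bin/bash
# Jamf script parameters: $4 = local admin account name, $5 = its password (example variables)
adminName="$4"
adminPass="$5"
# Detect the CPU architecture; arch prints "arm64" on Apple silicon and "i386" on Intel
arch=$(/usr/bin/arch)
if [ "$arch" = "arm64" ]; then
    echo "Apple Architecture Detected"
    # Apple silicon: the password for --user is read from stdin via --stdinpass
    printf '%s\n' "$adminPass" | '/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --nointeraction --agreetolicense --forcequitapps --user "$adminName" --stdinpass
elif [ "$arch" = "i386" ]; then
    echo "Intel Architecture Detected"
    # Intel: no user credentials are passed to startosinstall
    '/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --nointeraction --agreetolicense --forcequitapps
else
    echo "Unknown Architecture"
fi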
Posted on 03-30-2023 03:33 AM
So in most of the scripts they use some lines to bypass the admin user and password to upgrade macOS?
There are many scripts: erase-install, and the HCS site has another. If I download Ventura 13.3, package it with the MegaPkgr.zsh script, deploy it on the Mac under /Applications, and from a second policy (Self Service policy) run this type of script, labelling the admin user name and password, then it should bypass asking the end user for admin credentials at the time of the upgrade. Correct?
03-29-2023 12:39 PM - edited 03-29-2023 12:43 PM
Assuming you're talking about erase-install, the --current-user flag will prompt the logged-in user for their password, or you can specify a user by using the --user [username] flag instead.
This is detailed in the Wiki: https://github.com/grahampugh/erase-install/wiki
The logic for this starts around Line 1141. Line 3158 of the script passes the credentials to startosinstall.
Posted on 04-05-2023 06:08 AM
From my brief use of the erase-install script (it's amazing) I did find it interesting that it does that.
From sleuthing around the script I found this:
"Finally, with the --erase option, the user is promoted to admin if required."
So I wanted to see where this is done. On line 1154 I found this:
"# if we are performing eraseinstall the user needs to be an admin so let's promote the user" with the code after it to promote the user.
Just be assured that at line 859 it states:
"# if we promoted the user then we should demote it again"
So if erase is used, it promotes the user to admin, runs the commands it needs, and then demotes the user back to non-admin status.
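
The promote-then-demote behaviour described in the last post, shown as an added example; this is not code from erase-install or from any post in this thread. It assumes it runs as root on macOS with `dseditgroup` available, and the function names are hypothetical. The point to check in any such script is that demotion still happens when the wrapped command fails, and that a user who was already an admin is never demoted.

```bash
#!/bin/bash
# Added example (not erase-install's code): temporary admin promotion
# with demotion that also runs when the wrapped command fails.
# Assumption: executed as root on macOS; function names are hypothetical.

is_admin() {
    # dseditgroup exits 0 when the user is a member of the admin group
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

promote() { dseditgroup -o edit -a "$1" -t user admin; }
demote()  { dseditgroup -o edit -d "$1" -t user admin; }

# run_with_temporary_admin USER COMMAND [ARGS...]
# Promotes USER only if needed, runs COMMAND, then restores the original state.
run_with_temporary_admin() {
    local user="$1"; shift
    local promoted=0 rc=0

    if ! is_admin "$user"; then
        promote "$user" || return 1
        promoted=1            # remember that this script made the change
    fi

    "$@" || rc=$?             # keep the command's exit code, do not bail out

    if [ "$promoted" -eq 1 ]; then
        # Only undo a promotion this script performed; existing admins stay admins
        demote "$user" || { echo "WARNING: failed to demote $user" >&2; return 70; }
    fi
    return "$rc"
}
```

After a run, `dseditgroup -o checkmember -m USER admin` should report the same membership the user had before the policy started.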