Erase-install script to upgrade OS

New Contributor III

How does the erase-install script bypass the need for the end user to provide admin credentials at the time of the OS upgrade? In which step of the script does it help us bypass the admin credential?


Valued Contributor II

@Asifahmed  Passing administrator credentials is predicated upon architecture type. What you're asking is for silicon; passing a user's credentials is a tricky situation, but if you have a local IT-only administrator account, you can pass those credentials. Below is an example script. Bootstrap must also be escrowed. adminName and adminPass are example variables; it's advised to pass this information in an encrypted format.


I have not performed updates via this method in some time so if my above statements are incorrect, please someone correct the statements.





# Assumption: arch is set from /usr/bin/arch earlier in the script
arch="$(/usr/bin/arch)"

if [ "$arch" = "arm64" ]; then
    echo "Apple Architecture Detected"
    # Apple silicon: name the local admin account and feed its password on stdin
    echo "$adminPass" | '/Applications/Install macOS' --nointeraction --agreetolicense --forcequitapps --user "$adminName" --stdinpass
elif [ "$arch" = "i386" ]; then
    echo "Intel Architecture Detected"
    '/Applications/Install macOS' --nointeraction --agreetolicense --forcequitapps
else
    echo "Unknown Architecture"
fi





New Contributor III

So in most of the scripts they use some lines to bypass the admin user and password to upgrade macOS?

There are many scripts: erase-install, and the HCS site has another. If I download Ventura 13.3, package it with the MegaPkgr.zsh script, deploy it on the Mac under /Applications, and then from a second policy (Self Service policy) run this type of script, labelling the admin user name and password, then it should bypass asking the end user for the admin credential at the time of the upgrade. Correct?

Valued Contributor

Assuming you're talking about erase-install, the --current-user flag will prompt the logged-in user for their password, or you can specify a user by using the --user [username] flag instead.

This is detailed in the Wiki:

The logic for this starts around Line 1141. Line 3158 of the script passes the credentials to startosinstall.

Contributor III

From my brief use of the erase-install script (it's amazing) I did find it interesting that it does that.
From sleuthing around the script I found this:
"Finally, with the --erase option, the user is promoted to admin if required."

So I wanted to see where this is done.  On line 1154 I found this:
"# if we are performing eraseinstall the user needs to be an admin so let's promote the user" with the code after it to promote the user.

Just be assured that at line 859 it states:
"# if we promoted the user then we should demote it again"

So if erase is used, it promotes the user to admin...runs the commands it needs, and then demotes the user back to non-admin status.
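
The promote-then-demote pattern described in the post above, as an added example that is not part of the thread and is not erase-install's own code. It uses macOS's dseditgroup and a trap so the demotion also happens when the wrapped command fails or is interrupted; `GROUP_TOOL` and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not erase-install's code. Meant to run as root from a policy.
# Assumption: GROUP_TOOL is a hypothetical override so the logic can be tested
# off-device; on macOS it defaults to the real dseditgroup binary.
GROUP_TOOL="${GROUP_TOOL:-/usr/sbin/dseditgroup}"
promoted_user=""   # set only when this run performed the promotion

is_admin() {
    "$GROUP_TOOL" -o checkmember -m "$1" admin >/dev/null 2>&1
}

promote_if_needed() {
    local user="$1"
    is_admin "$user" && return 0      # already admin: nothing to undo later
    "$GROUP_TOOL" -o edit -a "$user" admin || return 1
    promoted_user="$user"
}

demote_if_promoted() {
    [ -n "$promoted_user" ] || return 0
    "$GROUP_TOOL" -o edit -d "$promoted_user" admin && promoted_user=""
}

# Usage: with_temp_admin <user> <command> [args...]
# Returns the command's exit status (or the demotion's, if that failed).
# Demotion runs on success, failure and interruption, so a failed upgrade
# never leaves a standing admin account behind.
with_temp_admin() {
    local user="$1" rc=0
    shift
    promote_if_needed "$user" || return 1
    trap 'demote_if_promoted' EXIT     # script exits while the command runs
    trap 'exit 130' INT TERM           # signals fall through to the EXIT trap
    "$@" || rc=$?
    demote_if_promoted || rc=$?
    trap - EXIT INT TERM
    return "$rc"
}
```

A user who was already an admin before the run is never demoted, because only a promotion made by this run is recorded in `promoted_user`.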