I just posted about this yesterday. Haven't heard anything and can't find much online.
Some of our users are so paranoid they refuse to enter their password into anything that looks the least bit suspicious. And sadly the new password dialog looks "a lot suspicious".
Sent feedback to our rep on this. Been working this issue a while, both with the softwareupdate and the startosinstall commands. Not sure that it'll gather much attention but it's frustrating being forced into bad practices, especially when the man page is inaccurate:
"softwareupdate requires admin authentication for all commands except
--list. If you run softwareupdate as a normal admin user, you will be
prompted for a password where required. Alternatively, you can run
softwareupdate as root and avoid all further authentication prompts."
Hopefully it's a blip that was an oversight or gets fixed soon, but it's a pretty big one.
Anyone have an update on this?
I think some of you are barking up the wrong tree. This is not Jamf's issue to fix, when the Terminal command softwareupdate works this way on an unmanaged Mac running Big Sur. Three versions into Big Sur, it's becoming clear that updates are working as Apple intends for them to work.
IMO, it's time to move on to a combination of user education and stronger measures to prompt users to update, like Nudge.
@jefff sure but what about headless Macs (e.g. servers, Zoom Rooms)? Manually pushing MDM commands instead of a scheduled policy is not feasible. Apple know this and definitely need to address.
@jtrant Unfortunately, they (Apple) just don't care. Like @jefff said, they see it working as they intend for it to work. It sucks for business but they want every Mac to be used as if the user was the owner. They still allow some supervision à la MDM (Go Jamf!), but their ideal environment would be probably very similar to IBM's model. The computers themselves are free to use as the user sees fit and are essentially disposable. Any "business use" is via applications and other secure, no trust mechanisms. Nothing important on the computer itself. The computer is just the vessel to get to the data and the rest of the computer is for the end user to play with.
All of this update business is putting us in a bad place. We are discussing zero trust options. Basically if a Mac is out of date for a period of time it is totally locked down. In enterprise the general concept is users cannot be trusted and generally this is very true in most cases. It is very unfortunate that this is literally what Apple is intending. However, we are all paying JAMF to provide solutions for "organizations to succeed with apple". Software Updates have been a long standing weakness where JAMF has done nothing to enhance the experience.
With 11.3.0 released last week a security patch quickly followed it up with 11.3.1 and you really have no reliable way to force that update to install on Apple Silicon devices. JAMF still does not fully support "schedule an update" never mind they recommend using it to manage updates and we all know the complications of Auto Updates. The best I can recommend for everyone who sees this is to start blowing Apple up with feature requests, and prod your JAMF Reps on the pending feature requests JAMF has.
M1 Apple Silicon devices are 'required' to go through Automated Device Enrollment if you want to send remote update MDM commands to them via a mass action task. Otherwise you have to go into each device's startup security utility in the recovery console to enable the tick box.
It's mentioned in this document Deploying macOS Upgrades and Updates with Jamf Pro
Note: On computers with Apple silicon (i.e., M1 chip), users may be prompted to authenticate before an update can be installed. There are additional requirements for computers with Apple silicon if you want the update to be installed automatically without user authentication:
Bootstrap token for target computers escrowed with Jamf Pro
The Allow remote management of kernel extensions and automatic software updates option enabled in the Startup Security Utility (in macOS Recovery)
For more information about how to enable this setting, see Change startup disk security settings on a Mac with Apple silicon from Apple's support website.
Alternatively, enrolling computers with Jamf Pro via a PreStage enrollment can automatically enable this setting.
Ok starting to tear my hair out with this. My M1 test machine has:
Been through Automated Device Enrollment.
The serial is in Apple School Manager.
It has a Bootstrap token escrowed with Jamf Pro.
The default setting in startup security utility is 'full security'. Which makes macOS behave like an iOS device. Putting the device through ADE didn't change anything. We're on Jamf 10.28. Will try upgrading to 10.29. Secure token for the user could be an issue. Not sure Jamf Connect creates one.
Haven't seen any prestage enrolment settings to set 'reduced security' for M1 devices and auto tick the allow remote management of software updates button.
I notice startosinstall on Big Sur now has an extra option --reducedsecurity could be related to the above for M1 devices.
Fun and games...
You can verify if Jamf Pro has escrowed a bootstrap token with the below:
sudo profiles status -type bootstraptoken
If the token has been escrowed you will see the below:
profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: YES
For me with the token escrowed and reduced security enabled with “Allow remote management of kernel extensions and automatic software updates” selected I'm still prompted with a password for updates.
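For reporting across a fleet, the check in the post above can be turned into a state label. This is an added example, not part of the thread and not Jamf's or Apple's code: the function names and state labels are this example's own, the sample text is constructed from the output quoted above, and the `NO` lines are assumed to differ only in the final word.

```shell
#!/bin/sh
# Added example (not from the thread): classify the text printed by
#   sudo profiles status -type bootstraptoken
# Function names and the state labels are this example's own.

classify_bootstrap_token() {
    # $1: captured command output. Prints one state label.
    supported=""; escrowed=""
    while IFS= read -r line; do
        # Keep only what follows the last ": ", minus spaces and CRs.
        value=$(printf '%s' "${line##*: }" | tr -d ' \r\t')
        case "$line" in
            *"Bootstrap Token"*supported*:*) supported=$value ;;
            *"Bootstrap Token"*escrowed*:*)  escrowed=$value ;;
        esac
    done <<EOF
$1
EOF
    if [ "$supported" = "YES" ] && [ "$escrowed" = "YES" ]; then
        echo "escrowed"
    elif [ "$supported" = "YES" ] && [ "$escrowed" = "NO" ]; then
        echo "not-escrowed"
    elif [ "$supported" = "NO" ]; then
        echo "unsupported"
    else
        echo "unknown"   # empty, truncated or unrecognised output
    fi
}

extension_attribute() {
    # Jamf Pro extension attributes read their value from <result> tags.
    echo "<result>$(classify_bootstrap_token "$1")</result>"
}

# Constructed samples. The YES/YES text is the output quoted in the post;
# the NO variants are assumed to differ only in the final word.
SAMPLE_ESCROWED='profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: YES'
SAMPLE_NOT_ESCROWED='profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: NO'
SAMPLE_UNSUPPORTED='profiles: Bootstrap Token is supported on server: NO'

extension_attribute "$SAMPLE_ESCROWED"
extension_attribute "$SAMPLE_NOT_ESCROWED"
```

On a managed Mac the input would be `"$(profiles status -type bootstraptoken 2>&1)"` run as root. An `escrowed` result only confirms the token requirement, which, as the post above reports, did not by itself remove the password prompt.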
@gavin.pardoe Thanks for the info. The statements from Jamf documentation surrounding this feature are so far, vague. I will continue to read up on it...
Silent Knight states the following:

even with the setting ticked and reduced security enabled, DEP approved MDM operations are still nope.
I've now also discovered if you do a startosinstall --agreetolicense --eraseinstall --passprompt command on a device that has reduced security enabled in its startup security utility, it will reset the setting to full security by default and disable your tick boxes. I tried adding --reducedsecurity and the upgrade failed at the recovery console, had to roll it back. This may have been because reduced security was already manually enabled. It could also be a 'feature'.
Upgraded today to 10.29. Don't see any difference compared to 10.28
Put my test M1 device through ADE. Full Security is still the default boot state and DEP approved privileged MDM operations = No
I have confirmed that a bootstrap token is escrowed with the server.
I've resorted to having the users manually check for updates. Nothing I've tried from Jamf has worked, and even mass action is broken at the moment for updates.
We recently updated to JAMF 10.30.1 and still are unable to force OS updates. This is getting extremely frustrating as I have 200+ lab and classroom computers that remain unattended at all times and will be needing OS updates regularly.
@kacey3 JAMF really has no functional way to manage macOS updates, and Apple Silicon just made matters worse. It is long past JAMF to get their mess together on this. We have decided to skip Apple Silicon in our environment until MacOS 12 comes out which adds some controls for macOS updates.
Apple should have done this Bootstrap/Secure token thing at the same time with adding the preference domains to manage it. It's absurd how in Big Sur there are no user notification or deferral options for updates, the machine just goes down when the updates download and that is it. Assuming the updates work at all, and best yet no logging or reporting by default; you have to build all of that. How they want you to deal with macOS updates now Big Sur (on Apple Silicon) is absolute trash in this regard and this should have been addressed by 11.1 or 11.2 at latest, certainly not waiting until macOS 12.
</rant>
It is extremely annoying at the very least that OS update compliance has essentially been broken for a full OS release, and only looks to be fixed in the next OS, which is MONTHS away.
@AJPinto @dgreening If you have access to the macOS 11.5 beta release notes you might see some promising news in there regarding changes that will land before macOS 12.
@sdagley The only thing I am seeing about software updates is 11.5 beta 3 fixes an issue that stops network extensions from loading after running updates. Is there something I missed?
@dgreening Agreed, but the main problem here is Apple does not see it as broken. It is working as intended. What really happened is Apple released an incomplete product, again... I have had a few conversations with Apple's engineers, and every time the question comes up they advise that Apple Silicon's M1 implementation is not intended for power users. M1 targeted at the general consumer. Apple really needs to add this to their marketing. Apple Silicon is not yet the end all be all they advertise it to be, this is really a public beta of what is to come and is still very much a work in progress. This work in progress state is why personally I think we have yet to see the higher end Mac Mini, MBP13 or MBP16 get updated to Apple Silicon. Those devices are their power user devices and Apple knows Apple Silicon is not ready for that market yet and Apple needs to be open about that.
@sdagley I'm in the Developer program and AppleSeed for IT, but the developer page shows no release notes for 11.5 Beta 3. Am I missing something?
Ben Toms from JamJar recently did a presentation on - Administering Apple Silicon devices
Ben Toms - Administering apple silicon
He describes how it's 'supposed' to work in a modern MDM. I have yet to see any of my ADE machines do this automatically. On 10.30.1, still no reduced security button ticked.
@jtrant The changes I'm alluding to were in 11.5 Beta 2