Intermitent Rosetta install failures

AVmcclint
Honored Contributor

I have a Policy set to run first after Macs enroll in JamfPro that only contains the following in "Files and Processes"

softwareupdate --install-rosetta --agree-to-license

And for the most part it works great. The problem is that I have seen a lot of M1 Macs unable to install some packages because they are missing Rosetta. When I check the Policy log for installing Rosetta, the command does run, but it seems to successfully fail. There appears to be an issue with getting the Rosetta installer from Apple at that particular moment the command was run. Usually there will be a line that says "Rosetta is unavailable" or other messages about the server isn't available. I've been trying to find a fleshed-out script that can check for errors while executing that one-liner and tell Jamf that it failed so it shows as an actual failure. Does anyone have a script that takes these server-side failures into account?

I've already tried obtaining the Rosetta pkg via instructions found here https://stackoverflow.com/questions/70907499/download-a-package-copy-of-rosetta-to-manually-transfer... but the package has has a very hit-or-miss track record of working. I gave up on trying that as a method of deploying Rosetta directly and not relying on Apple's server to be working. 

1 ACCEPTED SOLUTION

bizzaredm
Contributor

@AVmcclint Perhaps using a script that checks to see if Rosetta is working, if not install, check again, if not install, check again if not, error.

Obviously this is not perfect... but if its works 9 out of 10 installs, then doing a double check might make it much more solid.

Whats tripping me up is that it seems we cant trust apples "successful"  install. AND, we could do a loop until rosetta works, but then you are stuck forever if it does not lol.

#!/bin/bash

# Installs Rosetta as needed on Apple Silicon Macs.

arch=$(/usr/bin/arch)

#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta not working, instaling now."
        	/usr/sbin/softwareupdate --install-rosetta --agree-to-license
        else
         echo "Rosetta is already installed and working. Nothing to do."
         exit 0
    fi
else 
    echo "No need to install Rosetta on intel."
    exit 0
fi



#wait for a few seconds for the install and everything
sleep 4

#Lets see if that all worked?
#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta not working, instaling now."
        	/usr/sbin/softwareupdate --install-rosetta --agree-to-license
        else
         echo "Rosetta is already installed and working. Nothing to do."
         exit 0
    fi
else 
    echo "No need to install Rosetta on intel."
    exit 0
fi

  
#Lets see if that all worked,again..
#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta NOT working, 2 failed attempts."
        else
         echo "Rosetta is already installed and working. Nothing to do."
         exit 0
    fi
else 
    echo "No need to install Rosetta on intel."
    exit 0
fi

 

View solution in original post

18 REPLIES 18

obi-k
Valued Contributor III

Does your log look like this too?

 

Running command /usr/sbin/softwareupdate --install-rosetta --agree-to-license...
Result of command:
softwareupdate[2606:22475] Package Authoring Error: 002-79206: Package reference com.apple.pkg.RosettaUpdateAuto is missing installKBytes attribute By using the agreetolicense option, you are agreeing that you have run this tool with the license-only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately. Installing: 0.0% Installing: 0.0% Installing: 100.0% Installing: 100.0% Installing: -1.0% Installing: 2.0% Installing: 2.0% Installing: 100.0% Install of Rosetta 2 finished successfully

AVmcclint
Honored Contributor

Many times, yes. There are variations that explicitly say Rosetta is not available. Or sometimes it’ll say that Apple’s servers are unavailable.  The end result is that Rosetta is not actually installed even if the final line of the output says it was. 

sdagley
Esteemed Contributor II

@AVmcclint Be sure to exclude the "softwareupdate[2606:22475] Package Authoring Error: 002-79206: Package reference com.apple.pkg.RosettaUpdateAuto is missing installKBytes attribute" message form any error check as that seems to be a persistent error with the Rosetta package but has never actually caused an install failure.

AVmcclint
Honored Contributor

Here's the most recent one that popped up:

Result of command:
2022-07-11 14:19:53.059 softwareupdate[2151:13678] Package Authoring Error: 002-66270: Package reference com.apple.pkg.RosettaUpdateAuto is missing installKBytes attribute
By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms.
If you do not agree, press CTRL-C and cancel this process immediately.

Installing: 0.0%
Installing: 0.0%
Installing: 0.0%
Installing: 100.0%
Installing: 100.0%
Installing: -1.0%
Installing: 2.0%
Installing: 100.0%
Install of Rosetta 2 finished successfully

In this case, Rosetta was not installed despite the last line "Install of Rosetta 2 finished successfully". I verified by trying to run intel-only apps.

I see this intermittently in my enviorment as well. My best guess is occasionally there are glitches utilizing Apple's software update servers for this. I recently ran across this article with instructions for how you can download the Rosetta pkg: https://tinyapps.org/blog/202103270700_backup_rosetta2.html

Here is the direct download link: https://swcdn.apple.com/content/downloads/04/39/001-50263-A_LEF5A7Q02Z/s4d18996ppu4gczumkptqmljgay79...

Maybe the direct download will work better than the copying from a different computer? I've changed my Rosetta install policy to do both the package and the command line install. 

AVmcclint
Honored Contributor

Hmmm I downloaded the pkg via the direct  link you provided and it is twice as big as the one I find buried deep in /var/folders/. Maybe that's the answer. I'll give it a try and report back.

I'm still confounded as to why Apple won't include Rosetta out of the box on all new Macs. AND how does a small 300KB package include all the necessary code to translate intel code to arm. I suspect everything is already there in the OS except for the last few files this pkg provides.

AVmcclint
Honored Contributor

Drat! I just tested this on a new Mac right out of the Box. The pkg downloaded directly from Apple says it was successful, but lo and behold, no Rosetta installed. This is really frustrating.

AVmcclint
Honored Contributor

In fact, when I ran the pkg on a Mac that already had Rosetta installed (and working) it broke Rosetta and I had to run the softwareupdate --install-rosetta --agree-to-license command on it to fix it.

bizzaredm
Contributor

- Realized some of what i posted is out of date, probably will just add more confusion. I am removing that.

@AVmcclint When the install broke Rosetta, did you try to do:

/bin/launchctl kickstart -k -p system/com.apple.oahd

/usr/bin/notifyutil -p com.apple.oah.did-install

 To see if it was there but just needed to be loaded?  

AVmcclint
Honored Contributor

Yes, I added that to the Files & Processes so it runs after the pkg installs. Still no bueno. My current state is I have disabled the pkg install policy and reverted back to the command line install.  I have added the kickstart and notifyutil commands to the end of the install command in Files & Processes.  Even though the command line install isn't 100%, it's better than 50%.

bizzaredm
Contributor

@AVmcclint Perhaps using a script that checks to see if Rosetta is working, if not install, check again, if not install, check again if not, error.

Obviously this is not perfect... but if its works 9 out of 10 installs, then doing a double check might make it much more solid.

Whats tripping me up is that it seems we cant trust apples "successful"  install. AND, we could do a loop until rosetta works, but then you are stuck forever if it does not lol.

#!/bin/bash

# Installs Rosetta as needed on Apple Silicon Macs.

arch=$(/usr/bin/arch)

#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta not working, instaling now."
        	/usr/sbin/softwareupdate --install-rosetta --agree-to-license
        else
         echo "Rosetta is already installed and working. Nothing to do."
         exit 0
    fi
else 
    echo "No need to install Rosetta on intel."
    exit 0
fi



#wait for a few seconds for the install and everything
sleep 4

#Lets see if that all worked?
#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta not working, instaling now."
        	/usr/sbin/softwareupdate --install-rosetta --agree-to-license
        else
         echo "Rosetta is already installed and working. Nothing to do."
         exit 0
    fi
else 
    echo "No need to install Rosetta on intel."
    exit 0
fi

  
#Lets see if that all worked,again..
#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta NOT working, 2 failed attempts."
        else
         echo "Rosetta is already installed and working. Nothing to do."
         exit 0
    fi
else 
    echo "No need to install Rosetta on intel."
    exit 0
fi

 

AVmcclint
Honored Contributor

That looks like it may increase the chances of it getting installed.  I just ran the script on my Mac (Rosetta working) and it exited gracefully. I then deliberately broke Rosetta by installing the pkg I grabbed from Apple; the script identified that it was broken, installed Rosetta via softwareupdate, then after it waited a few seconds, it identified that Rosetta is working.  This looks good, but you're right about the potential for it to get stuck in a loop.  I wonder if maybe I can figure out how to run the loop for x number of times and then exit regardless of the status so it doesn't get stuck forever. If I can get it to register an exit status as a failure in the policy log, that will at least give it better visibility. 

The above version should fail after 2 attempts, on the third block it does echo "Rosetta NOT working, 2 failed attempts.", if its found not working. - That way you should get some sort of error in jamf and it wont hang on trying forever.

A forever looping version, is below, though it scares me ha!

 

#!/bin/bash

# Installs Rosetta as needed on Apple Silicon Macs.

arch=$(/usr/bin/arch)


while [ "$finished" != "true" ]; do

#if arch type is arm64
if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
    arch -x86_64 /usr/bin/true 2> /dev/null
    if [ $? -eq 1 ]; then
            echo "Rosetta not working, instaling now."
        	/usr/sbin/softwareupdate --install-rosetta --agree-to-license
        else
         echo "Rosetta is already installed and working. Nothing to do."
finished="true"
    fi
else 
    echo "No need to install Rosetta on intel."
finished="true"
fi

done
exit 0

 

 

 

AVmcclint
Honored Contributor

UPDATE: I just discovered that the reason for our "The Rosetta 2 update is not available"  error is because of Zscaler. If the user disabled Zscaler, installing Rosetta actually works. From what I understand, Apple blocks packet inspection between Macs and their servers. Getting Zscaler to not inspect the packets to Apple beyond my hands though.  I'm working with our InfoSec team to figure out how they can let this work.

For Macs that have Zscaler disabled, the script above works like a champ.  Hopefully it will be just as effective during enrollment.

AVmcclint
Honored Contributor

UPDATE 2: To clarify, the  "The Rosetta 2 update is not available" error is a direct result of Zscaler. For all other Rosetta failures, the cause for that is still unknown.

Using the script provided by @bizzaredm I built this Extensions Attribute to help identify Macs that have broken or missing Rosetta installations.

#!/bin/bash
# this will report if Rosetta is working on Apple Silicon Macs. A smart group can be built to focus repair efforts

arch=$(/usr/bin/arch)

if [ "$arch" != "arm64" ]; then
	echo "<result>intelCPU</result>"
fi

if [ "$arch" == "arm64" ]; then # is rosetta 2 working? 
	arch -x86_64 /usr/bin/true 2> /dev/null
	if [ $? -eq 1 ]; then
		echo "<result>RosettaBroken</result>"
	else
		echo "<result>RosettaOK</result>" 
	fi
fi	

@AVmcclint 

Hello--were you ever able to get a resolution for this issue? We are also using Zscaler and having this exact same problem. From packet captures it LOOKS like the traffic is coming from Akamai content servers, which we can't exactly bypass from filtering. But it also looks like the traffic flow is allowed and just kind of slows and stops rather than being explicitly blocked, so I'm confused as to the nature of the problem.

AVmcclint
Honored Contributor

Our InfoSec folks who manage Zscaler said Apple does not permit packet inspection and that's why it's being blocked. We have an Active Directory group that contains all the Mac users and that group is set on the Zscaler side to NOT do packet inspection for all traffic between the Macs and Apple. The reason our setup failed was due to a sync issue with Okta and AD that was not putting users in the group. Once we got that resolved, then it started working normally.   However, I did find the script above to be extremely helpful even in cases where the problem wasn't caused by zscaler.  

EDIT: I was told that Zscaler is aware of Apple blocking packets. if your Zscaler folks need guidance on how to fix the issue, they should be able to reach out to Zscaler support and they should be able to guide them on setting an exception for Apple traffic.

sdagley
Esteemed Contributor II

@AVmcclint Apple publishes the Use Apple products on enterprise networks KB article to document the Apple servers you need to exclude from packet inspection. Sadly it's not always accurate, or up to date, as Apple typically added new servers for each macOS release which don't get added beforehand.