Like the previous discussion i created on Jamf Nation about upgrade paths to Mojave back in september, i thought lets start a new fresh thread for sharing macOS Catalina installing & upgrade ideas and experiences.
Because there are already some real changes like;
Installing macOS through PreStage / DEP
Prestage enrollments works fine for now, The Jamf binary not works 100% but that is logical.
We all know that "modulair" imaging is dead for a while, but to be honest for our older mac fleet that is not DEP registered and not having an T2 chip i still used Jamf Imaging and creating DMG's with AutoDMG for bringing that Mac's alive.
But assuming with the new read-only Macintosh HD partition this really will be painful.
The thing i already noticed is that in the past new macOS version were available in the Mac App store. Now the Software Update pane gets an 1 icon and will give you the option to download and install the upgrade.
So if you have an SUS in place, i assume we can prevent the update being delivered to production branch, and allow it on your pilot branch for instance.
For the past 2 upgrade methods i used, and still using the work of @bpavlov and i can confirm that this one is still working without issues for now.
This is an workflow of upgrading to an new macOS version through Self Service.
I upgraded from 10.14.5 to 10.15.0 Beta.
So, let's start sharing ideas and experiences for the upcoming months !
I heard there is a reset (or was it restore) option in system preferences in Catalina, that works like an iPad where you can reset and erase the macOS to factory settings. I am not on beta, so I can't confirm that. If Apple added this feature in Catalina, that would be better than using imaging to reset computers with fresh macOS.
First, I want to say, the utilization of the 'Download and Install' through Management command for single computer or 'Action' via the search for multiple, didn't work for me. So, I've looked at the 'whitepaper' on how to install/ upgrade to Catalina but it seems one of the easiest ones for MDM infrastructure has been omitted....The 'Mac App Store Apps' approach.
Why use this approach, you ask? Because it beats the hell out of packaging something that is ready to be deployed, it's easy, don't take no space from deployment share and I had none fail.
!!!!Warning, this will reboot your system after the policy has executed, so be wise and revise your policy execution attributes as needed!!!!
Here is how I made it work:
First, make sure you go and 'purchase' (they are free) Mac OS Catalina licenses through 'VPP' (or whatever they're calling it today).
After your receive the email confirmation and Jamf Pro syncs with VPP, make sure that when you're reviewing the OS within 'Mac App Store Apps' and setting up scope, you're NOT selecting 'Site' under General tab but on the actual 'Scope' tab. Otherwise, you won't be able to assign the licenses gotten via VPP.
Setup a Policy that will run against the same scope as whatever you used for the Mac App Store
Said policy should execute following command (Within 'Files and Processes') '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction' (remove the apostrophes from the command)
Side Note: I like using 'Smart Groups' in conjunction with my scopes. It eliminates keeping track what has upgraded, shouldn't be upgraded and what happens when you image it with something else. So here is what I have as criteria:
1. Enrolled via DEP -> is -> Yes
2. OS Version -> greater than -> (I have a specific need for a specific version, so that's what I have there)
3. Building -> is -> my neck of the woods
Now just sit back and monitor policy for successes.
Which is a perfectly fine way to go, however I prefer the scripted approach macOS Upgrade which gives the user clear instructions on what is happening. Your method will trigger a 30second countdown timer for users before it auto restarts, which could be fine for some but others could be doing a presentation before it restarts
"Prestage enrollments works fine for now, The Jamf binary not works 100% but that is logical."
Sorry, but how's this logical? Jamf Pro is supposed to be supporting Catalina in full and PreStage enrollment is the official Apple method of provisioning computers. What exactly is not working?
I'm still amazed to see imaging mentioned. I considered our school one of the last holdouts but once the APFS change happened and I read what was necessary to make it maybe work, we finally submitted to provisioning via scripts and policies. It's definitely not as set it and forget it but it works. The real disappointment was DEP. All it really does is throw it in Jamf for you. Cool, so I don't have to do a QuickAdd. Sooo much time saved. /s
I have just downloaded the installer app, added it to JAMF admin and made a self service policy when it caches the installer and then triggers the install.
Have had multiple people try it and it seems to work just fine. I have a SUS in place, so I am limiting the installer that way.
User can install at their convenience.
@txhaflaire does your script take into account Standard users performing the upgrade? I know for upgrading to Mojave, admin creds were required and there was a scripted workaround of granting temporary admin access to the user's account during the upgrade process, then revoking admin post-install.
Modular imaging is only mostly dead! We still use Jamf Imaging in combination with DEP (when we can).
But Why? Because DEP with "Enrollment Complete" trigger isn't reliable - If I can get 75% success with that combination I'm super happy. But what if you have to make sure that everything the user needs is installed when you hand it to them? Well, now we've got a problem. Especially when users are (super busy and easily distracted) nincompoops who will go into a literal war zone without updating.
When the "Enrollment Complete" trigger is > 95% successful, we'll re-evaluate it. But we've got 58 packages, < 30 GB of apps, settings, presets, and codecs, that get installed as part of our typical machine. And the last thing I need is a producer or on-camera talent camped out between Russian, Turkish, Kurdish, and ISIS soldiers shooting at each other who can't do his job because he forgot to install something before he left the bureau. And when your only internet connection is a portable satellite terminal where downloads cost $4.35/MB and max out at 384Kbps, the last thing anyone needs is a $7,873.50 bill so someone could reinstall Premiere.
So How? (Hint: Jamf Imaging doesn't have to install an OS) If it doesn't already have your supported OS version (10.13 or later) then install it, do a reboot/clean install. If it's in DEP then it gets managed, if it's not then you need to take the corporate AmEx away from an executive and manually get it managed (user initiated enrollment). For us, we use the "Enrollment Complete" trigger to (hopefully) get VPN, VPN Profiles, Bomgar, and Jamf Imaging on the machine. We've got about an 80% success rate with that limited number of packages. Even a DEP machine will probably need help, so we've got Jamf Imaging in our Self Service (which gets installed on enrollment about 95% of the time).
Here's the magic! Once you've got Jamf Imaging on the machine, launch it, authenticate, log in, choose the configuration (none of which install an OS), tell it to image the boot drive, and go. None of our policies are configured to 'install on boot drive' since they're already being installed to the boot drive, but a restart is still done by Jamf Imaging which is fine because several installers require a restart.
Ta-dah! Modular Imaging in 2019!
And don't think I didn't see that the 'Jamf Imaging.app won't be updated' note a few releases ago... awesome! 😣
@cwaldrip Have you looked into DEPNotify and the DEPNotify Starter for Jamf Pro script? Instead of a bunch of policies trigged via Enrollment Complete only the DEPNotify Starter for Jamf Pro needs to trigger off of that, and it in turn calls your other install policies. I don't know that I've had a single failure on DEP enrollment since switching to it.
@sdagley I'll look into it again, and it may be our only option if/when Jamf kills Jamf Imaging.app. But killing the app seems like a waste since it still works perfectly fine since we're not deploying an OS. I think Jamf should re-evaluate their decision not to keep Jamf Imaging around. Sad to see development on that go to waste.
@cwaldrip Don't let the DEPNotify name mislead you, nothing about the tool or Jamf's script to drive it is DEP specific. Before we enabled DEP I modified the DEPNotify Starter for Jamf Pro script to mimic my existing workflow which was triggered by Enrollment Complete. When we switched to DEP pretty much nothing had to change.
@jjimenez10 Just downloaded it from software update following this link. https://itunes.apple.com/us/app/macos-catalina/id1466841314?ls=1&mt=12
It downloaded the full installer into "Applications". Then just dragged and dropped the .app into JAMF Admin. It auto zipped it into a tar file and recognized is as a MacOS Installer.
Anyone else seeing issues after reboot?
NOTE: This is for 10.15.1 full installer. We are upgrading machines from 10.14.6 (w/the supplemtals and the security update).
We've seen some machines get stuck at the "Screen Time" setup screen, which means we had to force the machine down and cold boot. I have yet to see an explanation for this phenomenon, but I have seen that it's a common issue.
How are you folks avoiding terrifying your users with hung reboots, finder crashes, etc etc, all the known issues that people are having after this upgrade?
@sdagley I am setting up a DEPNotify to replace my existing workflow and was wondering if there's a way to prevent/postpone policies set to run at "recurring check-in" while those triggered by DEPNotify run.
Right now they seem to overlap, I mean if a policy called by DEPNotify takes a long time to finish, those at "recurring check-in" begin to run.
Maybe it is just time has come to review my existing workflow...
@totalyscrewedup hey! So I was able to get VPP for the installer and push out as a policy.
Having trouble with the last part. How do I write a script so it can execute the command '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction'?
I want to create a policy so the startosinstall can run as soon as I push it out. Eventually I do want to put it on Self Service adding the Erase option as well.
@carlo.anselmi Unfortunately short of having a breadcrumb dropped at the end of the enrollment complete policy, and then changing all of your recurring check-in policies to exclude systems without that breadcrumb I don't know of a good solution (everybody please Up Vote the Feature Request that @donmontalvo references above). Currently I have tweaked my DEPNotify script that I use so it typically runs in less time than my check in interval.
Hey all, been seeing quite a bit of weirdness with our upgrade testing. We're setting up to silently cache the installer, then trigger it via Self Service. SS policy is just
/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction
We're seeing the policy sit at running for about 20 minutes, then it attempts to restart, but throws a strange Cocoa error (screenshot attached to this post). This error prevents Self Service from quitting and holds up the restart. I've done some digging on this error and haven't found much, just one person thinking it might be Self Service barfing on a large policy. Any ideas would REALLY be appreciated
@JZaczyk: Just add an ampersand ("&") at the end of the command line:
/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction &
With " &" at the end of the command line the process starts in the background, allowing the script to complete successfully and the reboot will happen cleanly.
see also: https://www.jamf.com/blog/streamlining-your-macos-upgrade-process/
Has anybody else used the script in-place upgrade to macOS Catalina? When I run the script, it downloads the OS to the Applications folder, and then the file disappeared /current OS Mojave/. And start over to downloading it. After OS .pkg shows up in the Application folder a second time, pop up the error message that cannot install the OS. I'm following those steps from here:https://hcsonline.com/images/PDFs/Upgrade_Catalina_Jamf.pdf. What I'm doing wrong I appreciate any help with the macOS upgrade.sh script has updated on 11/30/2020 Do not have DEP or VPP.