Jamf Pro; Install & Upgrade methods for macOS Catalina

ThijsX
Valued Contributor

Hi all,

Like the previous discussion I created on Jamf Nation about upgrade paths to Mojave back in September, I thought let's start a new fresh thread for sharing macOS Catalina installing & upgrade ideas and experiences.

Because there are already some real changes like;

  • macOS is now on a separate partition that is read-only
  • Activation Lock has been added to T2 Macs

Installing macOS through PreStage / DEP
PreStage enrollments work fine for now. The Jamf binary does not work 100%, but that is logical.

Modular Imaging
We all know that "modular" imaging has been dead for a while, but to be honest, for our older Mac fleet that is not DEP registered and does not have a T2 chip, I still used Jamf Imaging and created DMGs with AutoDMG to bring those Macs alive.

But assuming with the new read-only Macintosh HD partition this really will be painful.

Upgrading
The thing I already noticed is that in the past new macOS versions were available in the Mac App Store. Now the Software Update pane gets a 1 icon and will give you the option to download and install the upgrade.

So if you have an SUS in place, I assume we can prevent the update being delivered to the production branch, and allow it on your pilot branch for instance.

For the past 2 upgrade methods I used, and am still using, the work of @bpavlov, and I can confirm that this one is still working without issues for now.

This is a workflow for upgrading to a new macOS version through Self Service.
I upgraded from 10.14.5 to 10.15.0 Beta.

See my GitHub for the script, huge thanks again to @bpavlov.

Resources

  • WWDC 19 video on "What’s New in Managing Apple Devices" Link
  • Robbert Hammen's blog with a lot of information Link
  • Bash shell not installed default anymore? comparison vs ZSH Link
  • How to change your default shell to zsh for instance "chsh -s /bin/zsh"

So, let's start sharing ideas and experiences for the upcoming months!
Brace yourself!

34 REPLIES

sebastianl
New Contributor III

I heard there is a reset (or was it restore) option in system preferences in Catalina, that works like an iPad where you can reset and erase the macOS to factory settings. I am not on beta, so I can't confirm that. If Apple added this feature in Catalina, that would be better than using imaging to reset computers with fresh macOS.

totalyscrewedup
New Contributor III

First, I want to say, the utilization of the 'Download and Install' through Management command for single computer or 'Action' via the search for multiple, didn't work for me. So, I've looked at the 'whitepaper' on how to install/ upgrade to Catalina but it seems one of the easiest ones for MDM infrastructure has been omitted....The 'Mac App Store Apps' approach.

Why use this approach, you ask? Because it beats the hell out of packaging something that is ready to be deployed, it's easy, don't take no space from deployment share and I had none fail.

!!!!Warning, this will reboot your system after the policy has executed, so be wise and revise your policy execution attributes as needed!!!!

Here is how I made it work:

  • First, make sure you go and 'purchase' (they are free) Mac OS Catalina licenses through 'VPP' (or whatever they're calling it today).

  • After you receive the email confirmation and Jamf Pro syncs with VPP, make sure that when you're reviewing the OS within 'Mac App Store Apps' and setting up scope, you're NOT selecting 'Site' under General tab but on the actual 'Scope' tab. Otherwise, you won't be able to assign the licenses gotten via VPP.

  • Setup a Policy that will run against the same scope as whatever you used for the Mac App Store

  • Said policy should execute following command (Within 'Files and Processes') '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction' (remove the apostrophes from the command)

Side Note: I like using 'Smart Groups' in conjunction with my scopes. It eliminates keeping track what has upgraded, shouldn't be upgraded and what happens when you image it with something else. So here is what I have as criteria:
1. Enrolled via DEP -> is -> Yes
2. OS Version -> greater than -> (I have a specific need for a specific version, so that's what I have there)
3. Building -> is -> my neck of the woods

Now just sit back and monitor policy for successes.

Cayde-6
Valued Contributor

@totalyscrewedup

Which is a perfectly fine way to go, however I prefer the scripted approach macOS Upgrade which gives the user clear instructions on what is happening. Your method will trigger a 30-second countdown timer for users before it auto restarts, which could be fine for some but others could be doing a presentation before it restarts.

mking529
Contributor

"PreStage enrollments work fine for now. The Jamf binary does not work 100%, but that is logical."

Sorry, but how's this logical? Jamf Pro is supposed to be supporting Catalina in full and PreStage enrollment is the official Apple method of provisioning computers. What exactly is not working?

I'm still amazed to see imaging mentioned. I considered our school one of the last holdouts but once the APFS change happened and I read what was necessary to make it maybe work, we finally submitted to provisioning via scripts and policies. It's definitely not as set it and forget it but it works. The real disappointment was DEP. All it really does is throw it in Jamf for you. Cool, so I don't have to do a QuickAdd. Sooo much time saved. /s

aaelic24
New Contributor III

@totalyscrewedup ... dude!! Why has nobody else come up with this solution? You are awesome!!
I am going to test that option via VPP and Self Service.
Just wondering .. if I can scope to all machines and that app will take care of the min requirements?
Anyone can chime in?

aaelic24
New Contributor III

Would there be a way to do it without asking for admin credentials?

vcasiero
New Contributor II

I have just downloaded the installer app, added it to JAMF admin and made a self service policy when it caches the installer and then triggers the install.

Have had multiple people try it and it seems to work just fine. I have a SUS in place, so I am limiting the installer that way.

User can install at their convenience.

jlang_remedy
New Contributor III

@txhaflaire does your script take into account Standard users performing the upgrade? I know for upgrading to Mojave, admin creds were required and there was a scripted workaround of granting temporary admin access to the user's account during the upgrade process, then revoking admin post-install.

jjimenez10
New Contributor II

@vcasiero Where did you download the installer app? Did you have to put it in Composer before adding it to JAMF admin? I'm trying to push out Catalina via Patch Management but the package doesn't seem to work, so not sure what I'm doing wrong.

cwaldrip
Valued Contributor

Modular imaging is only mostly dead! We still use Jamf Imaging in combination with DEP (when we can).

But Why? Because DEP with "Enrollment Complete" trigger isn't reliable - If I can get 75% success with that combination I'm super happy. But what if you have to make sure that everything the user needs is installed when you hand it to them? Well, now we've got a problem. Especially when users are (super busy and easily distracted) nincompoops who will go into a literal war zone without updating.

When the "Enrollment Complete" trigger is > 95% successful, we'll re-evaluate it. But we've got 58 packages, < 30 GB of apps, settings, presets, and codecs, that get installed as part of our typical machine. And the last thing I need is a producer or on-camera talent camped out between Russian, Turkish, Kurdish, and ISIS soldiers shooting at each other who can't do his job because he forgot to install something before he left the bureau. And when your only internet connection is a portable satellite terminal where downloads cost $4.35/MB and max out at 384Kbps, the last thing anyone needs is a $7,873.50 bill so someone could reinstall Premiere.

So How? (Hint: Jamf Imaging doesn't have to install an OS) If it doesn't already have your supported OS version (10.13 or later) then install it, do a reboot/clean install. If it's in DEP then it gets managed, if it's not then you need to take the corporate AmEx away from an executive and manually get it managed (user initiated enrollment). For us, we use the "Enrollment Complete" trigger to (hopefully) get VPN, VPN Profiles, Bomgar, and Jamf Imaging on the machine. We've got about an 80% success rate with that limited number of packages. Even a DEP machine will probably need help, so we've got Jamf Imaging in our Self Service (which gets installed on enrollment about 95% of the time).

Here's the magic! Once you've got Jamf Imaging on the machine, launch it, authenticate, log in, choose the configuration (none of which install an OS), tell it to image the boot drive, and go. None of our policies are configured to 'install on boot drive' since they're already being installed to the boot drive, but a restart is still done by Jamf Imaging which is fine because several installers require a restart.

Ta-dah! Modular Imaging in 2019!

And don't think I didn't see that the 'Jamf Imaging.app won't be updated' note a few releases ago... awesome! 😣

sdagley
Honored Contributor II

@cwaldrip Have you looked into DEPNotify and the DEPNotify Starter for Jamf Pro script? Instead of a bunch of policies triggered via Enrollment Complete only the DEPNotify Starter for Jamf Pro needs to trigger off of that, and it in turn calls your other install policies. I don't know that I've had a single failure on DEP enrollment since switching to it.

cwaldrip
Valued Contributor

@sdagley I'll look into it again, and it may be our only option if/when Jamf kills Jamf Imaging.app. But killing the app seems like a waste since it still works perfectly fine since we're not deploying an OS. I think Jamf should re-evaluate their decision not to keep Jamf Imaging around. Sad to see development on that go to waste.

sdagley
Honored Contributor II

@cwaldrip Don't let the DEPNotify name mislead you, nothing about the tool or Jamf's script to drive it is DEP specific. Before we enabled DEP I modified the DEPNotify Starter for Jamf Pro script to mimic my existing workflow which was triggered by Enrollment Complete. When we switched to DEP pretty much nothing had to change.

tcandela
Valued Contributor

Just let the users upgrade to Catalina themselves. Why go through all this? If their computer is compatible it will install, if not it won't.

vcasiero
New Contributor II

@jjimenez10 Just downloaded it from software update following this link. https://itunes.apple.com/us/app/macos-catalina/id1466841314?ls=1&mt=12
It downloaded the full installer into "Applications". Then just dragged and dropped the .app into JAMF Admin. It auto zipped it into a tar file and recognized it as a MacOS Installer.

nwagner
New Contributor III

Anyone else seeing issues after reboot?

NOTE: This is for 10.15.1 full installer. We are upgrading machines from 10.14.6 (w/the supplementals and the security update).

We've seen some machines get stuck at the "Screen Time" setup screen, which means we had to force the machine down and cold boot. I have yet to see an explanation for this phenomenon, but I have seen that it's a common issue.

How are you folks avoiding terrifying your users with hung reboots, finder crashes, etc etc, all the known issues that people are having after this upgrade?

donmontalvo
Esteemed Contributor II

@cwaldrip wrote:

Ta-dah! Modular Imaging in 2019!

Postpone all policies until "Enrollment Complete" policy finishes

--
https://donmontalvo.com

Surajit
New Contributor III

This still works for us.
Tested today for 10.15.1 In-Place upgrade, we are on Jamf 10.16.1
Credit Goes to @Rosko.

carlo_anselmi
Contributor III

@sdagley I am setting up a DEPNotify to replace my existing workflow and was wondering if there's a way to prevent/postpone policies set to run at "recurring check-in" while those triggered by DEPNotify run. Right now they seem to overlap, I mean if a policy called by DEPNotify takes a long time to finish, those at "recurring check-in" begin to run.
Maybe it is just time has come to review my existing workflow...
Many thanks!

DJL
New Contributor

We've seen the machines get stuck at the "Screen Time" setup screen issue happen a lot. We're also having big issues getting AD logon to work - they just get stuck logging in. Plus one Mac mini has been bricked and sent back for repair.

Not impressed so far!

jhuls
Contributor III

Count me in the group for seeing the "Screen Time" freeze on one of our early test machines. That was 1 out of 2...fills me with warm joy to see those stats. sigh

nwagner
New Contributor III

Thank you @jhuls and @DJL. Has anyone else seen any form of a hung reboot after the install/upgrade finishes?

Is there a workaround that does not involve a cold boot?

If my users see a hung boot, they will lose their damn minds.

jjimenez10
New Contributor II

@totalyscrewedup hey! So I was able to get VPP for the installer and push out as a policy.

Having trouble with the last part. How do I write a script so it can execute the command '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction'?

I want to create a policy so the startosinstall can run as soon as I push it out. Eventually I do want to put it on Self Service adding the Erase option as well.

sdagley
Honored Contributor II

@carlo.anselmi Unfortunately short of having a breadcrumb dropped at the end of the enrollment complete policy, and then changing all of your recurring check-in policies to exclude systems without that breadcrumb I don't know of a good solution (everybody please Up Vote the Feature Request that @donmontalvo references above). Currently I have tweaked my DEPNotify script that I use so it typically runs in less time than my check in interval.
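
The breadcrumb approach described above, sketched as an added example that is not part of the original post: the enrollment policy's last step writes a marker file, and an extension attribute reports it so a smart group can keep recurring check-in policies off Macs that have not finished. The breadcrumb path, function names and the three result values are assumptions; in practice the two functions would live in separate Jamf scripts.

```shell
#!/bin/sh
# Added example (not from the thread). The breadcrumb path is hypothetical.
BREADCRUMB="${BREADCRUMB:-/Library/Application Support/ExampleOrg/enrollment_complete}"

# Last payload of the Enrollment Complete policy: write the marker file.
write_breadcrumb() {
    dir=$(dirname "$BREADCRUMB")
    mkdir -p "$dir" && chmod 755 "$dir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$BREADCRUMB" && chmod 644 "$BREADCRUMB"
}

# Extension attribute logic. Jamf runs scripts as root, so -O means
# "owned by root" here. A marker that other accounts can write to is
# reported separately, because editing it would change which policies
# are scoped to the Mac.
enrollment_state() {
    if [ ! -f "$BREADCRUMB" ]; then
        echo "Pending"
    elif [ ! -O "$BREADCRUMB" ] ||
         [ -n "$(find "$BREADCRUMB" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "Untrusted"
    else
        echo "Complete"
    fi
}

# Jamf reads the extension attribute value from between the <result> tags.
echo "<result>$(enrollment_state)</result>"
```

Recurring check-in policies would then be scoped to a smart group whose criterion is this attribute being "Complete".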

donmontalvo
Esteemed Contributor II

@sdagley yeap, @dliberti was suggesting the same thing.

--
https://donmontalvo.com

SZPAG_Jamf
New Contributor

@totalyscrewedup how to "Setup a Policy that will run against the same scope as whatever you used for the Mac App Store"? Did not get it.

SZPAG_Jamf
New Contributor

@totalyscrewedup how to "Setup a Policy that will run against the same scope as whatever you used for the Mac App Store"? Did not get it, thank you.

SZPAG_Jamf
New Contributor

@vcasiero how please?

JZaczyk
New Contributor

Hey all, been seeing quite a bit of weirdness with our upgrade testing. We're setting up to silently cache the installer, then trigger it via Self Service. SS policy is just

/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction

We're seeing the policy sit at running for about 20 minutes, then it attempts to restart, but throws a strange Cocoa error (screenshot attached to this post). This error prevents Self Service from quitting and holds up the restart. I've done some digging on this error and haven't found much, just one person thinking it might be Self Service barfing on a large policy. Any ideas would REALLY be appreciated


chrisB
New Contributor III

@JZaczyk: Just add an ampersand ("&") at the end of the command line:

/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction &

With " &" at the end of the command line the process starts in the background, allowing the script to complete successfully and the reboot will happen cleanly.

see also: https://www.jamf.com/blog/streamlining-your-macos-upgrade-process/

hth
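
The policy script asked about earlier in the thread, as an added example that is not part of the original posts: it quotes the installer path (which contains spaces), checks that the cached installer is present, and backgrounds startosinstall as suggested above so the policy can finish. The function name, its optional arguments, the use of `nohup` and the log location are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): policy script that starts the cached
# Catalina installer in the background so the Jamf policy can finish.

# Installer location as given in the thread.
DEFAULT_APP="/Applications/Install macOS Catalina.app"

# start_upgrade [app_path] [log_path]   (both arguments are assumptions)
start_upgrade() {
    app="${1:-$DEFAULT_APP}"
    log="${2:-/var/log/startosinstall-policy.log}"   # hypothetical log file
    tool="$app/Contents/Resources/startosinstall"

    # The bundle name contains spaces, so every expansion is double-quoted.
    if [ ! -x "$tool" ]; then
        echo "startosinstall not found or not executable: $tool" >&2
        return 1
    fi

    # "&" backgrounds the installer; redirecting its input and output detaches
    # it from the policy's stdio, so the script returns and the restart is
    # not held up by Self Service waiting on the policy.
    nohup "$tool" --agreetolicense --nointeraction </dev/null >>"$log" 2>&1 &
    echo "startosinstall started in background, PID $!"
}

# Policy entry point. Jamf reserves $1-$3 for its own values, so an optional
# custom installer path is read from parameter 4.
start_upgrade "${4:-}"
```

A missing installer makes the script exit non-zero, so the policy log shows a failure instead of a silent no-op.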

carlo_anselmi
Contributor III

@sdagley sorry for the late reply and thanks for your message.
The breadcrumb is an interesting workaround until I tweak my workflow
Cheers!

jonrh
New Contributor

Interesting .. thanks for all the info!

Initialised
Contributor

Thanks for the tips!

My Catalina Workflows:
New Mac - DEP as usual exclude 32-bit Apps
Refresh Mac 10.13.4+ APFS (All Labs and Mojave Macs) - Deploy Catalina Installer - EraseInstall
Upgrade Mac - Deploy Catalina Installer - Delete/Uninstall 32-Bit Apps - Update Apps - StartOSinstall

nikjamf
New Contributor III

Hello,
Has anybody else used the script for an in-place upgrade to macOS Catalina? When I run the script, it downloads the OS to the Applications folder, and then the file disappears (current OS Mojave) and it starts over downloading it. After the OS .pkg shows up in the Applications folder a second time, an error message pops up saying that it cannot install the OS. I'm following the steps from here: https://hcsonline.com/images/PDFs/Upgrade_Catalina_Jamf.pdf. What am I doing wrong? I appreciate any help with the macOS upgrade.sh script (updated on 11/30/2020). Do not have DEP or VPP.