Jamf Pro; Upgrade methods for Mojave.

ThijsX
Valued Contributor

Hi All,

Let's share ideas about how to upgrade to macOS Mojave via:

  • Self Service
  • App Store
  • Others

Also an idea to share ideas on how to upgrade from 10.14.1 to 10.14.2 due to the new Software Update pane in Sysprefs.

Cheers.


Gennaro
New Contributor III

Also interested in seeing if anyone has any upgrade or imaging solutions, we've tried a few things at our test environment but haven't had any luck yet with it.

tak10
Contributor II

We fully integrated DEP for new computer deployment.

I'm hoping for this workflow to work for upgrade: https://github.com/kc9wwh/macOSUpgrade

MatG
Contributor III

This is how we did it with High Sierra upgrade and will repeat for Mojave, it sounds hard but it's very simple.

We put a Restricted Software policy to block updater from Apple and delete. The reason for this is Apple will start putting an Updater on the Mac and if you wait until .1 or .2 (10.14.1 etc) you will want the new installer from Apple App Store.

We then created a Self Service category called High Sierra Update.
In it we created a 01 High Sierra Pre-requisites self service item. This was a policy with a bunch of .pkgs we want to update before installing High Sierra. We also used Execute command to write a receipt on completion called hsready.pkg and we also do a recon and force a reboot.

We created a smart group with a criteria for the receipt hsready.pkg. Macs that have run 01 High Sierra Pre-requisites get added to the smart group. The Restricted software policy had this smart group as an exclusion. So once 01 High Sierra Pre-requisites has run, the Mac can now run the HS updater.

We created a 02 Install High Sierra self service item, and scope the same smart group. This item is just a link to the Apple App Store to download the latest version of the High Sierra installer. User gets the file direct from Apple.

After the Mac reboots user goes back to self service and 02 Install High Sierra is now available to them and they can download and install.

Easy :)

ThijsX
Valued Contributor

Awesome ideas. We successfully tested the method developed by @bpavlov with recent Mojave beta.


jwojda
Valued Contributor II

@txhaflaire we use @bpavlov's solution as well and have been checking back periodically to his site for updates to his script. Were there any changes you had to do, or was it pretty much update the build #s and policies for the new OS?

bpavlov
Honored Contributor

Sorry guys. I've been quite busy on other things. I'll try to take a look at the script again and make whatever necessary changes are needed for 10.14.

spreston
New Contributor III
> I'm hoping for this workflow to work for upgrade: https://github.com/kc9wwh/macOSUpgrade

Does anyone know if the github macOSUpgrade script works with Mojave yet? I tried it today and it appeared to have an issue with the download step -- it looks like the Install MacOS Mojave.app phones home to the Apple servers to get the install, and is only 22 MB versus the average 5 GB installers from Sierra/High Sierra. Doing it for High Sierra works fine.

We're not in a rush to deploy Mojave yet (we still have a few hurdles we need to address) but we wanted to at least start testing as we anticipate demand.

mjhersh
Contributor

@spreston I had the same issue at first, but I'm not sure why or how I got the tiny stub installer rather than the full 5GB+ installer. Apple does still give you the full installer. Try deleting it from /Applications and downloading again from the App Store. I suspect I might have got the small stub because I was still enrolled in the beta/developer program. I have not tested this by re-enrolling, so all I can say is it worked the first time I re-downloaded after un-enrolling my computer from the beta.

I'm not using that specific script, but I can tell you that the process is not much different than in High Sierra. The only difference I noticed is that startosinstall now complains if you specify --applicationpath (it is deprecated; and about time, too, since it was always redundant).

spreston
New Contributor III

@mjhersh - that was definitely it. Just did a re-download and it's 6 GB now. I'll re-package and try again. Thanks!!

timlarsen
Contributor

Just to add...

To get around the stub installer (in my experience) if you manage to keep a computer around running something pre-Mojave, open the Mac App Store and alt-click the download (or install/get) button on the macOS Mojave app page and it will always download the full version. I'm not sure if this is officially documented anywhere, but it seems to work for me consistently, and avoids you having to download multiple times. The alt-click feature does not seem to work in the new Mac App Store, but I haven't checked this again since one of the more recent betas.

kcsantos
New Contributor III

I can't get our test machine to update to macOS Mojave!

We have 2 policies that download and install macOS Mojave.

  • I packaged up the Mojave 6GB installer, and the first policy that places the installer in the root /Applications folder.
  • Then a 2nd Policy runs the macOSupgrade.sh script with the parameters defined.

After the policy runs, I get the "Wait as we prepare your computer for mojave" screen. Looks like everything is going well until I get a prompt "osinstallersetupd wants to make changes" which requires the user to input an Admin password, which they do not have.

Is it something in my Install Policy's reboot settings? Some parameter I misdefined? Or is it the lack of a custom trigger? HELP!!


mikemangino
New Contributor III

Yeah, I have the full installer copying down to /Applications, but when MacOSUpgrade.sh runs, it deletes it, then tries to download it via the custom trigger (which works if I call it manually from the command line), but then falls over dead saying it couldn't download successfully. Derp.

Caleb_Anderson
New Contributor III

I managed to get our test computer to install Mojave with the "Erase Install" script for post-10.13.4 machines, from a High Sierra machine through Self Service.

Obviously it completely images the computer so if you're only after an upgrade it won't work.

seann
Contributor

@Caleb.Anderson Also the eraseinstall flags only work on APFS formatted drives. Still, it has some use as an alternative for reimages.

alexkaloostian
New Contributor II

I am also having problems with startosinstall, it keeps asking for admin privileges. I get the osinstallsetupd prompt. Jamf logs says "Could not create a preboot volume for APFS install."

thoule
Valued Contributor II

Tagging for updates.

MLBZ521
Contributor III

There are several projects out there to perform upgrades and 'erase installs.' I haven't looked at some of the scripted methods since I created my own for my environment. Mine has been updated for Mojave, in case anyone is still looking for one:

install_macOS

If setup properly, it will not prompt for credentials.

woodsb
Contributor

If you all need full installers please use installinstallmacos.py. It works every time.

ocla__09
Contributor

What are folks doing to get custom privacy preferences config profiles on the machine as soon as possible?

It appears that they won't install until recon is run and sees the machine is 10.14, since you cannot deploy to pre 10.14 machines ahead of time. I was thinking a script that ran "ongoing" that would be scoped off a dummy package. In the script, if the OS level was pre 10.14 the script would exit, but if it saw 10.14, it would delete the dummy receipt, run a recon and get the config profiles as a result.

Anybody have a better way?

woodsb
Contributor

@ocla__09 Assuming that you're using the generic Self Service method, would it be possible to add a maintenance payload {update inventory} to your policy to run after the upgrade is complete? I guess you could also have an update inventory policy that runs at startup assuming that you already have a 10.14 smart group scoped for your profiles...I'm just trying to keep it simple.

jameson
Contributor II

@spreston

How did you solve the download issue for Mojave?
I followed this one https://github.com/kc9wwh/macOSUpgrade

Every time it just comes up that it could not be downloaded

spreston
New Contributor III

@jameson - is the Mojave installer ~5-6 GB? If not you may need to download/re-package again.

Other issue we encountered was if the drive was in the process of encrypting it would fail. (I initially missed that in the readme notes).

woodsb
Contributor

@jameson it sounds like you're using a stub installer. Use installinstallmacos.py to download full installers every time.

spreston
New Contributor III

Thanks @woodsb - didn't know about this!

kcsantos
New Contributor III

I created a support case for this issue. Here's the response I received from Tyler of the jamf support team in regards to the osinstallersetupd prompt:

"So what is happening is if the user is standard and has FileVault 2 enabled it will require an admin's password. In one discussion in Jamf Nation someone has modified the script that checks to see if the user is standard and has FileVault 2 enabled and if it does it will promote the user to Admin. Once the installation completes it uses a LaunchDaemon to demote the user back to standard. [...]"

Here's the modified macOSUpgrade script:

#!/bin/bash

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Copyright (c) 2018 Jamf.  All rights reserved.
#
#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:
#               * Redistributions of source code must retain the above copyright
#                 notice, this list of conditions and the following disclaimer.
#               * Redistributions in binary form must reproduce the above copyright
#                 notice, this list of conditions and the following disclaimer in the
#                 documentation and/or other materials provided with the distribution.
#               * Neither the name of the Jamf nor the names of its contributors may be
#                 used to endorse or promote products derived from this software without
#                 specific prior written permission.
#
#       THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# This script was designed to be used in a Self Service policy to ensure specific
# requirements have been met before proceeding with an inplace upgrade of the macOS,
# as well as to address changes Apple has made to the ability to complete macOS upgrades
# silently.
#
# VERSION: v2.7.2.1
#
# REQUIREMENTS:
#           - Jamf Pro
#           - macOS Clients running version 10.10.5 or later
#           - macOS Installer 10.12.4 or later
#           - eraseInstall option is ONLY supported with macOS Installer 10.13.4+ and client-side macOS 10.13+
#           - Look over the USER VARIABLES and configure as needed.
#
#
# For more information, visit https://github.com/kc9wwh/macOSUpgrade
#
#
# Written by: Joshua Roskos | Jamf
#
# Created On: January 5th, 2017
# Updated On: September 28th, 2018
#
#
#
# Modified On: November 8th, 2018
# By: Lotusshaney
#
# MODIFICATION:
#     Added where if the user is Filevault 2 enabled and a standard user it will promote
#     the user to Admin to get around osinstallersetupd prompting for Admin credentials.
#     Once the installer has completed it utilizes a LaunchDaemon that will demote the
#     user back to standard and cleanup the script.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# USER VARIABLES
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

##Specify path to OS installer. Use Parameter 4 in the JSS, or specify here
##Example: /Applications/Install macOS High Sierra.app
OSInstaller="$4"

##Version of Installer OS. Use Parameter 5 in the JSS, or specify here.
##Example Command: /usr/libexec/PlistBuddy -c 'Print :"System Image Info":version' "/Applications/Install macOS High Sierra.app/Contents/SharedSupport/InstallInfo.plist"
##Example: 10.12.5
version="$5"
versionMajor=$( /bin/echo "$version" | /usr/bin/awk -F. '{print $2}' )
versionMinor=$( /bin/echo "$version" | /usr/bin/awk -F. '{print $3}' )

##Custom Trigger used for download. Use Parameter 6 in the JSS, or specify here.
##This should match a custom trigger for a policy that contains just the 
##MacOS installer. Make sure that the policy is scoped properly
##to relevant computers and/or users, or else the custom trigger will
##not be picked up. Use a separate policy for the script itself.
##Example trigger name: download-sierra-install
download_trigger="$6"

##MD5 Checksum of InstallESD.dmg
##This variable is OPTIONAL
##Leave the variable BLANK if you do NOT want to verify the checksum (DEFAULT)
##Example Command: /sbin/md5 /Applications/Install macOS High Sierra.app/Contents/SharedSupport/InstallESD.dmg
##Example MD5 Checksum: b15b9db3a90f9ae8a9df0f81741efa2b
installESDChecksum="$7"

##Valid Checksum?  0 (Default) for false, 1 for true.
validChecksum=0

##Unsuccessful Download?  0 (Default) for false, 1 for true.
unsuccessfulDownload=0

##Erase & Install macOS (Factory Defaults)
##Requires macOS Installer 10.13.4 or later
##Disabled by default
##Options: 0 = Disabled / 1 = Enabled
##Use Parameter 8 in the JSS.
eraseInstall="$8"
if [[ "${eraseInstall:=0}" != 1 ]]; then eraseInstall=0 ; fi
#macOS Installer 10.13.3 or earlier set 0 to it.
if [ "$versionMajor${versionMinor:=0}" -lt 134 ]; then
    eraseInstall=0
fi

##Enter 0 for Full Screen, 1 for Utility window (screenshots available on GitHub)
##Full Screen by default
##Use Parameter 9 in the JSS.
userDialog="$9"
if [[ ${userDialog:=0} != 1 ]]; then userDialog=0 ; fi

##Title of OS
##Example: macOS High Sierra
macOSname=$(/bin/echo "$OSInstaller" | /usr/bin/sed 's/^\/Applications\/Install \(.*\)\.app$/\1/')

##Title to be used for userDialog (only applies to Utility Window)
title="$macOSname Upgrade"

##Heading to be used for userDialog
heading="Please wait as we prepare your computer for $macOSname..."

##Title to be used for userDialog
description="This process will take approximately 5-10 minutes.
Once completed your computer will reboot and begin the upgrade."

##Description to be used prior to downloading the OS installer
dldescription="We need to download $macOSname to your computer, this will 
take several minutes."

##Jamf Helper HUD Position if macOS Installer needs to be downloaded
##Options: ul (Upper Left); ll (Lower Left); ur (Upper Right); lr (Lower Right)
##Leave this variable empty for HUD to be centered on main screen
dlPosition="ul"

##Icon to be used for userDialog
##Default is macOS Installer logo which is included in the staged installer package
icon="$OSInstaller/Contents/Resources/InstallAssistant.icns"

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# FUNCTIONS
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

downloadInstaller() {
    /bin/echo "Downloading macOS Installer..."
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
        -windowType hud -windowPosition $dlPosition -title "$title" -alignHeading center -alignDescription left -description "$dldescription" \
        -lockHUD -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/SidebarDownloadsFolder.icns" -iconSize 100 &
    ##Capture PID for Jamf Helper HUD
    jamfHUDPID=$!
    ##Run policy to cache installer
    /usr/local/jamf/bin/jamf policy -event "$download_trigger"
    ##Kill Jamf Helper HUD post download
    /bin/kill "${jamfHUDPID}"
}

verifyChecksum() {
    if [[ "$installESDChecksum" != "" ]]; then
        osChecksum=$( /sbin/md5 -q "$OSInstaller/Contents/SharedSupport/InstallESD.dmg" )
        if [[ "$osChecksum" == "$installESDChecksum" ]]; then
            /bin/echo "Checksum: Valid"
            validChecksum=1
            return
        else
            /bin/echo "Checksum: Not Valid"
            /bin/echo "Beginning new dowload of installer"
            /bin/rm -rf "$OSInstaller"
            /bin/sleep 2
            downloadInstaller
        fi
    else
        ##Checksum not specified as script argument, assume true
        validChecksum=1
        return
    fi
}

cleanExit() {
    /bin/kill "${caffeinatePID}"
    exit "$1"
}

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# SYSTEM CHECKS
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

##Caffeinate
/usr/bin/caffeinate -dis &
caffeinatePID=$!

##Get Current User
currentUser=$( /usr/bin/stat -f %Su /dev/console )

##Get Current Users homefolder
currentUserHomeDirectory=$( /usr/bin/dscl . -read "/users/$currentUser" NFSHomeDirectory | cut -d " " -f 2 )

##Check if FileVault Enabled
fvStatus=$( /usr/bin/fdesetup status | head -1 )

##Check if current user is an admin
/usr/bin/dscl . read /Groups/admin GroupMembership |  tr ' ' '\n' | grep -x "$currentUser"
if [[ $? -ne 0 ]] ; then
    if [[ "$fvStatus" == "FileVault is On." ]] ; then
        /bin/echo "FV is on and OS User is not an Admin.  Adding $currentUser to Admin group"
        /usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
        /bin/echo "Demote token file added for $currentUser at $currentUserHomeDirectory/.demoteafterupgrade"
        /usr/bin/touch "$currentUserHomeDirectory"/.demoteafterupgrade
    fi
fi

##Check if device is on battery or ac power
pwrAdapter=$( /usr/bin/pmset -g ps )
if [[ ${pwrAdapter} == *"AC Power"* ]]; then
    pwrStatus="OK"
    /bin/echo "Power Check: OK - AC Power Detected"
else
    pwrStatus="ERROR"
    /bin/echo "Power Check: ERROR - No AC Power Detected"
fi

##Check if free space > 15GB
osMajor=$( /usr/bin/sw_vers -productVersion | /usr/bin/awk -F. '{print $2}' )
osMinor=$( /usr/bin/sw_vers -productVersion | /usr/bin/awk -F. '{print $3}' )
if [[ $osMajor -eq 12 ]] || [[ $osMajor -eq 13 && $osMinor -lt 4 ]]; then
    freeSpace=$( /usr/sbin/diskutil info / | /usr/bin/grep "Available Space" | /usr/bin/awk '{print $6}' | /usr/bin/cut -c 2- )
else
    freeSpace=$( /usr/sbin/diskutil info / | /usr/bin/grep "Free Space" | /usr/bin/awk '{print $6}' | /usr/bin/cut -c 2- )
fi

if [[ ${freeSpace%.*} -ge 15000000000 ]]; then
    spaceStatus="OK"
    /bin/echo "Disk Check: OK - ${freeSpace%.*} Bytes Free Space Detected"
else
    spaceStatus="ERROR"
    /bin/echo "Disk Check: ERROR - ${freeSpace%.*} Bytes Free Space Detected"
fi

##Check for existing OS installer
loopCount=0
while [[ $loopCount -lt 3 ]]; do
    if [ -e "$OSInstaller" ]; then
        /bin/echo "$OSInstaller found, checking version."
        OSVersion=$(/usr/libexec/PlistBuddy -c 'Print :"System Image Info":version' "$OSInstaller/Contents/SharedSupport/InstallInfo.plist")
        /bin/echo "OSVersion is $OSVersion"
        if [ "$OSVersion" = "$version" ]; then
          /bin/echo "Installer found, version matches. Verifying checksum..."
          verifyChecksum
        else
          ##Delete old version.
          /bin/echo "Installer found, but old. Deleting..."
          /bin/rm -rf "$OSInstaller"
          /bin/sleep 2
          downloadInstaller
        fi
        if [ "$validChecksum" == 1 ]; then
            unsuccessfulDownload=0
            break
        fi
    else
        downloadInstaller
    fi

    unsuccessfulDownload=1
    ((loopCount++))
done

if (( unsuccessfulDownload == 1 )); then
    /bin/echo "macOS Installer Downloaded 3 Times - Checksum is Not Valid"
    /bin/echo "Prompting user for error and exiting..."
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -title "$title" -icon "$icon" -heading "Error Downloading $macOSname" -description "We were unable to prepare your computer for $macOSname. Please contact the IT Support Center." -iconSize 100 -button1 "OK" -defaultButton 1
    cleanExit 0
fi


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# CREATE FIRST BOOT SCRIPT
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

/bin/mkdir -p /usr/local/jamfps

/bin/cat > /usr/local/jamfps/finishOSInstall.sh <<'EOL'
#!/bin/bash
## First Run Script to remove the installer.
## Clean up files
/bin/rm -fr "$OSInstaller"
/bin/sleep 2
## Update Device Inventory
/usr/local/jamf/bin/jamf recon
## Remove LaunchDaemon
/bin/rm -f /Library/LaunchDaemons/com.jamfps.cleanupOSInstall.plist
## Remove Script
/bin/rm -fr /usr/local/jamfps
##Demote if user was not an admin before upgrade
##Get Current User
currentUser=$( /usr/bin/stat -f %Su /dev/console )
##Get Current Users homefolder
currentUserHomeDirectory=$( /usr/bin/dscl . -read "/users/$currentUser" NFSHomeDirectory | cut -d " " -f 2 )
if [[ -e "$currentUserHomeDirectory"/.demoteafterupgrade ]] ; then
    /bin/echo "User was not an Admin before upgrade, Removing $currentUser from Admin group"
    /usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
    /bin/echo "Demote token file removed for $currentUser at $currentUserHomeDirectory/.demoteafterupgrade"
    rm -f "$currentUserHomeDirectory"/.demoteafterupgrade
fi  
exit 0
EOL

##Set the permission on the file just made.
/usr/sbin/chown root:admin /usr/local/jamfps/finishOSInstall.sh
/bin/chmod 755 /usr/local/jamfps/finishOSInstall.sh

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# LAUNCH DAEMON
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

/bin/cat << EOF > /Library/LaunchDaemons/com.jamfps.cleanupOSInstall.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.jamfps.cleanupOSInstall</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string>/usr/local/jamfps/finishOSInstall.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF

##Set the permission on the file just made.
/usr/sbin/chown root:wheel /Library/LaunchDaemons/com.jamfps.cleanupOSInstall.plist
/bin/chmod 644 /Library/LaunchDaemons/com.jamfps.cleanupOSInstall.plist

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# LAUNCH AGENT FOR FILEVAULT AUTHENTICATED REBOOTS
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

##Determine Program Argument
if [[ $osMajor -ge 11 ]]; then
    progArgument="osinstallersetupd"
elif [[ $osMajor -eq 10 ]]; then
    progArgument="osinstallersetupplaind"
fi

/bin/cat << EOP > /Library/LaunchAgents/com.apple.install.osinstallersetupd.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.install.osinstallersetupd</string>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>MachServices</key>
    <dict>
        <key>com.apple.install.osinstallersetupd</key>
        <true/>
    </dict>
    <key>TimeOut</key>
    <integer>300</integer>
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>$OSInstaller/Contents/Frameworks/OSInstallerSetup.framework/Resources/$progArgument</string>
    </array>
</dict>
</plist>
EOP

##Set the permission on the file just made.
/usr/sbin/chown root:wheel /Library/LaunchAgents/com.apple.install.osinstallersetupd.plist
/bin/chmod 644 /Library/LaunchAgents/com.apple.install.osinstallersetupd.plist

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# APPLICATION
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

if [[ ${pwrStatus} == "OK" ]] && [[ ${spaceStatus} == "OK" ]]; then
    ##Launch jamfHelper
    if [ ${userDialog} -eq 0 ]; then
        /bin/echo "Launching jamfHelper as FullScreen..."
        /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$icon" -heading "$heading" -description "$description" &
        jamfHelperPID=$!
    else
        /bin/echo "Launching jamfHelper as Utility Window..."
        /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -title "$title" -icon "$icon" -heading "$heading" -description "$description" -iconSize 100 &
        jamfHelperPID=$!
    fi
    ##Load LaunchAgent
    if [[ ${fvStatus} == "FileVault is On." ]] && [[ ${currentUser} != "root" ]]; then
        userID=$( /usr/bin/id -u "${currentUser}" )
        /bin/launchctl bootstrap gui/"${userID}" /Library/LaunchAgents/com.apple.install.osinstallersetupd.plist
    fi
    ##Begin Upgrade
    /bin/echo "Launching startosinstall..."
    ##Check if eraseInstall is Enabled
    if [[ $eraseInstall == 1 ]]; then
        eraseopt='--eraseinstall'
        /bin/echo "   Script is configured for Erase and Install of macOS."
    fi

    osinstallLogfile="/var/log/startosinstall.log"
    if [ "$versionMajor" -ge 14 ]; then
        eval /usr/bin/nohup "\"$OSInstaller/Contents/Resources/startosinstall\"" "$eraseopt" --agreetolicense --nointeraction --pidtosignal "$jamfHelperPID" >> "$osinstallLogfile" &
    else
        eval /usr/bin/nohup "\"$OSInstaller/Contents/Resources/startosinstall\"" "$eraseopt" --applicationpath "\"$OSInstaller\"" --agreetolicense --nointeraction --pidtosignal "$jamfHelperPID" >> "$osinstallLogfile" &
    fi
    /bin/sleep 3
else
    ## Remove Script
    /bin/rm -f /usr/local/jamfps/finishOSInstall.sh
    /bin/rm -f /Library/LaunchDaemons/com.jamfps.cleanupOSInstall.plist
    /bin/rm -f /Library/LaunchAgents/com.apple.install.osinstallersetupd.plist

    /bin/echo "Launching jamfHelper Dialog (Requirements Not Met)..."
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -title "$title" -icon "$icon" -heading "Requirements Not Met" -description "We were unable to prepare your computer for $macOSname. Please ensure you are connected to power and that you have at least 15GB of Free Space.

    If you continue to experience this issue, please contact the IT Support Center." -iconSize 100 -button1 "OK" -defaultButton 1

fi

cleanExit 0

We just ran this script under a policy with all the Parameters defined. Our FileVault2 encrypted MacBook finally went to the installer without an Admin pw prompt! We verified the computer was updated to Mojave, but haven't got a chance to run through the computer to check for problems (it's Friday, I'm working late enough already...)

Hopefully this helps any others trying to upgrade to Mojave! And if you do use this method, please share your experiences!

As with anything else, please test before you deploy this script...

boberito
Valued Contributor

This script works great when it works.

Maybe 50% of the machines I use it on that I upgrade from Sierra to High Sierra are getting errors like "nohup: can't detach from console: Inappropriate ioctl for device" or startosinstall works, machine reboots...no installer begins and it just boots back up to the current OS.

I wish there was a fully Jamf built in way.

jameson
Contributor II

In the enrollment process (user initiated) I as last step want to upgrade to Mojave OS (should be forced not self service). I have downloaded the 6gb installer and created a package in Composer

But I have the following questions
1. What if the mac already has Mojave installed (is it possible to skip, so the client doesn't need to download the 6gb package, as it is a bit waste of time if it is not needed). Don't know what options there are to skip that step in enrollment

boberito
Valued Contributor

@jameson Just scope it to machines not on Mojave.

MTFIDjamf
Contributor II

@kcsantos We have tried the in-place upgrade from High Sierra to Mojave with the edited script that you posted above. While the process no longer prompts for Admin credentials it seems to not remove them from the user when the process completes.

Begin the process from Self Service as a standard user, wait for the whole thing to finish, back to the logon screen. Login as the user; they are now an Admin on the Mac. The Admin rights that were given automatically to run through the process were not removed.

Anyone seeing similar?
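
The report above (a standard user left in the admin group after the upgrade) is the failure a temporary-promotion workflow has to be audited for. An added example, not part of the thread or of the macOSUpgrade project: a root-run audit that looks in every home folder for the `.demoteafterupgrade` token from the posted script and compares admin membership with an approved list, instead of relying on the token alone or on who owns /dev/console when the LaunchDaemon runs. The `ADMIN_MEMBERS` override, the finding names and the approved-admin list (`itadmin` is hypothetical) are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit for admin rights left behind by a temporary promotion.
# Run as root. Nothing is changed unless APPLY=1 is set.
# Assumptions: homes live under /Users and are named after the account's short
# name; ADMIN_MEMBERS (space-separated) is a test override for the admin group.

TOKEN_NAME=".demoteafterupgrade"   # token name used by the script in this thread

# is_admin USER: succeeds when USER is in the local admin group.
is_admin() {
    if [ -n "${ADMIN_MEMBERS+x}" ]; then
        case " $ADMIN_MEMBERS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
    fi
    /usr/sbin/dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# audit_promotions USERS_ROOT "APPROVED ADMINS": prints "user finding" lines.
audit_promotions() {
    local root="${1:-/Users}"
    local approved=" ${2:-root} "
    local home user
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        # Skip Shared and anything that is not a plausible short name.
        case "$user" in Shared|*[!A-Za-z0-9._-]*) continue ;; esac
        if is_admin "$user"; then
            case "$approved" in *" $user "*) continue ;; esac
            if [ -e "${home}${TOKEN_NAME}" ]; then
                echo "$user demote-pending"     # promoted, never demoted
            else
                echo "$user unexpected-admin"   # no token: the user can delete it from their own home
            fi
        elif [ -e "${home}${TOKEN_NAME}" ]; then
            echo "$user stale-token"            # already standard, token left behind
        fi
    done
}

# remediate USERS_ROOT: reads "user finding" lines on stdin and prints the plan.
# With APPLY=1 it also carries the plan out.
remediate() {
    local root="${1:-/Users}"
    local user finding
    while read -r user finding; do
        case "$finding" in
            demote-pending)
                echo "demote $user"
                echo "remove-token $user"
                if [ "${APPLY:-0}" = 1 ]; then
                    # Drop the token only after the demotion succeeded.
                    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin &&
                        /bin/rm -f "$root/$user/$TOKEN_NAME"
                fi ;;
            unexpected-admin)
                echo "review $user" ;;          # left for a human to decide
            stale-token)
                echo "remove-token $user"
                if [ "${APPLY:-0}" = 1 ]; then /bin/rm -f "$root/$user/$TOKEN_NAME"; fi ;;
        esac
    done
    return 0
}

# Audit this Mac only when asked to, e.g.: ./audit.sh --run "root itadmin"
if [ "${1:-}" = "--run" ]; then
    audit_promotions /Users "${2:-root}" | remediate /Users
fi
```

Run without `APPLY=1` first and read the plan; an `unexpected-admin` finding is never demoted automatically because the account may be a legitimate admin missing from the approved list.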

tnielsen
Valued Contributor

I have a question, why would it not be feasible to simply download the installer from apple to the applications folder, then create a self service item to launch it normally. Which the user could then next next next next, through?

arpierson
New Contributor III

Our setup is fairly simplistic. We don't check for AC Power or battery level.

I created a .pkg with Composer that puts the macOS installer app in /Users/Shared. After that, we run the following script (not my script, but I can't remember where I got it):

#!/bin/sh

macOSinstallerAppPath="/Users/Shared/Install macOS Mojave.app"

CurrentloggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# There was an issue with startosinstall command that "Install macOS..app" needs to be opened once by logged in user to get it working properly
effectiveUserID=$(/usr/bin/id -u "$CurrentloggedInUser")
/bin/launchctl asuser "$effectiveUserID" sudo -u "$CurrentloggedInUser" /usr/bin/osascript <<EOT
        tell application "${macOSinstallerAppPath}" to activate
EOT
# Wait for 5 seconds to settle down then quit the app
/bin/sleep 5
/bin/launchctl asuser "$effectiveUserID" sudo -u "$CurrentloggedInUser" /usr/bin/osascript <<EOT
        tell application "${macOSinstallerAppPath}" to quit
EOT

# Run upgrade command
"${macOSinstallerAppPath}/Contents/Resources/startosinstall" --applicationpath "${macOSinstallerAppPath}" --rebootdelay 10 --nointeraction

# Reboot immediately if it has not rebooted by 'startosinstall'
#/usr/local/jamf/bin/jamf reboot -background -immediately

exit 0

kcsantos
New Contributor III
> @kcsantos We have tried the in-place upgrade from High Sierra to Mojave with the edited script that you posted above. While the process no longer prompts for Admin credentials it seems to not remove them from the user when the process completes. Begin the process from Self Service as a standard user, wait for the whole thing to finish, back to the logon screen. Login as the user; they are now an Admin on the Mac. The Admin rights that were given automatically to run through the process were not removed.

@MTFMRCO - Good observation. I just noticed the same thing on my end, the Standard User who ran the upgrade has not been reverted back to a Standard User after. uggghhh... thought this was the solution! Back to more research on this policy.

michaelherrick
New Contributor III

@kcsantos @MTFMRCO I have this same problem as well; I am going to try running the script with the verbose flag to see if I can pinpoint the error and will get back to this thread. I observed that the ".demoteafterupgrade" token creates successfully, but the launchdaemons and the /usr/local/jamfps directory do not get created by the script for some reason.

michaelsawilson
New Contributor

We did the upgrade via Self Service as well. Created a Policy that cached the Mojave installer to any systems with an earlier version of OSX. Then created a Reimage Mac OS Policy and set it for Self Service only and leave it disabled until I want to upgrade a system.

kcsantos
New Contributor III
by tnielsen I have a question, why would it not be feasible to simply download the installer from apple to the applications folder, then create a self service item to launch it normally. Which the user could then next next next next, through?

@tnielsen - Our Users are local Standard Users and have FileVault 2 enabled. When a Standard user with FileVault2 enabled tries to run the script, they get the "osinstallersetupd wants to make changes" prompt which requires an admin password.

And yes, we have a pre-policy that caches the full macOS Mojave 6GB installer into the /Applications folder.

kcsantos
New Contributor III

@arpierson -- Interesting... quick question: Are your users Standard Users with FileVault 2 enabled on the partition?

arpierson
New Contributor III
Interesting... quick question: Are your users Standard Users with FileVault 2 enabled on the partition?

@kcsantos Yes and no. Our users are Standard, but we don't utilize Filevault 2 as the vast majority of our devices are mobile labs that don't leave the building. Even teacher MacBooks aren't encrypted as we've found that they do such a poor job of backing up that Filevault just prevents us from doing data recovery and all of our sensitive student data is web-based, not stored locally. Since we don't use Filevault, I haven't encountered the "osinstallersetupd wants to make changes" prompt in my testing.

szultzie
Contributor II

Hi All,

We are also looking into an in-place upgrade from 10.13.3 to 10.14.x (x being the latest version available).

So for new machines we have a full DEP workflow that seems to be working pretty well, but I won't get into that unless people want to hear about it. I think I already did in another post (which I can link to if anybody is interested).

so for our Upgrade process...

In the Sierra to High Sierra upgrade we tested an in place using two Jamf Policies, first copies the App Store installer (Install macOS High Sierra.app) we pre stage that on machine a few days before the actual upgrade. Then we would send the second policy that basically ran the installer silently using the following script

#!/bin/bash

# The installer path contains spaces, so it must be quoted
"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS High Sierra.app" --rebootdelay 30 --nointeraction

#killall "Self Service"

exit 0

This process worked great. So I tested the same process for Mojave; the script is as follows:

#!/bin/bash

# The installer path contains spaces, so it must be quoted
"/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS Mojave.app" --rebootdelay 30 --nointeraction

#killall "Self Service"

exit 0

The upgrade works as well, but we ran into some weirdness and I can't find if anybody else is seeing the same thing. It happens no matter if a user initiates the policy from Self Service or if I have it done on check-in overnight.

The issue:

When I log in for the first time with a user (Mobile AD Account or a local admin account) the computer reboots and says 13 more minutes with an Apple logo on a black background with the bar under it (like a reboot during an upgrade). This wouldn't be that big of an issue with our faculty, but this can't happen in a fully automated lab install. Also we get a new Privacy Acceptance screen and the Light vs Dark Mode screen (anybody have a way to suppress these two? Light/Dark Mode is more important than the Privacy statement).

Is anybody else seeing this during an upgrade? I don't see this when I did a test directly from the App Store and clicking next, next, next.

Very frustrating with all the new "features" and "security upgrade" in the OS. It's like Apple hates System admins and is trying to make our lives a living Hell every month =)

-Peter

tnielsen
Valued Contributor

@kcsantos I would suggest writing a script to give the local user administrative rights during caching, then remove them after it's been detected the system is on 10.14.

I'll write the launchdaemon for ya, this was my idea about a month ago but I never had time to do it.
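
The flow suggested above (temporary admin rights for the upgrade, removed once the Mac reports 10.14) could look like the following. This is an added example, not code from any poster in this thread or from the macOSUpgrade project; the token location, its one-username-per-file content and the function names are assumptions, and only the token name ".demoteafterupgrade" comes from the thread. It is meant to be run as root at boot, for example by a LaunchDaemon.

```shell
#!/bin/sh
# Added example: run as root at boot (e.g. from a LaunchDaemon) after the upgrade.
# Assumptions: TOKEN_FILE location and its content (one short username on the
# first line) are hypothetical; only the token's file name is from the thread.
TOKEN_FILE="${TOKEN_FILE:-/usr/local/example/.demoteafterupgrade}"
TARGET_VERSION="10.14"

# Succeeds when dotted version $1 >= $2, compared field by field (10.9 < 10.14).
version_at_least() {
    have=$1; want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        if [ "${h:-0}" -gt "${w:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${w:-0}" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# Prints the decision: wait (not yet on TARGET_VERSION, keep the token),
# skip (token is not a plain non-root username), demote (remove admin rights).
demotion_action() {
    os=$1; user=$2
    case $user in ''|root|-*|*[!A-Za-z0-9._-]*) echo skip; return 0 ;; esac
    case $os in ''|*[!0-9.]*) echo wait; return 0 ;; esac
    if version_at_least "$os" "$TARGET_VERSION"; then echo demote; else echo wait; fi
}

main() {
    [ -f "$TOKEN_FILE" ] || return 0
    # Only trust a root-owned token; a user-writable one could name any account.
    [ "$(/usr/bin/stat -f '%u' "$TOKEN_FILE")" = "0" ] || return 1
    user=$(head -n 1 "$TOKEN_FILE")
    case $(demotion_action "$(/usr/bin/sw_vers -productVersion)" "$user") in
        demote)
            /usr/sbin/dseditgroup -o edit -d "$user" -t user admin || return 1
            # Confirm the user really left the admin group before dropping the token.
            if /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null; then return 1; fi
            rm -f "$TOKEN_FILE" ;;
        skip) rm -f "$TOKEN_FILE" ;;
        wait) : ;;
    esac
}

# Only act on a Mac and as root, so the functions above can be exercised anywhere.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then main; fi
```

Because the token is kept until the membership check confirms the demotion, a failed run is retried at the next boot instead of silently leaving the user in the admin group.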