Long login time after zero-touch provisioning and upgrade to Sonoma

howie_isaacks
Valued Contributor II

I am working on deploying a new zero-touch provisioning process. This new policy alerts the user that they're running an outdated macOS if they enroll a Mac running macOS older than Sonoma. The alert includes a button to click to launch Software Update. After the upgrade to Sonoma, the ZTP policy launches automatically thanks to a LaunchDaemon that gets installed on Macs running an OS older than Sonoma. After the ZTP policy completes, the user needs to reboot. When they log in, they are kept waiting 10-12 minutes before they reach the desktop. When I ran this through on my test Mac, I found that softwareupdated is responsible for this, but I have not figured out exactly what is allegedly updating. Since we just ran an upgrade to Sonoma, all of the OS components should be up to date. If a Mac running Sonoma (any version of Sonoma) enrolls, we don't see this issue. This is not a complete disaster. It's just an annoyance. I did not see this happen with a Mac VM that I enrolled yesterday. The only difference between the Mac VM and my test Mac, aside from one being virtual and the other being hardware, is that the VM is not getting the profile that enforces FileVault. Also, the VM was a user-initiated enrollment. I'm about to run this through again and this time take note of install times in the install log to pinpoint exactly when this issue starts. Does anyone have an idea why this is happening?

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@howie_isaacks I have a little more direct approach for when someone tries to enroll a Mac running a version of macOS lower than our current minimum - an enrollment policy that shows a message to the user explaining why and then runs the erase-install script configured to re-image the Mac with the appropriate version of macOS.

howie_isaacks
Valued Contributor II

I like this idea! Getting a fresh install means that I don't need to install a LaunchDaemon to ensure that my ZTP policy launches again. For the time being, I will keep my current (annoying) setup in place while I work on implementing your suggestion.

howie_isaacks
Valued Contributor II

I have not 100% figured out exactly why this was happening, but the issue was being caused by FileVault. All of our Macs receive a profile that enforces FileVault. Users must enable FileVault the next time they log in after enrollment. When I excluded my test Mac from getting this profile, there was no long login process after the ZTP process had run. I created a smart group for newly enrolled Macs running an older OS than Sonoma and excluded the group from getting this profile. The profile won't get installed until after the macOS Sonoma upgrade instead of getting it immediately upon enrollment. My guess is that something related to FileVault is getting updated during the login process after the ZTP process has run. I could dig through the install log on the affected Macs and eventually figure out exactly what was happening, but I don't really need to now.

CaseySimpson
New Contributor

Thank you so much for the solution.