M1 OS Update paths

gwhaley262
New Contributor III

What's everyone's preferred process for updating the OS on M1 Macs? I'd like to implement a process where I can instruct Macs to download and install, say, Monterey 12.5.1 on M1 Macs during overnight hours. I've seen some posts where updates were deployed via Self Service, but I'd rather not go that path if I don't have to.

1 ACCEPTED SOLUTION

bwoods
Valued Contributor

11 REPLIES

Tribruin
Valued Contributor II

Right now your options are very limited. M1s require authorization to update. In most cases, that requires a volume owner (typically an admin user) to run the update from Software Update.

You could try using the Download and Install Updates MDM command, but that has been pretty unreliable. 

This is why we went to Nudge to prompt our users to update and annoy them if they don't. 

mm2270
Legendary Contributor III

Yeah, as soon as you start talking M1s, your options shrink. Not that even with Intel Macs it's particularly expansive, but as @Tribruin already mentioned, M1s require someone using the Mac to authorize the update, so it's a PITA. There are no real overnight automation options here.

bwoods
Valued Contributor

Honestly, I've tried multiple things: updating with full macOS installers, creating detailed API scripts to run MDM commands, password prompts with the softwareupdate command, but I eventually gave in and implemented Nudge. Deployed 12.5.1 with Nudge last Thursday afternoon and my fleet of 500+ machines is already at 75% compliance. It's going to be even more useful when Ventura is released.

My advice, get your team on board with Nudge and don't look back. Apple has basically given us no other choice. 

GitHub - macadmins/nudge: A tool for encouraging the installation of macOS security updates.

I've basically outlined configuration here: Re: The Nudge Launch Agent Do not open - Jamf Nation Community - 270817

gwhaley262
New Contributor III

Ugh. Thanks. I'll take a look at Nudge.

@bwoods What is your workflow for moving your fleet from macOS Monterey to macOS Ventura?

I have not found a way to use Nudge to force major OS updates such as the one from Monterey to Ventura on Apple silicon (M1) devices.

bwoods
Valued Contributor

@bcrockett, I'm personally waiting for Apple to allow delta upgrades on MDM-managed systems. But you can also change what the update button does in Nudge. You can make it run a function that prompts the user for their password and runs a Ventura installer. This would work even for M1 devices.

Something like this should work:

#!/bin/bash

####Variables

# Determine the current console user (empty at the login window)
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [ -z "$currentUser" ]; then
	echo "No user is logged in; cannot prompt for a password." >&2
	exit 1
fi

# Determine the current user id
currentUID=$(id -u "$currentUser")

# Installer app to run; change this to match the macOS version being installed
installerApp="/Applications/Install macOS Monterey.app"

###Functions

Password(){
	# Prompts the user for their macOS (FileVault) password with AppleScript, run inside the
	# user's own GUI session. The password is returned on stdout so it can be piped into
	# startosinstall --stdinpass; on Apple silicon the user must be a volume owner for the
	# upgrade to be authorized. The quoted heredoc keeps the shell from expanding anything inside it.
	/bin/launchctl asuser "$currentUID" sudo -iu "$currentUser" /usr/bin/osascript <<'APPLESCRIPT'
	set validatedPass to false
	repeat while (validatedPass = false)
	-- Prompt the user to enter their FileVault password
	display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with hidden answer default button "Continue"
	set fvPass to (text returned of result)
	display dialog "Re-enter your macOS password to verify it was entered correctly" with hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
	if text returned of result is equal to fvPass then
	set validatedPass to true
	else
	display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns"
	end if
	end repeat
	-- The returned value is what osascript prints to stdout
	return fvPass
APPLESCRIPT
}

executeUpdate(){
	# The password goes in on stdin (--stdinpass) rather than as an argument, so it never shows up in ps output
	Password | "$installerApp/Contents/Resources/startosinstall" --agreetolicense --forcequitapps --nointeraction --user "$currentUser" --stdinpass
}

###Script
if [ ! -x "$installerApp/Contents/Resources/startosinstall" ]; then
	echo "startosinstall not found in $installerApp" >&2
	exit 1
fi

if executeUpdate; then
	exit 0		## Success (startosinstall normally restarts the Mac before returning)
else
	exit 1		## Failure
fi

Got it. Thank you for sharing your work and helping me understand this better.

I will try this in my lab and deploy it to the fleet if it tests well.

bwoods
Valued Contributor

One more thing, you'll probably need to change the path within this command to a path containing the macOS Ventura.app. Just FYI. 

Good pro tip! 

#!/bin/bash

####Variables

# Determine the current console user (empty at the login window)
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [ -z "$currentUser" ]; then
	echo "No user is logged in; cannot prompt for a password." >&2
	exit 1
fi

# Determine the current user id
currentUID=$(id -u "$currentUser")

# Installer app to run; this copy targets the Ventura installer
installerApp="/Applications/Install macOS Ventura.app"

###Functions

Password(){
	# Prompts the user for their macOS (FileVault) password with AppleScript, run inside the
	# user's own GUI session. The password is returned on stdout so it can be piped into
	# startosinstall --stdinpass; on Apple silicon the user must be a volume owner for the
	# upgrade to be authorized. The quoted heredoc keeps the shell from expanding anything inside it.
	/bin/launchctl asuser "$currentUID" sudo -iu "$currentUser" /usr/bin/osascript <<'APPLESCRIPT'
	set validatedPass to false
	repeat while (validatedPass = false)
	-- Prompt the user to enter their FileVault password
	display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with hidden answer default button "Continue"
	set fvPass to (text returned of result)
	display dialog "Re-enter your macOS password to verify it was entered correctly" with hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
	if text returned of result is equal to fvPass then
	set validatedPass to true
	else
	display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns"
	end if
	end repeat
	-- The returned value is what osascript prints to stdout
	return fvPass
APPLESCRIPT
}

executeUpdate(){
	# The password goes in on stdin (--stdinpass) rather than as an argument, so it never shows up in ps output
	Password | "$installerApp/Contents/Resources/startosinstall" --agreetolicense --forcequitapps --nointeraction --user "$currentUser" --stdinpass
}

###Script
if [ ! -x "$installerApp/Contents/Resources/startosinstall" ]; then
	echo "startosinstall not found in $installerApp" >&2
	exit 1
fi

if executeUpdate; then
	exit 0		## Success (startosinstall normally restarts the Mac before returning)
else
	exit 1		## Failure
fi

foobarfoo
Contributor

While Apple has left no other forced way than MDM commands open, we utilize (in addition to MDM commands) erase-install. This will prompt users on ARM systems to enter their password, but if they do, it still works. But for reluctant users, MDM commands are the only option. Also note that the softwareupdated daemon has a tendency to hang, so it might be a good idea to restart it with launchctl (through a policy) if the uptime is high and they are behind on updates. In order to add that extra nag factor to really annoy the users into upgrading, we also use a blank action policy with user interactions that they need to acknowledge. With all this said, Nudge accomplishes this in a similar fashion, but is reliant on user action alone, while a more diversified approach isn't, at least not to the same degree.

In our case, we just paste erase-install as a script in Jamf Pro, and use the following script switches:

--force-curl
--reinstall
--update
--current-user
--depnotify
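As an added example (not erase-install's code and not from any poster in this thread), here is what the "restart softwareupdated through a policy if uptime is high and updates are behind" idea above can look like as a Jamf Pro policy script. It assumes that `sysctl -n kern.boottime` prints "{ sec = <epoch>, usec = 0 } <date>", that `softwareupdate -l` lists each available update on a "* Label:" line (macOS 11 and later), and that the daemon's launchd label is system/com.apple.softwareupdated; the two sample outputs inside the script are constructed so the decision logic runs and can be checked off a Mac.

```shell
#!/bin/bash
# Added example: restart softwareupdated only when it is plausibly wedged, i.e. the Mac
# has been up for a long time AND softwareupdate still reports pending updates.
# Assumptions (see lead-in): kern.boottime format, "* Label:" lines, launchd label.

MAX_UPTIME_DAYS=7

# Constructed sample of `sysctl -n kern.boottime` (not captured from a real Mac)
SAMPLE_BOOTTIME='{ sec = 1669775101, usec = 0 } Tue Nov 29 20:45:01 2022'

# Constructed sample of `softwareupdate -l` with two pending updates
SAMPLE_SWU_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Monterey 12.5.1-21G83
    Title: macOS Monterey, Version: 12.5.1, Size: 2397253KiB, Recommended: YES, Action: restart,
* Label: Safari16.1MontereyAuto-16.1
    Title: Safari, Version: 16.1, Size: 70131KiB, Recommended: YES,'

# uptime_days BOOTTIME_LINE NOW_EPOCH -> prints whole days since boot
uptime_days() {
	boot=$(printf '%s\n' "$1" | sed -E 's/.*[{] sec = ([0-9]+),.*/\1/')
	echo $(( ($2 - boot) / 86400 ))
}

# pending_update_labels SWU_OUTPUT -> prints one update label per line
pending_update_labels() {
	printf '%s\n' "$1" | awk '/^\* Label: / { sub(/^\* Label: /, ""); print }'
}

# pending_update_count SWU_OUTPUT -> prints the number of "* Label:" lines (0 if none)
pending_update_count() {
	printf '%s\n' "$1" | awk '/^\* Label: / { n++ } END { print n + 0 }'
}

# should_kickstart DAYS PENDING_COUNT -> exit 0 when softwareupdated should be restarted
should_kickstart() {
	[ "$1" -ge "$MAX_UPTIME_DAYS" ] && [ "$2" -gt 0 ]
}

# Live version for a Jamf Pro policy (macOS only; runs as root)
kickstart_if_stuck() {
	days=$(uptime_days "$(sysctl -n kern.boottime)" "$(date +%s)")
	pending=$(pending_update_count "$(softwareupdate -l 2>&1)")
	if should_kickstart "$days" "$pending"; then
		echo "Up $days days with $pending pending update(s); restarting softwareupdated"
		# -k kills the running instance first so a hung daemon is actually replaced
		launchctl kickstart -k system/com.apple.softwareupdated
	else
		echo "Up $days days, $pending pending update(s); leaving softwareupdated alone"
	fi
}

# Demonstration on the constructed samples (runs on any platform): 10 days up, 2 pending
days=$(uptime_days "$SAMPLE_BOOTTIME" $((1669775101 + 10 * 86400 + 100)))
pending=$(pending_update_count "$SAMPLE_SWU_LIST")
echo "uptime: $days days, pending: $pending"
should_kickstart "$days" "$pending" && echo "would kickstart softwareupdated"

# In the policy, replace the demonstration above with a call to kickstart_if_stuck.
```

The threshold is deliberately conjunctive: a long uptime by itself is not evidence that softwareupdated is stuck, and pending updates on a freshly booted Mac are normal, so only the combination triggers the restart.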

@foobarfoo 

This will prompt users on ARM systems to enter their password, but -->if<-- they do, it still works.

I am trying to figure out how to force my users to enter their passwords to trigger a major update.

Does erase-install automate the token authentication process for volume owners?

In simple language, can you trigger a major update on Apple silicon without volume owner authentication, i.e. without the user first entering a password?

Apple's deployment documentation article titled "Use secure token, bootstrap token, and volume ownership in deployments" suggests this is not possible.

______

Major macOS upgrades require elevated privileges to begin, but standard user ownership credentials can be used with the required user options on the macOS Installer's startosinstall command-line tool (if it's already running with elevated privileges). However, if the --eraseinstall option is used, the credentials must be from a user who is both an owner and an administrator.

#########

If it is possible I would like to know how.

Thanks, ~ B
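The startosinstall --user/--stdinpass script earlier in the thread and the volume ownership question just above hinge on the same precondition: on Apple silicon the account whose password is supplied has to be a volume owner. The following is an added example, not code from any poster, that checks that before the password prompt is ever shown, so a non-owner gets a clear message instead of a failed upgrade. It assumes that `diskutil apfs listUsers /` prints a "+-- <GeneratedUID>" header for each cryptographic user followed by a "Volume Owner: Yes|No" line (macOS 11 and later on Apple silicon), and that `dscl . -read /Users/<name> GeneratedUID` returns the matching UUID; the listing and the UUIDs in the script are constructed.

```shell
#!/bin/bash
# Added example: confirm the console user is an APFS volume owner before prompting
# for a password and running startosinstall --user ... --stdinpass.
# Assumptions (see lead-in): diskutil/dscl output formats; the sample below is constructed.

SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (4 found)
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: iCloud Recovery User
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 66666666-7777-8888-9999-AAAAAAAAAAAA
|   Type: Local Open Directory User
|   Volume Owner: No'

# is_volume_owner GUID LISTING
# Exit 0 if GUID appears in LISTING with "Volume Owner: Yes", 1 otherwise (case-insensitive UUIDs).
is_volume_owner() {
	guid=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
	printf '%s\n' "$2" | awk -v guid="$guid" '
		$1 == "+--"                            { current = toupper($2) }
		/Volume Owner: Yes/ && current == guid { found = 1 }
		END { exit (found ? 0 : 1) }'
}

# console_user_guid
# Prints the GeneratedUID of the console user (macOS only); fails at the login window.
console_user_guid() {
	user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
	[ -n "$user" ] || return 1
	dscl . -read "/Users/$user" GeneratedUID | awk '{ print $2 }'
}

# preflight
# Live check on a Mac: 0 = console user is a volume owner, 1 = no console user / diskutil error,
# 2 = console user is not an owner. Call this before the Password function of the upgrade script.
preflight() {
	guid=$(console_user_guid) || { echo "No console user; nothing to prompt." >&2; return 1; }
	listing=$(diskutil apfs listUsers / 2>/dev/null) || { echo "diskutil apfs listUsers failed" >&2; return 1; }
	if is_volume_owner "$guid" "$listing"; then
		echo "Console user $guid is a volume owner; safe to prompt and run startosinstall."
		return 0
	fi
	echo "Console user $guid is NOT a volume owner; startosinstall --user will not be authorized." >&2
	return 2
}

# Demonstration on the constructed listing (runs on any platform)
is_volume_owner 11111111-2222-3333-4444-555555555555 "$SAMPLE_LISTUSERS" && echo "local user: owner"
is_volume_owner 66666666-7777-8888-9999-AAAAAAAAAAAA "$SAMPLE_LISTUSERS" || echo "local user: not an owner"
is_volume_owner EBC6C064-0000-11AA-AA11-00306543ECAC "$SAMPLE_LISTUSERS" || echo "recovery user: not an owner"

# On a Mac, run the live check instead:
# preflight || exit $?
```

Recovery users (iCloud or personal recovery key) appear in the same listing but never carry "Volume Owner: Yes", which is why the check keys on that line rather than on mere presence in the list.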