Jamf Nation Community

Bernard, I think this is proxy related. Are your Macs behind a proxy server?

Sometimes Apple wants to download some additional updates during a macOS installation (or macOS minor/major update, e.g. from 10.14.0 to 10.14.1), even if you have downloaded the whole and most current 6 GB installer package.
We found that these additional updates are mostly firmware related updates. We had this on all touchbar devices, when they were released in 2017 and now the same with all 2018 models.

Even if all other Apple updates will work behind a proxy, these special firmware updates require a direct internet connection. I guess, Apple don't trust any proxy server behind their servers and your Mac and force you to use a direct connection for these high secure updates.

It's really a pain and we don't have a solution for this in our company. Users have to run the update installer at home or over a personal hotspot with their mobile phone. (in some cases, you have to really remove all proxy settings e.g. proxy.pac from the network settings, even if you already are connected directly to the internet)
And the worst: it's not predictable, when and on which models this will happen, so we can't exclude these devices.

I seem to be seeing something similar on 10.13.6. It appears that some of the latest Security Updates, when applied to 2018 TB MBPs also require an internet connection during the installation process (for firmware updates I assume). Problem is, our 802.1x wireless isn't connected post-logout, so unless the MBP is on ethernet, the installs will fail until you connect to ethernet, option boot the Mac back to Macintosh HD, and let it complete. It's pretty frustrating to be honest, as we don't have a good solution given our network setup and most employees being exclusively on 802.1x wireless.

Are you pushing your 802.1x profile with Jamf? It has the option for login screen connection that works fine for me; as long as it's a computer level policy. It sounds like your profile is a user level. We use machine authentication for wireless, so system keychain is fine and that works at login screen
(not entirely though, if you try to log on to a new account it has issues which I think is the keychain creating for the new user, and the wifi drops in and out)

Just to side track slightly from the OP. lol.

@summoner2100 - I seriously doubt it's a corrupted download of Mojave installer.
The installer worked on all El Cap > High Sierra with Macbook Pro 2017 or older (Obviously I haven't tested every combination of hardware and OS)
The only one that don't work is Macbook Pro 2018 with High Sierra 10.13.6. 13.6 is the minimum version this Macbook comes with.

The JAMP Pro policy is simply installing package "Install macOS Mojave.app.tar". Nothing extra.

@hansjoerg.watzl - Yes, we are behind a proxy, and yes, it blocks most of the things related to Apple. And yes, I have experienced many other functions that would normally work for any Macbook, but doesn't work within our company.

I did try to connect the Macbook Pro 2018 to a 4G dongle (direct external internet). It still didn't like it for some reason :(

Overnight I did come up with a solution. Go to the Macbook 2018's recovery partition, allow to boot from external drive.
Then boot off the bootable Mojave installer, and install it from there. This worked.
Good news it is retained all of user's data, it is just like an upgrade ran from the normal macOS session.
Bad news is I can't distribute this via JAMF. I can only do this to every single Macbook Pro 2018 physically.

@summoner2100 We do install our wireless config profile via Jamf, though as a pkg, because we don't want network access to go pear shaped if something goes on with MDM or the client binary. It loads our root certs into the System keychain, but does not pipe the login info in from the Login Screen, as it draws out login. Folks auth after login, and store the creds in their login keychain.

@Bernard.Huang Hm, a .tar for the installer app? I haven't tried that, I'm copying it into applications wrapping it inside a dmg as that works for me. Maybe the script trying to run it isn't extracting it? Or it's not waiting long enough for the extraction process of the app, because that will take time for that installer.

Question, got any instructions for doing wifi config with a pkg install? I haven't tried it that way

@summoner2100 When uploading the Install macOS Mojave.app onto JAMF Admin, it automatically zips it int a .tar file.

Hi all,

I've just come across another situation where Macbook Pro 2018 (with the T2 Secure SEP) suck!

I'm am upgrade a newly out-of-the box Macbook Pro from 10.14.1 to 10.14.2 via the combo update package. This is prior to any JAMF Pro enrolment, so there is no restricted policies anywhere. The Macbook has a direct internet connection. That's how it downloaded the upgrade installer. it does not go through our company's proxy.

After downloading the upgrade installer, the Macbook refused the upgrade. The work around, again as above, is to boot into recovery mode, then disable the T2 secure
Then boot back into the macOS, then the 10.14.2 upgrade would work.

Is anyone else getting this? I've google-ing and searching forums, I don't hear others complaining about the Macbook Pro 2018. But my experiences is nothing but Apple suck

I have seen this on New T2 Chip Mac Book Pro's while behind proxy connections. and is due to the fact that the systems need to download specific security firmware, and the traffic is being proxy. To solve it you need to have your network/proxy team, allow/bypass https://swscan.apple.com/ and https://swdist.apple.com/

@gio.martell Is this bypass only for upgrades or will it allow new installs such as running an SHB install with 10.13.6 package?

We had the exact same problem and were finally able to find a solution to it. I hope this helps somebody else.

This problem seemed to only occur on T2 macs as you mentioned. We have another issue that is very similar to what was happening here: https://www.jamf.com/jamf-nation/discussions/30382/a-software-update-required-to-use-this-startup-disk

We were able to solve both of these issues by changing the way restarts were performed. If we performed a restart from JAMF's policies section, we'd have the "internet connection required" error for Mojave and the startup disk issue with general updates. Same results if we used "sudo shutdown -r".

According to Apple Support, T2 chips require a shutdown command after upgrades rather than a reboot. We tested this and it seemed to be true.

"sudo shutdown -h +10" calling this command in a script after installing Mojave (or general updates) were performed fixed both of our issues. We allow the user to defer the installation of the update and then let them know that the machine will restart in 10 minutes. Manually restarting seems to be okay as well.

@angle.52 Thanks for bringing the T2-update-shutdown requirement to attention here; if you need this as part of your workflow - and it only makes sense to integrate this if Apple's introduced this functional requirement - you can upvote this feature request:

https://www.jamf.com/jamf-nation/feature-requests/7285/add-softwareupdate-restart-support

It seems a bit out of date and may now be considered part of PI-006891 [Software Update policy payload does not support shutdowns] per ponyboy's comment. But it can't hurt to express your voice whether it's a feature or bug (and as far as I know Jamf doesn't have a way to vote on what bugs should be fixed... )