macOS installer script not working for Apple Silicon M1 Macbook + macOS Monterey

Bernard_Huang
Contributor III

Hi all,

  Referring to this macOS installer script.

macOSUpgrade/macOSUpgrade.sh at master · kc9wwh/macOSUpgrade · GitHub

  This script works fine for Intel Macbook upgrading to macOS Monterey 12.0.1.

  But it does not work with Apple Silicon Macbook 😞

  When attempting, I get the following error:

Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.
By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms.
If you do not agree, press CTRL-C and cancel this process immediately.

Investigating further, I ran the following in an M1 MacBook's terminal.

/Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps
Error: A method of password entry is required.
Usage: startosinstall

.....

The error suggests I need to supply admin username and password via 
--user, an admin user to authorize installation.
--passprompt, collect a password for authorization with an interactive prompt.
--stdinpass, collect a password from stdin without interaction.

 

I want JAMF to execute this. I DO NOT want to need to supply admin account and password.

Anyone got any suggestions?

3 ACCEPTED SOLUTIONS

oit-jamf
New Contributor II

Hi there,

I managed to get the upgrade to Monterey running on an M1 macbook via Self Service with the help of a script from https://github.com/therealmacjeezy/Scripts/tree/master/macOS%2010.14%20Update%20Script, it was originally created for upgrading to Mojave but I made some adaptations to get it running for Monterey.

You will need to create the installer package and have it within the self service policy, the install macOS Monterey.app has to be available for the script to work.  Got it here: https://scriptingosx.com/2021/10/download-full-installer-update/

Most important - the logged in user has to have a secure token. This user does not necessarily have to be an admin.

this is the main key that triggers upgrade.

echo $fvPass | ./startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass


Actually I wasn't patient enough. Works like a charm!


 

Latest version working on both M1 and Intel macs

 

#!/bin/bash


# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")

fvPass=$(
# Prompts the user to input their FileVault password using Applescript. This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
	-- Prompt the user to enter their filevault password
	display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} default button "Continue" with text and hidden answer
	set fvPass to (text returned of result)
	display dialog "Re-enter your macOS password to verify it was entered correctly" buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue" with text and hidden answer
	if text returned of result is equal to fvPass then
		set validatedPass to true
		fvPass
	else
		display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns"
	end if
end repeat
APPLESCRIPT
)
##Heading to be used for jamfHelper

heading="Please wait as we prepare your computer for macOS Monterey..."

##Description to be used for jamfHelper

description="

This process will take approximately 20-30 minutes.

Once completed your computer will reboot and begin the upgrade which can take an additional 15-20 minutes."

##Icon to be used for jamfHelper

icon=/Applications/Install\ macOS\ Monterey.app/Contents/Resources/InstallAssistant.icns

##Launch jamfHelper

/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$icon" -heading "$heading" -description "$description" &

jamfHelperPID=$!

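##Start macOS Upgrade
##The password is sent with printf and quoted so spaces, wildcards and leading dashes reach startosinstall unchanged

printf '%s\n' "$fvPass" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user "$currUser" --stdinpass --pidtosignal "$jamfHelperPID" >> /var/log/startosinstall.log 2>&1 &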

exit 0

 

 

edited to include the fix from @benjmars 

 

 


123 REPLIES

Thank you.

I am having other issues and posted another question on the topic. 

Do not see a restart happen after the download of the install.app and after putting in my test credentials. Account is standard, in fdesetup. Just weird the process hangs at the full-screen helper prompt. 

what do the policy logs say? 


not all that much. the install downloads, then I am prompted for passwords, then the full screen then nothing.  I am adding just a few of my own informational helper prompts but those happen before the download. I am also adding a deferment of 1 day.  We need to give our end user a little time. 

what do the logs look like when you run the script the way it is without your changes? Also I have the download of the installer as a separate deployment. using the software update terminal command. 

I can take a look and run again but adding prompts should not hurt. In fact, this worked before. But maybe the deferment is causing the issues. 

Here is the policy log from the script portion that is kicked off by the trigger:

 

Executing Policy (New) Upgrade macOS Monterey Silicon
Running script M1 and Intel Upgrade to macOS Monterey...
Script exit code: 0
Script result:
Running Recon...
Retrieving inventory preferences from https://12345.jamfcloud.com/...
Locating software updates...
Searching path: /System/Applications
Locating plugins...
Locating accounts...
Locating package receipts...
Gathering application usage information from the JamfDaemon...
Locating printers...
Searching path: /Library/Application Support
Searching path: /Applications
Locating hardware information (macOS 11.6.7)...

It is running now.

We have tested this script using a self-service policy. The test MacBook is on macOS Big Sur and we have tried using the 12.4 and 12.5 macOS Monterey installer. The account is a standard account with securetoken and FileVault enabled.

The policy runs but we get stuck on the waiting screen. After checking the logs, we keep getting this error "Error: could not get authorization ...." Any insight or ideas to fix this error?

PhilS
New Contributor III

This is *not* working for me to update M1 Macs already on Monterey up to 12.5.1. For users *confirmed* to have SecureToken, and with a meticulously correctly typed password, the startosinstall.log *still* shows "Error: could not get authorization…" Hope someone has some insight; management urgently wants all these systems patched.

This solution has been working so beautifully on my Intel and M1 machines, thank you!!  Is it possible to add a conditional statement in the beginning that double checks that the installer is downloaded before proceeding and then prompt the user to contact IT for support?  I tried playing with it, but my scripting isn't that good yet.  

PhilS
New Contributor III
I’m scoping against a smart group with the installer already in place. That’s not the issue. It’s that authentication is failing every time even with meticulously entered passwords, so the installation never begins.

DodsonNY
New Contributor

Sorry that posted in the wrong place - was meant as a separate question for me. 

cc_rider
New Contributor III

Thanks for this, man! It worked very well, but I'm puzzled by something though: the Self Service policy triggering the upgrade is not showing up in the Policy logs, so I cannot see which devices have used it so far. Any ideas? Attaching the screenshots with 1 M1 device that I've tested with and the logs in Jamf for the Self Service policy...

replace the last line with 

printf '%s\n' "$fvPass" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user "$currUser" --stdinpass --pidtosignal "$jamfHelperPID" >> /var/log/startosinstall.log 2>&1 &

cc_rider
New Contributor III

Yep! It worked now! :)

Thanks again @AtillaTheC ! ;)

This is awesome. Thank you. Any way to add a progress bar to this or know where it is in the process?

You would need to use something like DEPNotify for a feature like that.

janderson215
New Contributor II

If I could give more kudos to you two, I would. Thank you!

Bernard_Huang
Contributor III

Thanks @oit-jamf 

Your line
echo $fvPass | ./startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass

really does work!
Now the user is prompted for their password, and it does proceed to start the macOS Monterey installation.

Thanks a million.

Now the real in-house testing of Monterey upgrade begins. Good luck to all Mac Admins.

andrew_betts
New Contributor II

Both the M1 and Intel versions work great for us, and launch into the installer very quickly.

But of course it doesn't work for Big Sur.   Auto launching the Big Sur installer continues to be a nightmare.

Will92
New Contributor II

This is my working execute command for intel: /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps

My question is for the M1, how would I edit this command that works on intel to work for M1?

Would it be just like this below? or do I replace "$fvPass" with our local admin pw that is filevaulted on our macs?

echo $fvPass | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --user $currUser --stdinpass

oit-jamf
New Contributor II

Hello Will92,

Well, in your case you would have to put the password. I believe there is a way to have it garbled and not showing in plain text within the script. However, there should be another enabled FileVault user on your devices besides your local admin, no? If so, please have a look at the script posted above by JamieG.

Infra
New Contributor II

Both on the M1 and Intel Chips we get the error message. We tried the solutions from AtillaTheC.
Anyone experiencing the same issues? Any help regarding this?

SCCM
Contributor II

Do you have any software restrictions still in place, i.e. Install Assistant or the Monterey app?

Infra
New Contributor II

Seems to be working now... I guess I was just not patient enough waiting for the command to run. Also I found out that the Install Monterey App can not be running or else it will break the cycle of the command for some reason.

 

SeetendraPanda
New Contributor III

Hello Everyone

What am I doing wrong here? This did not work on an M1 and Intel as well.

#!/bin/bash


# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")

fvPass=$(
# Prompts the user to input their FileVault password using Applescript. This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
-- Prompt the user to enter their filevault password
display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with text and hidden answer default button "Continue"
set fvPass to (text returned of result)
display dialog "Re-enter your macOS password to verify it was entered correctly" with text and hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
if text returned of result is equal to fvPass then
set validatedPass to true
fvPass
else
display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
end if
end repeat
APPLESCRIPT
)

##Heading to be used for jamfHelper

heading="Please wait as we prepare your Mac for macOS Monterey....."

##Title to be used for jamfHelper

description="

This process will take approximately 60 minutes to complete.

Once completed your computer will reboot and begin the upgrade which can take an additional 45 minutes."

##Icon to be used for jamfHelper

icon=/Library/MicronJamf/Install\ macOS\ Monterey.app/Contents/Resources/InstallAssistant.icns

##Launch jamfHelper

/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$icon" -heading "$heading" -description "$description" &

jamfHelperPID=$(echo $!)

##Start macOS Upgrade

echo $fvPass | /Library/MicronJamf/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass

exit 0

 

You haven't actually put what's not working for you, or what errors you're getting, or the script output.

vmalapati_mu
New Contributor III

Hi SCCM, Actually M1 macs are looking for admin rights to proceed with upgrade. I got this when I tried: 

echo $fvPass(local admin password) | /Library/Jamf/InstallmacOSMonterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user $LocalAdmin --stdinpass

If you do not agree, press CTRL-C and cancel this process immediately.
Error: could not get authorization...

Do you have any other thoughts on this?

 

for FV2 enabled user: Error: You must provide authorisation for this volume by setting it as your startup disk.

It shouldn't be asking for admin if you're running the script via Jamf on a computer level, but the users will need to put their logged-in account password in for the install to complete. Are the users getting the prompt, and are they typing it in?
Plus your line reads echo $fvPass(local admin password) | where in the dump above it shows echo $fvPass | . Try checking that line again
echo $fvPass | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass

Also worth checking that the users are filevault enabled or it will not work
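
The checks this thread keeps coming back to (installer already downloaded, SecureToken on the logged-in account, account enabled for FileVault) can be run before the password prompt. The sketch below is an added example, not part of any poster's script; the function names, exit codes and sample outputs are assumptions, and it presumes the usual `sysadminctl -secureTokenStatus` and `fdesetup list` output formats.

```shell
#!/bin/bash
# Added example: preflight checks to run before the password prompt.
# Function names and exit codes are illustrative, not from the thread's script.

INSTALLER="${INSTALLER:-/Applications/Install macOS Monterey.app}"
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Constructed sample outputs (not captured from a real Mac), for offline checks.
SAMPLE_TOKEN='2022-08-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user alice'
SAMPLE_FDE='localadmin,11111111-2222-3333-4444-555555555555
alice,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# True if the installer app contains an executable startosinstall.
installer_ready() {
    [ -x "$1/Contents/Resources/startosinstall" ]
}

# Reads `sysadminctl -secureTokenStatus USER 2>&1` on stdin; true only when the
# status line reports ENABLED for exactly this user (no prefix matches).
token_enabled() {
    awk -v u="$1" '/Secure token is ENABLED for user/ && $NF == u { ok = 1 } END { exit !ok }'
}

# Reads `fdesetup list` (lines of "user,UUID") on stdin; true if USER is listed.
fv_enabled() {
    awk -F, -v u="$1" '$1 == u { ok = 1 } END { exit !ok }'
}

# Logs the reason and, when jamfHelper is installed, shows it to the user.
notify() {
    echo "preflight: $1" >&2
    if [ -x "$JAMF_HELPER" ]; then
        "$JAMF_HELPER" -windowType utility -title "macOS upgrade" \
            -description "$1 Please contact IT for support." -button1 "OK" >/dev/null
    fi
}

# Runs all checks for USER; a non-zero return means the upgrade must not start.
preflight() {
    local user="$1"
    installer_ready "$INSTALLER" ||
        { notify "The macOS installer is not on this Mac."; return 10; }
    sysadminctl -secureTokenStatus "$user" 2>&1 | token_enabled "$user" ||
        { notify "Account $user has no SecureToken."; return 11; }
    fdesetup list 2>/dev/null | fv_enabled "$user" ||
        { notify "Account $user is not enabled for FileVault."; return 12; }
}
```

In the upgrade script, call `preflight "$currUser" || exit $?` before the osascript prompt, so the user is never asked for a password the installer cannot use.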

 

Justin13579
New Contributor II

I have an M1 that I believe I've followed all the steps on - it runs the script, goes to a black screen with the Please wait.... and then never reboots. When I look at the Policy Log it shows it running, downloading Monterey and then verifying the package and installing, then closing the package, then step 4 and 5 and shows completed. But the device is still sitting at the initial full screen splash page and hasn't gone anywhere from there. Not sure what I'm missing.

I would pre-download monterey in a separate policy and verify its there then a separate one to call the script. 

My Intel chip Macs did this exact thing. No luck with actually executing the script on Intel macs.

After more testing the M1 script is working on both Intel and M1 macs, try using that one. 

I'll try the M1 script again.

The below is not working for me either at this point... IDK why it's different with every OS version.

Super frustrating. This script worked flawlessly on the Big Sur upgrade (changing the app name within the script)

 

'Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --agreetolicense --forcequitapps --nointeraction

Justin13579
New Contributor II

Appreciate the advice. I had done that previously in my efforts. I am beginning to suspect the original upload had an issue. So I'm going to push a new version up and see if I fare better. Taking of course your advice to keep the steps separate. Will let you know how it goes. Thank you.

 

I don't even push the installer from JAMF I just run the below to have each machine download it from apple. 

softwareupdate --fetch-full-installer

I ended up using the below instead due to inconsistencies in the version people were pulling. 

softwareupdate --fetch-full-installer --full-installer-version=12.1

Can confirm, the above works flawlessly for my Intel devices. Haven't tested the M1 with this command yet.

I entered this in the Files and Processes>Execute Command section of a new Policy. 

manoj_sk
New Contributor

Did anyone find a solution for upgrading the Intel Macs to Monterey via script? The above-mentioned scripts didn't work for me on the Big Sur to Monterey upgrade. The Jamf helper screen simply sits on the desktop after running the above script (I'm mentioning Intel Macs only)

the M1 script is working for both M1 and intel at our org. 

@AtillaTheC -- do your users have admin rights?