macOS installer script not working for Apple Silicon M1 Macbook + macOS Monterey

Bernard_Huang
Contributor III

Hi all,

  Referring to this macOS installer script.

macOSUpgrade/macOSUpgrade.sh at master · kc9wwh/macOSUpgrade · GitHub

  This script works fine for Intel Macbook upgrading to macOS Monterey 12.0.1.

  But it does not work with Apple Silicon Macbook 😞

  When attempting, I get the following error:

Expand
Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.
By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms.
If you do not agree, press CTRL-C and cancel this process immediately.

Investigating further, I run the following in a M1 Mabook's terminal.

Expand

/Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps
Error: A method of password entry is required.
Usage: startosinstall

.....

The error suggests I need to supply admin username and password via 
--user, an admin user to authorize installation.
--passprompt, collect a password for authorization with an interactive prompt.
--stdinpass, collect a password from stdin without interaction.

 

I want JAMF to execute this. I DO NOT want to need to supply admin account and password.

Anyone got any suggestions?

3 ACCEPTED SOLUTIONS

oit-jamf
New Contributor II

Hi there,

I managed to get the upgrade to Monterey running on an M1 macbook via Self Service with the help of a script from https://github.com/therealmacjeezy/Scripts/tree/master/macOS%2010.14%20Update%20Script, it was originally created for upgrading to Mojave but I made some adaptations to get it running for Monterey.

You will need to create the installer package and have it within the self service policy, the install macOS Monterey.app has to be available for the script to work.  Got it here: https://scriptingosx.com/2021/10/download-full-installer-update/

Most important - the logged in user has to have a secure token. This user does not necessarily have to be an admin.

this is the main key that triggers upgrade.

echo $fvPass | ./startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass

View solution in original post

Actually I wasn't patient enough. Works like a charm!

View solution in original post

 

Latest version working on both M1 and Intel macs

 

#!/bin/bash


# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")

fvPass=$(
# Prompts the user to input their FileVault password using Applescript. This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
	-- Prompt the user to enter their filevault password
	display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} default button "Continue" with text and hidden answer
	set fvPass to (text returned of result)
	display dialog "Re-enter your macOS password to verify it was entered correctly" buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue" with text and hidden answer
	if text returned of result is equal to fvPass then
		set validatedPass to true
		fvPass
	else
		display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns"
	end if
end repeat
AppleScript
)
##Heading to be used for jamfHelper

heading="Please wait as we prepare your computer for macOS Monterey..."

##Title to be used for jamfHelper

description="

This process will take approximately 20-30 minutes.

Once completed your computer will reboot and begin the upgrade which can take an additional 15-20 minutes."

##Icon to be used for jamfHelper

icon=/Applications/Install\ macOS\ Monterey.app/Contents/Resources/InstallAssistant.icns

##Launch jamfHelper

/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$icon" -heading "$heading" -description "$description" &

jamfHelperPID=$!

##Start macOS Upgrade

echo $fvPass | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &

exit 0

 

 

edited to include the fix from @benjmars 

 

 

View solution in original post

132 REPLIES 132

the M1 script is working for both M1 and intel at our org. 

@AtillaTheC -- do you users has admin rights? 

mixed bag here but I have tested on a standard account and its working for us. 

NGuedes
New Contributor III

Hi, 
Here I am getting the same results. Jamf Helper starts in full screen and I can see startosinstall and osinstallersetupd starting and disappearing from activity monitor when I use mission control and observe on the other workspace.

I have been trying with some changes but nothing worked until now.
(Trying upgrade from Big Sur to Monterey on a M1 device.)
Still need to test on Intel device

Marcelloman
New Contributor

we have local standard users and the script doesn't work for us either (Intel macs)
@AtillaTheC if you can mention the script here

#!/bin/bash


# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")

fvPass=$(
# Prompts the user to input their FileVault password using Applescript. This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
-- Prompt the user to enter their filevault password
display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with text and hidden answer default button "Continue"
set fvPass to (text returned of result)
display dialog "Re-enter your macOS password to verify it was entered correctly" with text and hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
if text returned of result is equal to fvPass then
set validatedPass to true
fvPass
else
display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
end if
end repeat
APPLESCRIPT
)
##Heading to be used for jamfHelper

heading="Please wait as we prepare your computer for macOS Monterey..."

##Title to be used for jamfHelper

description="

This process will take approximately 20-30 minutes.

Once completed your computer will reboot and begin the upgrade which can take an additional 15-20 minutes."

##Icon to be used for jamfHelper

icon=/Applications/Install\ macOS\ Monterey.app/Contents/Resources/InstallAssistant.icns

##Launch jamfHelper

/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$icon" -heading "$heading" -description "$description" &

jamfHelperPID=$!

##Start macOS Upgrade

echo $fvPass | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass

exit 0

dvasquez
Valued Contributor

I am running it on Intel Big Sur upgrading to Monterey and all works but no reboot. 

I know this has worked before but on my Intel laptop, it just sits there on the screen, full screen. 

I am testing before full deployment. 

Install .app is waiting to be used

The account is in FDEsetup 

Account is standard

I also ran in with echo (locally) and the command is receiving the proper user and additional information to run. So weird.  I am using the one with the apple script fix as I love the password verification. 

 

 

dvasquez
Valued Contributor

I am going to have a policy that uses the fetch full installer, then kick off the update script. No deferment, no additional prompts, just the straight process on an M1 Big Sur laptop. I knew this all worked before but now it is not. 

dvasquez
Valued Contributor

I removed all my helper prompts, and deferments. I used your fetch installer and sent it to a log to verify it is in fact downloading. It does. I get the full screen and it just hangs. I am using the script above.

Logs do not tell me much:

Running script Fetch Full Installer...
Script exit code: 0
Script result:
[STEP 3 of 6]
Running script Trigger Install policy macOS Intel and Silicon...
Script exit code: 0
Script result: Checking for policies triggered by "macos" for user "sallymay"...
Executing Policy (New) Upgrade macOS Monterey Silicon Running script M1 and Intel Upgrade to macOS Monterey... Script exit code: 0 Script result: Running Recon... Retrieving inventory preferences from https://123456.jamfcloud.com/... Finding extension attributes... Locating package receipts... Locating hard drive information... Locating accounts... Locating software updates... Locating applications... Searching path: /System/Applications Locating plugins... Searching path: /Library/Internet Plug-Ins Locating printers... Gathering application usage information from the JamfDaemon... Searching path: /Library/Application Support Searching path: /Applications Locating hardware information (macOS 11.6.7)... Submitting data to https://123456.jamfcloud.com/... <computer_id>324</computer_id> Submitting log to https://123456.jamfcloud.com/
[STEP 4 of 6]
[STEP 5 of 6]
Inventory will be updated when all queued actions in Self Service are complete.
[STEP 6 of 6]

Mac_User_
New Contributor III

Check to see if the device you are testing has both a bootstrap token and secure token. FileVault enabled for all users, including any managed accounts for Secure token. Check to see if there's a Bootstrap token by running this command from admin account: 

sudo profiles status -type bootstraptoken

If response = NO run this to install: 

sudo profiles install -type bootstraptoken

 In order to successfully run forced update on M1 Macs you will need both the above or script will report it has run successfully but not complete the install. 

dvasquez
Valued Contributor

all of the bootstrap statues are good and I was able to validate my bootstrap secure key as well using the following:

Validation: 

sudo profiles validate -type bootstraptoken

Status:

sudo profiles status -type bootstraptoken

Output:

profiles: Bootstrap Token supported on server: YES

profiles: Bootstrap Token escrowed to server: YES

and:

profiles: Bootstrap Token escrowed on server: YES

profiles: Bootstrap Token validated.

 

Thanks. 

 

 

dvasquez
Valued Contributor

I keep seeing these in the osinstall.log. The script without any of my deferments or helper prompts ran well on an M1 mac. But on my intel, standard user, Big Sur laptop. Same .pkg, same script. I verified bootstrap and secure tokens. 

One: 

2022-08-01 11:24:29-05 MacBook-Pro osinstallersetupd[28871]: ROM Features returned: 68703483254

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: ROM Features returned: 68703483254

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: mountDiskImageWithPath: /Applications/Install macOS Monterey.app/Contents/SharedSupport/SharedSupport.dmg

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: Using product <OSISCollectionInstallProduct: 0x7fcfba8b57c0> at distance 10

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: Helper tool loaded

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: ROM Features returned: 68703483254

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: Install was requested to a disk that was not evaluated. Blocking on evaluation.

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: ROM Features returned: 68703483254

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: ROM Features returned: 68703483254

2022-08-01 11:24:30-05 MacBook-Pro osinstallersetupd[28871]: The requested target is not valid because: BIPreflightError - Domain: com.apple.BuildInfo.preflight.error Code: 9 UserInfo: {

    NSLocalizedDescription = "The update cannot be installed on this computer.";

    NSLocalizedFailureReason = "The update cannot be installed on this computer.";

    NSUnderlyingError = "Error Domain=BIErrorDomain Code=2 \"(null)\"";

 

Two:

/Library/Application Support/JAMF/tmp/Upgrade to macOS Monterey M1 and Intel: line 49: /Applications/Install macOS Monterey.app/Contents/Resources/startosinstall: No such file or directory

Error: The update cannot be installed on this computer.

By using the agreetolicense option, you are agreeing that you have run this tool with the license-only option and have read and agreed to the terms.

If you do not agree, press CTRL-C and cancel this process immediately.

(this one is repeated over and over)

 

dvasquez
Valued Contributor

Now I see this in the log, after coping a fresh one:

Running script Upgrade to macOS Monterey M1...
Script exit code: 0
Script result: Error: The update cannot be installed on this computer.
By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately.
Running Recon...

user-gyWlUuuekn
New Contributor II

Not sure if it helps someone, but it might save you the hassle that I had. The script in question has an Applescript section for the password prompt which ends with the string "APPLESCRIPT". This was causing the variable to be incorrectly populated in my case for some reason and I kept getting "Error: could not get authorization..." until I outputed the value of $fvPass and saw that it was "APPLESCRIPT". After removing said line, everything works as expected.

Edit: I'm wrong, see explanation below.

Correction: the string is actually needed, so do not remove it. Upon reordering my script and moving the string at the beginning of the line, it seems it is working as expected.

let me try that. But it all worked perfectly before now. 

Can you send an example, please?

Appreciateed.

I see exactly what your saying:

+ fvPass=AppleScript

+ heading='Please wait as we prepare your computer for macOS Monterey...'

+ description='

dvasquez
Valued Contributor

Just an update:

I was able to get the script to work on Silicon laptops by editing the apple script poprtion. Leaving the string at the beginning and editing the ending portion from AppleScript to > APPLESCRIPT which matched the top portion. 

In testing, before I ran the script captures the full fvPass and uses it. 

In Intel, right now I see the same behavior, but it stalls at the full window. 

Logs look the same. Nothing much there. 

aaronedmonton
New Contributor III

Not able to execute this script successfully anymore on our Intel devices.  It worked last week for my test devices, and is not working anymore. I am still lacking a reliable way to execute the update through Self Service. 

Screen Shot 2022-01-20 at 12.09.35 PM.png

Screen Shot 2022-01-20 at 12.12.42 PM.png

Have you tried the script I posted above with the FVpass?

I don't believe so. Also, I'm getting an Unable to Verify MacOS when running the installer manually as well so it may not be the script not working. I'm kinda sick of working on this to be honest. Can't install manually or automatically... 

sounds like a bad installer then, I would download it directly from apple to test the script. You usually get that error if its un-signed or from an external drive. 

So my test device, I ran my normal software update command to pull down the installer. Then I tried my simple execute install script, and received the "Unable to verify MacOS" error, as posted above. That was all through Jamf. I ended up just running that one manually and it ran fine.

 

I have tried updating two of my user's devices manually and they are getting the "Unable to verify MacOS" installer error (not through Jamf, this is while I'm remoted into their computers). I had two others that ran just fine. 

 

Im thinking I may have to fix this Verify MacOS error before going back to the policy method.

Fixed my issue.

 

We have Netskope agents on our computers and it started blocking the updates. Removed Netskope from the machine and able to install manually. I haven't been able to try the script after removing Netskope but it sounds like it would work for us now. 

user-EMxOpSEmyy
New Contributor II

Hi Folks and @AtillaTheC I tried out your script (posted on 11-10-2021 and works great when I enter the correct password. However I also tried entering my mac password wrong and once I verified with the incorrect password it stays on the "please wait while we update xxx" screen. I have to force reboot it. That isn't by design if I read your script correctly yea?

 

else
display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
end if
end repeat

  

I believe its checking the 2 passwords you enter are the same, not looking at the system's password as It won't know that until it attempts the install. 

Ty. So whats the expected behavior when a user enters the incorrect password?

unfortunately what you are seeing is the expected behavior, It's why I have in our support instructions if it stays on that screen for more then 40 minutes to reboot. I'm open to edits on the script, i'm no BASH expert. 

The problem we're running into is that the double password check isn't working. I can type in 2 different passwords and never get the "Please enter matching password" dialogue. It just jumps to the black update screen "Please wait..." We have the exact script posted above with the APPLESCRIPT fix. Any thoughts?

SCCM
Contributor III

The script isnt looking to see if your typing the wrong password, its confirming you are typing the same password twice, then using it to run the install command. It doesnt take into account you typing the wrong password twice.

In your case your typing the wrong password in twice so it will use that to run the install, which will fail. The screen your seeing will remain. What your seeing seems to be expected behaviour and the machine will never restart.

Got ty you two! Your replies here have made our week with this!

user-LYBGeLSLLt
New Contributor II

Hello Everyone, iam new to the Jamf Tool and want to know, how should i do this with the script ? DO i need to deploy the Installer from App Store first ? And then deploy the script ?

This script allows the end-user to authorize the installation for themselves. They'll need to have the MacOS Monterey installer present on their machine prior to running the script, this can be achieved in a multitude of different ways.

A common practice is to create a policy with an iteration of the following command and scope it to your community: softwareupdate --fetch-full-installer --full-installer-version=12.1

Thanks, i tooked the Script and deployed it to my Macbook to test it, i got a popUp winodow to enter my Filevault password and then the DEP Notify Screen, which is freezing over 2 hours....

Mac_User_
New Contributor III

If you're reading this thread and have tried all the scripts, and even Remote Commands with no success... do you have Microsoft ATP?

Our issue was being caused by Microsoft ATP. I tested uninstalling ATP and both my Intel & M1 Test machines successfully installed Monterey. After countless error free failures, leaving everyone at Jamf Support stumped. Looks like Microsoft is aware of the issue, and fixes has yet to be released. Even on today's latest version: 101.56.62

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mde-apparently-blocks-macos-m... 

Hopes this helps some people!

Thank you so much, @Mac_User_ for sharing this info.  I can confirm that we are having the same issue and narrowed ours down to the DLP module.  By disabling DLP from Defender we were able to install updates with no issues.  Our security team is working with Microsoft to resolve the issue.

atomczynski
Valued Contributor

Do not have a good success rate.
The script launches, I'm presented with the notice to enter the user password two times.
and that is it. Sits there.

I have alos noticed typing incorrect/different password does not tell me the passwords do not match.

Thoughts?

rcole
Contributor II

Gents: I would recommend utilizing this https://github.com/grahampugh/erase-install script/workflow by Graham to do your updates and fresh installs. It works on both intel and silicon. 

dvasquez
Valued Contributor

@rcole  the process you sent at that link is a wonderful process. In testing, it works perfectly. It does take some reading and some configuration but the individual contributors have done a magnificent job. Just amazing!

What a community!

@dvasquez I'm so glad to hear this! 😀