MacOS Ventura Upgrade for non-admin user

Eskobar
Contributor

Hello everyone,

We have standard Intel/M1 accounts (non-admin) (OS: 10.14.6 to 12.6.1).

Could you advise how best I can grant them admin access to make the upgrade?

Thank you.

1 ACCEPTED SOLUTION

TechSpecialist
Contributor

On Apple silicon Macs there is something called 'volume ownership'. This is required in combination with (elevated) Admin prefs.

The best way to have users without admin rights to upgrade themselves is by using this tool:

https://github.com/grahampugh/erase-install

AJPinto
Honored Contributor II

Apple's vision for this is to use MDM Commands to run OS updates. Beyond giving your users volume ownership, you will not have a good time enabling and empowering users to run their own OS updates. This is absolutely something to submit feedback to Apple on.

Volume ownership

Mac computers with Apple silicon introduce the concept of volume ownership. Volume ownership in an organizational context isn’t tied to the true legal ownership or chain of custody of the Mac. Instead, volume ownership can loosely be defined as the user who first claimed a Mac by configuring it for their own use, along with any additional users. You must be a volume owner to make changes to the startup security policy for a specific install of macOS, authorize the installation of macOS software updates and upgrades, initiate an Erase All Content and Settings, and more. The startup security policy defines the restrictions around which versions of macOS can boot, as well as how and if third-party kernel extensions can be loaded or managed.

About software updates for Apple devices - Apple Support

 

Eskobar
Contributor

Hi @TechSpecialist 

Thanks for the script, works like a charm on Intel machines. Does it work for M1? Anything to edit?

@AJPinto I was told that volume owners (M1) don't need admin rights to install Ventura if not restricted, is that true?

Yes, this should be reported back. Not making things easy!!

AJPinto
Honored Contributor II

As far as I understand, yes, it's true.
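Added example (not part of the thread or of erase-install): a check for whether an account is a volume owner, the property discussed above for Apple silicon upgrades. It assumes the `Volume Owner: Yes/No` lines that `diskutil apfs listUsers /` prints on recent macOS; the sample output, its UUIDs and the function names are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample in the shape printed by `diskutil apfs listUsers /`
# (UUIDs are made up).
sample_list_users() {
cat <<'EOF'
Cryptographic users for disk3s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Local Open Directory User
    Volume Owner: No
EOF
}

# Reads listUsers output on stdin and looks up the GeneratedUID given as $1.
# Exit status: 0 = volume owner, 1 = listed but not an owner, 2 = not listed.
is_volume_owner() {
    awk -v want="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" '
        /^[+]-- /       { cur = toupper($2); if (cur == want) seen = 1 }
        /Volume Owner:/ { if (cur == want) owner = ($NF == "Yes") }
        END             { if (owner) exit 0; exit (seen ? 1 : 2) }
    '
}

# Same lookup, reported as a word that is easy to log from a policy script.
owner_status() {
    rc=0
    is_volume_owner "$1" || rc=$?
    case $rc in
        0) echo "owner" ;;
        1) echo "not-owner" ;;
        *) echo "not-listed" ;;
    esac
}

# macOS only (defined here, not called): status of the logged-in console user.
console_user_status() {
    user=$(/usr/bin/stat -f%Su /dev/console)
    uuid=$(/usr/bin/dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
    /usr/sbin/diskutil apfs listUsers / | owner_status "$uuid"
}

# Demo on the constructed sample.
sample_list_users | owner_status 11111111-2222-3333-4444-555555555555
```

Running `console_user_status` before offering a self-service upgrade shows whether the user can authorize the installer without any change to admin group membership.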

Anton
New Contributor

Here is a script that I combined using a few other users' scripts. It's pretty simple; it has 2 JAMF parameters, $4 and $5:

$4 = input version number ex: 13.4
$5 = input just .app location /Applications/Install macOS Ventura.app

#!/bin/bash

softwareupdate --fetch-full-installer --full-installer-version "$4"

###############################################
# This script will provide temporary admin #
# rights to a standard user right from self #
# service. First it will grab the username of #
# the logged in user, check if they are #
# already an administrator, and then either #
# skip the elevation or proceed accordingly. #
# Finally, it will create a launch daemon #
# that will count down from 10 minutes and #
# then run a secondary script to demote the #
# user back to a standard account. The launch #
# daemon will continue to count down no matter #
# how often the user logs out or restarts #
# their computer. #
###############################################

#############################################
# Find the logged in user and let them know #
#############################################

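# The owner of /dev/console is the single GUI session user; parsing `who`
# can return several names when more than one console session exists.
currentUser=$(/usr/bin/stat -f%Su /dev/console)
echo "$currentUser"

# Stop at the login window so that no system account gets elevated
if [ -z "$currentUser" ] || [ "$currentUser" = "root" ] || [ "$currentUser" = "loginwindow" ]; then
    echo "No console user found; exiting."
    exit 1
fi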

################################################
# Check if the user is already an administrator #
################################################

if dseditgroup -o checkmember -m "$currentUser" admin > /dev/null 2>&1; then
    echo "User $currentUser is already an administrator. No elevation needed."
    sudo open "$5"
    exit 0
fi

#########################################################
# Write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make #
# sure it'll run, then load the daemon #
#########################################################

# Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"

# Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"

# Set the run interval to run every 10 minutes
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 600

# Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes

# Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist

# Load the daemon
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10

#########################
# Make file for removal #
#########################

# Both branches of the original test appended the same line, so create the
# directory if needed and append once
mkdir -p /private/var/userToRemove
echo "$currentUser" >> /private/var/userToRemove/user

##################################
# Give the user admin privileges #
##################################

/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin

########################################
# Write a script for the launch daemon #
# to run to demote the user back and #
# then pull logs of what the user did. #
########################################

cat << 'EOF' > /Library/Application\ Support/JAMF/removeAdminRights.sh
#!/bin/sh
if [ -f /private/var/userToRemove/user ]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
    rm -f /private/var/userToRemove/user
    # Collect logs and delete the plist before stopping the daemon: stopping it
    # can terminate this script, so later lines might never run.
    log collect --last 10m --output "/private/var/userToRemove/$userToRemove.logarchive"
    rm -f /Library/LaunchDaemons/removeAdmin.plist
    # The plist is already gone, so stop the job by label instead of by path
    launchctl bootout system/removeAdmin
fi
EOF

sudo open "$5"

exit 0

