MacOS Ventura Upgrade on Standard User Account

Vinyboy
New Contributor III

Hello All,

On a Standard Account, when user tries to upgrade to MacOS Ventura it's asks to enter admin credentials.
On the Same machine when it's asks for Monterey 12.6.1 Update, user can update it wit out any admin rights. 

Trying to find out what could be the issue and how can we mitigate it.

Thank you.

 

1 ACCEPTED SOLUTION

EmreU
New Contributor III

you can use script below to proceed updates with standard accounts

https://github.com/euydu/macOSUpdatewithStandardUsers

View solution in original post

19 REPLIES 19

mainelysteve
Valued Contributor II

Is it admin credentials or volume owner credentials it's asking for?

For what's it worth I transitioned over to using the erase install script for upgrades with Monterey last year. It was less messy with standard users doing it that way. Put the policy in Self Service and targeted a version and you're off to the races.

EDIT: Had a brain fart and didn't finish the last sentence. I need more sleep.

Vinyboy
New Contributor III

We used to use the Erase install and download/install the MacOS Installer. But installer is taking space and updating via Software Update or Nudge is a good option to me.

Erase-Install would be amazing if it were able to reliably use an already existing update installer in /Applications/. But it's just not reliable. It seems to be more reliable if you use the --overwrite flag, but the it's going to be downloading the full 45 - 35GB (depending on if it's Monterey or Ventura) installer file every time, and not all of my users have that much space.

I tried Nudge, but it just brings users to Software Updates to do the major update, and they're not admin users, so they can't do that.

MDM update commands are like a 50/50 if they work or not.

Ugh.

Vincenthesse
New Contributor III

I'm agree with you. It's very crazy to see that why Jamf or/and Apple don't support this initiative. A mix between Nudge and Superman would be the perfect solution.

Agreed. I read something in the last month (can't find it now) where someone said Apple is hiring more people for their software update division and trying to prioritize making it more enterprise friendly. Remains to be seen, but we can hope.

I really like how Superman looks, looks like they added an erase-install integration somewhat recently too. I've been meaning to test it.

Vincenthesse
New Contributor III

Yes, does Nudge have the admin right when the user click on upgrade button ? Or this is just a notification to insist to the users to upgrade the Mac ?

Vinyboy
New Contributor III

It's an Admin Credentails.

MicrosoftTeams-image (6).png

Yuniel
New Contributor II

I have this same issue, only when the update is ran from  Apple Logo -  About this mac - Software Update - Upgrade Now    is the way that standard user (Filevault user) can enter their non-admin creds 

Yuniel_0-1677625781427.png

 

Jason33
Contributor III

The machine you're updating, is already on Monterey 12.x?  If so, then updating to 12.6.1 is a minor update, and I've never seen prompt for admin password.  Updating to Ventura did however require an admin password when using System Preferences/Software Update.  Using Erase Install upgrade for a standard user didnt prompt for admin; that is probably your best way to go if you're looking to resolve that.  The installer is still taking up space on your machine because its being downloaded to /Applications when you run Software Update.

Vinyboy
New Contributor III

Which mean for now to Upgrade Ventura we have to use admin Credentials and to deploy 100+ machines use Erase Install?
Question:-
Do we have to enter Admin Credentials again for next Ventura OS Update from Software Update in MacBook?
Or
The Admin Credentials would not pop-up and user can run the update from Software Update in MacBook? 
Or
Going forward to all managed Mac with standard Account we have to use the Erase Upgrade when there is an Ventura Update in Software Update?

mainelysteve
Valued Contributor II

You can also chose to wait the 30 days and try the delta upgrader. If the 12.6.1 update didn't prompt for admin credentials then it's possible the delta upgrader for Ventura might not either. Just get everyone to 12.6.1 and wait until late November or early December to allow Ventura installations.

All non-delta OS upgrade installers have always required admin credentials, no getting around that. Either use temporary privileged accounts created from a policy or use a policy or third party software like SAP privileges to elevate the existing user to admin during the install. 

McAwesome
Valued Contributor

This is expected behavior for Major macOS updates broadly.  Upgrades that use the "Install macOS ___" installer app require Admin Rights.

Apple did introduce a new non-admin route to get to macOS 13, but they disabled it on Supervised machines running macOS 12.3 through 12.6 for 30 days.  This is because of a bug that made that Major Update get detected as a Minor one.  That bug means that it won't respect enforced deferrals on Major Updates.  12.6.1 fixes that bug.

For more information, here's Apple's support page about it.

shashank_varma
New Contributor II
Use this script from self service .
 
#!/bin/bash
# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")
fvPass=$(
# Prompts the user to input their FileVault password using Applescript. This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
-- Prompt the user to enter their filevault password
display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with text and hidden answer default button "Continue"
set fvPass to (text returned of result)
display dialog "Re-enter your macOS password to verify it was entered correctly" with text and hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
if text returned of result is equal to fvPass then
set validatedPass to true
fvPass
else
display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
end if
end repeat
APPLESCRIPT
)
##Heading to be used for jamfHelper

heading="Please wait as we prepare your computer for macOS Ventura..."

##Title to be used for jamfHelper

description="

This process will take approximately 20-30 minutes.

Once completed your computer will reboot and begin the upgrade which can take an additional 15-20 minutes."

##Icon to be used for jamfHelper

icon=/Applications/Install\ macOS\ Ventura.app/Contents/Resources/InstallAssistant.icns

##Launch jamfHelper

/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$icon" -heading "$heading" -description "$description" &

jamfHelperPID=$!

##Start macOS Upgrade

echo $fvPass | /Applications/Install\ macOS\ Ventura.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user $currUser --stdinpass --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &

exit 0

Wouldn't this only work for admin users?

user-NTKbCXOtlH
New Contributor

This script isn't working on my M1's who have standard accounts. Anyone else experiencing this?

indeskize
New Contributor II

the script listed above does not seem to work. i left it sit for over an hour and nothing happened. 

Qwheel
Contributor II

We're seeing some strange behaviour at our end aswell.
When reviewing the startosinstall.log, is anyone seeing issues with the --agreetolicense flag?

Also, we were having users occasionally see endless JAMFhelper black screens.
I wrote a couple of checks after the script to confirm the PID that closes the JAMFhelper window is still running.
If it isn't, it kills the process and presents some closable windows that aim to offer some guidance as to what went wrong.

# sleep 1 minutes
sleep 60
echo "Slept for 60 seconds. Checking if PID is still running"
if ps -p $macOSupdatePID > /dev/null
then
   echo "$macOSupdatePID is still running"
else
   echo "$macOSupdatePID is not running, closing jamfHelper."
	sudo kill $jamfHelperPID
	logs=$( tail -n 5 /var/log/startosinstall.log )
    echo "$logs"
	
	/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
    -windowType hud \
    -title "         " \
    -heading "MacOS Upgrade not completed" \
    -description "We apologise for the difficulties experienced:

    Force quit any running applications. 
    Check you have your device charging.
    Please restart your computer.

    Then attempt the installation process again.
    Thank you for your patience." \
    -icon "/Applications/Install\ macOS\ Ventura.app/Contents/Resources/InstallAssistant.icns" &

    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
    -windowType hud \
    -windowPosition lr \
    -title "         " \
    -heading "Upgrade logs" \
    -description "$logs" &

    exit 1
    fi

# sleep 5 minutes
sleep 300
echo "Slept for 5 more minutes. Checking if PID is still running"
if ps -p $macOSupdatePID > /dev/null
then
   echo "$macOSupdatePID is still running"
else
   echo "$macOSupdatePID is not running, closing jamfHelper."
	sudo kill $jamfHelperPID
	logs=$( tail -n 5 /var/log/startosinstall.log )
    echo "$logs"
	
	/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
    -windowType hud \
    -title "         " \
    -heading "MacOS Upgrade not completed" \
    -description "We apologise for the difficulties experienced:

    Force quit any running applications. 
    Check you have your device charging.
    Please restart your computer.

    Then attempt the installation process again.
    Thank you for your patience." \
    -icon "/Applications/Install\ macOS\ Ventura.app/Contents/Resources/InstallAssistant.icns" &

    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
    -windowType hud \
    -windowPosition lr \
    -title "         " \
    -heading "Upgrade logs" \
    -description "$logs" &

    exit 1
    fi

Qwheel
Contributor II

I’m surprised nobody has tried nesting the above in their script yet.

You plonk the above code in after the main startos script someone posted above.

EmreU
New Contributor III

you can use script below to proceed updates with standard accounts

https://github.com/euydu/macOSUpdatewithStandardUsers