Posted on 10-26-2022 04:21 AM
Hello All,
On a Standard Account, when user tries to upgrade to MacOS Ventura it's asks to enter admin credentials.
On the Same machine when it's asks for Monterey 12.6.1 Update, user can update it wit out any admin rights.
Trying to find out what could be the issue and how can we mitigate it.
Thank you.
10-26-2022 05:20 AM - edited 10-26-2022 07:52 AM
Is it admin credentials or volume owner credentials it's asking for?
For what's it worth I transitioned over to using the erase install script for upgrades with Monterey last year. It was less messy with standard users doing it that way. Put the policy in Self Service and targeted a version and you're off to the races.
EDIT: Had a brain fart and didn't finish the last sentence. I need more sleep.
Posted on 10-26-2022 05:27 AM
We used to use the Erase install and download/install the MacOS Installer. But installer is taking space and updating via Software Update or Nudge is a good option to me.
Posted on 12-15-2022 12:18 PM
Erase-Install would be amazing if it were able to reliably use an already existing update installer in /Applications/. But it's just not reliable. It seems to be more reliable if you use the --overwrite flag, but the it's going to be downloading the full 45 - 35GB (depending on if it's Monterey or Ventura) installer file every time, and not all of my users have that much space.
I tried Nudge, but it just brings users to Software Updates to do the major update, and they're not admin users, so they can't do that.
MDM update commands are like a 50/50 if they work or not.
Ugh.
Posted on 12-21-2022 09:50 AM
I'm agree with you. It's very crazy to see that why Jamf or/and Apple don't support this initiative. A mix between Nudge and Superman would be the perfect solution.
Posted on 12-21-2022 10:30 AM
Agreed. I read something in the last month (can't find it now) where someone said Apple is hiring more people for their software update division and trying to prioritize making it more enterprise friendly. Remains to be seen, but we can hope.
I really like how Superman looks, looks like they added an erase-install integration somewhat recently too. I've been meaning to test it.
Posted on 12-21-2022 09:20 AM
Yes, does Nudge have the admin right when the user click on upgrade button ? Or this is just a notification to insist to the users to upgrade the Mac ?
Posted on 10-26-2022 05:25 AM
It's an Admin Credentails.
Posted on 02-28-2023 03:09 PM
I have this same issue, only when the update is ran from Apple Logo - About this mac - Software Update - Upgrade Now is the way that standard user (Filevault user) can enter their non-admin creds
Posted on 10-26-2022 06:31 AM
The machine you're updating, is already on Monterey 12.x? If so, then updating to 12.6.1 is a minor update, and I've never seen prompt for admin password. Updating to Ventura did however require an admin password when using System Preferences/Software Update. Using Erase Install upgrade for a standard user didnt prompt for admin; that is probably your best way to go if you're looking to resolve that. The installer is still taking up space on your machine because its being downloaded to /Applications when you run Software Update.
Posted on 10-26-2022 06:44 AM
Which mean for now to Upgrade Ventura we have to use admin Credentials and to deploy 100+ machines use Erase Install?
Question:-
Do we have to enter Admin Credentials again for next Ventura OS Update from Software Update in MacBook?
Or
The Admin Credentials would not pop-up and user can run the update from Software Update in MacBook?
Or
Going forward to all managed Mac with standard Account we have to use the Erase Upgrade when there is an Ventura Update in Software Update?
10-26-2022 07:17 AM - edited 10-26-2022 07:17 AM
You can also chose to wait the 30 days and try the delta upgrader. If the 12.6.1 update didn't prompt for admin credentials then it's possible the delta upgrader for Ventura might not either. Just get everyone to 12.6.1 and wait until late November or early December to allow Ventura installations.
All non-delta OS upgrade installers have always required admin credentials, no getting around that. Either use temporary privileged accounts created from a policy or use a policy or third party software like SAP privileges to elevate the existing user to admin during the install.
Posted on 10-26-2022 09:23 AM
This is expected behavior for Major macOS updates broadly. Upgrades that use the "Install macOS ___" installer app require Admin Rights.
Apple did introduce a new non-admin route to get to macOS 13, but they disabled it on Supervised machines running macOS 12.3 through 12.6 for 30 days. This is because of a bug that made that Major Update get detected as a Minor one. That bug means that it won't respect enforced deferrals on Major Updates. 12.6.1 fixes that bug.
For more information, here's Apple's support page about it.
10-31-2022 08:34 AM - edited 10-31-2022 08:36 AM
Posted on 12-15-2022 12:10 PM
Wouldn't this only work for admin users?
Posted on 11-02-2022 09:57 AM
This script isn't working on my M1's who have standard accounts. Anyone else experiencing this?
Posted on 11-14-2022 08:53 AM
the script listed above does not seem to work. i left it sit for over an hour and nothing happened.
Posted on 11-25-2022 02:32 AM
We're seeing some strange behaviour at our end aswell.
When reviewing the startosinstall.log, is anyone seeing issues with the --agreetolicense flag?
Also, we were having users occasionally see endless JAMFhelper black screens.
I wrote a couple of checks after the script to confirm the PID that closes the JAMFhelper window is still running.
If it isn't, it kills the process and presents some closable windows that aim to offer some guidance as to what went wrong.
# sleep 1 minutes
sleep 60
echo "Slept for 60 seconds. Checking if PID is still running"
if ps -p $macOSupdatePID > /dev/null
then
echo "$macOSupdatePID is still running"
else
echo "$macOSupdatePID is not running, closing jamfHelper."
sudo kill $jamfHelperPID
logs=$( tail -n 5 /var/log/startosinstall.log )
echo "$logs"
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
-windowType hud \
-title " " \
-heading "MacOS Upgrade not completed" \
-description "We apologise for the difficulties experienced:
Force quit any running applications.
Check you have your device charging.
Please restart your computer.
Then attempt the installation process again.
Thank you for your patience." \
-icon "/Applications/Install\ macOS\ Ventura.app/Contents/Resources/InstallAssistant.icns" &
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
-windowType hud \
-windowPosition lr \
-title " " \
-heading "Upgrade logs" \
-description "$logs" &
exit 1
fi
# sleep 5 minutes
sleep 300
echo "Slept for 5 more minutes. Checking if PID is still running"
if ps -p $macOSupdatePID > /dev/null
then
echo "$macOSupdatePID is still running"
else
echo "$macOSupdatePID is not running, closing jamfHelper."
sudo kill $jamfHelperPID
logs=$( tail -n 5 /var/log/startosinstall.log )
echo "$logs"
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
-windowType hud \
-title " " \
-heading "MacOS Upgrade not completed" \
-description "We apologise for the difficulties experienced:
Force quit any running applications.
Check you have your device charging.
Please restart your computer.
Then attempt the installation process again.
Thank you for your patience." \
-icon "/Applications/Install\ macOS\ Ventura.app/Contents/Resources/InstallAssistant.icns" &
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \
-windowType hud \
-windowPosition lr \
-title " " \
-heading "Upgrade logs" \
-description "$logs" &
exit 1
fi
Posted on 12-16-2022 11:57 PM
I’m surprised nobody has tried nesting the above in their script yet.
You plonk the above code in after the main startos script someone posted above.