OS update via Self Service for M1 Devices Bash Command issue

heitorpereira10
New Contributor

Does anyone know the correct Bash command to upgrade the OS on an M1 device via Self Service? We have currently been using the following Execute command as part of the Policy that is made available via Self Service:

/Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction

However, this doesn't work with M1 devices, as we get an error:

Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.

We have attempted to try the following, but still no luck?

Applications/Install\ macOS Big Sur.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user <admin account> --stdinpass <admin password>

Has anyone been successful in creating a policy that works in a similar way for M1 devices?

3 ACCEPTED SOLUTIONS

ssoun
New Contributor III

See here, https://community.jamf.com/t5/jamf-pro/macos-installer-script-not-working-for-apple-silicon-m1-macbo.... I've used this to upgrade M1 Macs in a policy through Self Service for our standard users and didn't have any issues. You will first need a policy that automatically downloads the Monterey installer, then create a Smart Group to check that the installer is present. You then scope this policy to the Smart Group.

You will have to change this line:

"title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon" or else it will not display a message if the typed-in passwords don't match. The part you want to change is messageIcon.

jcarr
Release Candidate Programs Tester

Have you tried erase-install? I have a policy that pushes out the erase-install package and a package that I put together to run recon on the next boot, and then executes the following command:

/Library/Management/erase-install/erase-install.sh --reinstall --os=12 --update --min-drive-space=35 --current-user --check-power --no-fs --depnotify --cleanup-after-use

I put this in Self Service using this icon. It's been a while since I've tested it, but if memory serves, this does work on Apple Silicon with standard users. It will run faster if you pre-download the macOS installer app, but that is not required.

Here's what it looks like:

[Screenshots: 1.png, 2.png]

TechSpecialist
Contributor

The Erase-Install Solution I believe is the best and most user-friendly solution.

The problem you're having is that on M1 Macs you have to deal with something called Volume Ownership in addition to a FileVault Token (if you have it enabled). This script will use the jamfadmin in combination with a prompted user password to elevate the permissions to have the Install of macOS done without the user having to have Administrative privs.

4 REPLIES

talkingmoose
Moderator

To date, there is no secure method to allow a standard (non-admin) macOS user to initiate a startosinstall update from an Apple Silicon (M1) computer itself.

There's a section on this blog post called "When we know the password" that provides the command syntax others have reported works for them. Keep in mind that admin password can be seen by anyone who's monitoring for activity using Terminal. You don't want to use an admin password that's common across all your computers.

The command is part of the blog post for those who find the risk of using it acceptable, but Jamf does not endorse using this method. Instead, send a Wipe command from your Jamf Pro console. If your computer is running macOS Monterey, the Wipe command will actually be an "Erase All Content and Settings" command.

https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/
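
An added example, not part of the thread or of any Jamf or Apple tooling: a small shell lint for the startosinstall arguments of a Self Service policy, covering the two failures discussed above (no credential source at all, and a password placed on the command line after --stdinpass). The function name, the account name "localadmin" and the password are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint startosinstall arguments before they go into a policy.
# Only --stdinpass and --passprompt (both named in the error message quoted
# in the question) are treated as credential sources.

# Prints the findings on one line, or "ok"; exit status 1 when flagged.
audit_startosinstall_args() {
  local prev="" has_source=0 findings="" arg
  for arg in "$@"; do
    case "$arg" in
      --stdinpass|--passprompt) has_source=1 ;;
    esac
    # --stdinpass reads the password from standard input and takes no value.
    # A non-flag token right after it is a secret sitting in argv, visible
    # to anyone watching process activity on the machine.
    if [ "$prev" = "--stdinpass" ]; then
      case "$arg" in
        --*) ;;
        *) findings="${findings}argv-secret " ;;
      esac
    fi
    prev="$arg"
  done
  # With neither option the installer cannot obtain a credential; on Apple
  # silicon that is the "failed to authorize" error from the question.
  [ "$has_source" -eq 1 ] || findings="${findings}no-credential-source "
  if [ -n "$findings" ]; then
    echo "${findings% }"
    return 1
  fi
  echo "ok"
}

# Constructed samples: the three argument shapes discussed in the thread.
audit_startosinstall_args --agreetolicense --forcequitapps --nointeraction || true
audit_startosinstall_args --agreetolicense --user localadmin --stdinpass 'S3cret!' || true
audit_startosinstall_args --agreetolicense --user localadmin --stdinpass || true
```

A password that itself begins with "--" would slip past the argv check, so treat an "ok" result as a first pass rather than proof that no secret is on the command line.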
