Remote Install update macOS 12.6.3

dj_cs
New Contributor II

Hello friends, 

So we are a very small team and I am very new to this admin role and we are realizing that we should have done this a few months back, but didn't do enough research at the time. So, excuses aside, here is the issue. 

We had our users upgraded to Monterey prior to Ventura releasing. We've deferred the updates for Ventura (per the following posts) as we haven't had the time to properly test things in our infrastructure. We also had turned off our forced system update policy that ran updates weekly.

https://community.jamf.com/t5/jamf-pro/ventura-will-be-released-as-a-quot-minor-quot-update-bug/td-p...

https://community.jamf.com/t5/jamf-pro/macos-ventura-update-major-amp-minor-update-deferrals-oh-my/t...

We're still not ready for Ventura (getting a few things resolved, but have only had a couple accidental test cases).

So we are sitting at a place where most users are running Monterey between 12.3 and 12.6, so if we turn the updates back on, the majority of them will upgrade to 13 and no longer be able to access our internal network until we get the issues resolved.

My plan is to build policies to download the full installer for 12.6.3 and run the updates via Self Service script. Then we'll be able to turn updates back on and have a bit more breathing room for testing Ventura. 

I'll be building a smart group of OS 12.6.1 and higher to turn weekly updates back on. Everyone 12.6.0 and below I will put into a group to run the installer policies to get up to 12.6.3. 

I guess the question is has anyone else gone through this? Any tips or tricks or things to be very careful to do/not do? My worst fear is to set this plan in motion and then have people get the update initiated and restart in the midst of a meeting or something. 

1 ACCEPTED SOLUTION

Tribruin
Valued Contributor II

I would take a look at this project:

grahampugh/erase-install: A script that automates downloading macOS installers, and optionally erasi...

It would allow you to set a specific version of the O/S you want your user to update to and download the specific version, even if you are deferring updates via Software Deferrals.

(P.S. Don't forget you have approximately one month to be ready for Ventura. Once the 90 day mark has passed for 13.2, you won't be able to block users on at least 13.2 from downloading and installing the delta update.)


You can still try to block with "restricted software" and block "Install macOS Ventura.app"... better than nothing.

AJPinto
Honored Contributor II

That won't work. macOS 12.3+ installs macOS 13 as a delta. There is no install macOS Ventura.app to block.

For macOS 11 and older releases of macOS 12 it will work. However, you will need to update past macOS 12.3 to patch this 0-day, which will stop blocking the install app from working. Never mind the 0-day from August and the one from July that are not patched in 12.3.

dj_cs
New Contributor II

Thanks for this! I'll definitely be looking into it. 

My immediate questions, which you may be able to expedite my research on, are:

  • Can a user run erase-install without admin? 
  • Will this fully wipe the computers so we'll need to backup/restore their data to finalize the upgrade?
  • Will this allow me to install 12.5.1 (for a testing machine) which does not appear to still be available from Apple? 

AJPinto
Honored Contributor II

  • Can a user run erase-install without admin? On Intel, yes if it's run from JAMF the bootstrap token will handle things. On Apple Silicon, no as you need a Secure Token which cannot be passed via CLI.
  • Will this fully wipe the computers so we'll need to backup/restore their data to finalize the upgrade? It depends on how you configure it to work.
  • Will this allow me to install 12.5.1 (for a testing machine) which does not appear to still be available from Apple? Use the --fetch-full-installer argument to the softwareupdate command.

softwareupdate --fetch-full-installer --full-installer-version 12.5.1

mm2270
Legendary Contributor III

In terms of whether you can install 12.5.1 on a device, unless you already happen to have an InstallAssistant.pkg for that version or a full "Install macOS Monterey.app" that installs 12.5.1, then the answer is no.

You can use softwareupdate --list-full-installers to see which versions Apple still hosts. 12.5.1 is no longer one of them.

% softwareupdate --list-full-installers
Finding available software
Software Update found the following full installers:
* Title: macOS Ventura, Version: 13.2.1, Size: 12261711KiB, Build: 22D68
* Title: macOS Ventura, Version: 13.2, Size: 12261428KiB, Build: 22D49
* Title: macOS Ventura, Version: 13.1, Size: 11931164KiB, Build: 22C65
* Title: macOS Ventura, Version: 13.0.1, Size: 11866460KiB, Build: 22A400
* Title: macOS Monterey, Version: 12.6.3, Size: 12115350KiB, Build: 21G419
* Title: macOS Monterey, Version: 12.6.2, Size: 12104568KiB, Build: 21G320
* Title: macOS Monterey, Version: 12.6.1, Size: 12108491KiB, Build: 21G217
* Title: macOS Big Sur, Version: 11.7.3, Size: 12119247KiB, Build: 20G1116
* Title: macOS Big Sur, Version: 11.7.2, Size: 12119307KiB, Build: 20G1020
* Title: macOS Big Sur, Version: 11.7.1, Size: 12119247KiB, Build: 20G918
* Title: macOS Big Sur, Version: 11.6.6, Size: 12121263KiB, Build: 20G624
* Title: macOS Big Sur, Version: 11.6.5, Size: 12121404KiB, Build: 20G527
* Title: macOS Big Sur, Version: 11.6.4, Size: 12147782KiB, Build: 20G417
* Title: macOS Big Sur, Version: 11.6.3, Size: 12143674KiB, Build: 20G415
* Title: macOS Big Sur, Version: 11.6.2, Size: 12141944KiB, Build: 20G314
* Title: macOS Big Sur, Version: 11.6.1, Size: 12137180KiB, Build: 20G224
* Title: macOS Big Sur, Version: 11.5.2, Size: 12149332KiB, Build: 20G95
* Title: macOS Catalina, Version: 10.15.7, Size: 8055650KiB, Build: 19H15
* Title: macOS Catalina, Version: 10.15.7, Size: 8055522KiB, Build: 19H2
* Title: macOS Catalina, Version: 10.15.6, Size: 8055450KiB, Build: 19G2021
* Title: macOS Mojave, Version: 10.14.6, Size: 5896894KiB, Build: 18G103
* Title: macOS Mojave, Version: 10.14.5, Size: 5892394KiB, Build: 18F2059

A whole bunch of old Big Sur installers show up, but only a few Monterey ones as you can see. Don't ask me why, though I'm sure there's some security related reason.
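
An added example (not code from any poster in this thread or from the erase-install project): a shell sketch that parses `softwareupdate --list-full-installers` output, checks whether a wanted version is still hosted, and picks the newest installer within one major release so a Monterey fleet stays on 12.x. The function names are hypothetical, and the sample lines are copied from the listing above.

```shell
#!/bin/sh
# Sample lines taken from the listing in this thread. On a Mac, pipe the live
# output of `softwareupdate --list-full-installers` into these functions.
SAMPLE_LIST='* Title: macOS Ventura, Version: 13.2.1, Size: 12261711KiB, Build: 22D68
* Title: macOS Monterey, Version: 12.6.3, Size: 12115350KiB, Build: 21G419
* Title: macOS Monterey, Version: 12.6.2, Size: 12104568KiB, Build: 21G320
* Title: macOS Monterey, Version: 12.6.1, Size: 12108491KiB, Build: 21G217
* Title: macOS Big Sur, Version: 11.7.3, Size: 12119247KiB, Build: 20G1116'

# Print every hosted version, one per line, from listing text on stdin.
hosted_versions() {
    sed -n 's/^\* Title: .*, Version: \([0-9][0-9.]*\), Size: .*/\1/p'
}

# Succeed only if version $1 appears in the listing on stdin (exact match).
is_hosted() { hosted_versions | grep -Fxq "$1"; }

# Print the highest hosted version whose major number is $1 (e.g. 12).
latest_for_major() {
    hosted_versions | awk -F. -v major="$1" '
        $1 == major {
            if (!found || $2+0 > mi || ($2+0 == mi && $3+0 > pa))
                { best = $0; mi = $2+0; pa = $3+0; found = 1 }
        }
        END { if (found) print best; else exit 1 }'
}

# Succeed if installed version $1 is older than target $2 (numeric compare,
# a missing component counts as 0), i.e. the Mac belongs in the installer group.
is_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i]+0 < y[i]+0) exit 0
            if (x[i]+0 > y[i]+0) exit 1
        }
        exit 1
    }'
}

# Print (not run) the fetch command for the newest hosted release of major $1.
fetch_command() {
    target=$(latest_for_major "$1") || { echo "no hosted installer for macOS $1" >&2; return 1; }
    echo "softwareupdate --fetch-full-installer --full-installer-version $target"
}

# Demo on the sample listing: prints the command pinned to Monterey.
printf '%s\n' "$SAMPLE_LIST" | fetch_command 12
```
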

dj_cs
New Contributor II

Yeah, I realized this today as I was researching. It also doesn't seem like the installer for 12.5.1 I have (from a machine that had previously downloaded, but never installed) is working. When I run it, it just goes unresponsive. 

My guess is they removed the Monterey versions that auto update to Ventura for that reason or there's a massive security patch in 12.6.1. But it's equally likely I'm giving Apple way too much credit.

Thankfully, I've found a few computers in our inventory with 12.6.0 that I can use as test cases for an erase-install policy solution!

SMR1
Contributor III

We’re in the same boat. The restricted software no longer works, but we’ve sent out a communication to Mac users about not updating to Ventura. The erase-install works well, but it does download the full installer. It has a bunch of different options you can set. It does always work for us, but we use the package and set the options in files and processes.

AJPinto
Honored Contributor II

If you are installing the OS updates from install macOS Monterey.app, it probably won't install the Safari update, which you will also need.

You are in a really bad place though. There is literally no way to stop anyone from updating to Ventura at this point. For macOS 14, I recommend getting in Apple's Beta Seed as soon as macOS 14 is available and start testing day 1. In the past it took us 3-6 months to be ready for the new OS, for macOS 13 we were ready within 15 days, all security tools and everything ready.