Self Service 10.9 Upgrade

josaxo
New Contributor

Hi All - I am currently running an 8.71 JSS environment and would like to test the Mavericks update via self service. I have attempted to use the method that was proven to work for 10.8 - Copy installer local, call installer via policy, and have the user click through the installation options. With the Mavericks install, when the installer launches, I receive a prompt for admin credentials. Has anyone tried this process with Mavericks? I know 9.2 will offer a much more streamlined way to provide self service OS updates, but I am uncertain when I will be able to upgrade our server.

Thanks!

hkim
Contributor II

I can't speak to if this will work or not, but you may want to repackage the update installer using this.

http://managingosx.wordpress.com/2013/10/22/mavericks-day/

bentoms
Release Candidate Programs Tester

There is a 10.9 update for v8 coming. I doubt it'll have the whole streamed workflow but might be worth waiting on just in case it fixes something that is hindering you.

donmontalvo
Esteemed Contributor III

...or wait for 9.2 and not have to reinvent the wheel. ;)

--
https://donmontalvo.com

mm2270
Legendary Contributor III

JAMF mentioned they'll be updating the 8.x series to bring compatibility for Mavericks, as well as version 9. Maybe not any new features in 8, but in some limited testing we did, 10.9 and 8.71 (same version we're running) don't play so well together. It mostly works, but some stuff doesn't. Given this, you may actually want to wait until JAMF announces a Mavericks compatible release of the Casper Suite before moving forward with anything.

Also remember that typically new OS installs blow away any hidden admin accounts, so if you're using one as your Casper management account, you'll need to account for that.

donmontalvo
Esteemed Contributor III

http://twitter.com/golby/status/392735213937508352

RT @golby Looks like Casper 9.2 and 8.73 have been released to support Mavericks.

So upload Install OS X Mavericks.app to JSS using Casper Admin and publish through Self Service. Done. User can upgrade w/o needing admin rights...follow usual routines to deal with the usual gotchas (hidden admin account, iCloud prompt...etc.).

Don

--
https://donmontalvo.com

bentoms
Release Candidate Programs Tester

Damn that @golby.. Too busy playing here. :)

Oh & this article has had an update. https://jamfnation.jamfsoftware.com/article.html?id=173

mm2270
Legendary Contributor III

@donmontalvo. Lol! And I was just commenting on the other thread about the 5 day release cycle they mentioned to you. I had a feeling it would be sooner.

donmontalvo
Esteemed Contributor III

@mm2270 LOL...dude, you were very much missed at JNUC. :)

--
https://donmontalvo.com

denmoff
Contributor III

@donmontalvo Could you elaborate on the "usual gotchas"? I know the hidden jamf user gets destroyed. Is there a guide to work around that?

josaxo
New Contributor

Thanks all for your feedback. I will be testing the upgrade process via Self Service with JSS 8.72 and 9.2.

rderewianko
Valued Contributor II

So far I've found:
Java 6 is removed on upgrade.
Maven / Ant need to be installed (developers)

DVG
New Contributor III

Any gotchas anyone sees--shoot them to this thread. Java is a good catch because we have several Snow Leo systems that it will affect. TYVM! ROCK ON JAMF NATION!

Dusty VanGilder

nessts
Valued Contributor II

If you have been using a com.apple.SetupAssistant.plist to prevent iCloud setup from running, you have to get a new one of those; there are more keys and the last seen on version bit is important.

donmontalvo
Esteemed Contributor III

@denmoff We found the two issues I listed after an initial test. Hoping to get more testing done in the coming days.

--
https://donmontalvo.com

denmoff
Contributor III

@donmontalvo I could only find vague references to someone writing a script to elevate sub-500 user accounts to be above 500 and then drop them below 500 again after the upgrade. I suppose that would be a solution.

pickerin
Contributor II

Apple is removing Java 6 installations during the upgrade for everyone.
I had a non-managed system also lose Java. You then have to re-download and install it after the upgrade.

Alternatively, if you've installed Oracle Java 7, it is untouched by the upgrade and survives fine.

donmontalvo
Esteemed Contributor III

@denmoff Have you tested this workflow? If so what result did you get?

--
https://donmontalvo.com

denmoff
Contributor III

@donmontalvo I have it all set to go in self service and I've backed up my test laptop, but I've left my power cord at home. So, I'm going to run it from home. Which would be the best place to test it anyway. :-)

donmontalvo
Esteemed Contributor III

@denmoff I noticed Rich Trouton post somewhere that his hidden admin account didn't get hosed, so I suppose YMMV. We have a LAB specifically for blowing $#!+ up. :D

--
https://donmontalvo.com

mm2270
Legendary Contributor III

I just ran a normal "user style" upgrade to Mavericks against a test MacBook Air previously running 10.8.4 and fully managed by our JSS running 8.71. Our hidden management account and all other sub 501 accounts are still present and accounted for. I tested the accounts and they are fully functional from what I can tell.
There are compatibility issues with JSS 8.71 and Mavericks, but that's another story.

So consider this another "thumbs up" that the hidden accounts aren't being clobbered by this install.

denmoff
Contributor III

@mm2270 Cool! Did you happen to have any admin accounts that were 500+? I'm curious if the installer looks for at least one 500+ admin account. In my area, we have only one standard user and one sub 500 admin user. Well...I should find out tonight if there's any issue.

mm2270
Legendary Contributor III

@denmoff, other than my AD based cached mobile account, which is an admin account, no, I didn't have any other local admin accounts on the box I upgraded.

I plan on doing another test from another managed Mac to test a few more things. If I can remember to do it, I'll create a local 50x admin account and let you know if it survives the upgrade, but my guess is it definitely will. In fact, it would be downright strange if it affected any of those accounts.

mpermann
Valued Contributor II

I can confirm the sub 501 Casper admin account survived a normal upgrade on a MacBook Pro that had 10.8.5 installed. I tested the Casper admin account by setting up a new policy to install an Office 2011 upgrade at the every 15 trigger and it ran without any problems. Hopefully a "self service" initiated Maverick update will also exhibit the same behavior when run on a test system. I haven't had a chance to test that combination yet. Since I'm only on 8.72 I can't use the new method supported by 9.2. I guess I'll wait to hear what others experience when doing that style upgrade.

bentoms
Release Candidate Programs Tester

Our 500+ local admin account survived.

denmoff
Contributor III

@mm2270 Sorry for the confusion, but I meant, if you do NOT have a local admin with 500+ uid, would the setup process try to create one? i.e., will the user be able to create an admin account. I'm wondering if the installer looks for a local admin and if there isn't one, runs the Q/A to create it.

denmoff
Contributor III

All went well with my self service upgrade. I had accidentally had the policy set to "Install" instead of "Install from Cache", but the result was just a longer wait while the installer package downloaded. Once it completed the install, I logged in with my standard user and ran through the setup process which asked for iCloud credentials (which I skipped) and that was it. Everything was pretty seamless. All hidden accounts are still there. I'm pretty pleased with this result. Should make updating all my users pretty straightforward.

josaxo
New Contributor

One 'gotcha' I found so far is related to ADPassMon which requires the enablement of assistive devices. In Mountain Lion, this was located in System Preferences > Accessibility > Enable access for assistive devices (checkbox). In Mavericks, it is under System Preferences > Security and Privacy > Privacy > Accessibility (access is granted per app). I have yet to find the plist associated with these settings since fseventer isn't providing any direct clues.... Will post back as I learn more.

@denmoff - You mentioned your self service update was successful, what JSS version are you running?

mm2270
Legendary Contributor III

@josaxo - I think you're going to come up empty looking for a plist for those Accessibility settings. It seems this is yet another one of the items Apple has moved into an SQLite database file, just like Location Services items and a few other things (although I'm not really sure where this particular db is even stored yet). I ran into this same thing when working with the Mavericks developer previews, but I couldn't really mention it b/c of the NDA.

As you found, every application that tries to control the GUI needs to be authorized now by the user, at least the first time, to be added into the list. I understand this makes the OS more secure, and that's a good thing overall, but this trend of Apple moving this stuff into these db files is concerning to me, because it makes manipulating and controlling them on an enterprise level considerably harder. (Apple not thinking about the enterprise - shocking!!) There may be a way to script it, but I don't get the feeling it's going to be easy.

donmontalvo
Esteemed Contributor III

@mm2270 wrote:

(Apple not thinking about the enterprise - shocking!!)

Well, Apple did mention "enterprise" at least once during their announcement. ;)

Don

--
https://donmontalvo.com

corbinmharris
Contributor

This is the error I get on my test MBP running 10.8.4. Casper is 9.2

Executing Policy OS X 10.9 "Mavericks" Installer...
Installing Install OS X Mavericks.InstallESD.dmg...
Preparing for in-place OS upgrade...
Cannot detect version of OS X Installer. Must be 10.7 or later to deploy it as an upgrade.
Closing package...
Blessing i386 OS X System on /...
Creating Reboot Script...

denmoff
Contributor III

@josaxo I'm running JSS version 9.2. Upgraded OS X 10.8.5 to Mavericks.

ernstcs
Contributor III

My sub 500 management account survived the upgrade on two systems that I've upgraded from 10.8 to 10.9.
I also had to reinstall JAVA afterwards.

ndelgrande
New Contributor

I am testing the upgrade with an external drive running off USB 3.0. The internal drive is already 10.9 and FileVaulted. When the policy runs everything looks good but it just kicks me back to the login window. I think it has to do with the USB external SSD. I have a Mac Mini I can try.

corbinmharris
Contributor

"When the policy runs everything looks good but it just kicks me back to the login window. "

Batting about .800 on the upgrade to Mavericks. This is happening on a number of our Macs and this is what I'm seeing in the logs -

Executing Policy Upgrade OS X...
[STEP 1 of 1]
Installing InstallESD.dmg...
Error: The package "InstallESD.dmg" could not be mounted (no mountable file systems).
Blessing in-place OS upgrade directory...
/OS X Install Data is not a directory

I have not opened a ticket at this time since I wanted to see if anyone else was having the same issue first.

Corbin

ImAMacGuy
Valued Contributor II

I've had good success so far (no failures yet), but only tested doing 10.8.x --> 10.9. I also used the createOSXInstallpkg so I could eliminate the iCloud portion at reboot and have Java reloaded.

acostj
New Contributor II

@corbin3ci

We perfected the automated method using createOSXInstallpkg by of course creating our custom installer.

Found same issue like you did on running our custom installer directly using jamf install policy. So took the installer wrapped it up using Composer into a DMG which will hide it in the OS (IE /var/.hiddenOSX or something like that).

Create an extension attribute to read the existence of the OSX install pkg and announce to user that they can install 10.9 via Self Service or you can tie it to a policy which can trigger a bash script to silently install the pkg from hidden location, delete installer pkg, and reboot the Mac so it begins the upgrade.

This is a much simpler overview of what we have going on but it circumvents using the jamf binary to install the pkg and also gets rid of all the failures you are seeing.

cstout
Contributor III

@donmontalvo, you mentioned about the hidden admin account getting hosed. Has this happened to you before? I just set up 10.9.1 upgrade via Self-Service and after a successful OS install, my hidden admin account is completely missing from the client. My local admin account is still there, but the hidden account named "admin" is no longer present and Casper Remote fails on every attempt to authenticate.

donmontalvo
Esteemed Contributor III

@cstout This had something to do with UID for hidden accounts being reset to 500> making them visible. Is the home directory there for your admin account?

--
https://donmontalvo.com

cstout
Contributor III

@donmontalvo, The home directory is now missing and when I attempt to send any command from Casper Remote to this client the system.log shows:

Feb 19 08:39:48 COM-FinalTest sshd[6916]: Invalid user admin from 10.3.4.191
Feb 19 08:39:48 COM-FinalTest sshd[6916]: input_userauth_request: invalid user admin [preauth]
Feb 19 08:39:49 COM-FinalTest sshd: unknown [pam][6918]: in od_record_create(): failed: 13
Feb 19 08:39:49 COM-FinalTest sshd: unknown [pam][6918]: in od_record_create_cstring(): failed: 13

dscl shows no record for my hidden administrative account which is titled "admin." I verified on another managed 10.9.1 system that the admin account is residing properly in /private/var/admin. I ran the quickadd package again to see if that would build out the admin account again and it didn't. The strange part is that this computer is continuing to report to the JSS without issue. I don't know how that's possible if the management account is missing.
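
Several posts in this thread turn on whether sub-500 (hidden) accounts survive the upgrade, disappear, or come back with a UID of 500 or above. As an added example that is not part of any post here, the script below compares two saved outputs of `dscl . -list /Users UniqueID`, one taken before and one after the upgrade. The snapshot contents, the `casperadmin` account name and the choice to skip `_`-prefixed service accounts are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): audit local accounts across an OS upgrade.
# Input: two text files holding the output of `dscl . -list /Users UniqueID`
# ("name <whitespace> uid" per line), captured before and after the upgrade.

# diff_accounts BEFORE_FILE AFTER_FILE
# Prints one finding per line, sorted:
#   MISSING <name> <old_uid>              record no longer exists
#   NOW_VISIBLE <name> <old_uid> <new>    UID moved from <500 to >=500
#   UID_CHANGED <name> <old_uid> <new>    any other UID change
diff_accounts() {
  awk '
    $1 ~ /^_/ || NF != 2 { next }          # assumption: ignore _service accounts
    FILENAME == ARGV[1]  { before[$1] = $2; next }
                         { after[$1]  = $2 }
    END {
      for (u in before) {
        if (!(u in after)) { print "MISSING", u, before[u]; continue }
        b = before[u] + 0; a = after[u] + 0   # force numeric comparison
        if (a == b) continue
        if (b < 500 && a >= 500) print "NOW_VISIBLE", u, b, a
        else                     print "UID_CHANGED", u, b, a
      }
    }' "$1" "$2" | sort
}

# Constructed sample snapshots; not output from any machine in this thread.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/before.txt" <<'EOF'
_www                     70
admin                    499
casperadmin              498
daemon                   1
jdoe                     501
nobody                   -2
root                     0
EOF
  cat > "$tmp/after.txt" <<'EOF'
_www                     70
casperadmin              503
daemon                   1
jdoe                     501
nobody                   -2
root                     0
EOF
  diff_accounts "$tmp/before.txt" "$tmp/after.txt"
  rm -rf "$tmp"
}

demo
```

A `MISSING` line for the management account matches the symptom in the last post (sshd logging `Invalid user admin`), while `NOW_VISIBLE` matches the UID-reset case mentioned earlier in the thread.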