Posted on 03-21-2022 06:42 PM
Hello,
We were using that solution for setting Big Sur deployment policy in Self Service:
https://www.jamf.com/blog/streamlining-your-macos-upgrade-process/
As far as I understand, it doesn't work on M1 Macs because it requires a password for restart - as well as the similar modified script for Monterey. There is an error in the execution log:
Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt
I am thinking of creating a temporary admin account for policy execution, then deleting this account when Monterey is installed. Would you please help me modify the deployment command, where the account name and password should be added?
```
##Start macOS Upgrade
/Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
```
Thanks!
Posted on 03-21-2022 10:05 PM
See the following for the exact script you need for M1 Macs, https://community.jamf.com/t5/jamf-pro/macos-installer-script-not-working-for-apple-silicon-m1-macbo.... You may need to modify the part of the script that will display an error message when the typed in passwords don't match. Change the following from:
```
display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
```
to something like:
```
display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon POSIX file "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
```
You can change the icon to whatever you want but the original messageIcon doesn't appear to be working.
Posted on 03-22-2022 06:18 AM
@mhasman The erase-install script from @grahamrpugh will do the prompt for user password, and you can use the --preinstall-command and --postinstall-command options to run policies that will promote the user to admin before launching the installer and then demote them after it runs.
03-22-2022 04:07 PM - edited 03-22-2022 04:08 PM
The solution is needed for non-admin users, or even to be pushed.
That is why I am thinking about these steps:
- create temporary admin account;
- deploy "Install macOS" app to Applications;
- run it with tmp admin credentials;
- delete account when done
Question is how to change the command above adding ID and password... Please help :)
Thanks!
Posted on 03-22-2022 07:29 PM
@mhasman I believe to run the full installer the active user has to be an admin user, and you can't provide credentials for an admin account if the active user isn't an admin. That's why I was referring to the erase-install support for triggering other Jamf policies as part of the install process. That would allow you to run a script that adds the active user to the admin group so they can authorize the install, and another script that removes them from that group at the end of the install.
Posted on 03-23-2022 03:00 AM
The user does not normally have to be an administrator for an upgrade - it just needs to be a VolumeOwner. The user does have to be an admin to run `--eraseinstall`, therefore my `erase-install.sh` script automatically promotes the user to admin when using the `--erase` option.
Posted on 03-23-2022 06:32 AM
Add another reason I can't imagine using anything besides erase-install to run upgrades/re-images from Jamf Pro
Posted on 03-23-2022 09:07 AM
@sdagley No, it can be executed under a non-admin account by providing another local admin account's credentials.
Posted on 03-23-2022 09:21 AM
Again, an admin account is not required, just a VolumeOwner.
Posted on 03-24-2022 10:49 AM
Got it, thank you!
My only question is if there is a way to hard-code the account name and password in the command here:
```
/Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
```
Posted on 03-24-2022 11:30 AM
Yes, there is. Add `--user USERNAME` and `--stdinpass` and feed in the password in plain text (DANGER!).
So something like:
```
echo MYPASSWORD | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --pidtosignal $jamfHelperPID --user USERNAME --stdinpass >> /var/log/startosinstall.log 2>&1 &
```
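An added example, not code from any poster in this thread: a shell function that supplies the `--stdinpass` input from a file only its owner can read, instead of writing the password into the command, and deletes that file before the installer starts. The function name, the secret file path and how that file gets provisioned are assumptions; the file is assumed to hold the password followed by a newline, as `echo` would supply.

```bash
#!/bin/bash
# Added example, not code from the thread. Function name and file path are assumptions.

# run_with_stdin_secret SECRET_FILE COMMAND [ARGS...]
# Feeds SECRET_FILE to COMMAND on stdin. Returns 2 if the file is missing or
# unreadable, 3 if its mode or owner is too loose, else COMMAND's exit status.
run_with_stdin_secret() {
    local secret_file="$1" listing mode owner rc
    shift

    # Must be a regular, readable file and not a symlink.
    [ -f "$secret_file" ] && [ ! -L "$secret_file" ] && [ -r "$secret_file" ] || return 2

    # Parse `ls -ldn` rather than `stat`, whose flags differ between macOS and Linux.
    listing=$(ls -ldn "$secret_file") || return 2
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')

    # Accept only owner-read (optionally owner-write), owned by the invoking uid.
    case "$mode" in
        -rw-------|-r--------) ;;
        *) return 3 ;;
    esac
    [ "$owner" = "$(id -u)" ] || return 3

    # Open the file on fd 3 and delete it before the command starts; the open
    # descriptor keeps the content readable for this one run only.
    exec 3< "$secret_file" || return 2
    rm -f "$secret_file"

    rc=0
    "$@" <&3 || rc=$?
    exec 3<&-
    return "$rc"
}

# Usage with the command from the thread (the secret file path is a placeholder):
# run_with_stdin_secret /private/var/root/.osinstall_pw \
#     "/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall" \
#     --agreetolicense --nointeraction --forcequitapps --pidtosignal "$jamfHelperPID" \
#     --user USERNAME --stdinpass >> /var/log/startosinstall.log 2>&1 &
```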