Set Monterey deployment policy in Self Service

mhasman
Valued Contributor

Hello,

 

We were using this solution for setting the Big Sur deployment policy in Self Service:

https://www.jamf.com/blog/streamlining-your-macos-upgrade-process/

As far as I understand, it doesn't work on M1 Macs because it requires a password for restart, and neither does the similar modified script for Monterey. There is an error in the execution log:

Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt

I am thinking of creating a temporary admin account for policy execution, then deleting this account when Monterey is installed. Would you please help me modify the deployment command, where the account name and password should be added?

##Start macOS Upgrade

/Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &

 

Thanks!

 

1 ACCEPTED SOLUTION

grahamrpugh
Release Candidate Programs Tester

Yes, there is. Add `--user USERNAME` and `--stdinpass` and feed in the password in plain text (DANGER!).

So something like:

echo MYPASSWORD | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --pidtosignal $jamfHelperPID --user USERNAME --stdinpass >> /var/log/startosinstall.log 2>&1 &
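
A variant of the command above that keeps the password out of the script body, as an added example that is not from the original post or from erase-install: the password is read from a root-only file that is opened and then unlinked before the installer starts. The function name `start_upgrade` and the credential file are assumptions; how that file is delivered to the Mac is not covered here.

```shell
#!/bin/bash
# Added example; start_upgrade and the credential file are hypothetical names.

# start_upgrade INSTALLER USER PWFILE LOG HELPER_PID
# Starts startosinstall in the background with the password on stdin.
start_upgrade() {
    installer=$1    # path to startosinstall inside the installer app
    user=$2         # account given to --user
    pwfile=$3       # file containing only the password (assumed, mode 600)
    log=$4          # e.g. /var/log/startosinstall.log
    helper_pid=$5   # jamfHelper PID for --pidtosignal

    # Refuse a credential file that is missing or not owned by the caller
    # (root, when Jamf runs the policy).
    if [ ! -f "$pwfile" ] || [ ! -O "$pwfile" ]; then
        echo "credential file missing or not owned by caller" >&2
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$pwfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "credential file is accessible to group or others" >&2
        return 1
    fi

    # Open the file on fd 3, then unlink it: the secret stays readable only
    # through the open descriptor and never enters a shell variable, the
    # argument list, or xtrace output.
    exec 3< "$pwfile"
    rm -f "$pwfile"

    "$installer" --agreetolicense --nointeraction --forcequitapps \
        --pidtosignal "$helper_pid" --user "$user" --stdinpass \
        <&3 >> "$log" 2>&1 &
    upgrade_pid=$!   # left in a global so the caller can wait on it
    exec 3<&-        # the parent no longer needs the descriptor
}
```

Only the installer's own output reaches the log file, and the credential file is gone from disk as soon as the installer has been launched.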


10 REPLIES 10

SeyhaSoun
New Contributor

See the following for the exact script you need for M1 Macs, https://community.jamf.com/t5/jamf-pro/macos-installer-script-not-working-for-apple-silicon-m1-macbo.... You may need to modify the part of the script that will display an error message when the typed in passwords don't match. Change the following from:

display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon

to something like:

display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon POSIX file "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"

You can change the icon to whatever you want but the original messageIcon doesn't appear to be working.

sdagley
Esteemed Contributor II

@mhasman The erase-install script from @grahamrpugh will do the prompt for the user password, and you can use the --preinstall-command and --postinstall-command options to run policies that will promote the user to admin before launching the installer and then demote them after it runs.

mhasman
Valued Contributor

The solution is needed for non-admin users, or even being pushed.

That is why I am thinking about these steps:

- create a temporary admin account;
- deploy the "Install macOS" app to Applications;
- run it with the tmp admin credentials;
- delete the account when done

The question is how to change the command above, adding the ID and password... Please help :)

Thanks! 

sdagley
Esteemed Contributor II

@mhasman I believe to run the full installer the active user has to be an admin user, and you can't provide credentials for an admin account if the active user isn't an admin. That's why I was referring to the erase-install support for triggering other Jamf policies as part of the install process. That would allow you to run a script that adds the active user to the admin group so they can authorize the install, and another script that removes them from that group at the end of the install. 

grahamrpugh
Release Candidate Programs Tester

The user does not normally have to be an administrator for an upgrade - it just needs to be a VolumeOwner. The user does have to be an admin to run `--eraseinstall`, therefore my `erase-install.sh` script automatically promotes the user to admin when using the `--erase` option.

sdagley
Esteemed Contributor II

Add another reason I can't imagine using anything besides erase-install to run upgrades/re-images from Jamf Pro

mhasman
Valued Contributor

@sdagley No, it can be executed under a non-admin account by providing another local admin account's credentials.

grahamrpugh
Release Candidate Programs Tester

Again, an admin account is not required, just a VolumeOwner.

mhasman
Valued Contributor

Got it, thank you!

My only question is whether there is a way to hard-code the account name and password in the command here:

/Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
