04-21-2022 06:45 AM - edited 04-21-2022 06:52 AM
Hello Everyone,
Posting this after much head banging/frustration with these M1 machines. We currently are utilizing grahampugh's erase-install to have our users upgrade their machines in our organization from Self Service. It's working great so far for manual upgrading.
The issue we have is, we have a deadline to meet for all machines to be upgraded to Monterey, and as you all may know, you are going to have some outlying users who do not update. One thing to note is almost all user accounts are standard users and not administrators.
Specific to the M1 machines, it does not seem like we've been able to find a way to force the upgrade without manual user input (user/pass). We've tried a variety of methods from trying to force updates via JAMF Management Commands, to utilizing scripts to create admin accounts, authorize the startosinstall, and then delete the admin account after and also scripts such as
echo "<password>" | '/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --agreetolicense --nointeraction --forcequitapps --user <username> --stdinpass (used many variations of this)
Is there any possible way to force an upgrade on an M1 machine without user input?
04-21-2022 06:52 AM - edited 04-21-2022 06:58 AM
@MPL As long as your Jamf Pro instance has a Bootstrap Token escrowed for the machines you can use a Management Command to force the Monterey upgrade.
Posted on 04-21-2022 06:53 AM
@sdagley We do have a bootstrap token escrowed for the machines. We were trying methods to use that yesterday. Do you have an example of a script that we could use to do that?
Posted on 04-21-2022 07:01 AM
@MPL You can trigger the update via a script (I think that requires 10.37.0), but I haven't gotten around to trying that yet. I've added the manual steps to my original post.
Posted on 04-21-2022 07:22 AM
@sdagley Just tried this on one of our M1 test machines with Big Sur and it did not work. All that happens is an alert pops up in the top right and says "A new update was requested to be installed by an administrator". This machine already had the installer present in the /Applications/ directory and I waited a good 15 minutes before reaching out here again.
Not sure if maybe it takes longer or if I'm not doing something correctly. Followed the directions you posted above exactly.
Posted on 04-21-2022 07:30 AM
@MPL It's not instantaneous, but it's been pretty reliable for me. If it's still not updated in another 15 minutes try re-booting and sending the command again.
04-21-2022 08:25 AM - edited 04-21-2022 08:25 AM
Tested again by removing CrowdStrike AV and then pushing command and it didn't work. Restarted machine and pushed command again and it didn't work either.
Not sure what else to do :(
Posted on 04-21-2022 08:52 AM
When you look at the computer record in your JSS what does the management history log for your test Mac show for the update commands?
04-21-2022 08:55 AM - edited 04-21-2022 09:01 AM
It shows that there are 0 pending/0 failed commands.
Looking in the logs, the AvailableOSUpdates & ScheduleOSUpdate are under the Completed Commands section.
Posted on 04-21-2022 10:32 AM
Is the Mac you're testing plugged in to a power source? And if you run Activity Monitor, then select All Processes from the View menu, is there any indication of disk activity, or that the update may be downloading? (I don't know if the installer in the /Applications folder will be used with this upgrade mechanism.)
Posted on 04-21-2022 10:57 AM
Yep! The MacBook Air (M1) has been plugged in the whole time.
Looking in Activity Monitor there's nothing that shows any huge amount of disk activity / update being downloaded. Activity Monitor is the one using the most %CPU.
Posted on 04-21-2022 11:19 AM
Can you leave the Mac logged in and set to not sleep when the screen locks overnight? You could be running into the problem where softwareupdate gets bored and goes to graze off a cliff instead of doing what was asked of it, or for some reason the update is being deferred until some time in the middle of the night as would be done by the options that ask the user if they'd like to install an update overnight, so it might attempt the update overnight.
04-21-2022 11:38 AM - edited 04-21-2022 11:38 AM
@sdagley Our machines by default are set up to not sleep when plugged in. I'll try to leave it plugged in and turned on overnight to see if anything gets pushed through.
Besides issuing the built-in remote commands with JAMF, are there any other methods out there to force a machine to do an OS upgrade with no user input?
Posted on 04-21-2022 11:47 AM
@MPL wrote: Besides issuing the built-in remote commands with JAMF, are there any other methods out there to force a machine to do an OS upgrade with no user input?
Not without having some other user account with admin rights and a secure token to authorize the install, and it looks like you've already tried that without success.
04-21-2022 12:46 PM - edited 04-21-2022 12:47 PM
We do have a hidden admin account created by jamf which I believe has a bootstrap token but for whatever reason we can't get that to work either.
Using the script below it gets stuck on the license agreement (By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately.) or provides an auth error (Script result: Error: could not get authorization...)
echo "<admin password>" | '/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --agreetolicense --nointeraction --forcequitapps --user <admin username> --stdinpass (used many variations of this)
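Added example, not part of any post in this thread: a preflight that checks the two preconditions the thread names, a Bootstrap Token escrowed to the MDM server and a secure token on the admin account passed to startosinstall. The matched output strings are assumed from what `profiles` and `sysadminctl` print on Big Sur and Monterey, and the account name `localadmin` and the sample output are constructed.

```shell
#!/bin/bash
# Added example: preflight for an unattended upgrade on Apple silicon.
# Assumption: the output strings matched below are what
# `profiles status -type bootstraptoken` and
# `sysadminctl -secureTokenStatus <user>` print on Big Sur/Monterey.

# 0 if the Bootstrap Token is supported by and escrowed to the MDM server.
bootstrap_token_escrowed() {
    printf '%s\n' "$1" | grep -q 'supported on server: YES' &&
    printf '%s\n' "$1" | grep -q 'escrowed to server: YES'
}

# 0 if the account is reported as holding a secure token.
secure_token_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# $1 = profiles output, $2 = sysadminctl output; 0 only if both checks pass.
preflight() {
    rc=0
    if bootstrap_token_escrowed "$1"; then echo "bootstrap token: escrowed"
    else echo "bootstrap token: NOT escrowed"; rc=1; fi
    if secure_token_enabled "$2"; then echo "admin secure token: enabled"
    else echo "admin secure token: MISSING"; rc=1; fi
    return "$rc"
}

# Constructed sample output (account name "localadmin" is made up).
SAMPLE_PROFILES_OK='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_PROFILES_BAD='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_SYSADMINCTL_OK='2022-04-21 12:46:00.000 sysadminctl[901:4242] Secure token is ENABLED for user localadmin'
SAMPLE_SYSADMINCTL_BAD='2022-04-21 12:46:00.000 sysadminctl[901:4242] Secure token is DISABLED for user localadmin'

# On a Mac, run as root with the admin account name as $1 to use live
# output (sysadminctl writes to stderr, hence 2>&1); otherwise use samples.
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    preflight "$(profiles status -type bootstraptoken 2>&1)" \
              "$(sysadminctl -secureTokenStatus "$1" 2>&1)" ||
        echo "result: not ready for an unattended upgrade"
else
    preflight "$SAMPLE_PROFILES_OK" "$SAMPLE_SYSADMINCTL_BAD" ||
        echo "result: not ready for an unattended upgrade"
fi
```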
Posted on 04-26-2022 11:37 AM
Thank you, Apple, for borking simple, device administrator issued software updates. Can't wait to see what declarative-management-based solution you come up with that's much harder to implement than it was before, that only works reliably for devices enrolled as either ADE / A(BS)M or BYOD with managed AppleIDs but not for devices manually enrolled or not available for ADE. I'm sure you can figure out something that frustrates us even more! (My speculation is that the whole reason Apple removed the "just works" softwareupdate command functionality was fear of a malware in the middle attack with "corrupt" packages that facilitated jailbreaking of devices or other subversion of current security implementations. After all, an OS package can do things that are otherwise prevented by SIP!)
Posted on 05-23-2022 02:07 PM