Silent macOS Monterey Upgrade on M1 machines

MPL
Contributor II

Hello Everyone,

Posting this after much head banging/frustration with these M1 machines. We currently are utilizing grahampugh's erase-install to have our users upgrade their machines in our organization from Self Service. It's working great so far for manual upgrading.

The issue we have is, we have a deadline to meet for all machines to be upgraded to Monterey, and as you all may know, you are going to have some outlying users who do not update. One thing to note is almost all user accounts are standard users and not administrators.

 

Specific to the M1 machines, it does not seem like we've been able to find a way to force the upgrade without manual user input (user/pass). We've tried a variety of methods from trying to force updates via JAMF Management Commands, to utilizing scripts to create admin accounts, authorize the startosinstall, and then delete the admin account after and also scripts such as

echo "<password>" | '/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --agreetolicense --nointeraction --forcequitapps --user <username> --stdinpass

(used many variations of this)

Is there any possible way to force an upgrade on an M1 machine without user input?


sdagley
Esteemed Contributor II

@MPL As long as your Jamf Pro instance has a Bootstrap Token escrowed for the machines you can use a Management Command to force the Monterey upgrade.

  1. Do an Advanced Search to find the Macs you need to upgrade
  2. Click the Action button at the bottom of the screen when viewing the results of the search
  3. Select "Send Remote Commands" and click Next
  4. Select "Update OS version and built-in apps (macOS 10.11 or later, Supervised or enrolled via a PreStage enrollment)" under "Remote Commands"
  5. Select "Specific version" under "Target Version" then select 12.3.1 from the popup
  6. Select "Download and install the update, and restart computers after installation" under "Install Action" - NOTE: Any other option here will not force the update
  7. Click Next and follow the remaining prompts to send the command

MPL
Contributor II

@sdagley We do have a bootstrap token escrowed for the machines. We were trying methods to use that yesterday. Do you have an example of a script that we could use to do that?

sdagley
Esteemed Contributor II

@MPL You can trigger the update via a script (I think that requires 10.37.0), but I haven't gotten around to trying that yet. I've added the manual steps to my original post.

MPL
Contributor II

@sdagley Just tried this on one of our M1 test machines with Big Sur and it did not work. All that happens is an alert pops up in the top right and says "A new update was requested to be installed by an administrator". This machine already had the installer present in the /Applications/ directory and I waited a good 15 minutes before reaching out here again.

Not sure if maybe it takes longer or if I'm not doing something correctly. Followed the directions you posted above exactly.

sdagley
Esteemed Contributor II

@MPL It's not instantaneous, but it's been pretty reliable for me. If it's still not updated in another 15 minutes try re-booting and sending the command again.

MPL
Contributor II

Tested again by removing Crowdstrike AV and then pushing command and it didn't work. Restarted machine and pushed command again and it didn't work either.

Not sure what else to do :(

sdagley
Esteemed Contributor II

When you look at the computer record in your JSS what does the management history log for your test Mac show for the update commands?

MPL
Contributor II

It shows that there are 0 pending/0 failed commands.

Looking in the logs, the AvailableOSUpdates & ScheduleOSUpdate are under the Completed Commands section.


sdagley
Esteemed Contributor II

Is the Mac you're testing plugged in to a power source? And if you run Activity Monitor, then select All Processes from the View menu, is there any indication of disk activity, or that the update may be downloading (I don't know if the installer in the /Applications folder will be used with this upgrade mechanism)?

MPL
Contributor II

Yep! The MacBook Air (M1) has been plugged in the whole time.

Looking in Activity Monitor there's nothing that shows any huge amount of disk activity / update being downloaded. Activity Monitor is the one using the most %CPU.

sdagley
Esteemed Contributor II

Can you leave the Mac logged in and set to not sleep when the screen locks overnight? You could be running into the problem where softwareupdate gets bored and goes to graze off a cliff instead of doing what was asked of it, or for some reason the update is being deferred until some time in the middle of the night as would be done by the options that ask the user if they'd like to install an update overnight, so it might attempt the update overnight.

MPL
Contributor II

@sdagley Our machines by default are set up to not sleep when plugged in. I'll try to leave it plugged in and turned on overnight to see if anything gets pushed through.

Besides issuing the built-in remote commands with JAMF, are there any other methods out there to force a machine to do an OS upgrade with no user input?

sdagley
Esteemed Contributor II

@MPL wrote:

Besides issuing the built-in remote commands with JAMF, are there any other methods out there to force a machine to do an OS upgrade with no user input?


Not without having some other user account with admin rights and a secure token to authorize the install, and it looks like you've already tried that without success.
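
The prerequisites raised in this thread (an escrowed Bootstrap Token, an admin account with a secure token, a connected power source) can be checked on the Mac before sending the command. The following is an added example, not code from any poster or from Jamf; the strings it matches are what `profiles`, `sysadminctl` and `pmset` print on recent macOS, and `ADMIN_USER` is a placeholder to set yourself.

```shell
#!/bin/bash
# Added example: readiness checks for an unattended upgrade on Apple silicon.
# Each parser takes command output as text, so it can be run against
# constructed samples as well as on a real Mac.

# Input: output of `profiles status -type bootstraptoken`
# (the prerequisite named for the MDM Management Command route)
bootstrap_escrowed() {
  printf '%s\n' "$1" | grep -q 'Bootstrap Token escrowed to server: YES'
}

# Input: output of `sysadminctl -secureTokenStatus <user>` (printed on stderr)
# (the prerequisite named for authorizing startosinstall with an admin account)
secure_token_enabled() {
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Input: output of `pmset -g batt`
on_ac_power() {
  printf '%s\n' "$1" | grep -q "Now drawing from 'AC Power'"
}

# Prints one line per failed check and returns the number of failures (0-3).
preflight() {
  _fails=0
  bootstrap_escrowed "$1"   || { echo "FAIL: bootstrap token not escrowed"; _fails=$((_fails+1)); }
  secure_token_enabled "$2" || { echo "FAIL: admin account has no secure token"; _fails=$((_fails+1)); }
  on_ac_power "$3"          || { echo "FAIL: not on AC power"; _fails=$((_fails+1)); }
  return "$_fails"
}

# On a real Mac (run as root): ADMIN_USER is a placeholder for the admin
# short name; nothing runs here unless it is set.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${ADMIN_USER:-}" ]; then
  preflight "$(profiles status -type bootstraptoken 2>&1)" \
            "$(sysadminctl -secureTokenStatus "$ADMIN_USER" 2>&1)" \
            "$(pmset -g batt)" && echo "OK: all three checks passed"
fi
```

Run from a Jamf policy, the FAIL lines land in the policy log, which separates "prerequisite missing" from "command sent but not acted on".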

MPL
Contributor II

We do have a hidden admin account created by jamf which I believe has a bootstrap token but for whatever reason we can't get that to work either.

Using the script below it gets stuck on the license agreement (By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately.) or provides an auth error (Script result: Error: could not get authorization...)

echo "<admin password>" | '/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --agreetolicense --nointeraction --forcequitapps --user <admin username> --stdinpass

(used many variations of this)

gabester
Contributor III

11a

Thank you, Apple, for borking simple, device administrator issued software updates. Can't wait to see what declarative-management-based solution you come up with that's much harder to implement than it was before, that only works reliably for devices enrolled as either ADE / A(BS)M or BYOD with managed AppleIDs but not for devices manually enrolled or not available for ADE. I'm sure you can figure out something that frustrates us even more! (My speculation is that the whole reason Apple removed the "just works" softwareupdate command functionality was fear of a malware in the middle attack with "corrupt" packages that facilitated jailbreaking of devices or other subversion of current security implementations. After all, an OS package can do things that are otherwise prevented by SIP!)